The Binarly Research Team recently published a report about the firmware vulnerability PKfail. Because of this vulnerability, certain devices shipped with insecure Platform Keys (PK). These keys are used in a test/development environment and were not intended to be shipped with a production-ready device.
Dubbed PKfail and tracked under VU#455367, this vulnerability would allow an attacker to sign malicious software with these test keys, and thereby allow untrusted code to run during the early boot phases of UEFI, circumventing the security protections of UEFI Secure Boot.
Phoenix SCT Firmware is not affected by this vulnerability, and Phoenix takes great care to ensure that all test keys are stripped before shipping our firmware to our partners. Phoenix recommends that the best way to make sure you are safe from this vulnerability is to update your UEFI Firmware to the latest version provided by your device manufacturer, and to consult your vendor for specific details on patches for this vulnerability.
