American Megatrends Inc. (AMI), a global leader in BIOS, remote management and network storage innovations, released the following statement in relation to recent disclosures via the personal blog site of an industry blogger and security researcher regarding the discovery of a “leaky” FTP server from a Taiwan-based vendor which contained AMI UEFI BIOS source code among various internal data.
According to the post, the information available on this open FTP server included among other things “…source code for different versions of UEFI BIOS firmware from AMI for a specific hardware platform and a suspected signing key for that firmware.”
First and foremost, AMI would like to clarify that the vendor referenced in the blog post is a BIOS customer of AMI, and the insecure FTP site that contained the BIOS source code and security key data is maintained by AMI’s customer, not AMI itself. Therefore, the leak of this data was not the fault of AMI and, by extension, not the result of a security lapse on AMI’s part.
Because such a disclosure would imply a serious threat to AMI intellectual property and raise security concerns for the BIOS used on these platforms, AMI was compelled to respond in order to allay concerns about any potential security threat that might be inferred from this news. AMI states that this is not a general security threat that could “create a nearly undetectable, permanent hole in a system’s security”, provided that production-level BIOS images are built and signed using production keys.
To explain in more detail, AMI has examined the security keys referenced in the blog post and confirmed that the keys in question are test keys. Test keys are normally used for development and test purposes since developers do not have access to production keys. For production-level BIOS that would be shipped to consumers, AMI’s procedures for creating such a BIOS require the customer to procure or generate production keys. As such, AMI expects that a key such as the one disclosed to the public today will be used for testing purposes only.
Therefore, even though the test keys were unfortunately leaked via this insecure FTP site, a production-level private key used by a customer cannot be obtained from the information made public. Thus, AMI can state that this leak will not compromise the security of systems in the field if the BIOS for production machines is created using production keys.
Subramonian Shankar, American Megatrends CEO and President, commented on these concerns by stating that “while today’s news is certainly distressing, AMI would like to reassure its customers and partners in no uncertain terms that this should not be a security concern for them. If they follow standard operating procedure for BIOS signing, the security features in our BIOS source code and secure signing process will function as designed and remain 100% secure.”
Concerned parties, such as AMI partners and worldwide BIOS customers, should contact their AMI Sales Representative or AMI Technical Marketing at 1-800-U-BUY-AMI for more information regarding this recent disclosure.