UEFI private signing key leaked, when security goes totally wrong, with the help of a security researcher

Today there was a blog post http://adamcaudill.com/2013/04/04/security-done-wrong-leaky-ftp-server/ by security researcher Adam Caudill. Apparently source code for EFI firmware leaked through an insecure Taiwanese FTP server.

Unfortunately, he did not wait until the FTP server was completely secured before publishing. For security researchers – like us – it is easy to find loopholes and to find the original FTP URL even though it was not published in the blog post. The “leaky” FTP server was ftp://ftp.jetway.com.tw/, and here’s a screenshot:

[Screenshot: FTP server listing]

The catch is that when the blog post was published, the “CODE” directory was password protected against file listing – but not against its files being downloaded. Through the index at http://www.mmnt.net/db/0/0/ftp.jetway.com.tw you could still walk through the directory structure and get the direct download links.

[Screenshot: index directory listing]

These are the files in 018s.zip:

[Screenshot: file listing of 018s.zip]

In \018s\Keys\Variables there are some key files:

[Screenshot: key files in \018s\Keys\Variables]

There is even documentation in the package on the private key:

[Screenshot: SecureMod documentation]

[Screenshot: “Include PK” documentation]

The real private key is stored at \018s\Keys\FW\.priKey (EXCERPT!):

[Screenshot: private key excerpt]

Thanks to the Taiwanese FTP server, and thanks to Adam Caudill, who could not wait to publish his blog post, we now have the key. And if we have it, others might too.