Microsoft Leaks Secure Boot Key, Raises Security Concerns - InformationWeek
IoT
IoT
Software // Productivity/Collaboration Apps
News
8/12/2016
09:06 AM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

Microsoft Leaks Secure Boot Key, Raises Security Concerns

Microsoft has accidentally leaked a key that can enable users to unlock Secure Boot-protected smartphones and tablets running Windows 8.1 or later.

7 Cyber-Security Skills In High Demand
7 Cyber-Security Skills In High Demand
(Click image for larger view and slideshow.)

Microsoft is causing major cyber-security concerns with the accidental leak of a "golden key" intended to protect devices equipped with Secure Boot.

The Secure Boot feature is intended to protect Windows devices by making sure they only use software trusted by the PC maker or user. It's part of Microsoft's Unified Extensible Firmware Interface (UEFI) and ensures each component loaded during the boot process is validated.

The all-access keys were discovered by MY123 and Slipstream in March 2016. A recent blog post (animated site with tinny, arcade-style music) by researchers at MY123 and Slipstream dives into the details of Microsoft's security problems and the errors it made in addressing them.

[Google: QuadRooter threat is blocked on most Android devices.]

Note that the golden key isn't an actual key, but a means of changing the tasks launched by UEFI during the boot process, as explained in a report by Ars Technica. The policy has been made available online. It will enable anyone to disable the Secure Boot feature.

Secure Boot can be disabled on several types of desktop PCs, but is hard-coded into most devices running Windows. It seems the golden key is intended to turn off OS checks so programmers can test new projects. However, it can also leave Windows devices vulnerable.

The keys leaked by Microsoft will allow users with admin rights to install any operating system -- like Linux or Android -- on their Windows PCs, smartphones, or tablets.

(Image: Radu Bercan/iStockphoto)

(Image: Radu Bercan/iStockphoto)

This leak has dangerous implications for a machine if an attacker has physical access to it. If this is the case, a hacker could install and deploy bootkits and rootkits at deep levels, as described in the blog post.

The worst part? There's a chance Microsoft will not be able to reverse the problem.

Redmond has attempted to fix the problem through security patches, but MY123 and Slipstream believe there is no chance Microsoft will be able to make the golden keys entirely unusable for those who want to commit harm.

MY123 and Slipstream used this situation as an opportunity to warn the Federal Bureau of Investigation about the dangers of implementing a backdoor into smartphones, tablets, and PCs.

The idea of creating a device backdoor was a hot topic earlier this year, following the December 2015 shooting in San Bernardino, Calif. FBI officials ordered Apple to create code to unlock an iPhone so they could access data on a device owned by one of the shooters. Apple firmly refused to create what it called a "backdoor" to the device.

In their blog post, the MY123 and Slipstream researchers noted that Microsoft put a backdoor into Secure Boot and in doing so, allowed Secure Boot to be disabled in all Windows devices.

"About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a 'secure golden key' is very bad!" the researchers emphasized.

"Microsoft implemented a 'secure golden key' system" with Secure Boot, they continued. "And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a 'secure golden key' system?"

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
jries921
50%
50%
jries921,
User Rank: Ninja
8/13/2016 | 5:02:06 PM
How horrible!
People will be able to load whatever software they like on their own equipment, without even having to ask the permission of the OEM?  Like they actually own it?  The concept of Trusted Computing is truly in grave danger.

I'll note that MS has for years denied that Secure Boot was imposed on OEMs for the purpose of preventing PC owners from replacing Windows, so you might want to check with its PR people to make sure you got that part of the story right.
News
A Data-Centric Approach to the US Census
James M. Connolly, Executive Managing Editor, InformationWeekEditor in Chief,  10/12/2018
News
10 Top Strategic Predictions for 2019
Jessica Davis, Senior Editor, Enterprise Apps,  10/17/2018
Commentary
AI & Machine Learning: An Enterprise Guide
James M. Connolly, Executive Managing Editor, InformationWeekEditor in Chief,  9/27/2018
Register for InformationWeek Newsletters
Video
Current Issue
White Papers
Slideshows
Twitter Feed
Sponsored Live Streaming Video
Everything You've Been Told About Mobility Is Wrong
Attend this video symposium with Sean Wisdom, Global Director of Mobility Solutions, and learn about how you can harness powerful new products to mobilize your business potential.
Sponsored Video
Flash Poll