Oops: Microsoft leaks its Golden Key, unlocking Windows Secure Boot and exposing the danger of back

Jump to First Reply
Posted:
in iPhone
Microsoft has demonstrated why the FBI's desire for "Golden Key" backdoors allowing "good guys" to bypass security is such a bad idea: it inadvertently released its own keys to Windows tablets, phones, HoloLens and other devices using UEFI Secure Boot.


Microsoft created a convenience key to bypass UEFI security, then leaked it


As noted by Charlie Osborne for Zero Day, the ability to bypass Windows Secure Boot using the profiles Microsoft made public not only allows users to replace their Windows OS with something else such as Linux, but also "permits the installation and execution of bootkit and rootkits at the deepest level of the device."

Security researchers MY123 and Slipstream published a detailed explanation of how Microsoft bungled its security keys, and then failed to correctly patch for the issue, resulting in an ongoing issue that "may not be possible to fully resolve."

"A backdoor," the researchers noted, "which MS put in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!"

Evidence for the FBI to examine



Over the past winter, the FBI has locked horns with Apple over its efforts to bypass the boot security system of iOS, with the intent to make it easier to decrypt data on iPhones and other devices.

In February, Apple's chief executive Tim Cook issued a statement in response to FBI demands, writing that, "We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them.

But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.""the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone" - Tim Cook

Cook concluded, "while the government may argue that its use would be limited to this case, there is no way to guarantee such control."

Sure enough, after Microsoft did create a backdoor for Windows Phone and other Secure Boot devices, it subsequently leaked the tools for unlocking that backdoor.

The researchers involved in documenting Microsoft's screwup observed, "About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a "secure golden key" is very bad!

"Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears. You seriously don't
understand still? Microsoft implemented a 'secure golden key' system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a 'secure golden key' system? Hopefully you can add 2+2..."

At this week's BlackHat security conference, Apple engineer Ivan Krstić provided new details about how Apple's own security system works on iOS devices, noting that iOS lacks any sort of backdoor mechanism that would allow Apple or others to bypass device security the way Microsoft's Secure Boot for Windows does.

Apple's serious approach to security has enabled the company to take a leading roll in supplying computing devices to enterprise buyers, one of the markets Windows Phone has made very little progress in, and a market segment that has purposely shunned the sloppy security associated with Google's Android.
jbishop1039dysamoria
«13

Comments

  • Reply 1 of 44
    jfc1138jfc1138 Posts: 3,090member
    SO awkward. 
    baconstangdoozydozenjony0capasicumbpg131313netmagenumenorean
     7Likes 0Dislikes 0Informatives
  • Reply 2 of 44
    baconstangbaconstang Posts: 1,165member
    Hopefully MS contacted the 10 people whom might be impacted by this leak.
    zroger73doozydozenzeus423brakkencapasicum
     5Likes 0Dislikes 0Informatives
  • Reply 3 of 44

    when the dude from Microsoft who leaked the UEFI key gets fired you’ll be able to hear the cannon from Tacoma

    magman1979bpg131313
     2Likes 0Dislikes 0Informatives
  • Reply 4 of 44
    Hopefully MS contacted the 10 people whom might be impacted by this leak.
    I get the joke, but with so many government and business systems still running (ancient?) versions of Windows your and millions of citizens' info could be compromised even if you've/they've used Apple products exclusively.
    edited August 2016
    magman1979numenoreanjbdragon
     3Likes 0Dislikes 0Informatives
  • Reply 5 of 44
    roakeroake Posts: 821member
    Hahahahaha.   ahahahhhahahaha  wooooo haha
    edited August 2016
    baconstangmagman1979djkfisherrobertwalterbrakkencapasicumurahara
     7Likes 0Dislikes 0Informatives
  • Reply 6 of 44
    OMG.  That's not good.  Somebody skipped a step.  Heads will likely roll.

    magman1979doozydozendjkfishernumenorean
     4Likes 0Dislikes 0Informatives
  • Reply 7 of 44
    jbracyjbracy Posts: 13member
    Hopefully MS contacted the 10 people whom might be impacted by this leak.
    You've heard of the Surface right?
    zeus423jbdragon
     2Likes 0Dislikes 0Informatives
  • Reply 8 of 44
    in other totally unrelated news, the FBI is urging all Americans to switch to Microsoft.
    edited August 2016
    Rayz2016magman1979williamlondonradarthekatrbonnerdoozydozenschwabsaucebaconstangslprescottjony0
     23Likes 0Dislikes 0Informatives
  • Reply 9 of 44
    mknelsonmknelson Posts: 1,152member
    Hopefully MS contacted the 10 people whom might be impacted by this leak.
    I get the joke, but with so many government and business systems still running (ancient?) versions of Windows your and millions of citizens' info could be compromised even if you've/they've used Apple products exclusively.
    It looks to me like it only impacts Windows 8 and newer - that's when Windows Secure Boot appeared.

    So, anybody in the UK getting medical tests shouldn't worry that the pathology company owned by the NHS is still running XP…
    baconstangcapasicumnumenorean
     3Likes 0Dislikes 0Informatives
  • Reply 10 of 44
    SpamSandwichspamsandwich Posts: 33,407member
    The "dangers of back" go beyond the back.
     0Likes 0Dislikes 0Informatives
  • Reply 11 of 44
    bulk001bulk001 Posts: 800member
    Hopefully MS contacted the 10 people whom might be impacted by this leak.
    I get the joke, but with so many government and business systems still running (ancient?) versions of Windows your and millions of citizens' info could be compromised even if you've/they've used Apple products exclusively.
    ^This. Tens of millions of users could potentially be compromised. Not a big deal for me but then I am not standing up to regimes in China, Russia, Iran or the US. 
    doozydozenjbdragon
     2Likes 0Dislikes 0Informatives
  • Reply 12 of 44
    linkmanlinkman Posts: 1,047member
    The researchers involved in documenting Microsoft's screwup observed, "About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a "secure golden key" is very bad! 
    I'm glad they said it. I would have said it but I doubt the FBI would pay much attention to me.
     0Likes 0Dislikes 0Informatives
  • Reply 13 of 44
    in other totally unrelated news, the FBI is urging all Americans to switch to Microsoft.
    Can't even lie this made me laugh!lol.. 
    magman1979williamlondonradarthekatzeus423robertwalterbpg131313jbdragon
     7Likes 0Dislikes 0Informatives
  • Reply 14 of 44
    rob53rob53 Posts: 3,330member
    The "dangers of back" go beyond the back.
    yep, they go through the front .... I would like to see AI do a little bit of proofreading. Is that too much to expect AI?
    dysamoriaSpamSandwichsingularity
     3Likes 0Dislikes 0Informatives
  • Reply 15 of 44
    I am hoping Apple does not drop the security ball as Microsoft has. This is bad and the ramifications of the leak will not be known for a while. 

    I am wondering how this will impact Microsoft Azure. How will Microsoft tell its customers their data is safe in the cloud? This could be a great competitive opportunity for Amazon and IBM to grab a big part of Microsoft's cloud business. 
     0Likes 0Dislikes 0Informatives
  • Reply 16 of 44
    jbracy said:
    Hopefully MS contacted the 10 people whom might be impacted by this leak.
    You've heard of the Surface right?
    Sure, sure.  Of course I have.  
    That's why I too hope that MS contacts the 10 people whom are impacted by this leak and tell them to trash their device and get iPads and Macs.
    zeus423baconstangtopper24hourspscooter63capasicumbpg131313williamlondonnetmagebrucemcliquidmark
     11Likes 0Dislikes 0Informatives
  • Reply 17 of 44
    mknelson said:
    I get the joke, but with so many government and business systems still running (ancient?) versions of Windows your and millions of citizens' info could be compromised even if you've/they've used Apple products exclusively.
    It looks to me like it only impacts Windows 8 and newer - that's when Windows Secure Boot appeared.

    So, anybody in the UK getting medical tests shouldn't worry that the pathology company owned by the NHS is still running XP…
    Which, btw, is even less secure.. sooo.. yeah.. great
    pscooter63capasicum
     2Likes 0Dislikes 0Informatives
  • Reply 18 of 44
    mknelsonmknelson Posts: 1,152member
    adrayven said:
    mknelson said:
    It looks to me like it only impacts Windows 8 and newer - that's when Windows Secure Boot appeared.

    So, anybody in the UK getting medical tests shouldn't worry that the pathology company owned by the NHS is still running XP…
    Which, btw, is even less secure.. sooo.. yeah.. great
    I hear about that almost every day.
     0Likes 0Dislikes 0Informatives
  • Reply 19 of 44
    welshdogwelshdog Posts: 1,917member
    jsmythe00 said:
    Like me most Apple product users I've been of personal use Windows since IP3GS and never looked back. 

    In fact I've been off my Mac since iPad mini 2
    Could you rephrase? I don't understand.
    mknelsonbaconstangtopper24hoursyoyo2222fotoformatwilliamlondonnolamacguyjibberj
     8Likes 0Dislikes 0Informatives
  • Reply 20 of 44
    sockrolidsockrolid Posts: 2,789member
    In China it would be called the Dragon Key.
    The holy grail of authoritarian governments everywhere.
    jbdragon
     1Like 0Dislikes 0Informatives
Sign In or Register to comment.