Oops: Microsoft leaks its Golden Key, unlocking Windows Secure Boot and exposing the danger of back

Microsoft has demonstrated why the FBI's desire for "Golden Key" backdoors allowing "good guys" to bypass security is such a bad idea: it inadvertently released its own keys to Windows tablets, phones, HoloLens and other devices using UEFI Secure Boot.


Microsoft created a convenience key to bypass UEFI security, then leaked it


As noted by Charlie Osborne for Zero Day, the ability to bypass Windows Secure Boot using the profiles Microsoft made public not only allows users to replace their Windows OS with something else such as Linux, but also "permits the installation and execution of bootkit and rootkits at the deepest level of the device."

Security researchers MY123 and Slipstream published a detailed explanation of how Microsoft bungled its security keys and then failed to patch the issue correctly, resulting in an ongoing problem that "may not be possible to fully resolve."

"A backdoor," the researchers noted, "which MS put in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!"

Evidence for the FBI to examine



Over the past winter, the FBI has locked horns with Apple over its efforts to bypass the boot security system of iOS, with the intent to make it easier to decrypt data on iPhones and other devices.

In February, Apple's chief executive Tim Cook issued a statement in response to FBI demands, writing that, "We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them.

But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone."

Cook concluded, "while the government may argue that its use would be limited to this case, there is no way to guarantee such control."

Sure enough, after Microsoft did create a backdoor for Windows Phone and other Secure Boot devices, it subsequently leaked the tools for unlocking that backdoor.

The researchers involved in documenting Microsoft's screwup observed, "About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a 'secure golden key' is very bad!

"Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears. You seriously don't understand still? Microsoft implemented a 'secure golden key' system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a 'secure golden key' system? Hopefully you can add 2+2..."

At this week's Black Hat security conference, Apple engineer Ivan Krstić provided new details about how Apple's own security system works on iOS devices, noting that iOS lacks any sort of backdoor mechanism that would allow Apple or others to bypass device security the way Microsoft's Secure Boot for Windows does.

Apple's serious approach to security has enabled the company to take a leading role in supplying computing devices to enterprise buyers, one of the markets Windows Phone has made very little progress in, and a market segment that has purposely shunned the sloppy security associated with Google's Android.

Comments

  • Reply 1 of 44
    jfc1138 Posts: 3,090 member
    SO awkward. 
  • Reply 2 of 44
    Hopefully MS contacted the 10 people who might be impacted by this leak.
  • Reply 3 of 44

    when the dude from Microsoft who leaked the UEFI key gets fired you’ll be able to hear the cannon from Tacoma

  • Reply 4 of 44
    Hopefully MS contacted the 10 people who might be impacted by this leak.
    I get the joke, but with so many government and business systems still running (ancient?) versions of Windows your and millions of citizens' info could be compromised even if you've/they've used Apple products exclusively.
  • Reply 5 of 44
    roake Posts: 642 member
    Hahahahaha.   ahahahhhahahaha  wooooo haha
  • Reply 6 of 44
    OMG.  That's not good.  Somebody skipped a step.  Heads will likely roll.

  • Reply 7 of 44
    jbracy Posts: 13 member
    Hopefully MS contacted the 10 people who might be impacted by this leak.
    You've heard of the Surface right?
  • Reply 8 of 44
    in other totally unrelated news, the FBI is urging all Americans to switch to Microsoft.
  • Reply 9 of 44
    mknelson Posts: 350 member
    Hopefully MS contacted the 10 people who might be impacted by this leak.
    I get the joke, but with so many government and business systems still running (ancient?) versions of Windows your and millions of citizens' info could be compromised even if you've/they've used Apple products exclusively.
    It looks to me like it only impacts Windows 8 and newer - that's when Windows Secure Boot appeared.

    So, anybody in the UK getting medical tests shouldn't worry that the pathology company owned by the NHS is still running XP…
  • Reply 10 of 44
    SpamSandwich Posts: 31,180 member
    The "dangers of back" go beyond the back.
  • Reply 11 of 44
    bulk001 Posts: 479 member
    Hopefully MS contacted the 10 people who might be impacted by this leak.
    I get the joke, but with so many government and business systems still running (ancient?) versions of Windows your and millions of citizens' info could be compromised even if you've/they've used Apple products exclusively.
    ^This. Tens of millions of users could potentially be compromised. Not a big deal for me but then I am not standing up to regimes in China, Russia, Iran or the US. 
  • Reply 12 of 44
    linkman Posts: 916 member
    The researchers involved in documenting Microsoft's screwup observed, "About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a "secure golden key" is very bad! 
    I'm glad they said it. I would have said it but I doubt the FBI would pay much attention to me.
  • Reply 13 of 44
    in other totally unrelated news, the FBI is urging all Americans to switch to Microsoft.
    Can't even lie this made me laugh! lol..
  • Reply 14 of 44
    rob53 Posts: 2,042 member
    The "dangers of back" go beyond the back.
    yep, they go through the front .... I would like to see AI do a little bit of proofreading. Is that too much to expect AI?
  • Reply 15 of 44
    I am hoping Apple does not drop the security ball as Microsoft has. This is bad and the ramifications of the leak will not be known for a while. 

    I am wondering how this will impact Microsoft Azure. How will Microsoft tell its customers their data is safe in the cloud? This could be a great competitive opportunity for Amazon and IBM to grab a big part of Microsoft's cloud business. 
  • Reply 16 of 44
    jbracy said:
    Hopefully MS contacted the 10 people who might be impacted by this leak.
    You've heard of the Surface right?
    Sure, sure.  Of course I have.  
    That's why I too hope that MS contacts the 10 people who are impacted by this leak and tells them to trash their device and get iPads and Macs.
  • Reply 17 of 44
    mknelson said:
    I get the joke, but with so many government and business systems still running (ancient?) versions of Windows your and millions of citizens' info could be compromised even if you've/they've used Apple products exclusively.
    It looks to me like it only impacts Windows 8 and newer - that's when Windows Secure Boot appeared.

    So, anybody in the UK getting medical tests shouldn't worry that the pathology company owned by the NHS is still running XP…
    Which, btw, is even less secure.. sooo.. yeah.. great
  • Reply 18 of 44
    adrayven said:
    mknelson said:
    It looks to me like it only impacts Windows 8 and newer - that's when Windows Secure Boot appeared.

    So, anybody in the UK getting medical tests shouldn't worry that the pathology company owned by the NHS is still running XP…
    Which, btw, is even less secure.. sooo.. yeah.. great
    I hear about that almost every day.
  • Reply 19 of 44
    welshdog Posts: 1,692 member
    jsmythe00 said:
    Like me most Apple product users I've been of personal use Windows since IP3GS and never looked back. 

    In fact I've been off my Mac since iPad mini 2
    Could you rephrase? I don't understand.
  • Reply 20 of 44
    sockrolid Posts: 2,788 member
    In China it would be called the Dragon Key.
    The holy grail of authoritarian governments everywhere.