Microsoft inadvertently demonstrates the intrinsic security problem of including a universal backdoor in its software by accidentally leaking its “golden key”

From Ars Technica:

Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called “golden key”—which allows users to unlock any device that’s supposedly protected by Secure Boot, such as phones and tablets.

The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.

And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.

The golden keys were found by MY123 and Slipstream in March this year. They’ve just posted, on a rather funky website, adescription both of Microsoft’s security errors and of its seeming reluctance to patch the issue. The researchers note that this snafu is a real-world demonstration of the lack of wisdom in the FBI’s recent demands for universal backdoors in Apple’s devices. They wrote:

A backdoor, which MS put in to Secure Boot because they decided to not let the user turn it off in certain devices, allows for Secure Boot to be disabled everywhere! You can see the irony. Also the irony in that MS themselves provided us several nice “golden keys” (as the FBI would say) 😉 for us to use for that purpose 🙂

About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a “secure golden key” is very bad! Smarter …

Continue Reading