Microsoft accidentally leaks golden keys that unlock Windows devices

Loading...

Technology | CyberSecurity

Microsoft accidentally leaks golden keys that unlock every Windows device The keys allow hackers to unlock Windows devices, including tablets and phones. By India Ashok August 11, 2016 13:16 BST

Microsoft accidentally leaked the golden keys to the Windows kingdom. The keys allow hackers to unlock every Windows device, including tablets, phones and other devices that are protected by Secure Boot. The most alarming part about the leak is that it is believed that it may likely be impossible for Microsoft to fully recover from the leak. The leak was uncovered by two security researchers MY123 and Slipstream, who revealed in a (Star Wars-style) blog that the security flaw allowed malicious entities with admin rights or physical access to a device can bypass Secure Boot to not only run other operating systems (OS) like Linux or Android on the device but also install and execute rootkits and bootkits, at the most deeply penetrated level of the device. The leak serves as a reminder of the potential dangers in security when tech firms are pressured by governments and law enforcement agencies into producing special keys that can be used by investigators to unlock devices, in the course of criminal investigations.

Why advertise with us

The researchers wrote: "A backdoor, which MS put in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere! You can see the irony. Also the irony in that MS themselves provided us several nice 'golden keys' (as the FBI would say) for us to use for that purpose."

"About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a 'secure golden key' is very bad!," the duo added. What is Secure Boot? Microsoft's Secure Boot is part of its Unified Extensible Firmware Interface (UEFI) firmware, which when fully enabled deters users from booting their devices with other OS. Additionally, in specific devices, Secure Boot users cannot disable Secure Boot. Secure Boot works in tandem with certain policies, among which one particular boot policy is designed to load early and disable OS security checks. Although this policy is useful for developers, especially when conducting OS testing, the loophole allows users to allegedly boot devices with whichever OS they desire. According to a report by the Register, the "golden key" debacle was born out of a design flaw in this debug-mode policy, which was accidentally shipped onto retail devices. Unfortunately for Microsoft, the leaked golden key policy is universal and works on any device that operates on the Windows boot manager. Microsoft's response The researchers claim that they informed Microsoft in March that they had uncovered the debug-mode policy. Although Redmond allegedly initially refused to follow up the issue, Microsoft later awarded a bug bounty and pushed out a security patch MS16-094. A second patch MS16-100 followed the first in August, after it was deemed "inadequate". However, a third patch is also expected soon, given that the second patch did not completely resolve the issue. "Either way, it'd be impossible in practise for MS to revoke every bootmgr earlier than a certain point, as they'd break install media, recovery partitions, backups, etc," the the researchers commented.

Loading...

Microsoft accidentally leaks golden keys that unlock Windows devices

Technology | CyberSecurity Microsoft accidentally leaks golden keys that unlock every Windows device The keys allow hackers to unlock Windows devices...

27KB Sizes 2 Downloads 11 Views

Recommend Documents

Microsoft accidentally leaked 'master keys' for Windows 10 that allow
Aug 11, 2016 - Microsoft has accidentally released 'master keys' for Windows 10 that allow installation of software at t

'Golden keys' that unlock Windows' Secure Boot protection discovered
Aug 11, 2016 - Windows devices have a new threat thanks to a Secure Boot policy that leaked online.

Bungling Microsoft singlehandedly proves that golden backdoor keys
Aug 10, 2016 - Updated Microsoft leaked the golden keys that unlock Windows-powered tablets, phones and other devices se

Microsoft lets you unlock Windows 10 devices, apps with your face, iris
Mar 19, 2015 - Microsoft lets you unlock Windows 10 devices, apps with your face, iris and fingerprint ... This means "u

BitLocker How to enable Network Unlock (Windows 10) | Microsoft Docs
Apr 19, 2017 - Network Unlock allows BitLocker-enabled systems with TPM+PIN and that meet the hardware requirements to b

Accidentally saved a mistake - Microsoft Community
Sep 10, 2016 - Hey y'all. so recently i've been doing these stories, and i asked some people if they have any help to ge

Accidentally saved a mistake - Microsoft Community
Sep 10, 2016 - Hey y'all. so recently i've been doing these stories, and i asked some people if they have any help to ge

PCUnlocker - Unlock Windows Password, Reset Windows Password
PCUnlocker is powerful Windows password-unlocking software to reset lost Windows local administrator, domain administrat

With Windows Hello, Microsoft will let you unlock Windows 10 with
Mar 18, 2015 - Windows Hello is primarily targeted at businesses and government agencies. Microsoft opted not to rely on

Creating Primary Keys and Foreign Keys in Microsoft Access | MS
Feb 2, 2011 - This article has been submitted to discuss the use and creation of Primary Key and Foreign Key fields in M