Leak leaves every Secure Boot device vulnerable
Microsoft loses its Secure Boot master key, Facebook fights Adblock and Kaby Lake chips trickle out.
TWO “RESEARCHERS” going by the monikers “MY123” and “slipstream” have revealed on their blog a fairly monumental hole in the Windows Secure Boot process, a so-called golden key. The “key” is not a cryptographic key at all but a boot policy, and knowledge of it has the potential to unlock every Secure Boot Windows device and allow the installation of other operating systems.
During booting, Windows uses Secure Boot to check that the boot manager and the components it loads carry a Microsoft signature, and it applies a Secure Boot policy that sets how strict those checks are. The Secure Boot policy is normally only accessible to Boot Manager. During the development of Windows 10, a new kind of supplemental policy was added to ease testing and debugging; its settings are merged into the active policy when certain conditions are met. One such policy was shipped with retail Windows versions, accidentally we assume, sitting dormant in a hidden file. It is knowledge of this policy that has been leaked.
By loading the new policy, you can bypass signature checking, effectively unlocking a machine to other OSes and to the installation of potentially malicious software deep in the boot chain, where it loads before Windows and can live unchallenged. That’s the scary part. The fun part is that you can install a new OS on a machine otherwise locked to Windows, such as a Windows Phone, a Windows RT tablet or a HoloLens. Windows PCs and servers are generally not locked this way: on those the owner can usually switch Secure Boot off in the firmware settings anyway.
The bug was reported to Microsoft in March; it even paid a bug bounty. Now the issue is out in the open, and it’s all rather embarrassing for Microsoft. The company has millions of systems, and a single policy now unlocks them all. It promptly released a security patch, which proved ineffective; another soon followed, and another after that, a clear sign that it is struggling to fix this. Given how early in the boot process this vulnerability operates, it is going to be very hard to fix properly: the patches blacklist the offending policies, but older, still validly signed boot managers that honour them remain bootable, so the block can be side-stepped.
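If you administer Windows machines, the practical question is what state your own devices are in. The script below is an added example, not code from the article or from the researchers; it reports whether Secure Boot is enforcing, which Secure Boot policy Boot Manager is currently applying, how large the firmware’s forbidden-signatures database (dbx) is, and whether the current boot entry has test-signing switched on. It assumes an elevated PowerShell prompt on a UEFI system with the built-in SecureBoot module (Windows 8 and later). The dbx size is only a heuristic, since factory contents differ between OEMs, and the script cannot tell you whether the specific leaked policy has been revoked on your machine; it gives you the facts to compare against what Microsoft documents for your build.

```powershell
# Added example (not from the article): inspect a Windows machine's Secure Boot state.
# Run from an elevated PowerShell prompt on a UEFI system. Confirm-SecureBootUEFI,
# Get-SecureBootPolicy and Get-SecureBootUEFI come from the built-in SecureBoot module;
# bcdedit is a standard Windows tool.

function Get-SecureBootReport {
    $report = [ordered]@{}

    # 1. Is Secure Boot actually enforcing? The cmdlet throws on a legacy BIOS/CSM boot,
    #    which we report as "unknown" rather than treating it as secure.
    try {
        $report.SecureBootEnabled = Confirm-SecureBootUEFI
    } catch {
        $report.SecureBootEnabled = $null
        $report.Note = "Not a UEFI boot or cmdlet unsupported: $($_.Exception.Message)"
    }

    # 2. Which Secure Boot policy is Boot Manager applying right now? The publisher GUID
    #    and version are what you compare against the expected values for your build
    #    (assumption: you have that reference from Microsoft's documentation).
    try {
        $policy = Get-SecureBootPolicy
        $report.PolicyPublisher = $policy.Publisher
        $report.PolicyVersion   = $policy.Version
    } catch {
        $report.PolicyPublisher = $null
        $report.PolicyVersion   = $null
    }

    # 3. Size of the forbidden-signatures database (dbx). Microsoft's fixes for this issue
    #    work by revoking components through dbx, so a dbx that has never grown beyond its
    #    factory size suggests the updates were not applied. Size alone is only a hint.
    try {
        $dbx = Get-SecureBootUEFI -Name dbx
        $report.DbxBytes = $dbx.Bytes.Length
    } catch {
        $report.DbxBytes = $null
    }

    # 4. Test-signing mode is what the leaked policy is designed to permit under Secure Boot.
    #    A machine reporting Secure Boot on *and* testsigning Yes deserves a closer look.
    $bcd = bcdedit /enum '{current}' 2>$null
    $report.TestSigning = [bool]($bcd | Select-String -Pattern '^\s*testsigning\s+Yes' -Quiet)

    return [pscustomobject]$report
}

Get-SecureBootReport | Format-List
```

Run it on a known-good, fully patched machine first and keep that output as a baseline; a device whose policy publisher or version differs from the baseline, whose dbx is smaller, or which shows test-signing enabled while Secure Boot is on is the one to investigate.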
It looks as though the problem will never go away. Without physical access to a machine it’s next to impossible to fix the issue, and once something has leaked on to the Internet it cannot be recalled; just ask Jennifer Lawrence.
Security experts have lined up to berate Microsoft, pointing out that any security system that relies on people relies on the fallible. The mere existence of such a backdoor is a huge risk. The pair that highlighted the flaw had a personal message for the FBI, which recently asked Apple to build a backdoor into its systems after having trouble getting into a suspect’s iPhone. The bloggers say that “this is a perfect real-world example about why your idea of backdooring cryptosystems with a ‘secure golden key’ is very bad!”
Despite generating some alarming headlines, and causing red faces at Redmond, it’s not as serious as it might sound. Malicious uses of the so-called golden key are thankfully fairly unlikely, because you need physical access to the machine, administrator rights, and some low-level tinkering. What it does highlight is the folly of building a backdoor into any system where security is paramount. Slipstream is right on that count. Meanwhile, if you have a machine locked to Windows that you would like to run something else on, you now can. All those Windows phones can be recycled.
The Star Wars-style blog that reveals how Microsoft left the key to Secure Boot in the retail version of Windows.