Microsoft Accidentally Leaks Backdoor In Secure Boot

Microsoft has accidentally leaked the so-called “golden key.” This is a universal backdoor it provides for devices running Secure Boot, like phones and tablets.

Further Reading

7 Apps to Supervise Your Kids Online

6 macOS Tips to Supercharge your Security

What Is Secure Boot?

Microsoft introduced Secure Boot, or Trusted Boot, in Windows 8. It uses the secure boot functionality built into the Unified Extensible Firmware Interface or UEFI. UEFI replaced the older BIOS firmware or Basic Input/Output System of IBM PC-compatible computers.

Secure Boot stops malicious software and unauthorized operating systems, like a Linux live cd, from loading during the boot process. Secure Boot makes sure that only an operating system signed by Microsoft can load on startup. Users can disable Secure Boot on laptops and desktops, but not on certain other devices.

The Hack

Slipstream and MY123, two security researchers, found the keys earlier this year in March. They posted a description of the issue on an awesome, 90s-era website. I’m sitting here dancing to the 8-bit song. Anyway, they talk about Microsoft’s myriad security issues, and also why Microsoft seems unable to patch this. Arstechnica notes that this is why the FBI’s demand for a universal backdoor in Apple’s devices is unwise.

The website notes,

“A backdoor, which MS put in to Secure Boot because they decided to not let the user turn it off in certain devices, allows for Secure Boot to be disabled everywhere! You can see the irony. Also the irony in that MS themselves provided us several nice “golden keys” (as the FBI would say) ? for us to use for that purpose ?

About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a “secure golden key” is very bad! Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears.

You seriously don’t understand still? Microsoft implemented a “secure golden key” system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a “secure golden key” system? Hopefully you can add 2+2…”

Internal debugging seems to be the reason for these golden keys. Apparently, someone left it in the final version of Windows as a debugging tool by accident. Turning off Secure Boot means that Microsoft programmers can disable OS signature checks to test new builds of Windows.

tech support catsIt’s possible that Microsoft cannot even fix the vulnerability. The company released two patches, called MS16-04 (CVE-2016-3287) and MS16-100 (CVE-2016-3320) with a third patch coming in the future. However, none of the patches fully close the backdoor. The researchers say, “It’d be impossible in practise for MS to revoke every bootmgr earlier than a certain point, as they’d break install media, recovery partitions, backups, etc.”

Windows RT

There is a way to disable Secure Boot. The researchers have a script on their website. This may be of interest to users of Windows ARM-based RT since Microsoft has forsaken this system. The script works by running a Microsoft EFI binary during your next reboot. It inserts the debug-mode policy into storage space. Only the firmware and boot manager can access this space.

The script works on Windows RT tablets even with the July and August Patch Tuesday updates. It’s also possible to unlock Windows Phones in this way to install other operating systems like Android.

Can You Do Anything?

It’s important to keep in mind that this vulnerability doesn’t let hackers remotely hijack your computer. They need to manually mess with your computer to take advantage of it. LiquidVPN has a guide on security tools, including Veracrypt. Veracrypt lets you encrypt your hard drive. This won’t stop hackers from bypassing Secure Boot on your machine. However, malicious third parties can’t access your data.

If you want to get in touch with the researchers, you can use an IRC client at in #rtchurch.