Secure Boot snafu: Microsoft leaks backdoor key, firmware flung wide open:
Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called “golden key”—which allows users to unlock any device that’s supposedly protected by Secure Boot, such as phones and tablets.
The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.
And while this means that enterprising users will be able to install any operating system—Linux, for instance—on their Windows tablet, it also allows bad actors with physical access to a machine to install bootkits and rootkits at deep levels. Worse, according to the security researchers who found the keys, this is a decision Microsoft may be unable to reverse.
There’s a lot that can be said about this absolute debacle. I’ll restrain myself to two things:
- This is the exact kind of problem that crops up when you include backdoors in software: eventually the information required to exploit the backdoors emerge.
- Microsoft’s own leakage of the key is one of the most amazing ‘own goals’ in recent security history. It’s going to be one for the history books.
Also: remember when Apple said they didn’t, and would vigorously fight, any effort to backdoor their operating systems? Microsoft’s absolutely failure to secure the cryptographic material is just one rationale behind Apple’s security posture.
Excited Pixels 