Windows Secure Boot: Insecure by design and mostly likely can’t be fixed

Encryption backdoors don’t work; the latest proof of that was discovered by security researchers Slipstream and MY123. This time, the security flub-up involves “golden keys” that can unlock Windows devices allegedly protected by Secure Boot.

The researchers sounded the alarm, saying Microsoft messed up and accidentally leaked the security key that is supposed to protect Windows devices from attackers as a box boots up. This same flaw could be used by the machine’s owner to jailbreak a locked box and run a different OS like Linux—anything really, so long as it is cryptographically signed.

Microsoft said Secure Boot, which is a feature of Unified Extensible Firmware Interface (UEFI) firmware, “ensures that each component loaded during the boot process is digitally signed and validated. Secure boot makes sure that your PC boots using only software that is trusted by the PC manufacturer or the user.”

Secure Boot is also supposed to ensure that Windows Phone or Windows RT device owners cannot disable it and install something like Android.

To wrap your head around the problem exposed by the researchers, you need to grasp Secure Boot policies. (If you prefer, you could try reading a less spastic and quieter version of the researchers’ report via the source code.)

The researchers explained policies, as well as how Microsoft has tried to patch its “screw-ups” multiple times. The researchers did disclose the issue to Microsoft. Microsoft released MS16-094 in July, but it didn’t completely fix the problem. In fact, the researchers said it didn’t do “anything useful.”

Microsoft tried again in August. Yesterday’s Patch Tuesday included the “important” rated security feature bypass patch MS16-100. You can be sure Microsoft’s notes on the patch don’t include any mention of the fix stopping people from unlocking their Secure Boot devices: Attackers, yes, they are mentioned. Owners jumping Microsoft’s ship in favor of a Linux train? Not so much.

Well, now the key-disabling script is floating in the cyber ether. It would allow anyone with physical access to a Windows device, or admin rights, to bypass Secure Boot. The disabling feature was meant to be used by developers. The researchers exploited this design flaw. They doubt Microsoft can ever fully revoke the leaked keys.

Slipstream wrote, “It’d be impossible in practice for MS to revoke every bootmgr earlier than a certain point, as they’d break install media, recovery partitions, backups, etc.”

The duo said this is just another example showing that encryption backdoors don’t work. Their write-up also included a message for the FBI.

About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a “secure golden key” is very bad! Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears. You seriously don’t understand still? Microsoft implemented a “secure golden key” system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a “secure golden key” system? Hopefully you can add 2+2…

Are you a Windows Phone user upset about the lack of app choices such as the Pokemon Go app for Windows? Sure, there was a go-around until the latest update. If you’ve had it with your Windows Phone, the truth is out there—the files aren’t hard to find if you want to switch to a different OS.

Otherwise, if you just want the flipping problem fixed so attackers can’t exploit it, you might not want to hold your breath for that one. Again, the researchers don’t think Microsoft can fully fix it.