Skip to main content

Secure Boot Key Flaw Exposes Windows Devices to Attack: Report


Secure Boot Key Flaw Exposes Windows Devices to Attack: Report

Highlights

  • Secure Boot policies are signed and validated by Microsoft
  • The leaked golden key can bypass operating system checks
  • Golden key allows attackers to boot any OS or self-signed binary
A leak has gone horribly wrong for Microsoft and the company is scrambling to fix the mess. Microsoft unwittingly leaked a 'golden key' that can unlock Windows-powered PCs, tablets, and phones protected by Secure Boot.
For the uninitiated, Secure Boot, a part of Unified Extensible Firmware Interface (UEFI), secures every component of a device's boot process by checking it is validated and signed by Microsoft. This protects the system from being booted by any other OS (malicious or non-malicious) an attacker or user wants to install. Secure Boot, once enabled, cannot be disabled by the user due to policies that are also validated by Microsoft and are loaded and obeyed once the Windows startup process is executed.
Microsoft, however, allowed an exception to the rule that has since become a nightmare for the company. The tech giant signed a special Secure Boot policy that disables the operating system checks, meant to allow developers to test new operating systems without having to sign each one. This policy essentially bypasses the standard checks.
Understandably, the special policy isn't available on commercial products. However, it has been leaked online - where it is now available for attackers to misuse. A curious person may find this 'golden key' - which essentially allows a backdoor into a Secure Boot-enabled Windows system - load it into a Windows firmware and trick Microsoft into believing the person is loading a valid and verified OS while actually installing a malicious one, even a self-signed binary. In simple terms, the golden key can unlock Secure Boot, and gives attackers unfettered access to install bootkits or rootkits alongside.


Security researchers my123 (@never_released) and slipstream (@TheWack0lian) were the ones to warn Microsoft that its Windows machines products were vulnerable due to the leak. After months of ignoring the issue, the researchers said Microsoft issued a bug bounty award and created two patches (one in July, and another in August). The Register claimed even the second patch does not actually resolve the vulnerability, only removing access to certain boot manager systems while leaving the policy flaw intact.
A third patch is expected to come out in September. However, the researchers believe the vulnerability cannot be completely fixed. Until the third patch comes out, the only thing users can do to protect their systems is to make sure their Microsoft patches are up-to-date on all Windows devices.
The leak of the golden key signals a bigger threat, one which puts into question the safety and security of devices and the need for such backdoor entries that can render your phones and computers vulnerable to hacks. To this effect, one of the researchers, Slipstream, issued a statement to the FBI:
"About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a "secure golden key" is very bad! Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears. You seriously don't understand still? Microsoft implemented a 'secure golden key' system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a 'secure golden key' system?"

Comments

Popular posts from this blog

ChatSim 2 Launched With Unlimited Internet Access and Messaging, to Be Showcased at MWC 2018

25 February 2018, Shivashish Bhunia Before Reading this up,  just check out my Bestie's Page For Amazing Quotes and Poetry Content!  https://www.theparadoxwhowritez.blogspot.com HIGHLIGHTS The second-gen variant offers access for all mobile apps in its core plan World premiere of ChatSim 2 will take place at MWC 2018 in Barcelona It provides unlimited to messaging apps like WhatsApp and WeChat SIM card provider ChatSim on Thursday announced the launch of its latest ChatSim 2 SIM card in Milan, Italy. The second generation of the company's proprietary SIM card now claims to offer Internet surfing with "free and unlimited data traffic." The SIM card can provide data access without limitations, roaming charges, or Wi-Fi connectivity. The annual plan also lets you send text messages across 165 countries. ChatSim 2 will have its world premiere at Mobile World Congress 2018 in Barcelona from February 26-March 1, and more ...

Hello Moto: A Look Back at Six Classic Moto Phones

  12 December 2016 HIGHLIGHTS Motorola was the first company to ship a cellphone Its biggest hit was the Moto RAZR V3 Today, Motorola is a part of Chinese electronics giant Lenovo Recently, we relived the past with Nokia’s most memorable phones of all time. Although there may be a lot of fanboys and fangirls of the Finnish brand, many have equally strong feelings for the daddy of all mobile phone brands - Motorola. Its name will forever be etched in history as the  first company  to sell a mobile phone - the DyanTAC 8000X - in 1983. Since then, Motorola has been an easily identifiable brand to almost everybody in the world. Its designs were often strikingly unique and at the same time, Motorola phones often gave out a vibe that these devices mean business. Today, we’ve handpicked some of the most memorable Motorola phones we’ve come across. Here are our picks for the six most memorable Motorola phones of all time. 1) Motorola ...

Today's Special---Cyber Monday Deals From Amazon, Best Buy, Walmart, eBay, GameStop, Target, and Others

  28 November 2016 HIGHLIGHTS After Black Friday, sales continue on products with Cyber Monday Products are likely to run out of stock, so if you like something, get it All major stores are participating in Cyber Monday sales The weekend is over, but the Black Friday deals sure aren't. The only thing that’s changed is the name – Cyber Monday is here to provide discounts on items from all the biggest brands. Here’s a round-up of the best Cyber Monday deals available from big retailers like Amazon, Best Buy, eBay, GameStop, and Target right now: Amazon Amazon Echo  at $139.99, instead of $179.99 This always-listening speaker comes with a friendly assistant called Alexa who can help you with recipes, play music, or just answer interesting bits of trivia. Amazon Tap  at $89.99, instead of $129.99 If you’d like a portable version of the Amazon Echo, the Amazon Tap is what you should be getting. The only downside is that it isn’t alw...