
Microsoft leaves backdoor in 'Secure' Boot

Microsoft has, too slowly, admitted that its supposedly ‘Secure Boot’ system can be bypassed with a special ‘golden key’ of its own making. The ‘golden key’ is not a cryptographic key at all but a Microsoft-signed Secure Boot debugging policy: once the Windows Boot Manager loads it, signature checking on the rest of the boot chain is switched off, so unsigned code runs before Windows does.

Secure Boot is sold as a way to stop computers being compromised by hackers before Windows starts: the firmware and boot manager are only supposed to load components that carry a trusted signature. It’s an important part of securing your computer from attack, and the foundation that later protections such as disk encryption build on.

Amazingly, Microsoft developers created a signed ‘master key’ policy which allowed anyone who could load it to bypass Secure Boot and hack computers. Worse, they shipped that ‘golden key’ in public Windows builds, where researchers were able to find and extract it.

A real problem, not a PR problem

Of course, Microsoft is playing its usual PR game rather than treating this as a serious problem. Notified of the issue in March, the company took until July to acknowledge it and start issuing patches. Even now it attempts to downplay the matter, saying:

The jailbreak technique described in the researchers’ report on August 10 does not apply to desktop or enterprise PC systems. It requires physical access and administrator rights to ARM and RT devices and does not compromise encryption protections.

As Ars Technica points out, this is PR spin of a high order. The issue was reported to Microsoft in March, not August as the statement implies. It might not apply to desktop and enterprise computers (we only have Microsoft’s word for that), but it does affect Microsoft’s own Surface devices, a detail left out of the statement.

The last phrase, ‘does not compromise encryption protections’, is pure sophistry. The encryption keys do not leak by themselves, but once Secure Boot is bypassed an attacker can persist a bootkit that runs before the operating system and before any unlock prompt, so the boot chain that decides when the disk is unlocked is no longer trustworthy. That is how encryption on the computer can potentially be bypassed, and it is precisely the attack Secure Boot exists to prevent.

It’s hard to know where to begin with this:

  • Why did Microsoft put a backdoor into Secure Boot at all? If Microsoft were truly serious about customer security, the backdoor would not have been created, let alone released to the public. It appears to have been made for the convenience of Microsoft’s own developers and testers, as a way to boot unsigned code without turning Secure Boot off in the firmware, with no consideration of the consequences once it escaped.
  • Are there similar backdoors in other supposedly secure Windows features like BitLocker?
  • Microsoft has, for decades, adamantly denied suggestions that its products had backdoors to bypass security features. So much for those assurances.
  • Apple was right to refuse the FBI’s requests to put ‘master key’ systems into iPhones and similar devices.
  • The FBI was totally wrong to demand these intrusions into devices. Any such backdoor can be used by hackers and criminals as well as by governments or other ‘good guys’, and this episode shows that a signed bypass does not stay with its intended users.

Microsoft wonders why people don’t trust the company. It’s situations like this, and the poor response to them, that encourage suspicion.

About this author

Office-Watch.com

Office Watch is the independent source of Microsoft Office news, tips and help since 1996.