Researchers crack Microsoft feature, say encryption backdoors similarly crackable
Researchers who uncovered a security key that protects Windows devices as they boot up say their discovery is proof that encryption backdoors do not work.
The pair of researchers, credited by their hacker nicknames MY123 and Slipstream, found the cryptographic key protecting a feature called Secure Boot.
They believe the discovery highlights a problem with requests law enforcement officials have made for technology companies to provide police with some form of access to otherwise virtually unbreakable encryption that might be used by criminals.
"Microsoft implemented a 'secure golden key' system. And the golden keys got released from [Microsoft's] own stupidity," wrote the researchers in their report, in a section addressed by name to the FBI.
"Now, what happens if you tell everyone to make a 'secure golden key' system? Hopefully you can add 2+2."
Secure Boot is a feature built into a computer's firmware, the low-level software, specific to each type of hardware, that exists outside the operating system and is used to boot it.
Microsoft built Secure Boot to handle a type of malware that tampers with the boot process. This malware - called a rootkit - flies so far under the radar that even security tools cannot notice it.
To handle the problem, Microsoft requires devices to have a mode that prevents any operating system without a Microsoft-issued cryptographic key from booting. It also allows some keys to control specific aspects of the boot process.
Most systems let users turn Secure Boot on and off. Certain systems, including some tablets and phones, do not. Devices that cannot disable Secure Boot can never install competing operating systems.
There appears to have been a mode set up for developers that disables the key checks. MY123 and Slipstream were able to exploit a design flaw in the system to obtain the keys to the mode that disables those checks.
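The mechanism the article describes, verified boot images plus a vendor-signed policy that can switch verification off, can be modelled in a few lines. The following is an added illustration, not Microsoft's code or the researchers' report: it uses an HMAC under a constructed vendor key as a stand-in for the real asymmetric signatures, and the policy strings, image names and revocation set are all assumptions of this model. It shows why the design holds up until a signed "verification off" policy leaks, and what a hash-based revocation list can and cannot do about that.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor's signing key. Real Secure Boot uses
# asymmetric (RSA) signatures over boot images; an HMAC keeps this model
# dependency-free and offline.
VENDOR_KEY = b"constructed-vendor-signing-key"


def sign(blob: bytes, key: bytes = VENDOR_KEY) -> bytes:
    """Produce a 32-byte 'signature' for blob under key (model only)."""
    return hmac.new(key, blob, hashlib.sha256).digest()


def is_signed(blob: bytes, sig: bytes, key: bytes = VENDOR_KEY) -> bool:
    """Constant-time check that sig is a valid signature of blob under key."""
    return hmac.compare_digest(sign(blob, key), sig)


class Firmware:
    """Minimal model of a Secure Boot verifier with a signed policy object."""

    ENFORCE = b"policy:verify=on"    # assumed default policy: check images
    DEBUG = b"policy:verify=off"     # assumed developer policy: skip checks

    def __init__(self):
        self.policy = self.ENFORCE
        self.policy_sig = sign(self.policy)
        self.revoked = set()   # SHA-256 hashes of policies blocked by an update

    def apply_policy(self, policy: bytes, sig: bytes) -> bool:
        """Install a policy only if it is vendor-signed and not revoked."""
        if hashlib.sha256(policy).hexdigest() in self.revoked:
            return False
        if not is_signed(policy, sig):
            return False
        self.policy, self.policy_sig = policy, sig
        return True

    def revoke_policy(self, policy: bytes) -> None:
        """Model of a firmware update that blacklists one policy by hash."""
        self.revoked.add(hashlib.sha256(policy).hexdigest())
        if self.policy == policy:
            self.policy, self.policy_sig = self.ENFORCE, sign(self.ENFORCE)

    def boot(self, image: bytes, sig: bytes) -> bool:
        """Return True if the image is allowed to boot under the current policy."""
        if self.policy == self.DEBUG:
            return True            # verification disabled: anything boots
        return is_signed(image, sig)


def demo() -> dict:
    """Walk through the scenario; returns the outcome of each step."""
    fw = Firmware()
    os_image = b"constructed-signed-os-loader"
    bootkit = b"constructed-unsigned-bootkit"
    no_sig = b"\x00" * 32
    r = {}
    r["signed_os_boots"] = fw.boot(os_image, sign(os_image))
    r["unsigned_rejected"] = fw.boot(bootkit, no_sig)
    # A policy forged under a different key is rejected: the design is sound
    # as long as the vendor's signed policies never leave the vendor.
    r["forged_policy_installs"] = fw.apply_policy(
        Firmware.DEBUG, sign(Firmware.DEBUG, b"attacker-key"))
    # The leaked policy carries a genuine vendor signature, so it installs.
    leaked_sig = sign(Firmware.DEBUG)
    r["leaked_policy_installs"] = fw.apply_policy(Firmware.DEBUG, leaked_sig)
    r["unsigned_boots_after_leak"] = fw.boot(bootkit, no_sig)
    # Revoking that policy's hash blocks this one artifact, but not the key.
    fw.revoke_policy(Firmware.DEBUG)
    r["leaked_policy_after_revoke"] = fw.apply_policy(Firmware.DEBUG, leaked_sig)
    r["unsigned_boots_after_revoke"] = fw.boot(bootkit, no_sig)
    return r


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step}: {outcome}")
```

The revocation step blocks only the exact policy whose hash was added; any other policy already signed under the same key stays valid, which is why a leaked signed artifact is a different problem from a forged one, and why revocation lists grow rather than close the issue.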
The pair notified Microsoft of the design flaw, and Microsoft has made a few patch attempts to fix it. But the patches, writes Slipstream, have not worked.
Four hours after the research was posted, someone posted what purports to be the key-disabling key. Now, anyone looking to bypass Secure Boot is able to do so.
"This is a perfect real world example about why your idea of backdooring cryptosystems with a 'secure golden key' is very bad! Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears," writes Slipstream in the report.
FBI Director James Comey has been non-committal as to whether he wants a golden key - a single key used to unlock a series of devices - or what's known as a split key - a two-key system where a device manufacturer holds one and the FBI the other. But reverse engineering the Secure Boot key or keys from this design flaw would be largely the same no matter which method was used.
From a security standpoint, now that its keys have been released, having Secure Boot turned on is more or less no different than having Secure Boot turned off, bringing rootkits back into the threat landscape.
But the keys' release is nonetheless cause for celebration for many Microsoft device owners. The phones and tablets that could not turn off Secure Boot before now have the ability to do so, which means people who had no ability to change operating systems on their tablets now have that ability.
Update, August 11, 3:34 p.m.
Microsoft responded to the story with a statement emphasizing that, as a security vulnerability, this only affects a limited number of devices.
"The jailbreak technique described in the researchers' report on August 10 does not apply to desktop or enterprise PC systems. It requires physical access and administrator rights to ARM and RT devices [respectively a class of processor used in mobile devices and product line of Surface tablets] and does not compromise encryption protections," a company spokesperson said.