- Secure Boot policies are signed and validated by Microsoft
- The leaked golden key can bypass operating system checks
- Golden key allows attackers to boot any OS or self-signed binary
A leak has gone horribly wrong for Microsoft and the company is scrambling to fix the mess. Microsoft unwittingly leaked a ‘golden key’ that can unlock Windows-powered PCs, tablets, and phones protected by Secure Boot.
For the uninitiated, Secure Boot, a part of Unified Extensible Firmware Interface (UEFI), secures every component of a device’s boot process by checking it is validated and signed by Microsoft. This protects the system from being booted by any other OS (malicious or non-malicious) an attacker or user wants to install. Secure Boot, once enabled, cannot be disabled by the user due to policies that are also validated by Microsoft and are loaded and obeyed once the Windows startup process is executed.
Microsoft, however, allowed an exception to the rule that has since become a nightmare for the company. The tech giant signed a special Secure Boot policy that disables the operating system checks, meant to allow developers to test new operating systems without having to sign each one. This policy essentially bypasses the standard checks.
Understandably, the special policy isn’t available on commercial products. However, it has been leakedonline – where it is now available for attackers to misuse. A curious person may find this ‘golden key’ – which essentially allows a backdoor into a Secure Boot-enabled Windows system – load it into a Windows firmware and trick Microsoft into believing the person is loading a valid and verified OS while actually installing a malicious one, even a self-signed binary. In simple terms, the golden key can unlock Secure Boot, and gives attackers unfettered access to install bootkits or rootkits alongside.
Security researchers my123 (@never_released) and slipstream (@TheWack0lian) were the ones to warn Microsoft that its Windows machines products were vulnerable due to the leak. After months of ignoring the issue, the researchers said Microsoft issued a bug bounty award and created two patches (one in July, and another in August). The Register claimed even the second patch does not actually resolve the vulnerability, only removing access to certain boot manager systems while leaving the policy flaw intact.
A third patch is expected to come out in September. However, the researchers believe the vulnerability cannot be completely fixed. Until the third patch comes out, the only thing users can do to protect their systems is to make sure their Microsoft patches are up-to-date on all Windows devices.
The leak of the golden key signals a bigger threat, one which puts into question the safety and security of devices and the need for such backdoor entries that can render your phones and computers vulnerable to hacks. To this effect, one of the researchers, Slipstream, issued a statement to the FBI:
“About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a “secure golden key” is very bad! Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears. You seriously don’t understand still? Microsoft implemented a ‘secure golden key’ system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a ‘secure golden key’ system?”