Skip to main content

Microsoft left the Secure Boot golden key sitting out in the open

microsoft secure boot tool policy patched surface pro 3 hands on 10
Image used with permission by copyright holder
Whoops! Two researchers discovered earlier this year that Microsoft accidentally included an internal debugging tool, or policy, on Surface hardware shipped to customers. It’s a “golden key” of sorts that will enable anyone to bypass Microsoft’s Secure Boot provision. This security feature prevents the installation of non-genuine Windows-based operating systems and other non-Microsoft platforms, such as Linux. Microsoft introduced Secure Boot with the launch of Windows 8 back in October of 2012.

Secure Boot works at the firmware level, and essentially makes sure that the bootloader and other components are cryptographically signed and allowed to run on the current hardware. Because of this, only an operating system cryptographically signed by Microsoft can load. In addition to preventing piracy, Secure Boot also stops malware in its tracks when it tries to modify the system firmware, or install rootkits that load up before or during the OS loading process.

Recommended Videos

Secure Boot relies on a DeviceID element, meaning each device has its own unique number. Thus, this number is associated with the installed operating system. That said, Secure Boot cannot be disabled on Microsoft devices by consumers.

Please enable Javascript to view this content

However, Microsoft created tools (aka policies) for altering the Secure Boot system. These tools are merely sets of rules that load up during the boot process, enabling IT administrators to make changes to their Microsoft-based hardware, for developers to test drivers, and so on. The “golden key” in question disables the operating system signature check so that Microsoft’s own developers can test new builds without having to officially sign each one.

Thus, the leaked tool does not include a DeviceID element, nor does it have any rules pertaining to on-disk Boot Configuration Data, enabling anyone to test-sign software not signed by Microsoft. With this tool now out in the wild, Microsoft devices like the Surface 3 and Surface Book could be even more open to nasty attacks by hackers. This of course heats up the controversy surrounding backdoors in operating systems.

“About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a ‘secure golden key’ is very bad! Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears,” the researchers write. “You seriously don’t understand still? Microsoft implemented a ‘secure golden key’ system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a ‘secure golden key’ system? Hopefully you can add 2+2.”

According to a disclosure timeline, the researchers discovered the initial policy and reported the problem to Microsoft between March and April of this year. Microsoft seemed reluctant to fix the issue at first, but finally awarded them a bug bounty in June. A patch arrived in July but didn’t totally resolve the issue, thus Microsoft launched another patch in August. A third patch is expected to be released soon.

The Secure Boot credential leak arrives after Apple’s conflict with the FBI over the iPhone 5c used by one of the San Bernardino shooters in December of 2015. The government wanted Apple to create a version of iOS with a built-in backdoor so that agents could gain access to the device’s data. The investigation was to take place within a special lab at Apple, but the company refused to create such a tool, stating that it would cause utter chaos for iOS device owners if it fell into the wrong hands.

Kevin Parrish
Former Digital Trends Contributor
Kevin started taking PCs apart in the 90s when Quake was on the way and his PC lacked the required components. Since then…
Microsoft Edge gets hit with the same serious security bug that plagued Chrome
The Microsoft Edge browser is open on a Surface Book 2 in tablet mode.

Microsoft just released an Edge browser update that patches a dangerous flaw that could allow a cleverly designed attack to execute arbitrary code. While every security update should be installed promptly, this one is a bit more urgent because the attack is "in the wild" already, meaning that hackers are already taking advantage of this vulnerability to breach security.

Designated CVE-2022-2294, this vulnerability was actually a flaw with the Chromium project, the open-source code that Google's Chrome browser is built upon. Microsoft uses the same base code for the Edge browser, meaning bugs that affect one often plague the other. Google patched the same bug recently and has been keeping quiet about details of the attack to allow others to make similar fixes, since Chromium is quite a popular codebase.

Read more
Microsoft Defender finally feels like proper antivirus software for individuals
The Windows Security app in Windows 11.

With password attacks and ransomware on the rise, Microsoft has announced the general availability of Microsoft Defender for individuals, a premium, cross-platform, consumer security application for Windows, Android, iOS, and Mac.

Available for paid Microsoft 365 Personal and Family subscribers, this new security offering from Microsoft is the latest step in a journey to bring its security features to all of its users. Building on what's been done with the Windows Security app on Windows, Microsoft Defender for individuals will bring together multiple protections into a single online dashboard.

Read more
Microsoft Defender has one key weakness its rivals don’t
A Windows 11 device running Microsoft Defender.

Nothing beats free antivirus protection on Windows, like Microsoft Defender, but some of that software might not be as strong as you think based on a new study from an anti-malware assessment company.

The latest AV-Comparatives report shows data that reveals Microsoft Defender doesn't perform as well with virus scans when it is offline when compared to competitors.

Read more