Oops. Microsoft ‘accidentally’ leaks its ‘golden key’ unlocking Secure-Boot protected Windows devices.

Microsoft introduced a feature called “Secure Boot” with Windows 8. The feature basically prevented users from installing operating systems that weren’t signed by Microsoft — for example, if Secure Boot was enabled on your Windows 10 device, you wouldn’t be able to install Linux on it. In addition to Windows PCs, Secure Boot was also present on Windows Phone devices and Windows tablets.

However, there are some devices where the user can’t disable Secure Boot, including Windows RT, Windows Phone and HoloLens devices.

Now, security researchers Slipstream and MY123 have been able to bypass Secure Boot, thanks to a design flaw. According to the researchers, Secure Boot includes a “golden key” which allows the feature to be disabled on a device. The golden key was apparently leaked by Microsoft itself during the development of Windows 10 Version 1607, and the company is now trying to fix it.

“A backdoor,” the researchers noted, “which MS put in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!”

Attackers who can also obtain either admin rights on, or physical access to, a device could then install and execute rootkits and bootkits, presenting a grave security threat for users.

Secure Boot is governed by several policies that the Windows boot manager enforces. For purposes of testing and tweaking, Microsoft has one boot policy that loads early in the process and disables the signature checks for operating systems. Developers can use this policy to boot other systems, including self-signed binaries.

This “golden key” policy, however, was inadvertently shipped along with retail devices, where Slipstream and MY123 discovered it. The policy was deactivated on those devices, but it was present nonetheless.

The researchers have now leaked the policy online. The policy, signed by the Windows Production PCA 2011 key of Microsoft, can be provisioned into devices as an active policy, which will disable Secure Boot.

Making matters worse is the fact that it is a universal policy, and not tied to a single device or architecture. The “golden key” can be used on both ARM and x86, on any device that uses the boot manager of Windows.
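A toy model, added here and not taken from the researchers’ report or from Microsoft’s code, of the two points above: a “checks off” policy signed by the production key is honoured on every device, while binding such a policy to one device identifier and revoking known-bad policy hashes would contain it. HMAC stands in for the real RSA signature, and all field names, device identifiers and the revocation list are assumptions.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the private signing key of the production CA;
# HMAC replaces the real signature only so the model runs offline.
PRODUCTION_KEY = b"constructed-production-signing-key"


def sign_policy(policy: dict, key: bytes = PRODUCTION_KEY) -> dict:
    """Return {body, sig}: a signature over the canonical JSON policy."""
    body = json.dumps(policy, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(key, body, hashlib.sha256).hexdigest()}


def signature_valid(signed: dict, key: bytes = PRODUCTION_KEY) -> bool:
    expected = hmac.new(key, signed["body"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["sig"])


def boot_manager_flawed(signed: dict, device_id: str) -> bool:
    """True if OS signature checks stay enabled after loading the policy.
    Flawed model: any policy under the production key is honoured anywhere."""
    if not signature_valid(signed):
        return True  # unsigned/tampered policy is ignored, checks stay on
    policy = json.loads(signed["body"])
    return not policy.get("skip_signature_checks", False)


# Constructed revocation list of SHA-256 policy-body hashes (assumed mitigation).
REVOKED: set = set()


def boot_manager_hardened(signed: dict, device_id: str) -> bool:
    """Same question, but a checks-off policy must be unrevoked and bound
    to exactly this device before it is honoured."""
    if not signature_valid(signed):
        return True
    if hashlib.sha256(signed["body"]).hexdigest() in REVOKED:
        return True
    policy = json.loads(signed["body"])
    skip = policy.get("skip_signature_checks", False)
    if skip and policy.get("target_device") != device_id:
        return True  # universal unlock policy: refused
    return not skip


# Constructed "golden key" policy: disables checks and is bound to no device.
GOLDEN = sign_policy({"name": "debug-unlock", "skip_signature_checks": True,
                      "target_device": None})
# Constructed device-bound debug policy, the shape a safe design would require.
BOUND = sign_policy({"name": "lab-unlock", "skip_signature_checks": True,
                     "target_device": "lab-box-7"})
```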

The researchers reported their discovery to Microsoft, which initially ignored the report around March to April and then awarded a bug bounty a few months later. Microsoft has released security patches in an attempt to solve the problem, but so far they have not affected the capabilities of the “golden key.”

Evidence for the FBI to examine

Over the past winter, the FBI has locked horns with Apple over its efforts to bypass the boot security system of iOS, with the intent to make it easier to decrypt data on iPhones and other devices.

In February, Apple’s chief executive Tim Cook issued a statement in response to FBI demands, writing that, “We have great respect for the professionals at the FBI, and we believe their intentions are good. Up to this point, we have done everything that is both within our power and within the law to help them.

But now the U.S. government has asked us for something we simply do not have, and something we consider too dangerous to create. They have asked us to build a backdoor to the iPhone.”

Cook concluded, “while the government may argue that its use would be limited to this case, there is no way to guarantee such control.”

Sure enough, after Microsoft did create a backdoor for Windows Phone and other Secure Boot devices, it subsequently leaked the tools for unlocking that backdoor.

The researchers involved in documenting Microsoft’s screwup observed,

“About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a “secure golden key” is very bad! Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears. You seriously don’t understand still? Microsoft implemented a “secure golden key” system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a “secure golden key” system? Hopefully you can add 2+2…”

You can view the full report here, where the researchers detail the flaw with more information.

4 thoughts on “Oops. Microsoft ‘accidentally’ leaks its ‘golden key’ unlocking Secure-Boot protected Windows devices.”

  1. Microsoft is one of the dumbest tech companies out there. Create a system of securing and verifying the OS on boot. Call it Secure Boot and then proceed to give away the keys. Incredible! But predictable.


    1. Yeah... that happened. That’s why Apple doesn’t want to create a backdoor into iPhones like the FBI wants them to. They need their image as a more security-focused company.

