Update: Steve Gibson has taken issue with the ‘golden key’ term used by Ars, arguing that it overplays the significance of the vulnerability.
I wrote an opinion piece predating the San Bernardino shootings on why Apple was right to stand firm on encryption even in the face of terrorist attacks, and another one afterwards explaining why it would be too dangerous to give the FBI the iPhone master key they demanded.
My main argument was that something as powerful as a master key to unlock an iPhone would eventually fall into the wrong hands.
So soon, the FBI would hold the key. Then other law enforcement agencies. In time, that key would be held in every police precinct house. We would then be trusting more than a million people with access to that key to abide by the rules. Government agencies don’t always have the best of track records in doing that.
And Microsoft has just proven my point, even with code that was never intended to leave the company’s possession …
ArsTechnica reported yesterday that Microsoft accidentally leaked a universal backdoor to Windows.
Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called “golden key”—which allows users to unlock any device that’s supposedly protected by Secure Boot, such as phones and tablets.
The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.
Microsoft has today tried to downplay the importance of the leak, stating that it applies only to Surface devices and phones, not to desktops, but that’s hardly the point. A key piece of code that allows some of its devices to be completely compromised – a piece of code that should have been fiercely guarded – has leaked.
It didn’t even require any malicious intent: the leak appears to be the result of someone making a stupid, but all too human, mistake.
The golden key [was apparently] bundled in dormant form on retail devices, left in as a debugging tool by accident.
The researchers, too, were struck by the parallel with the FBI case (switch off your sound before clicking the link: their website is like something from the Geocities days …).
About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a ‘secure golden key’ is very bad! Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears.
As for the code, it’s out there now, and it appears impossible for Microsoft to fully patch it.
According to the researchers, “it’d be impossible in practise for MS to revoke every bootmgr earlier than a certain point, as they’d break install media, recovery partitions, backups, etc.”
That’s code that was intended to be kept purely within the company. Code that would inevitably be handed over to law enforcement agencies would be a million times more vulnerable. And that is why Apple was absolutely right to resist pressure to create a master key to unlock the iPhone.