Two researchers operating under aliases (my123 and slipstream) this week posted a report—accompanied by a relentless chiptune—that reveals how Microsoft inadvertently published a Secure Boot policy that acts as a backdoor, allowing the UEFI firmware feature to be disabled and anyone to load unsigned or self-signed code.
The gaffe, meant to be a legitimate debugging and testing feature, affects Windows-based devices with Secure Boot on by default; Secure Boot checks that any components loaded during boot are digitally signed (by Microsoft) and verified. As a result of the error, users can run self-signed binaries on affected devices or install non-Windows operating systems.
Worse, the researchers said, is that it’s unlikely Microsoft can clean up this mess. For two months running, Microsoft has published security bulletins on Patch Tuesday that include updates to Secure Boot. Neither, according to my123 and slipstream, has fully addressed this issue.
“It’d be impossible in practise for MS to revoke every bootmgr earlier than a certain point, as they’d break install media, recovery partitions, backups, etc,” the researchers wrote in their report.
Microsoft did not respond to a request for comment in time for publication.
“The jailbreak technique described in the researchers’ report on August 10 does not apply to desktop or enterprise PC systems. It requires physical access and administrator rights to ARM and RT devices and does not compromise encryption protections,” a Microsoft spokesperson told Threatpost via email.
Microsoft’s first pass at fixing this in June, MS16-094, blacklisted most, but not all, of the relevant policies, the researchers said. An attacker would still be able to manipulate bootmgr, which manages boot sequences in Windows, in order to bypass Secure Boot. The second patch, released this week in MS16-100, says it revokes bootmgrs and updates the Secure Boot dbx, adding new SHA256 hashes. The researchers, however, said this patch may not be complete either.
“I checked the hash in the signature of several bootmgrs of several architectures against this list, and found no matches,” slipstream said. “So either this revokes many ‘obscure’ bootmgrs and bootmgfws, or I’m checking the wrong hash.”
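The revocation mechanism MS16-100 relies on is the UEFI dbx: a blob of consecutive EFI_SIGNATURE_LIST structures whose SHA-256 entries are matched against the Authenticode image hash of each boot binary. The following is an added example, not code from the researchers or from Microsoft, that parses such a blob and reports whether a given image hash is revoked, which is the kind of check slipstream describes; the sample dbx and its two hashes are constructed, and computing a PE file's Authenticode hash is assumed to happen elsewhere.

```python
import struct
import uuid

# EFI_CERT_SHA256_GUID from the UEFI specification: marks a signature list
# whose entries are raw SHA-256 image hashes (48 bytes each incl. owner GUID).
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")


def parse_dbx_sha256(dbx: bytes) -> set[str]:
    """Walk consecutive EFI_SIGNATURE_LIST structures and return the SHA-256
    entries as lowercase hex. Other list types (e.g. X.509) are skipped."""
    hashes = set()
    off = 0
    while off < len(dbx):
        if len(dbx) - off < 28:
            raise ValueError("truncated EFI_SIGNATURE_LIST header")
        sig_type = uuid.UUID(bytes_le=dbx[off:off + 16])
        list_size, hdr_size, sig_size = struct.unpack_from("<III", dbx, off + 16)
        if list_size < 28 or off + list_size > len(dbx):
            raise ValueError("EFI_SIGNATURE_LIST size out of bounds")
        if sig_type == EFI_CERT_SHA256_GUID:
            if sig_size != 48:  # 16-byte SignatureOwner GUID + 32-byte hash
                raise ValueError("unexpected SignatureSize for SHA-256 list")
            data_off = off + 28 + hdr_size
            while data_off + sig_size <= off + list_size:
                hashes.add(dbx[data_off + 16:data_off + 48].hex())
                data_off += sig_size
        off += list_size
    return hashes


def is_revoked(image_hash_hex: str, dbx: bytes) -> bool:
    """True if the given Authenticode SHA-256 image hash appears in the dbx."""
    return image_hash_hex.lower() in parse_dbx_sha256(dbx)


def build_sha256_list(hashes: list[bytes]) -> bytes:
    """Build one EFI_SIGNATURE_LIST of SHA-256 entries (for constructed test data)."""
    owner = uuid.UUID(int=0).bytes_le  # zero SignatureOwner GUID, constructed
    body = b"".join(owner + h for h in hashes)
    header = EFI_CERT_SHA256_GUID.bytes_le + struct.pack("<III", 28 + len(body), 0, 48)
    return header + body


# Constructed sample dbx: two made-up revoked hashes, not real MS16-100 entries.
REVOKED_A = bytes(range(32))
REVOKED_B = bytes(range(32, 64))
SAMPLE_DBX = build_sha256_list([REVOKED_A, REVOKED_B])
```

Feed it a real dbx (for example the contents of the dbx UEFI variable dumped from a machine after the update) and the Authenticode hash of a bootmgr to see whether that binary is actually revoked.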
With the policy now available online, the researchers said, Secure Boot can be disabled on Windows devices including Windows RT, HoloLens, Windows Phone and possibly Surface Hub.
“A backdoor, which MS put in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere! You can see the irony,” the researchers wrote. “Also the irony in that MS themselves provided us several nice ‘golden keys’ (as the FBI would say) for us to use for that purpose :)”
The irony is not lost on anyone who was watching the Apple-FBI saga from early this year, during which the government asked Apple to create an intentionally weakened version of iOS that would disable or bypass existing protections on a terrorist’s iPhone, including the one that wipes the phone after a certain number of missed passcode guesses.
Apple fought the FBI in court, challenging the constitutionality of the government’s demand, which was eventually dropped after the FBI found an unnamed third-party who could crack the phone.
The Secure Boot report calls out the FBI specifically.
“About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a ‘secure golden key’ is very bad!,” the researchers wrote. “Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears. You seriously don’t understand still? Microsoft implemented a ‘secure golden key’ system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a “secure golden key” system? Hopefully you can add 2+2…”
This article was updated Aug. 11 with a comment from Microsoft.