Microsoft Secure Boot key leak shows why backdoors are bad

JC Torres - Aug 11, 2016, 3:30 am CDT

There is an oft-quoted adage called “Murphy’s Law” (not to be confused with Moore’s Law) that, simplified, goes like this: anything that can go wrong will go wrong. Well, that proverbial thing may have just hit the fan as far as Microsoft’s operating system and devices are concerned. The “golden key”, that is, a key to a hallowed backdoor, to Microsoft’s Secure Boot implementation has just been leaked. It’s a double-edged sword: it allows power users to install operating systems and software on previously locked-down devices, but it also gives unsavory characters the power to install malware such as rootkits and bootkits.

A well-known bane to users of other operating systems on computers and devices locked to Windows, Secure Boot is part of Microsoft’s implementation of the now mostly universal UEFI firmware system on modern PCs, laptops, and even some mobile devices. In layman’s terms, Secure Boot ensures that only certified secure software, a.k.a. Windows, will be able to boot on the device. Any compromised system, or any other operating system, is immediately rejected, unless either the user explicitly disables Secure Boot herself or the operating system provider, as with some Linux distributions, certifies the OS so that Secure Boot acknowledges it.

While that works in theory, the problem now is that Microsoft apparently not only put a backdoor into Secure Boot but, of course, has a key to that backdoor. And through a series of unfortunate events, starting from a flaw in Microsoft’s software design all the way to mishandling of fixes, that key has now been leaked out for anyone with the know-how to use. The consequence of this is that any device previously completely locked with Secure Boot is now ready to be pried open. While most PCs and laptops do have a switch to turn Secure Boot off, some devices, like those running Windows RT and Windows Phone, are completely barricaded. Until now, that is.

It also means that malware like bootkits and rootkits will be able to install themselves and bypass Secure Boot’s checks, once again making Windows one of, if not the, most insecure operating systems in the world.

But more than just the fiasco of the leak itself, the incident is now being used as a glaring example of why suggestions from the FBI, and from other governments, to have backdoors and golden keys are a terrible idea. The mere existence of such a key invites disasters like this. Through malice, innocent error, or sheer stupidity, sooner or later that key will leak out. And, like in this case, there might be no going back.

Microsoft’s problem now, aside from a PR disaster, is that it may no longer have any way to tear down that backdoor, at least not without potentially breaking systems around the world. Considering how controversial its Windows 10 upgrade push has been, that might be something it’ll want to avoid.

SOURCE: Ring of Lightning
VIA: ZDNet

