Microsoft has inadvertently leaked a “backdoor” that bypasses Secure Boot, a firmware component designed to keep its devices sealed from outside tampering. Anyone with administrator rights who possesses the “golden keys,” as security researchers have described their finding, can load whatever operating system they please onto an otherwise restricted Windows device, such as a Windows Phone, Windows RT tablet, or HoloLens.
Someone with physical access to one of these devices can also use the tool to load malicious software, such as a so-called rootkit, onto it, giving that person full control over the system. (It’s worth noting that Windows PCs and servers are typically not locked with Secure Boot.)
Some Microsoft devices have ‘restricted operating systems’: on a Lumia smartphone, Secure Boot ensures that the device can only run Windows Phone or Windows 10 Mobile, and on a Surface RT tablet the intended operating system is Windows RT. But with Secure Boot removed and out of the way, it would be possible to, say, make a Lumia device run Android or some other operating system.
Microsoft’s leak could be used to support tech companies in the ongoing dispute over providing governments with backdoor access to encrypted devices. In February, Apple denied the FBI access to an iPhone used in the San Bernardino shootings in the US. Since then, there has been a global push from government agencies for the creation of backdoor access to encrypted devices and apps.
The US government has insisted that these keys would only be used to aid law enforcement in terrorist cases. However, Microsoft created this key to make it easier for developers to debug its software. For many observers, this leak reinforces the idea held by many tech companies that backdoor keys are potential security vulnerabilities that expose users’ personal data.