Microsoft Just Fucked UEFI Secure Boot

Microsoft patches lead to gaping security hole in UEFI enabled portable devices.

Steve Smith talks about the gaping hole Microsoft just accidentally introduced in portable UEFI Secure Boot enabled devices.

Episode #6-48 released on August 15, 2016

Watch on Youtube

What is the worst that can happen to your Windows installation? If you are like me, you are rocking a new computer with UEFI Secure Boot, which is designed to prevent unsigned or self-signed code. These new mainboards and BIOS standards are designed to do a lot of cool stuff, but also secure our world, but apparently a new chapter of dangers just opened up, and Microsoft mistakenly open Pandora's box, yet again.

Now, you have to read the articles to get just how and who is totally screwed. This does not affect personal and enterprise desktop systems, but this does directly affect other Windows Devices, Windows Phone, Surface Hub, etc. where their secure boot can be disabled. For anyone who was watching the FBI Apple incident, you will remember that this is exactly what Apple wanted to avoid, having magical master keys from escaping into the wild. This doesn't just allow governments and police agencies to gain access to your data, anyone who has some skill can access the data, regardless of badge or warrant.

Now, what does this mean for you? We must exclude airports in this because of the very nature of airports. But, if you are stopped by a cop for any reason, and you have a Windows Phone, unlike Apple, you won't have the benefit of a company who was responsible to prevent the holy grail of keys from leaking. In many countries, including Canada, this can be bad news. Let us say that you are being questioned for a crime you are innocent of, but the cops have third party software that are not limited by a requirement for your passcode? What happens if you did commit a crime, even a minor one that would normally be over looked while being arrested for one you did not commit. They could potentially all your information, pictures, etc. without a warrant and use proof of another crime to imprison you for one you are not guilty of. In this scenario, what happens if by some means of bad luck you were near the scene of the crime you have nothing to do with? Microsoft losing the golden keys to Secure Boot may and probably will lead to many innocent people going to prison, being at risk of identity theft, or worst. Cops will use these shortcuts instead of doing their job, and criminals will bleed you dry, hijack your life, kidnap people you love, blackmail you, etc. This seems like it is an over the top overly paranoid look at the world, to which I reply, ransomware. Yes, currently the keys need local or direct access to your devices, but really, how much time will it take to do it remotely exploiting other security holes?

Until now, ransomware had to load with Windows, but now on devices, it could possibly load before Windows has a chance to run, like your Windows phone. If you are trying to call for help because your life is in danger, you may die. It is only a matter of time that companies like this will be held liable for the death of innocent people, because the keys have been leaked. And, if the FBI and other governments haven't figured this out yet, they will soon. Keys to anything secret being lose is bad news, for data, for life, for everyone. Knowing this was enough for me to not buy a Windows phone, especially if it is my only means of calling emergency services.

Host : Steve Smith | Music : Jonny Lee Hart | Editor : Steve Smith | Producer : Zed Axis Productions

Sources & Resources

Community Comments

Share your thoughts, opinions and suggestions

Login or Register to post Your comment.