Security researchers MY123 and Slipstream revealed this week that Microsoft accidentally leaked security keys that allow Windows-based computers, phones and tablets to be unlocked and loaded with other operating systems, as well as malicious software like rootkits.
While the company has attempted to patch Windows to fix this, the researchers believe that it’d be impossible for Microsoft to render the leaked keys useless.
It isn’t clear just how much of a security risk this poses for users: It appears that one would need to physically access the target device to use the key and install other software on it.
However, it shows exactly why governments and law enforcement agencies should stop asking tech companies to build backdoors into their products and software, in the hopes that they’ll be able to listen in on communications and catch criminals in the act.
When you create a backdoor, you have to lock it somehow. In Microsoft’s case the company did so to allow for easier debugging. But now that the key is publicly available, it can easily be misused by anyone who can get their hands on it.
It’s a danger that governments don’t seem to understand. Remember the San Bernardino shooter’s iPhone that the FBI wanted to unlock, and how it tried to get Apple to create a backdoored version of iOS to assist with that case? What if that version was somehow leaked publicly and became available to anyone who wanted to hack iOS devices in their possession?
It’s not just the US: The UK is inching closer to passing a law that would require service providers to unlock encrypted customer data and correspondence at the government’s request – and never admit to doing so.
Microsoft’s bungle is an example of how things could go south when creating backdoors. One can only hope that the debacle will help convince politicians and law enforcement officials to stop asking for ways to endanger citizens’ security and privacy.
Via The Register