Microsoft Accidentally Provides Example of Dangers of Encryption 'Back Doors'

An internal bypass mechanism in the Windows booting process makes it out into 'the wild.'


golden key
Yudesign / Dreamstime.com

Microsoft has helpfully provided a real-world example showing why mandating "back doors" so that authorities can bypass encryption to access digital data is a very bad idea. The fact that this example is a result of a complete mistake and apparently not staged or hypothetical should make it all the more powerful to law enforcement and lawmakers who want to compromise data security in the pursuit of crime or terrorism.

To summarize the best I can: Microsoft devices have a system that upon booting, will only function with operating systems that it authenticates. This means users cannot just install any other operating system on Windows tablets and phones and work them.

As explained by The Register, Microsoft created "golden keys" for internal use only to allow programmers to disable or bypass this authentication process, most likely to test new operating system builds and updates without having to get them approved.

But this method of bypassing Microsoft's booting process mistakenly got out of the hands of the company and into the clutches of a couple of hackers, who wrote a report explaining how it all worked here (trigger warning: MIDI music).

The hackers are very blunt about their reasons for revealing how this works: They're trying to get people at the FBI and in Congress to understand that any attempt to require a "golden key" to allow officials to bypass encryption, even with the best of intentions, can and eventually will go terribly, terribly awry. They note:

"About the FBI: are you reading this? If you are, then this is a perfect real world example about why your idea of backdooring cryptosystems with a "secure golden key" is very bad! Smarter people than me have been telling this to you for so long, it seems you have your fingers in your ears. You seriously don't understand still? Microsoft implemented a "secure golden key" system. And the golden keys got released from MS own stupidity. Now, what happens if you tell everyone to make a "secure golden key" system? Hopefully you can add 2+2…"

In the hands of those with sinister intent (either hackers or rogue authorities), a mechanism to bypass encryption can utterly devastate the privacy of citizens and expose them to criminal mischief and secret surveillance.

The larger question is whether or not lawmakers and government leaders actually care about the risks as long as it gets them the information they want. As I've noted repeatedly at Reason, surveillance-loving senators like Dianne Feinstein (D-Calif) and Richard Burr (R-N.C.) and Great Britain's new Prime Minister Theresa May seem to have absolutely no interest in whether encryption back doors actually compromise everybody's security as long as it allows the government to access whatever data it demands.