Modern field guide to security and privacy

Microsoft mishaps apparently exposed 'golden keys' to mobile security

Microsoft apparently released a set of security protocols for unlocking security protections that could allow attackers to install malicious software on the company's smartphones and tablets.

Lucy Nicholson/Reuters

Microsoft engineers appear to have inadvertently released software files that are intended to unlock the security protections built into many of the company's phones and tablets.

The files could allow attackers so much access to protected systems that the researchers who discovered them dubbed the files "golden keys" for access to millions of the tech giant's products. 

Anyone with the "keys," according to security researchers using the handles my123 and slipstream, could install any software – including malware – on these devices to steal sensitive data or surveil Microsoft users without their knowledge.

"Microsoft implemented a 'secure golden key' system," the researchers said. And because of an unknown issue at the company, they said, the keys were released into the wild.

The two researchers said the mishap is a prime example of why companies shouldn't maintain master keys for access to security systems or to unlock encrypted communications – a suggestion that some in Washington have made for providing the US government access to private communications during criminal or terrorist investigations.

But many security researchers have warned that creating so-called "golden keys" would only put the public at greater security risk if those keys were ever leaked or mishandled.

"This is a perfect real world example about why your idea of backdooring cryptosystems with a 'secure golden key' is very bad," the researchers said in their blog post.

In this case, the Microsoft "keys" are really a set of rules or policies that the company developed for internal use to make it easier for software developers to test new software on systems running a security program called Secure Boot.

In a statement, a Microsoft spokesman said the issues raised by the two researchers in their report do not apply to Windows desktop or business systems. In order to take advantage of the keys, someone would still need physical access and administrative rights to phones and devices running Windows RT, a now discontinued operating system for mobile devices. 

The techniques for getting around Secure Boot described in the report also do not compromise encryption protections, the spokesman said.

Secure Boot ensures that only manufacturer-trusted software and firmware runs on a Windows device when it is starting up. Users cannot make certain changes to their devices, like swapping out the operating system or installing an unapproved graphics card, when Secure Boot is enabled.

Microsoft users have the option of disabling the technology on their own in many cases. With some devices, however, such as phones and tablets running Windows RT operating system, they cannot. 

In the case, the so-called golden keys allow users to disable Secure Boot in such instances and essentially give them a way to install another operating system or make device changes that would not have been previously possible. Bad actors with access to the keys can install malware of their choice on these devices.

The two security researchers claimed they first found the policies for getting around Secure Boot between March and April this year and informed Microsoft of their discovery. It is not immediately clear how the keys may have leaked or ended in the security researchers' hands.

After refusing to acknowledge the issue for weeks, Microsoft finally issued an initial fix for the problem in July while also awarding the researchers a bug bounty.

According to the researchers, the initial fix did not fully address the issue prompting Microsoft to release another patch this month. But even with the fixes, certain technical realities make it impossible for Microsoft to close the backdoor on all Windows systems running Secure Boot, they claimed.


You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to

QR Code to Microsoft mishaps apparently exposed 'golden keys' to mobile security
Read this article in
QR Code to Subscription page
Start your subscription today