Security researchers MY123 and Slipstream revealed this week that Microsoft accidentally leaked security keys that allow Windows-based computers, phones and tablets to be unlocked and loaded with other operating systems, as well as malicious software like rootkits.
While the company has attempted to patch Windows to fix this, the researchers believe that it'd be impossible for Microsoft to render the leaked keys useless.
It isn't clear just how much of a security risk this poses for users: It appears that one would need to physically access the target device to use the key and install other software on it.
However, it shows exactly why governments and law enforcement agencies should stop asking tech companies to build backdoors into their products and software, in the hopes that they'll be able to listen in on communications and catch criminals in the act.
When you create a backdoor, you have to lock it somehow. In Microsoft's case the company did so to allow for easier debugging. But now that the key is publicly available, it can easily be misused by anyone who can get their hands on it.
It's a danger that governments don't seem to understand. Remember the San Bernardino shooter's iPhone that the FBI wanted to unlock, and how it tried to get Apple to create a backdoored version of iOS to assist with that case? What if that version was somehow leaked publicly and became available to anyone who wanted to hack iOS devices in their possession?
It's not just the US: The UK is inching closer to passing a law that would require service providers to unlock encrypted customer data and correspondence at the government's request, and never admit to doing so.
Microsoft's bungle is an example of how things could go south when creating backdoors. One can only hope that the debacle will help convince politicians and law enforcement officials to stop asking for ways to endanger citizens' security and privacy.
Via The Register