Secure Boot bypass revealed

Martin Brinkmann
Aug 10, 2016
Updated • Aug 10, 2016
Security
|
24

Secure Boot is a security standard that is part of UEFI designed to restrict what gets loaded during boot time of the device.

Microsoft introduced the feature in Windows 8 back in 2011, and every client or server version of Windows supported it since then.

Microsoft stated back then that it was up to the manufacturer of the device to ship it with controls to turn Secure Boot off.

Without those controls, it is not possible to use load operating systems that are not explicitly allowed. In worst case, it would mean that only one particular flavor of Windows can be run on a device.

This is for instance the case on Windows RT or Windows Phone devices. Secure Boot can be turned off on PCs and notebooks however, at least for the time being.

Researchers discovered a way to manipulate Secure Boot on Windows devices, effectively rendering it useless.

secure golden secure boot key

Secure Boot uses policies which the Windows Boot Manager reads during boot. Not all policies get loaded though. Policies are usually linked to DeviceID, and the boot manager will only execute policies with a matching DeviceID.

Microsoft did introduce supplemental policies which are not linked to DeviceID which in turn enables anyone to enable test signing. With test signing enabled, it is possible to load anything during boot.

The "supplemental" policy does NOT contain a DeviceID. And, because they were meant to be merged into a base policy, they don't contain any BCD rules either, which means that if they are loaded, you can enable testsigning. Not just for windows (to load unsigned driver, ie rootkit), but for the {bootmgr} element as well, which allows bootmgr to run what is effectively an unsigned .efi (ie bootkit)!!! (In practise, the .efi file must be signed, but it can be self-signed) You can see how this is very bad!! A backdoor, which MS put  in to secure boot because they decided to not let the user turn it off in certain devices, allows for secure boot to be disabled everywhere!

The effect here is that it unlocks Secure Boot on devices where the feature is locked. The method that the researchers discovered works on Windows devices with Secure Boot enabled, but only if Microsoft's MS16-094 security patch is not installed; also, administrative rights are required.

Microsoft tried to fix the issue with MS16-094 in July, and this month's MS16-100 security bulletins. The first patch introduced blacklisting, the second an update that revoked some boot managers.  The patches don't resolve the issue completely though according to the researchers.

You find additional information about the issue on this site. Please note that it plays an intro with music in the background. I suggest you use Ctrl-A, Ctrl-C to copy all content, and paste it in a text document as the music and background animation is quite distracting.

Summary
Secure Boot bypass revealed
Article Name
Secure Boot bypass revealed
Description
Researchers discovered a way to manipulate Secure Boot on Windows devices, effectively rendering it useless.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Previous Post: «
Next Post: «

Comments

  1. HackdYourShitz said on February 16, 2019 at 3:13 pm
    Reply

    Something is up with the Surface 2RT windows 8.1 RT devices, im thinking microsoft is keeping these tablets locked down because they are still great tablets, its 2019 Feb and i use my Surface 2RT everyday, unless its a program i couldnt convert over to the arm.. i think thats why MS has these things locked down because they are just as good as the new devices and if everyone is still using the RT because they are built well, then that means less sales on new MS Surface tablets like the new so called cheap one.. i have the Surface 3 RT as well and its Secureboot you can turn it on or off so i dont see why they just wont let people turn off SecureBoot on the SurfaceRT especially now they are going to stop with the updates…. i like my Surface 2RT and soon ill have a unlock as im just rebuilding the Emulation thats on the windows 10 to work on the Surface RT and if that doesnt work ill start on my Win 10 32bit arm.iso that i just finished making but havent tried it yet

  2. John S said on February 5, 2018 at 2:15 pm
    Reply

    Secure Boot another useless weak layer Microsoft whipped up to fix its miserable track record of PC’s running Windows getting rootkits and other malware. I guess its one of those deals if all you run is Windows then keep Secure boot on for its minor improvement in resisting malware. Personally I will pass on anything Microsoft dreams up as some sort of security improvement.

  3. Simon said on January 28, 2017 at 11:32 am
    Reply

    Anyone managed to get any ARM linux booting/installed on a Surface 2?

    It’s been a while, thought Id follow up.

  4. Iscariot said on August 14, 2016 at 8:04 pm
    Reply

    You’re asking an ARM OS that bypasses the latest Micro$oft UEFI limitations…
    Tell us if you got it running!!

  5. Zeal0us said on August 14, 2016 at 12:22 am
    Reply

    Is there any how to guides on how to linux distros on to windows rt tablet?

  6. Intel Inside® said on August 12, 2016 at 9:24 pm
    Reply

    “Trusted Computing” is an Intel® way to put chips on your Mobo. These chips use low-level languages as i2C: Trusted Platform Module (TPM) with I²C interface is produced by Atmel Corporation, while Intel® puts the backdoored code in it.

    I was dragged down this rabbit hole by following Dragos Ruiu on twitter.

  7. MrHandsome said on August 12, 2016 at 1:26 am
    Reply

    Just use Noscript to not allow the site, and no music or animation is being played….

  8. Straspey said on August 11, 2016 at 2:29 pm
    Reply

    ” Please note that it plays an intro with music in the background. I suggest you use Ctrl-A, Ctrl-C to copy all content, and paste it in a text document as the music and background animation is quite distracting.”

    Yes, but —

    If you use the NoScript addon (one of Martin’s favorites, as well as myself) in your Firefox browser to defeat the flash animation, and then simply mute your speakers – you can the simply scroll through the article and read it comfortably without those annoying distractions.

    1. A or B, not C. said on August 11, 2016 at 3:30 pm
      Reply

      @ Straspey ……. With the Slimjet browser, I just disable javascript in Content setting for the same effect, ie no need addon.

  9. CHEF-KOCH said on August 11, 2016 at 12:48 pm
    Reply

    The question is how fast MS react on it and how fast they fix it, also the other question is if someone really can abuse it or if it’s simply a poc. If you use VeraCrypt I doubt that this makes any sense.

    Before someone cry it should be noted that this wasn’t actually abused in real world. So chill and keep it monitored.

    1. Rotten Scoundrel said on August 11, 2016 at 5:19 pm
      Reply

      Ummm “this wasn’t actually abused in real world”

      Chef-K, it’s hard (??) to abuse something that had not been yet found. Now found the implications are huge. Also “how fast they fix it,” it’s not that simple. This will be near impossible to “fix” looking back from when they actually fix it in next release of updates. All current and backed up Shadow Copies will contain the errant code, many levels of backups will also contain it. So a Restore or Recovery will almost certainly reinstate it.

      Any smart person backs up daily and images their drives at least weekly. Ahhh, msoft programming, ain’t it grand. Does anyone recall just a few days back I was ruminating on the ineptitude of msoft programmers? LOL

  10. 420 said on August 11, 2016 at 11:33 am
    Reply

    I see, looks like I will go with my plan of my desktop will be a windows box for games with no internet and all my other laptops will have manjaro. I am starting to see M$ plan now, get enough people on board then give them no alternatives, devious.

  11. 420 said on August 11, 2016 at 8:57 am
    Reply

    @a or b, not c, I am confused on one item. So if your windows box has uefi only and not uefi and legacy like my dell laptops, M$ can make it so you cannot disable secure boot? I think I read that the ability to turn off secure boot is cooked into the bios, so unless you are saying M$ has the ability to change my bios remotely like an update, I do not see how they can undo what is in the bios supplied by Dell. Also could you please give source articles if you are saying M$ can change my bios so that I will not be able to disable secure boot.

    1. Corky said on August 11, 2016 at 10:11 am
      Reply

      @420, Yes secure boot is controlled by the BIOS (enable, disable), having said that it does appear the direction of travel for Microsoft is to compel motherboard manufactures to eventual remove that option, for a MoBo manufacture to gain the certified for Windows label previously (Windows 8) they had to include the option in the BIOS to disable secure boot, that changed with Windows 10 to being an optional BIOS setting.

  12. mikef90000 said on August 11, 2016 at 12:27 am
    Reply

    All this total crap ‘secure boot’ EFI stuff in firmware to replace a simple write-protect hardware jumper or switch. At least I can still find motherboards that let me disable it.

  13. jack said on August 10, 2016 at 11:59 pm
    Reply

    Can we unlock old Windows Phones and put custom Android ROMs on them?

    1. A or B, not C. said on August 11, 2016 at 8:32 am
      Reply

      @ jack ……. Likely, not possible.

      Unlike cptrs, nearly all smartphones do not allow another mobile OS to be installed by the users from an external install media, eg microSD card, not even for installing the same preinstalled mobile OS that came with the phone, ie smartphones hv walled gardens = users r like in prison. Of course, the phone-users can change “prisons”, eg move from iOS to Android or vice versa.

      The work-around of ROM Flashing to update Android OS for many high-end Android phones, r provided by 3rd-party private developers, n not by the mobile OS developers or OEMs, eg Apple, Google, M$, Samsung, LG, HTC, etc.

  14. Mark Hazard said on August 10, 2016 at 11:02 pm
    Reply

    Thanks, Martin.

  15. Anonymous said on August 10, 2016 at 9:51 pm
    Reply

    I’m happy that they manage to “crack” that Microsoft imposed piece of BS.

  16. Mark Hazard said on August 10, 2016 at 9:27 pm
    Reply

    Martin, will these Secure Boot patches prevent one from booting Linux?
    Also, I can’t find a link to the site.
    Thanks for the article.

    1. 420 said on August 10, 2016 at 11:05 pm
      Reply

      What this patch (script really) is good for is… unlocking surface rt and various phones micro$ has. Which is “good news everyone” for people with surface rt’s as micrososhaft has basically abondoned the surface rt’s. For everyone else this patch doesnt really do alot, as you already have the ability to disable secure boot. The golden key also demonstrates what an incredibily stupid idea it is to have golen keys, bypasses and back doors cooked into stuff.

      1. A or B, not C. said on August 11, 2016 at 7:59 am
        Reply

        @ 420 ……. M$ hv the prerogative to pull the trigger at any time n disallow all new OEM Win 10 UEFI cptrs from being able to disable Secure Boot, esp if Win 10 has achieved critical mass of above 50% world market share.

        With the 02 Aug 2016 Win 10 Anniversary Update, M$ has blocked all unsigned Windows kernel mode drivers from being installed. This move affects the installation of programs/software/apps for AV, back-up/imaging, VPN, browser, torrent, office productivity, etc. In theory, M$ can block all 3rd-party programs/apps/software from being installed or make certain demands from the software developers. This is one of the reasons, many Win 10 users r having problems with the Anni-Update.
        ……. M$ hv also recently “decreed” that all new OEM Win 10 cptrs must ship with TPM 2.0, which, in theory, can also gives M$ more control over people’s cptrs. Pls refer to the Wiki article for Trusted Platform Module/TPM.

        So, maybe it’s best to avoid buying new OEM Win 10 cptrs n smartphones.

    2. Martin Brinkmann said on August 10, 2016 at 9:32 pm
      Reply

      Link added, it is this one: https://rol.im/securegoldenkeyboot/

      The patches should not affect that from what I can tell.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.