Microsoft just back-door screwed the pooch

There is no good back-door

And this pooch cannot be unscrewed

Ben over at 9to5Mac wrote a great piece about OEMs who build back-doors, in the context of the San Bernardino incident.

I’ve got some advice for any OEM who believes that one party’s need to get into an information system is more important than the privacy and the security of everyone else who uses that system.

It goes like this:

If you are thinking about creating one…thinking is great…especially in the lab. Have all the thoughts 💭 you like about how awesome it would be to ship a deliberately engineered exploit in your code “for contingency reasons only”. That is as far as it should go.

If you have become a victim of The Stupid and already have created one…try to hide it. Hide it and don’t tell anyone.

Ever.

The FBI wanted Cupertino to build them an iOS version (for lack of better creativity we will call it FBiOS) so they could deploy it on a dead terrorist’s iPhone. That build would either lift the restrictions on passcode attempts (the auto-erase after repeated failures and the escalating delays between guesses) or do away with the lock-screen passcode entirely. With that, the FBI could brute-force the passcode on any phone that doesn’t have the Secure Enclave in a very reasonable amount of time.
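The following is an added example, not code from the original post or from Apple. It models a lock-screen passcode verifier with attempt limiting, and the same verifier with the limits stripped out, which is what the requested build would amount to. Every number in it is an assumption chosen for illustration (80 ms per guess, delays of 1, 5, 15 and 15 minutes after the 5th to 8th failures, an hour per failure from the 9th on, erase after 10): the point is the shape of the result, not the exact figures. With the limits removed, a 4-digit passcode falls in 10,000 × 80 ms, about 13 minutes; a 6-digit one in 10^6 × 80 ms, under a day.

```python
"""Added example, not code from the original post or from Apple: a toy model of
a lock-screen passcode verifier with attempt limiting, beside the same verifier
with the limits stripped out (the "FBiOS" case). All numbers are assumptions
chosen for illustration:
  - each guess costs 80 ms of key-derivation work on the device
  - failed attempts 5..8 add delays of 1, 5, 15 and 15 minutes; from the 9th
    failure on, every further failure adds an hour
  - with auto-erase enabled the device wipes its keys after 10 failures
"""
from dataclasses import dataclass
from itertools import product

GUESS_COST_MS = 80                      # assumed cost of one passcode check
DELAY_AFTER_FAILURE_MS = {5: 60_000, 6: 300_000, 7: 900_000, 8: 900_000}
LONG_DELAY_MS = 3_600_000               # assumed delay for the 9th failure onward
ERASE_AFTER_FAILURES = 10


def delay_for(failures: int) -> int:
    """Delay (ms) the lock screen imposes after the Nth consecutive failure."""
    if failures >= 9:
        return LONG_DELAY_MS
    return DELAY_AFTER_FAILURE_MS.get(failures, 0)


@dataclass
class PasscodeVerifier:
    """Simulated lock screen. enforce_limits=False models the weakened build."""
    secret: str
    enforce_limits: bool = True
    auto_erase: bool = True
    failures: int = 0
    elapsed_ms: int = 0
    erased: bool = False

    def try_unlock(self, guess: str) -> bool:
        if self.erased:
            raise RuntimeError("device erased: key material is gone")
        self.elapsed_ms += GUESS_COST_MS
        if guess == self.secret:
            self.failures = 0
            return True
        self.failures += 1
        if self.enforce_limits:
            if self.auto_erase and self.failures >= ERASE_AFTER_FAILURES:
                self.erased = True          # wipe: no further guesses possible
            else:
                self.elapsed_ms += delay_for(self.failures)
        return False


def brute_force(verifier: PasscodeVerifier, digits: int) -> tuple:
    """Try every numeric passcode of the given length, in order.
    Returns (success, guesses_made, simulated_elapsed_ms)."""
    guesses = 0
    for combo in product("0123456789", repeat=digits):
        try:
            ok = verifier.try_unlock("".join(combo))
        except RuntimeError:
            break                           # auto-erase fired; nothing left to attack
        guesses += 1
        if ok:
            return True, guesses, verifier.elapsed_ms
    return False, guesses, verifier.elapsed_ms


def compare_policies(secret: str = "9999") -> dict:
    """Run the attack against three configurations of the same verifier."""
    digits = len(secret)
    return {
        "limits+erase": brute_force(PasscodeVerifier(secret), digits),
        "limits, no erase": brute_force(PasscodeVerifier(secret, auto_erase=False), digits),
        "no limits (FBiOS)": brute_force(PasscodeVerifier(secret, enforce_limits=False), digits),
    }


if __name__ == "__main__":
    for name, (ok, guesses, ms) in compare_policies().items():
        print(f"{name:18s} success={ok!s:5} guesses={guesses:5d} time={ms / 3_600_000:9.2f} h")
```

Running it with the worst-case secret "9999" shows the three regimes: with limits and erase the attacker gets ten guesses and then a wiped phone; with limits but no erase the search succeeds but the hour-per-guess delays stretch it past a year; with the limits removed it is 13 minutes of work.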

Ben’s article shows an example of what can happen when a back-door is created, even one that is never handed to the ‘authorities’:

Microsoft has inadvertently demonstrated the intrinsic security problem of including a universal backdoor in its software after it accidentally leaked its so-called “golden key” — which allows users to unlock any device that’s supposedly protected by Secure Boot, such as phones and tablets. The key basically allows anyone to bypass the provisions Microsoft has put in place ostensibly to prevent malicious versions of Windows from being installed, on any device running Windows 8.1 and upwards with Secure Boot enabled.

Fido, here boy….

Ok.

First of all, who gives a shit about why Microsoft did this? Their intent was to limit the money they lose to fraud, exploits, etc. What really matters is that everyone, and by ‘everyone’ I mean everyone who wants to crack a locked-down Windows device, now has an excellent starting point from which they can quickly reach the very thing Microsoft built the ‘protection’ for in the first place. It bites hardest on the devices where the owner cannot switch Secure Boot off, such as Windows RT tablets and Windows phones: there the leaked policy is the difference between a locked bootloader and an open one, and because the policy carries a valid Microsoft signature, taking it back means pushing a revocation into the firmware of every affected device, which is exactly the kind of fix that never fully lands.
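To make the mechanism concrete, here is an added example, not code from the original post or from Microsoft. It is a toy boot manager that refuses unsigned images unless a vendor-signed policy tells it to skip the check. That is the shape of the “golden key” problem: what leaked was not a private key but a validly signed policy, so nobody has to forge anything, they only have to replay it. Signatures are modelled with HMAC-SHA256 under a key the vendor is supposed to keep to itself (a real bootloader uses asymmetric signatures), and the policy format, field names and revocation list are invented for the example.

```python
"""Added example, not code from the original post or from Microsoft: a toy boot
manager that refuses unsigned images unless a vendor-signed *policy* tells it
to skip the check. Assumptions: signatures are modelled with HMAC-SHA256 under
a key only the vendor should hold (a real bootloader uses asymmetric
signatures); policy format, field names and the revocation list are invented.
"""
import hashlib
import hmac
import json

VENDOR_KEY = b"vendor-signing-key-that-lives-in-an-hsm"   # constructed secret


def sign(blob: bytes, key: bytes = VENDOR_KEY) -> bytes:
    return hmac.new(key, blob, hashlib.sha256).digest()


def verify(blob: bytes, sig: bytes, key: bytes = VENDOR_KEY) -> bool:
    return hmac.compare_digest(sign(blob, key), sig)


def fingerprint(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


class BootManager:
    """Loads a policy, then boots an image. `revoked` plays the role of the
    firmware's revocation list (the dbx, in UEFI terms)."""

    def __init__(self, revoked=()):
        self.revoked = set(revoked)
        self.skip_signature_checks = False

    def load_policy(self, policy: bytes, sig: bytes) -> str:
        if not verify(policy, sig):
            return "policy rejected: bad signature"
        if fingerprint(policy) in self.revoked:
            return "policy rejected: revoked"
        opts = json.loads(policy)
        self.skip_signature_checks = bool(opts.get("disable_signature_checks"))
        return "policy applied"

    def boot(self, image: bytes, sig: bytes) -> str:
        if self.skip_signature_checks or verify(image, sig):
            return "booted"
        return "refused: unsigned image"


# The vendor's internal debug policy, signed once for the lab. Its signature is
# the "golden key": the policy is valid on every device that trusts VENDOR_KEY.
DEBUG_POLICY = json.dumps({"disable_signature_checks": True}).encode()
DEBUG_POLICY_SIG = sign(DEBUG_POLICY)

GOOD_IMAGE = b"vendor-signed bootloader"         # constructed
ROOTKIT = b"attacker's unsigned bootloader"      # constructed
BOGUS_SIG = b"\x00" * 32                         # attacker has no valid signature


def demo() -> list:
    """Walk through the leak and the only fix available afterwards."""
    results = []
    device = BootManager()
    results.append(device.boot(GOOD_IMAGE, sign(GOOD_IMAGE)))   # normal boot
    results.append(device.boot(ROOTKIT, BOGUS_SIG))             # refused
    # The attacker cannot mint a policy of their own: wrong key, bad signature.
    results.append(device.load_policy(DEBUG_POLICY, sign(DEBUG_POLICY, b"attacker")))
    # But the leaked, validly signed policy is accepted exactly as it leaked.
    results.append(device.load_policy(DEBUG_POLICY, DEBUG_POLICY_SIG))
    results.append(device.boot(ROOTKIT, BOGUS_SIG))             # now boots
    # The fix is not a new key; it is shipping a revocation for the leaked
    # policy to every device. Devices that never receive it stay open.
    patched = BootManager(revoked=[fingerprint(DEBUG_POLICY)])
    results.append(patched.load_policy(DEBUG_POLICY, DEBUG_POLICY_SIG))
    results.append(patched.boot(ROOTKIT, BOGUS_SIG))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The thing to notice is that every check in the boot manager still passes honestly: the signature is genuine, the key was never exposed, and the policy does exactly what it was designed to do. That is why the signature scheme cannot fix this on its own; only a revocation list that reaches the device can, and a device that never gets the update keeps honouring the leaked policy.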


Originally published at imthemobile.guru.