
Windows Security and YellowKey exploit

We live in fast-paced times for security! On this very May – the 12th to be more precise – an especially interesting “YellowKey” exploit was shared on GitHub by a user called Nightmare-Eclipse. It bypasses Windows BitLocker, a security feature that multiple companies rely on globally. Let’s recap briefly what kind of physical security features have been available for Windows to this day:

Physical security features on Windows and BIOS

So far as I’m aware, the physical security of Windows installations in recent years has relied heavily on BitLocker. BitLocker encrypts volumes to protect data from unauthorized access – especially if a Windows device gets lost or stolen. BitLocker is often used with a physical TPM chip (Trusted Platform Module) found on the system board – BitLocker generates encryption keys and stores encryption-related information in the TPM. On startup the TPM has to release the encryption key before the boot can continue into the operating system. Since the TPM is a physical chip on the mobo, TPM settings are modified from the BIOS.

Hardware manufacturers also often offer an option to set a password for accessing the BIOS, as well as the Secure Boot feature. Secure Boot is a security feature in UEFI firmware that allows only trusted software to run during the boot process. It hardens the system against unauthorized USB booting, for example.
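As an added check, not code from this post or from the YellowKey repository, the PowerShell audit below reports the state of the features described in this section on one machine. It assumes an elevated session on Windows 10/11 with the built-in BitLocker and TrustedPlatformModule modules, and English-language output from reagentc.exe.

```powershell
# Added audit script (not from the post or the YellowKey repository).
# Assumes: elevated PowerShell on Windows 10/11 with the BitLocker and
# TrustedPlatformModule modules available, and English reagentc.exe output.
# Reports the features discussed above: TPM, Secure Boot, BitLocker
# protectors per volume, and whether WinRE is currently enabled.

function Get-PhysicalSecurityPosture {
    $report = [ordered]@{}

    # TPM presence and readiness (Get-Tpm, TrustedPlatformModule module)
    $tpm = Get-Tpm
    $report['TpmPresent'] = $tpm.TpmPresent
    $report['TpmReady']   = $tpm.TpmReady

    # Secure Boot state; Confirm-SecureBootUEFI throws on legacy BIOS,
    # so treat that case as "not enabled"
    try   { $report['SecureBoot'] = Confirm-SecureBootUEFI }
    catch { $report['SecureBoot'] = $false }

    # BitLocker: protection status and protector types on each volume.
    # A volume whose only protector is "Tpm" unlocks at boot without any
    # user secret; "TpmPin" / "TpmPinStartupKey" require one.
    $report['Volumes'] = foreach ($v in Get-BitLockerVolume) {
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            ProtectionStatus = $v.ProtectionStatus
            Protectors       = ($v.KeyProtector.KeyProtectorType -join ',')
        }
    }

    # WinRE state, parsed from "Windows RE status: Enabled/Disabled"
    $reagent = reagentc.exe /info 2>&1
    $report['WinREEnabled'] = [bool]($reagent -match 'Windows RE status:\s+Enabled')

    [pscustomobject]$report
}

$posture = Get-PhysicalSecurityPosture
$posture | Format-List
$posture.Volumes | Format-Table -AutoSize

# Flag volumes that rely on the TPM alone (no pre-boot PIN) as findings
$posture.Volumes |
    Where-Object { $_.Protectors -match 'Tpm' -and $_.Protectors -notmatch 'Pin' } |
    ForEach-Object { Write-Warning "$($_.MountPoint): TPM-only protector, unlocks with no user secret" }
```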

TPM settings on BIOS

YellowKey in short

The YellowKey exploit method is explained in the GitHub repository too, but in a nutshell the idea is to copy a folder to a USB drive and boot Windows into the Recovery state with the USB attached to the device. Quite a straightforward way to use the hack.

Since YellowKey utilizes WinRE (Windows Recovery Environment), the Secure Boot feature is not going to stop it from working. And because YellowKey runs inside WinRE, it gets unrestricted access to the system.

GitHub user Nightmare-Eclipse has published some other Windows exploit repositories this spring and has been criticizing Microsoft for not doing enough to fix those vulnerabilities.

Concerns

The YellowKey repository also mentions that the exploit doesn’t work on Windows versions older than 11, which raises concerns about it being deliberately added to the newer OS versions. It isn’t some old feature forgotten in the architecture.

Either the method is a huge architectural slip in Windows or it was intentionally left there. And it raises (understandably) some eyebrows. Tech enthusiasts are already increasingly worried about privacy and how far the mass surveillance attempts and successes already go. Tech companies should show more transparency and respect for their clients when a product is sold globally. Leaving backdoors open intentionally for physical data theft would be a really low blow – even for Microslop.

