Claims from a German publication that the NSA could easily access Windows 8 machines are rebuffed
A reporter in Zeit had suggested the backdoor stemmed from the Trusted Platform Module, or TPM chip, which seeks to improve security by powering the Secure Boot process that checks for and ignores malicious low-level code when a machine starts up. It does this through cryptographic keys that ensure code cannot be tampered with on loading and that the code is legitimate.
The Zeit writer had suggested the TPM could give the manufacturer of a device control over it.
He said that in light of the leaks from Edward Snowden, it would not be a surprise if TPM 2.0, the version used by Windows 8, was actually a backdoor the National Security Agency (NSA) could easily exploit. As the chips powering TPM are manufactured in China, the Chinese could easily access Windows 8 machines too, the report alleged.
The reporter attained documents from the German government that led him to reach his supposition. But the German government has not said there is a backdoor in the OS.
The Office for Information Security (BSI) later clarified the government’s position, and did say the use of TPM 2.0 and Windows 8 (TPM is used in other non-Windows machines, including Chromebooks, making the claims even more questionable) meant the user had to deal with “a loss of control over the operating system and the hardware used”. This could lead to greater risk for the federal government and critical infrastructure, it said.
But the body said it had not warned the general public nor government bodies against using Windows 8.
It said “the newly established mechanisms can also be used for sabotage by third parties”, but appeared only to be talking generally about vulnerability exploitation. There was no suggestion of a purposeful backdoor, as Zeit had hypothesised, even if the BIS does have problems with TPM.
Microsoft has responded to the kerfuffle first by denying it has ever provided such access to users’ data and by talking up the security benefits of TPM 2.0. It suggested government departments would be wise to use the security protections it provides by default. But for those governments who want to gain back control of their machines, they can go with OEMs who make Windows PCs without TPM.
“Since most users accept defaults, requiring the user to enable the TPM will lead to IT users being less secure by default and increase the risk that their privacy will be violated. We believe that government policies promoting this result are ill-advised,” a spokesperson said.
What do you know about Internet security? Find out with our quiz!