Leaked documents from the German Federal Office for Information Security (BSI) suggest that the German government believe that Windows 8 contains back doors that could be used to remotely control any computers that have that version of Microsoft’s operating system installed on them.
The document claims that some Windows 8 machines have chips built into them which place the devices under Microsoft’s control with users having no means to control what can be installed on them.
According to the BSI statement the chip in question is the Trusted Platform Module (TPM) and they say (via Google translate) –
“From the perspective of the BSI, the use of Windows 8 in combination with a TPM 2.0 [chip] is accompanied by a loss of control over the operating system and the hardware used. This result for the user, especially for the federal government and critical infrastructure, new risks.”
Claims also appeared in German newspaper Zeit who said that, “Due to the loss of full sovereignty over the information technology, the security objectives of ‘confidentiality’ and ‘integrity’ can no longer be guaranteed.” Zeit also went on to say that, “This can have significant consequences on the IT security of the Federal Administration.”
The leaked document, dated from early 2012 before Windows 8 was released, says IT experts claim that the TPM chip’s DRM capabilities can decide which software can or cannot be run on a computer. This ability, controlled by Microsoft, is activated as the computer boots up and cannot be disabled.
The German government has expressed fears that control over these alleged backdoors could be passed over to the US National Security Agency (NSA). Their surveillance program, PRISM, has been in the limelight recently following revelations from former government contractor Edward Snowden who leaked several thousand documents to The Guardian newspaper. Coincidentally, after Snowden gained temporary asylum in Russia the government there revealed that it was swapping PCs for typewriters for some sensitive areas of work.
The German government, according to the document, are warning against the use of Windows 8 due to the perceived risks of snooping. They are saying that the latest version of Microsoft’s operating system is already “unusable” due to the TPM 2.0 chip issue. Interestingly, however, they do claim that Windows 7 is ok for now and can be “safely operated until 2020.” This, presumably, is due to the older operating system adhering to an older and more limited first generation of the Trusted Computing standard.
In response, Microsoft said in a statement,
“Windows has made a fundamental bet on trustworthy hardware and TPM 2.0 is a key component. Based in no small part on lessons learned in the TPM 1.2 timeframe, TPM 2.0 is designed to be on by default with no user interaction required. Since most users accept defaults, requiring the user to enable the TPM will lead to IT users being less secure by default and increase the risk that their privacy will be violated. We believe that government policies promoting this result are ill-advised.”
“It is also important to note that any user concerns about TPM 2.0 are addressable. The first concern, generally expressed as “lack of user control,” is not correct as OEMs have the ability to turn off the TPM in x86 machines; thus, purchasers can purchase machines with TPMs disabled (of course, they will also be unable to utilize the security features enabled by the technology). The second concern, generally expressed as “lack of user control over choice of operating system,” is also incorrect. In fact, Windows has been designed so that users can clear/reset the TPM for ownership by another OS of they wish. Many TPM functions can also be used by multiple OSes (including Linux) concurrently.”
Are you running Windows 8 in your business enviroment? If so, do you have any security concerns following these German claims?