After being on the market for a few months now, Microsoft started quite a large advertising campaign in Germany for its new Surface RT . We had a comprehensive look at the new tablet PC and here are a few thoughts and impressions:
Running a slightly reduced ARM version of Windows 8, I heard somebody calling it “Windows 8 Home”, which in comparison to older versions hits the spot, Microsoft offers an easily usable interface. Software is reduced to market apps (the minimal run level on a plain Windows is 0, any, and 8, Microsoft, on Windows RT), so you can’t just install your favourite app, or can you?
A first, simple to use jailbreak was published in January [1], lowering the minimal run level, so you can run what you want, as long as it’s compiled for ARM systems. This does at least let you run various Open Source applications, even though you need to jailbreak after every reboot (simply run a batch file, give it admin, press volume down). But at what price? Microsoft says the jailbreak does not have a significant security impact, as it needs administrative privileges to run.
The whole security concept is based on the fact, that the Surface will only run apps from the market store, which are checked and then signed by MS. If it’s malicious software, it won’t be offered in the store. But if it does? Let’s just assume MS to have security measures in place, just as Apple and Google have in their app stores.
Knowing this, any app that can run on the Surface is trustworthy, so why not give it admin? Surely, this would be a rather targeted attack, but still possible. So the easy solution: Don’t run any software, except for market software!
The Surface offers on-board encryption using “drive encryption”, which actually is a light version of BitLocker and can use the on-board TPM 2.0. Now usually one would have written “TPM 2.0 chip” but in this case it’s kind of an emulated TPM chip, running in Kal-El’s (NVIDIA’s codename for the used Tegra 3 chip) secure “TrustZone”. Ongoing research will show if the emulated solution was a good idea or not.
Looking at the BitLocker section in the Control Panel reveals a little surprise: there’re no options for enabling or disabling any encryption. Giving it some time and resetting the device several times (which took about 30minutes for each reset) brought some further insight.
- one local user, having admin rights -> no encryption
- one local user(admin) and one user using a MS account (no admin) -> no encryption
- one user using a MS account (admin) -> encryption
- one local user and one user using a MS account (admin) -> encryption
When having two users, the users where created in the listed order.
So if you want/need encryption in place, you ought to use a MS account, which needs to have administrative privileges.
Having a deeper look at this, some more findings appeared:
- If you add your MS Account to the device it will autocratically backup your drive’s key into your Skydrive. (You can actually delete it from there afterwards, but keep a copy in a safe place)
- If it’s your first device on the MS Account, it will be added to your trusted devices (ie can be used to recover your account’s password).
- You might get a confirmation eMail and/or Text/SMS prompting you to confirm the the new device. The text I received, just said “confirm device”, my eMail said “confirm adding the device to trusted devices”.
- When you remove your MS Account from the device, the key remains in your Skydrive (you might want to keep this one in mind).
So BitLocker, or rather “Device Encryption”, which only encrypts your main disk and no USB Sticks or inserted SD cards, works out of the box! Just remember to use a MS account, with administrative privileges.
By the way, I’ll just add one random fact: To enable logging in with your MS Account when the Surface is offline, the account’s password is stored in the local SAM.
Which results in an interesting attack scenario:
Let’s assume you find a Surface with a local account (including administrative privileges) and a MS account without having admin privs. Given that, the device does not have crypto and the MS account’s password is in the local SAM! This would result in an offline attack (like a “simple” bruteforce) against the used MS account. And well, when the device is also trusted….
One nice new feature is the so called “picture password”. Choose a picture, draw three gestures (klick, straight line, circle) and save these. When you want to log in, you’ll see the picture and can start “drawing” your gestures in the correct order. The algorithm behind it does actually seem to be rather fussy, so you will need to be quite accurate.
So for now, the Surface seems to be quite a nice device, if used just as carefully as any other mobile device… When you’ll get yours, best invest the time necessary to do a complete reset, use your MS account when setting it up and be careful on who to give administrative privileges…
stay tuned for more!
So long,
Brian
[1] http://forum.xda-developers.com/showthread.php?t=2092158