Not logged in » Login
Nov 21 2018

BSI Publishes First Part of Windows 10 Security Review

Its ongoing proliferation notwithstanding, Windows 10 has often been criticized for its combination of software-as-a-service delivery model, relatively casual built-in privacy protections, and lack of preparedness to provide users with meaningful controls. The warnings prompted several authorities – among them Germany's Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik or BSI) – to take a closer look at the alleged issues. Yesterday, the researchers published part 1 of their findings.

This first chapter deals with telemetry in Windows 10, and its final conclusion was equal parts blunt and unsurprising. "The Windows 10 operating system sends extensive system and usage information to Microsoft. Although it is technically possible to prevent the collection and transmission of telemetry data by Windows, this is difficult for users to implement," says a BSI press release (available here in German only), thereby reflecting the experience privacy-aware users have made since they first switched to the new OS some three years ago. As mentioned above, the analysis of the inner workings of Windows 10 telemetry is part of a wider review of all security-relevant functions included with the system that is carried out with the aim of "evaluating the security and residual risks associated with using Windows 10, identifying the operating system's security framework, and providing practical recommendations for hardening Windows 10" so that it is safe for deployment in professional and corporate settings. The BSI explicitly sells this as a piece of "digital consumer protection."

The BSI then goes on to explain in detail some key shortcomings of the telemetry component. For example, while users are able to change the default settings in order to limit the transfer of confidential information, it's the component itself that "dynamically assigns the existing telemetry sources to these levels during operation" and reloads configuration data several times per hour in the process. The options for changing the default settings are minimal and offer only little influence regarding specific behavior patterns. Moreover, stock applications running on Windows machines, such as Internet Explorer and Microsoft Office, come with their own back channels for recording and sending telemetry data that remain operative even if the central component has been reigned in. Based on these findings, many customers – professionals and consumers alike – might have considered Windows 10 to be unfit for use only five to six years ago.

As it often goes with security evaluations, this one comes with a number of caveats. First off, the BSI didn't perform the study in-house; instead, it was commissioned to ERNW GmbH, an "independent IT Security service provider" based out of Heidelberg, Germany that's been active since 2001 and has published research about medical device security and forensics in Docker environments, among others. Second, the analysis is based on a comparatively old edition of Windows 10 Enterprise, namely the long-term servicing channel (LTSC) version 1607, which was released about 27 months ago and will be supported until October 2021. In other words, Microsoft may have cleared up a few issues in the meantime, although a more recent look at the settings doesn't corroborate that theory. However, to account for whatever positive changes may occur, the researchers will also verify their findings against an upcoming LTSC/LTSB version, most likely of Windows 10 Enterprise 2019 or Windows 10 Enterprise 2022 – provided, of course, that Microsoft sticks with both the product name and delivery model for long enough to allow them to finish up the project.

The entire BSI project goes by the name of SiSyPHuS Win10. A bilingual version (English with summaries in German) of the so-called "Work Package 4" on telemetry can be downloaded directly from the BSI website (PDF). A 27-page compendium of recommendations for configuration and logging is also available, but of limited use for a non-German audience.


Comments on this article

No comments yet.

Please Login to leave a comment.


Please login

Please log in with your Fujitsu Partner Account.


» Forgot password

Register now

If you do not have a Fujitsu Partner Account, please register for a new account.

» Register now