
BitLocker encryption can be defeated with trivial Windows authentication bypass

Lucian Constantin | Nov. 16, 2015
Domain-joined Windows computers that use BitLocker should be patched as soon as possible

That all changed when BitLocker was introduced in Windows Vista. Microsoft's full-disk encryption technology, which is available in the professional and enterprise editions of Windows, is specifically designed to protect data in case a computer is stolen or lost, in other words, when an unauthorized individual has physical access to it.

BitLocker stores the data encryption key in a Trusted Platform Module (TPM), a secure hardware component that performs cryptographic operations. The key is unsealed from the TPM only if the same boot process is followed as when BitLocker was first activated.

The various stages of the boot process are cryptographically verified, so an attacker with physical access to a BitLocker-enabled laptop will not be able to boot from an alternative OS to read the data stored on its drive. The only possibility left for the attacker in this case is to boot normally to unlock the encryption key and then to bypass the Windows authentication to gain access to the data, which Haken's attack allows.
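The two preceding paragraphs describe why booting an alternative OS does not yield the key but a normal boot does: the TPM only unseals the key when the boot measurements match those recorded at seal time. The following Python model, written for this page and not taken from the article, Microsoft or any TPM library, shows that mechanism in simplified form. The PCR extend operation (SHA-256 over the previous value concatenated with the hash of the new measurement) follows the real TPM definition; the "seal" and "unseal" functions are a toy stand-in for the TPM's internal sealing key, and the boot-stage names and the volume key are constructed sample values.

```python
import hashlib
import hmac

# Constructed sample values; not real BitLocker or TPM data.
VOLUME_KEY = hashlib.sha256(b"constructed sample volume master key").digest()
TRUSTED_BOOT = [b"firmware:v1", b"bootmgr:signed", b"winload:signed", b"ntoskrnl:signed"]
ALTERNATE_BOOT = [b"firmware:v1", b"grub:unsigned", b"vmlinuz", b"initrd"]


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || SHA-256(measurement)).
    One-way and order-dependent, so the final value commits to the whole boot chain."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()


def measure_boot(stages) -> bytes:
    """Measure each boot stage in order into a single PCR that starts at zero on power-on."""
    pcr = bytes(32)
    for stage in stages:
        pcr = extend(pcr, stage)
    return pcr


def seal(key: bytes, expected_pcr: bytes) -> dict:
    """Toy sealing: bind the key to a PCR value.
    A real TPM wraps with a key that never leaves the chip; here the wrapping key is
    derived from the PCR so the policy check can be modelled offline (assumption)."""
    wrap = hashlib.sha256(b"seal-policy|" + expected_pcr).digest()
    blob = bytes(a ^ b for a, b in zip(key, wrap))
    tag = hmac.new(wrap, blob, hashlib.sha256).digest()
    return {"blob": blob, "tag": tag}


def unseal(sealed: dict, current_pcr: bytes):
    """Return the key only if the current PCR equals the PCR present at seal time."""
    wrap = hashlib.sha256(b"seal-policy|" + current_pcr).digest()
    expected_tag = hmac.new(wrap, sealed["blob"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, sealed["tag"]):
        return None  # TPM refuses: the boot chain differs from the one BitLocker was enabled under
    return bytes(a ^ b for a, b in zip(sealed["blob"], wrap))


# Seal once, at BitLocker enablement, against the measurements of the trusted boot path.
SEALED_KEY = seal(VOLUME_KEY, measure_boot(TRUSTED_BOOT))


def simulate_boot(stages):
    """Boot through the given stages and ask the TPM for the volume key."""
    return unseal(SEALED_KEY, measure_boot(stages))


if __name__ == "__main__":
    print("normal Windows boot unsealed key:", simulate_boot(TRUSTED_BOOT) == VOLUME_KEY)
    print("alternative OS unsealed key:    ", simulate_boot(ALTERNATE_BOOT) is not None)
    print("truncated boot unsealed key:    ", simulate_boot(TRUSTED_BOOT[:-1]) is not None)
```

The model makes the article's point concrete: the alternative-OS boot, a missing stage, or the same stages in a different order all produce a different PCR and no key, while the normal Windows boot unseals it every time. At that point the disk is readable by the running OS and the only remaining control is Windows logon itself, which is exactly the layer the MS15-122 fix hardens.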

Microsoft fixed the vulnerability Tuesday and published the corresponding MS15-122 security bulletin.

This attack shows that when it comes to security, we constantly need to reexamine old truths, Haken said.

BitLocker offers the option to enable preboot authentication using a PIN or a USB drive with a special key on it, in addition to the TPM. However, such configurations are a hard sell for enterprises, because they introduce friction for users and make it difficult for administrators to remotely manage computers, Haken said.

In its own documentation, Microsoft admits that preboot authentication is "unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network."
