Encryption is not something bad. In fact, encryption tools are initially designed to be of help, protecting data and keeping it away from malicious intentions. No matter how good it is, encryption has been in the center of many debates.
You will find experts on both sides of the story – pro-encryption and against it, that is. No matter what the truth is, researchers should always find the time and urge to investigate the subject and provide users with information. One of the latest studies that emphasizes on encryption concerns BitLocker, Microsoft’s own disk encryption utility. It has been tested in depth by Ian Haken from Synopsys, who has revealed in his vast report (published on November 12, 2015) that the tool can be easily bypassed.
This is how Haken’s report starts off:
Full disk encryption is a defensive measure in which all data stored on a physical disk or volume is encrypted, therefore protecting any data stored on a device such as saved passwords, emails, session tokens, and intellectual property (…) BitLocker is Microsoft’s full disk encryption solution included with certain versions of Windows, first introduced in 2007. This paper describes an attack which is able to bypass Windows authentication, even in the presence of BitLocker full disk encryption, and thus allows an attacker to access a user’s data or install software. On systems effected this attack therefore bypasses all of the protections offered by BitLocker.
BitLocker – Yes or No?
Before BitLocker was implemented in Windows, a malicious coder could effortlessly boot up a live Linux system and access user files on the hard drive. Nowadays, BitLocker should be here to offer impenetrable full-disk encryption. However, the Synopsys researcher has unveiled the troublesome fact that the BitLocker feature can be omitted, no sophisticated attacker skills required.
Who Is In Danger by the Vulnerability?
Not surprisingly, enterprise computers are the ones most likely to suffer from an attack bypassing BitLocker. Imagine the following scenario. An attacker takes a laptop off the network, the domain cannot be reached. The computer then withdraws to a local username and password stored in its cache.
(…) The attack to bypass local authentication and thereby defeat BitLocker’s full disk encryption assumes the following conditions:
1. BitLocker is enabled without pre-boot authentication, so the attacker is able to boot up the machine to the login screen.
2. The machine has joined a domain and an authorized domain user has previously logged into the machine.
How Did Haken Perform His Vulnerability Test?
He discovered a way to replace the cached password (unknown to the attacker). The only thing needed here is setting up a fake domain server identical to the original one, and creating a user account with a password created long ago, to initiate a policy-based password change.
Is the Flaw Fixed?
Microsoft has already fixed the bug, promising that no attackers have exploited it in reality. The bug should have been patched with the release of the security updates in the MS15-122 security bulletin. Microsoft has also said that bypassing BitLocker could happen only if a series of particular events take place.
According to Haken, the vulnerability is due to the fact that ‘At that point in time, an attacker having physical control of a client machine meant it was already totally compromised.’ He also adds that ‘when threat models change, the security architecture of applications may need to be carefully revised along with them.’ Word.
Jump to the whole report by Ian Haken.
More to Read: