Black Hat Amsterdam: BitLocker bypass remediated by Microsoft
Microsoft has fixed the BitLocker bypass that was disclosed in recent research. The shockingly simple bypass was demonstrated by a security researcher at Coverity, a software testing company. In a report that appears to be independent of the company itself, the author, Ian Haken, detailed how to bypass local Windows authentication to defeat full disk encryption; he presented his research at last week's Black Hat security conference in Amsterdam.
Microsoft began shipping BitLocker, a full disk encryption feature, in 2007. This kind of encryption prevents an attacker from getting into a device that has been lost or stolen to steal account details or proprietary information.
BitLocker relies on a Trusted Platform Module, or TPM, which stores the key used for encryption and allows the disk to be unlocked at boot without a password.
However, Haken devised an attack which, his paper notes, “takes advantage of physical access to bypass local windows authentication. When BitLocker is enabled without any form of pre-boot authentication by using the TPM, this would allow an attacker to access a user's data even though the disk is fully encrypted.” The paper added that “unlike other attacks that have been considered against full disk encryption generally or BitLocker specifically, this attack is completely reliable on systems affected, is a software-only attack, is fast, and does not require a sophisticated attacker (only require standard open source tools and a few commands).”
The attack involves setting up a mock domain controller for the targeted machine, with the user account's password set as expired. The attacker then connects the targeted machine to a network on which this domain controller is advertised, and finally disconnects the machine from the network and logs in with the new password the attacker has set for the account.
Now the attacker can get at anything that BitLocker previously protected, or install malware; basically having his way with the machine. Haken noted that “this attack is 100 percent reliable on affected systems, is not sophisticated and can be executed in a matter of seconds.”
Microsoft released a patch that closes this bypass last week, included in its Wednesday patch updates.
This attack can be prevented by using pre-boot authentication, but that is not widely deployed because the added security measures make everyday use of a computer more cumbersome.
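Because the bypass only applies when BitLocker is unlocked by the TPM alone, a defender's first check is which volumes lack any pre-boot factor. The script below is an added example, not code from the article or from Haken's research; it assumes an elevated PowerShell session on a Windows host where the built-in BitLocker module is available.

```powershell
# Added example (not from the article): report BitLocker volumes that rely on a
# TPM-only protector, i.e. no pre-boot authentication (no PIN or startup key).
# Assumes an elevated session with the built-in BitLocker module available.

# Protector types that add a pre-boot factor on top of (or instead of) the TPM.
$preBootTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password')

function Get-BitLockerPreBootReport {
    Get-BitLockerVolume | ForEach-Object {
        $vol   = $_
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # A volume unlocked by the TPM alone carries a 'Tpm' protector and none of
        # the pre-boot types. Recovery passwords do not count as pre-boot auth.
        $hasPreBoot = [bool]($types | Where-Object { $preBootTypes -contains $_ })
        $tpmOnly    = ($types -contains 'Tpm') -and -not $hasPreBoot
        $isOsVolume = ($vol.VolumeType -eq 'OperatingSystem')

        [PSCustomObject]@{
            Volume           = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            # Only the OS volume is unlocked at boot, so only it is rated here.
            PreBootAuth      = if ($isOsVolume) { $hasPreBoot } else { 'n/a' }
            Finding          = if ($isOsVolume -and $tpmOnly) {
                                   'TPM-only unlock: add a TpmPin or startup key protector'
                               } else { '' }
        }
    }
}

Get-BitLockerPreBootReport | Format-Table -AutoSize

# Remediation for a flagged OS volume (run interactively; the PIN is prompted for):
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
# The 'Require additional authentication at startup' policy must permit a TPM+PIN
# protector, otherwise the cmdlet is rejected.
```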