Serious Discussion Do you believe BitLocker has a backdoor?

[Studynxx]

Do you believe if, say, the police confiscate a person's BitLocker-encrypted devices, they will be able to decrypt it? Not just necessarily the police but anyone quite techsavvy.

All I know is that stackingsmashing achieved it:

 

[Bot]

While BitLocker is designed to be a secure encryption tool, it's not impervious to all forms of attack. The video you mentioned shows a physical attack method, which requires specific hardware and technical expertise. However, this doesn't necessarily mean there's a backdoor. It's more about exploiting vulnerabilities, which can exist in any software.

 

[Studynxx]

While BitLocker is designed to be a secure encryption tool, it's not impervious to all forms of attack. The video you mentioned shows a physical attack method, which requires specific hardware and technical expertise. However, this doesn't necessarily mean there's a backdoor. It's more about exploiting vulnerabilities, which can exist in any software.

I mean it's pretty worrisome that an encryption method has vulnerabilities..

 

[Bot]

I mean it's pretty worrisome that an encryption method has vulnerabilities..

Indeed, it can be concerning. However, no encryption method is 100% foolproof. The key is to stay updated with patches and use multiple layers of security to minimize risks.

 

[RoboMan]

I am certain it either has a backdoor or a NSA's exploited vulnerability. If you have sensitive information, you should encrypt it first then save it wherever you want. Use a container like Veracrypt's, which at least is open-source.

 

[Studynxx]

I am certain it either has a backdoor or a NSA's exploited vulnerability. If you have sensitive information, you should encrypt it first then save it wherever you want. Use a container like Veracrypt's, which at least is open-source.

You mean the exploit is "reserved" for federal agencies like the NSA? Or any nation's equivalent? And not "open to the public"?

 

[SpiderWeb]

I mean Microsoft assumes that the average Windows user is not smart and doesn't physically backup their encryption key so they keep a copy on OneDrive so that you can at least access your cloud files in the future. I see the goodwill here even though it could be used by law enforcement to access your files in the future. But, if I remember correctly you can set a new key provided you also create a physical backup key and it won't be saved in the cloud.

 

[bazang]

I mean it's pretty worrisome that an encryption method has vulnerabilities..

Lots of encryption algorithms and methods have vulnerabilities. That is why the field of cryptanalysis exists.

Aren't you xeno?

I mean Microsoft assumes that the average Windows user is not smart and doesn't physically backup their encryption key so they keep a copy on OneDrive so that you can at least access your cloud files in the future. I see the goodwill here even though it could be used by law enforcement to access your files in the future. But, if I remember correctly you can set a new key provided you also create a physical backup key and it won't be saved in the cloud.

If a user has committed a crime then it makes no difference who the software publisher is and what country they are located in - they are going to comply with a lawful order to provide infos.

The notion that law enforcement is conducting decryption campaigns willy-nilly and Microsoft is going to assist them is the nonsense that lives on these security forums.

I am certain it either has a backdoor or a NSA's exploited vulnerability. If you have sensitive information, you should encrypt it first then save it wherever you want. Use a container like Veracrypt's, which at least is open-source.

If nation state agencies are targeting you, then nothing or nobody can help you. Agencies do not have unlimited resources. They are very deliberate in what and whom they target, and there are policies & procedures that must be followed throughout the entire process to ensure compliance with statues and regulations.

 

[SpiderWeb]

@bazang Did you miss the Snowden security disclosures? Mass surveillance is real and governments are interested in decrypting user data. Maybe not your own government, but a foreign government might and like you said Microsoft is beholden to any jurisdiction. If M$ has your encryption key on OneDrive, what is stopping China from demanding it to see your data even though you don't live there? And it doesn't even have to be the typical boogeymen like China or Russia. Australia and the UK require companies to comply with decryption of data and UK-USA agreement aka Five Eyes requires that the US, Canada, UK, New Zealand and Australian intelligence agencies share their intelligence so the US government gets that data indirectly even if they claim they never demanded it from you.

But, I truly believe Microsoft has primarily doing this out of goodwill so that people don't accidentally lock themselves out of all their data when they do a fresh install or buy a new computer.

 

[Studynxx]

I mean Microsoft assumes that the average Windows user is not smart and doesn't physically backup their encryption key so they keep a copy on OneDrive so that you can at least access your cloud files in the future. I see the goodwill here even though it could be used by law enforcement to access your files in the future. But, if I remember correctly you can set a new key provided you also create a physical backup key and it won't be saved in the cloud.

This is what I've been wondering about. If someone does NOT store their key in OneDrive, MS account etc, doesn't print it out, write it down, saves it to a file, then can law enforcement somehow recover the key without doing what stackingsmashing did?

Lots of encryption algorithms and methods have vulnerabilities. That is why the field of cryptanalysis exists.

Aren't you xeno?


If a user has committed a crime then it makes no difference who the software publisher is and what country they are located in - they are going to comply with a lawful order to provide infos.

The notion that law enforcement is conducting decryption campaigns willy-nilly and Microsoft is going to assist them is the nonsense that lives on these security forums.


If nation state agencies are targeting you, then nothing or nobody can help you. Agencies do not have unlimited resources. They are very deliberate in what and whom they target, and there are policies & procedures that must be followed throughout the entire process to ensure compliance with statues and regulations.

Who is xeno?

 

[Wrecker4923]

Attacking a discrete TPM module like this has been known for a while now; that's why the pre-boot PIN is recommended for security-conscious individuals. Additionally, non-discrete fTPM does not have this vulnerability.

Law enforcement agencies and national intelligence agencies operate at different levels. Law enforcement agencies often rely on commercial products. You can gauge their capabilities through security product descriptions and forensic literature. On the other hand, national intelligence agencies possess the power and resources to discover/purchase vulnerabilities and keep them confidential. While they may have the technical ability to exploit vulnerabilities, the decision to allocate such resources and risk exposure on an individual is a separate matter.

 

[Marko :)]

Honestly, I never trust those "commercial" encryption programs because they can have backdoors and vulnerability which we don't know about, because they are closed source.

If you really want to encrypt your data on cloud services and Windows, I'd recommend using open source software for encryption and using it before sending files to the cloud. I wouldn't just rely on Microsoft's encryption because we have no proof that it really works as intended and that no one can access our data.

I'm doing this myself. I keep scans of personal documents locally on my PC and on Google Drive, but they are both in additionally encrypted format before sending. If I want to get the file from Google Drive, I download the nonsense file and then decrypt it using the same software. I think it's the only way.

 

[cartaphilus]

I am certain it either has a backdoor or a NSA's exploited vulnerability. If you have sensitive information, you should encrypt it first then save it wherever you want. Use a container like Veracrypt's, which at least is open-source.

If bitlocker had a backdoor it would have been found by now. That damn thing is old enough to apply for a driving license

 

[cartaphilus]

And if vulnerabilities in a vetted crypto method exist and somehow the agency decides to lose all of their advantage by revealing that they have decrypted your hard drive then honestly you have a lot more to worry about than just the data on the drive.


Let me just say that no matter how important anyone feels they are; in the eyes of the law the juice of decrypting your data via a vulnerability that's hasn't been disclosed and patched is not worth the squeeze. You are just not that important. (You is a colloquial you).

I can honestly say with 99.999% certainly that no one on this board has data that's important enough to lose a vulnerability advantage.

 

[bazang]

This is what I've been wondering about. If someone does NOT store their key in OneDrive, MS account etc, doesn't print it out, write it down, saves it to a file, then can law enforcement somehow recover the key without doing what stackingsmashing did?

Yes as @Wrecker4923 already stated.

If bitlocker had a backdoor it would have been found by now. That damn thing is old enough to apply for a driving license

These type videos and discussions that will never die-off until there are no more people in the world. There are similar conspiracy related topics in the mobile phone and even game console spaces.

"Microsoft and Bitlocker" have long been within the realm of conspiracy theories. There is that element of online digital tin foil thug life that is compelled to spread FUD and rile up a frenzied controversy. For the past 10 years everything I read online I filter it with the knowledge that click and rage bait are an everyday thing.

A person could perform online research for 30 days and come back here to show another 10 to 20 methods to "compromise" Windows or other Microsoft software. Just because any of it exists does not mean any of it needs to be fixed. In fact, it is because of Microsoft and other vendors refusal to fix stuff because the associated risk is minimal to non-existent.