Windows BitLocker Full Disk Encryption Can Be Bypassed

Exterminator

A study conducted by Synopsys security researcher Ian Haken shows that Microsoft's BitLocker disk encryption system, used to secure data on computers running Windows, can be bypassed using a simple trick.

BitLocker is a full-disk encryption system added to Windows in 2007, with the release of Vista. This feature allows both home users and enterprises to protect their data by means of powerful encryption, but without having to constantly enter a password at boot.

According to Haken's most recent research, BitLocker can be fooled into granting attackers access to the data if the attacker is in physical possession of a laptop or computer running Windows that had previously been part of a domain.

Devices must be part of a Windows domain for this attack to work
In large-scale enterprise configurations, Windows PCs are joined using virtual networks called "domains." A domain consists of all the users connected to the shared network, and a domain controller that is used to authenticate participants and grant them access to the network.

Authentication is based on a user password, which also gets stored locally on the computer inside a cache, and a unique machine password, which is generated under the hood for each domain-client connection.

Because BitLocker is specifically set up to grant access to encrypted data when working on an authorized domain, this poses some problems if an attacker manages to bypass the domain authentication.

Only works with physical access to the device
If an attacker manages to steal a laptop, they can replace the local password cache with a clone modified to have a date years in the past. If they create a new domain with the same name as the laptop's original domain, a flaw in the authentication mechanism would allow them to bypass the first authentication step consisting of the locally set user password.

This happens because of the "fake" domain controller's security policies that will prompt the user to change their extremely old password. After the attacker changes the stolen laptop's domain password, this new passphrase will then replace the laptop's original password in the stolen laptop's cache.

An attacker can then disconnect the laptop from the fake domain (unplug the network connection), even if the machine password was not validated and they weren't granted access to the domain (and indirectly to the BitLocker data).

Because machines often leave domains for short periods of time, BitLocker is also designed to allow access to encrypted data if the local user-generated password is entered.

BitLocker is tricked into revealing data via a poisoned credentials cache
This means that, after changing the local password through this technique, an attacker would then just have to unplug the network cable, enter their newly set password, and have access to BitLocker-encrypted data.

Because the laptop is offline or out of the domain, the password gets validated only against the poisoned domain credentials cache, and BitLocker won't be able to tell the difference.

The good news is that Microsoft fixed this issue via its MS15-122 security updates.

Mr. Haken has recently presented his Bypassing Local Windows Authentication to Defeat Full Disk Encryption research at the Black Hat Europe 2015 security conference in Amsterdam.
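The article's attack only works when three things line up: the machine is domain-joined, BitLocker unlocks the OS volume automatically (no pre-boot PIN or password, so the Windows logon is the only barrier), and Windows keeps a local copy of domain credentials that can be validated offline. The following read-only audit script is an added example, not code from the article, from Haken's research, or from anyone in this thread; it reports those three conditions plus whether a given Microsoft update is installed. The KB number for MS15-122 is not given on this page, so it is left as a placeholder to fill in from Microsoft's bulletin; the registry path, the `Win32_ComputerSystem` class and the `Get-BitLockerVolume` / `Get-HotFix` cmdlets are standard Windows components.

```powershell
# Added example (not from the article or the thread): read-only audit of the
# conditions behind the "poisoned credential cache" BitLocker bypass.
# Run in an elevated PowerShell session on the host being audited.

$cs = Get-CimInstance -ClassName Win32_ComputerSystem
$result = [ordered]@{
    ComputerName = $cs.Name
    DomainJoined = [bool]$cs.PartOfDomain
    Domain       = $cs.Domain
}

# Cached domain logons. Policy name: "Interactive logon: Number of previous
# logons to cache". A value of 0 disables offline logon with cached credentials,
# which removes the cache the attack poisons (at the cost of no offline logon).
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
$result.CachedLogonsCount = if ($null -eq $cached) { 'not set (Windows default is 10)' } else { $cached }

# BitLocker state of the OS volume (requires the BitLocker PowerShell module).
$os = Get-BitLockerVolume -MountPoint $env:SystemDrive
$result.ProtectionStatus = $os.ProtectionStatus
$types = $os.KeyProtector | ForEach-Object { $_.KeyProtectorType }
$result.KeyProtectors = ($types -join ', ')

# With a TPM-only protector the volume is unlocked before anyone logs on, so the
# Windows logon (and therefore the credential cache) is all that guards the data.
# TpmPin, TpmPinKey or Password protectors require something at boot instead.
$result.PreBootAuth = [bool]($types | Where-Object { $_ -in 'TpmPin', 'TpmPinKey', 'Password' })

# Patch check. PLACEHOLDER: replace with the KB article number Microsoft lists
# for MS15-122 (the page does not state it).
$patchKb = 'KBnnnnnnn'
$result.MS15_122_Installed = [bool](Get-HotFix -Id $patchKb -ErrorAction SilentlyContinue)

# Summarise exposure: domain-joined, cache enabled, no pre-boot auth, patch missing.
$result.ExposedToCacheBypass = $result.DomainJoined -and
    ($result.CachedLogonsCount -ne '0') -and
    (-not $result.PreBootAuth) -and
    (-not $result.MS15_122_Installed)

[pscustomobject]$result | Format-List
```

A machine that reports `ExposedToCacheBypass : True` has every precondition the article describes; the two changes that close the gap independently of the patch are enabling a pre-boot PIN (TPM+PIN protector) and, where offline logon is not needed, setting the cached logon count to 0.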

Enju

Heh, that's quite the feat to come up with such a workaround; who knows if they were even the first ones to discover this issue... :p

Ink

I have never trusted BitLocker since it's owned by Microsoft.
It's been patched. What do you use, Linux?

Am I right in assuming Home users with BitLocker are not affected, unless they are specifically part of a Domain and the laptop is stolen?

darko999

It's been patched. What do you use, Linux?

Am I right in assuming Home users with BitLocker are not affected, unless they are specifically part of a Domain and the laptop is stolen?

That's right, and no; I'm on Windows. However, I just don't like BitLocker as an encryption tool.

upnorth

That's right, and no; I'm on Windows. However, I just don't like BitLocker as an encryption tool.

I don't like it, and I definitely do not trust it, as this method mentioned in the article is just one of many, many ways, even if this specific one is now patched. Already in 2007 and 2008 reports came that some security companies and law enforcement were able to access it with tools, for example COFEE, Passware Kit Forensic, etc. Nowadays these tools and others are of course much more advanced, and not all of it is flaunted in the open. COFEE was actually created by Microsoft themselves, and that says IMO everything I need to know.