Microsoft fixes BitLocker disk encryption bypass

By on
Microsoft fixes BitLocker disk encryption bypass

Enterprise systems connected to domains most at risk.

Microsoft's latest Patch Wednesday round of security fixes remediated a flaw in the design of its Windows BitLocker full-disk encryption that could be bypassed in seconds, a researcher found.

Security vendor Ian Haken presented his paper, Bypassing local Windows Authentication to defeat full disk encryption [pdf], at the European Blackhat security conference last week.

He described a technique that could be reliably used by unsophisticated attackers to bypass BitLocker in the professional and enterprise editions of Windows.

A PC that has joined a corporate domain, and on which an authorised user has previously logged on, could have been attacked by setting up a mock domain controller on the target network, Haken said.

As domain and user names show up in plaintext on the domain name system (DNS) and Kerberos protocols, an attacker could harvest thes details from the network traffic. Or, Haken wrote, an attacker could just read both names off the login screen of the target machine.

The target machine is then connected to the network on which the attacker has set up the bogus domain controller. The attacker logs in to the target machine with the password used to set up the domain user account, which is considered expired by policy.

As such, the target machine will prompt the attacker to change the password, Haken wrote. As the machine password on the domain controller is absent, the login will fail but the local system credentials cache is now poisoned with the attacker's password.

Finally, the attacker disconnects the target system from the network, and logs in with the password they have set, which will be accepted as it is stored in the local, poisoned system cache.

Haken said the attacker now has full access to all of the user's data, rendering BitLocker encryption protection redundant.

For the exploit to work, BitLocker would have to be enabled without any form of pre-boot authentication using the hardware Trusted Platform Module in computers, something Microsoft recommends as a deployment strategy for the disk encryption tool.

Pre-boot authentication improves security greatly, but as users have to physically authenticate themselves before the encrypted disks can be accessed, start up times are increased and PCs cannot be accessed remotely.

As a result, pre-boot authentication is seldom used due its inconvenience and limitations it places.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bitlocker full disk encryption microsoft security windows
In Partnership With

Most Read Articles

RACV 'system error' empties bank accounts, credit cards

RACV 'system error' empties bank accounts, credit cards
NBN Co gives first sign its FTTC targets are achievable

NBN Co gives first sign its FTTC targets are achievable
Woolworths takes agile clues from ANZ and its 'cool uncle'

Woolworths takes agile clues from ANZ and its 'cool uncle'
NBN Co proposes to unmeter some Sky Muster traffic

NBN Co proposes to unmeter some Sky Muster traffic
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Data Science and AI Solutions for Cybersecurity
Data Science and AI Solutions for Cybersecurity
Intro to AI for Security Professionals
Intro to AI for Security Professionals
Digital Transformation: Hope, or Hype?
Digital Transformation: Hope, or Hype?
How to choose a trusted IT provider
How to choose a trusted IT provider
Why Business Process Modelling Matters
Why Business Process Modelling Matters

Events

Log In

Username / Email:
Password:
  |  Forgot your password?