Microsoft fixes BitLocker disk encryption bypass

By on
Microsoft fixes BitLocker disk encryption bypass

Enterprise systems connected to domains most at risk.

Microsoft's latest Patch Wednesday round of security fixes remediated a flaw in the design of its Windows BitLocker full-disk encryption that could be bypassed in seconds, a researcher found.

Security vendor Ian Haken presented his paper, Bypassing local Windows Authentication to defeat full disk encryption [pdf], at the European Blackhat security conference last week.

He described a technique that could be reliably used by unsophisticated attackers to bypass BitLocker in the professional and enterprise editions of Windows.

A PC that has joined a corporate domain, and on which an authorised user has previously logged on, could have been attacked by setting up a mock domain controller on the target network, Haken said.

As domain and user names show up in plaintext on the domain name system (DNS) and Kerberos protocols, an attacker could harvest thes details from the network traffic. Or, Haken wrote, an attacker could just read both names off the login screen of the target machine.

The target machine is then connected to the network on which the attacker has set up the bogus domain controller. The attacker logs in to the target machine with the password used to set up the domain user account, which is considered expired by policy.

As such, the target machine will prompt the attacker to change the password, Haken wrote. As the machine password on the domain controller is absent, the login will fail but the local system credentials cache is now poisoned with the attacker's password.

Finally, the attacker disconnects the target system from the network, and logs in with the password they have set, which will be accepted as it is stored in the local, poisoned system cache.

Haken said the attacker now has full access to all of the user's data, rendering BitLocker encryption protection redundant.

For the exploit to work, BitLocker would have to be enabled without any form of pre-boot authentication using the hardware Trusted Platform Module in computers, something Microsoft recommends as a deployment strategy for the disk encryption tool.

Pre-boot authentication improves security greatly, but as users have to physically authenticate themselves before the encrypted disks can be accessed, start up times are increased and PCs cannot be accessed remotely.

As a result, pre-boot authentication is seldom used due its inconvenience and limitations it places.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bitlocker full disk encryption microsoft security windows
In Partnership With

Most Read Articles

NSW puts digital driver's licence on a blockchain

NSW puts digital driver's licence on a blockchain
ANZ breaks out LEGO to bust staff silos

ANZ breaks out LEGO to bust staff silos
UNSW researchers find FTTP NBN worth the extra billions

UNSW researchers find FTTP NBN worth the extra billions
ANZ digital chief Maile Carnegie frets over human obsolescence

ANZ digital chief Maile Carnegie frets over human obsolescence
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

How to choose a trusted IT provider
How to choose a trusted IT provider
Why Business Process Modelling Matters
Why Business Process Modelling Matters
Report: ANZ IT Decision Makers - Top Priorities for Endpoint Security 2018
Report: ANZ IT Decision Makers - Top Priorities for Endpoint Security 2018
Managed Security Service Providers for Dummies
Managed Security Service Providers for Dummies
The Cost of Cloud Expertise report
The Cost of Cloud Expertise report

Events

Log In

Username / Email:
Password:
  |  Forgot your password?