Microsoft fixes BitLocker disk encryption bypass

By on
Microsoft fixes BitLocker disk encryption bypass

Enterprise systems connected to domains most at risk.

Microsoft's latest Patch Wednesday round of security fixes remediated a flaw in the design of its Windows BitLocker full-disk encryption that could be bypassed in seconds, a researcher found.

Security vendor Ian Haken presented his paper, Bypassing local Windows Authentication to defeat full disk encryption [pdf], at the European Blackhat security conference last week.

He described a technique that could be reliably used by unsophisticated attackers to bypass BitLocker in the professional and enterprise editions of Windows.

A PC that has joined a corporate domain, and on which an authorised user has previously logged on, could have been attacked by setting up a mock domain controller on the target network, Haken said.

As domain and user names show up in plaintext on the domain name system (DNS) and Kerberos protocols, an attacker could harvest thes details from the network traffic. Or, Haken wrote, an attacker could just read both names off the login screen of the target machine.

The target machine is then connected to the network on which the attacker has set up the bogus domain controller. The attacker logs in to the target machine with the password used to set up the domain user account, which is considered expired by policy.

As such, the target machine will prompt the attacker to change the password, Haken wrote. As the machine password on the domain controller is absent, the login will fail but the local system credentials cache is now poisoned with the attacker's password.

Finally, the attacker disconnects the target system from the network, and logs in with the password they have set, which will be accepted as it is stored in the local, poisoned system cache.

Haken said the attacker now has full access to all of the user's data, rendering BitLocker encryption protection redundant.

For the exploit to work, BitLocker would have to be enabled without any form of pre-boot authentication using the hardware Trusted Platform Module in computers, something Microsoft recommends as a deployment strategy for the disk encryption tool.

Pre-boot authentication improves security greatly, but as users have to physically authenticate themselves before the encrypted disks can be accessed, start up times are increased and PCs cannot be accessed remotely.

As a result, pre-boot authentication is seldom used due its inconvenience and limitations it places.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bitlocker full disk encryption microsoft security windows
In Partnership With

Most Read Articles

MYOB floored by AWS Sydney database outage

MYOB floored by AWS Sydney database outage
Tax crackdown on IT contractors now snares non-technology businesses

Tax crackdown on IT contractors now snares non-technology businesses
Australian bank customers caught in valuation firm data breach

Australian bank customers caught in valuation firm data breach
Suncorp CEO demands proof from Oracle that frozen core banking system actually works

Suncorp CEO demands proof from Oracle that frozen core banking system actually works
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Cloud, AI, infosec: Is your IT strategy keeping up?
Cloud, AI, infosec: Is your IT strategy keeping up?
Automate and secure IOT for Business
Automate and secure IOT for Business
Data Science and AI Solutions for Cybersecurity
Data Science and AI Solutions for Cybersecurity
Intro to AI for Security Professionals
Intro to AI for Security Professionals
Digital Transformation: Hope, or Hype?
Digital Transformation: Hope, or Hype?

Events

Log In

Username / Email:
Password:
  |  Forgot your password?