Microsoft fixes BitLocker disk encryption bypass

By on
Microsoft fixes BitLocker disk encryption bypass

Enterprise systems connected to domains most at risk.

Microsoft's latest Patch Wednesday round of security fixes remediated a flaw in the design of its Windows BitLocker full-disk encryption that could be bypassed in seconds, a researcher found.

Security vendor Ian Haken presented his paper, Bypassing local Windows Authentication to defeat full disk encryption [pdf], at the European Blackhat security conference last week.

He described a technique that could be reliably used by unsophisticated attackers to bypass BitLocker in the professional and enterprise editions of Windows.

A PC that has joined a corporate domain, and on which an authorised user has previously logged on, could have been attacked by setting up a mock domain controller on the target network, Haken said.

As domain and user names show up in plaintext on the domain name system (DNS) and Kerberos protocols, an attacker could harvest thes details from the network traffic. Or, Haken wrote, an attacker could just read both names off the login screen of the target machine.

The target machine is then connected to the network on which the attacker has set up the bogus domain controller. The attacker logs in to the target machine with the password used to set up the domain user account, which is considered expired by policy.

As such, the target machine will prompt the attacker to change the password, Haken wrote. As the machine password on the domain controller is absent, the login will fail but the local system credentials cache is now poisoned with the attacker's password.

Finally, the attacker disconnects the target system from the network, and logs in with the password they have set, which will be accepted as it is stored in the local, poisoned system cache.

Haken said the attacker now has full access to all of the user's data, rendering BitLocker encryption protection redundant.

For the exploit to work, BitLocker would have to be enabled without any form of pre-boot authentication using the hardware Trusted Platform Module in computers, something Microsoft recommends as a deployment strategy for the disk encryption tool.

Pre-boot authentication improves security greatly, but as users have to physically authenticate themselves before the encrypted disks can be accessed, start up times are increased and PCs cannot be accessed remotely.

As a result, pre-boot authentication is seldom used due its inconvenience and limitations it places.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bitlocker full disk encryption microsoft security windows
In Partnership With

Most Read Articles

ASD returns fire over Microsoft removal claims

ASD returns fire over Microsoft removal claims
TPG joins Telstra in showing NBN fixed wireless speeds

TPG joins Telstra in showing NBN fixed wireless speeds
Service NSW turfs Windows OS for Chrome

Service NSW turfs Windows OS for Chrome
NBN speed standards emerge at top tiers

NBN speed standards emerge at top tiers
You must be a registered member of iTnews to post a comment.
| Register

Whitepapers from our sponsors

Managed Security Service Providers for Dummies
Managed Security Service Providers for Dummies
The Cost of Cloud Expertise report
The Cost of Cloud Expertise report
The business case for hyperconvergence
The business case for hyperconvergence
What Every CIO Should Know about DevOps & Container Guides by Puppet
What Every CIO Should Know about DevOps & Container Guides by Puppet
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators
The 5G Business Potential – Industry digitalisation and the untapped opportunities for operators

Events

Log In

Username / Email:
Password:
  |  Forgot your password?