Microsoft fixes BitLocker disk encryption bypass

By on
Microsoft fixes BitLocker disk encryption bypass

Enterprise systems connected to domains most at risk.

Microsoft's latest Patch Wednesday round of security fixes remediated a flaw in the design of its Windows BitLocker full-disk encryption that could be bypassed in seconds, a researcher found.

Security vendor Ian Haken presented his paper, Bypassing local Windows Authentication to defeat full disk encryption [pdf], at the European Blackhat security conference last week.

He described a technique that could be reliably used by unsophisticated attackers to bypass BitLocker in the professional and enterprise editions of Windows.

A PC that has joined a corporate domain, and on which an authorised user has previously logged on, could have been attacked by setting up a mock domain controller on the target network, Haken said.

As domain and user names show up in plaintext on the domain name system (DNS) and Kerberos protocols, an attacker could harvest thes details from the network traffic. Or, Haken wrote, an attacker could just read both names off the login screen of the target machine.

The target machine is then connected to the network on which the attacker has set up the bogus domain controller. The attacker logs in to the target machine with the password used to set up the domain user account, which is considered expired by policy.

As such, the target machine will prompt the attacker to change the password, Haken wrote. As the machine password on the domain controller is absent, the login will fail but the local system credentials cache is now poisoned with the attacker's password.

Finally, the attacker disconnects the target system from the network, and logs in with the password they have set, which will be accepted as it is stored in the local, poisoned system cache.

Haken said the attacker now has full access to all of the user's data, rendering BitLocker encryption protection redundant.

For the exploit to work, BitLocker would have to be enabled without any form of pre-boot authentication using the hardware Trusted Platform Module in computers, something Microsoft recommends as a deployment strategy for the disk encryption tool.

Pre-boot authentication improves security greatly, but as users have to physically authenticate themselves before the encrypted disks can be accessed, start up times are increased and PCs cannot be accessed remotely.

As a result, pre-boot authentication is seldom used due its inconvenience and limitations it places.

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
bitlocker full disk encryption microsoft security windows

Sponsored Whitepapers

How Security as Code changes development and deployment for the cloud
How Security as Code changes development and deployment for the cloud
Tackle new ITSM priorities with this seven-step Micro Focus guide
Tackle new ITSM priorities with this seven-step Micro Focus guide
Tomago Aluminium improves SAP environment performance, security with Red Hat and IBM
Tomago Aluminium improves SAP environment performance, security with Red Hat and IBM
Future of work: Support your distributed HR workforce with digital document processes
Future of work: Support your distributed HR workforce with digital document processes
Develop a resiliency strategy that integrates risk analysis & continuity management
Develop a resiliency strategy that integrates risk analysis & continuity management

Events

Most Read Articles

Telstra-led consortium to build out NSW's digital twin

Telstra-led consortium to build out NSW's digital twin
Macquarie Bank looks to break free of IaaS

Macquarie Bank looks to break free of IaaS
Adobe scores $32m myGov software deal

Adobe scores $32m myGov software deal
Westpac loses its group head of data and advanced analytics

Westpac loses its group head of data and advanced analytics

Log In

Email:
Password:
  |  Forgot your password?