Menu
BitLocker encryption can be defeated with trivial Windows authentication bypass

BitLocker encryption can be defeated with trivial Windows authentication bypass

Domain-joined Windows computers that use BitLocker should be patched as soon as possible

Companies relying on Microsoft BitLocker to encrypt the drives of their employees' computers should install the latest Windows patches immediately. A researcher disclosed a trivial Windows authentication bypass, fixed earlier this week, that puts data on BitLocker-encrypted drives at risk.

Ian Haken, a researcher with software security testing firm Synopsys, demonstrated the attack Friday at the Black Hat Europe security conference in Amsterdam. The issue affects Windows computers that are part of a domain, a common configuration on enterprise networks.

When domain-based authentication is used on Windows, the user's password is checked against a computer that serves as domain controller. However, in situations when, for example, a laptop is taken outside of the network and the domain controller cannot be reached, authentication relies on a local credentials cache on the machine.

In order to prevent an attacker from connecting a stolen, lost or unattended laptop to a different network and creating a spoofed domain controller that accepts another password to unlock it, the authentication protocol also verifies that the machine itself is registered on the domain controller using a separate machine password.

This additional check doesn't happen when the controller cannot be reached, because the protocol developers assumed that the attacker can't change the user password stored in the local cache. However, Haken figured out a way to do it -- and it only takes a few seconds if automated.

First, the attacker sets up a mock domain controller with the same name as the one the laptop is supposed to connect to. He then creates the same user account on the controller as on the laptop and creates a password for it with a creation date far in the past.

When authentication is attempted with the attacker's password on the laptop, the domain controller will inform Windows that the password has expired and the user will automatically be prompted to change it. This happens before verifying that the machine is also registered on the controller.

At this point the attacker will have the ability to create a new password on the laptop, which will replace the original one in the local credentials cache.

Logging in while connected to the rogue domain controller would still fail, because the controller does not have the machine password. However, the attacker could disconnect the laptop from the network in order to force a fallback to local authentication, which will now succeed because only the user password is verified against the cache.

This is a logic flaw that has been in the authentication protocol since Windows 2000, the researcher said. However, physical access did not used to be part of the Windows threat model, because in such a situation an attacker could boot from an alternative source, like a live Linux CD to access to the data anyway.

That all changed when BitLocker was introduced in Windows Vista. Microsoft's full-disk encryption technology, which is available in the professional and enterprise editions of Windows, is specifically designed to protect data in case a computer is stolen or lost -- in other words when an unauthorized individual has physical access to it.

BitLocker stores the data encryption key in a Trusted Platform Module (TPM), a secure hardware component that performs cryptographic operations. The key is unsealed from the TPM only if the same boot process is followed as when BitLocker was first activated.

The various stages of the boot process are cryptographically verified, so an attacker with physical access to a BitLocker-enabled laptop will not be able to boot from an alternative OS to read the data stored on its drive. The only possibility left for the attacker in this case is to boot normally to unlock the encryption key and then to bypass the Windows authentication to gain access to the data, which Haken's attack allows.

Microsoft fixed the vulnerability Tuesday and published the corresponding MS15-122 security bulletin.

This attack shows that when it comes to security, we constantly need to reexamine old truths, Haken said.

BitLocker offers the option to enable preboot authentication using a PIN or a USB drive with a special key on it, in addition to the TPM. However, such configurations are a hard sell for enterprises, because they introduce friction for users and make it difficult for administrators to remotely manage computers, Haken said.

In its own documentation, Microsoft admits that preboot authentication is "unacceptable in the modern IT world, where users expect their devices to turn on instantly and IT requires PCs to be constantly connected to the network."

Follow Us

Join the New Zealand Reseller News newsletter!

Error: Please check your email address.

Tags BLACK HAT EUROPE

Slideshows

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise

Ingram Micro completed its nationwide roadshow in Auckland last month, kicking off its Innovation Hour series with Hewlett Packard Enterprise. Uncovering the latest in storage, networking and servers, the event outlined key market trends for resellers in 2016 and beyond.

IN PICTURES: Ingram Micro Innovation hits Auckland with Hewlett Packard Enterprise
IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference

FireEye welcomed 143 channel partners and distributors to FireEye's 2016 annual Partner Conference, FireEye A/NZ Momentum - held at Establishment in Sydney. Delegates heard from senior trans-Tasman channel leaders, marketing and the product divisions in the morning, with FireEye customers, incident responders and threat intelligence analysts sharing knowledge during the afternoon.

IN PICTURES: FireEye celebrates channel at 2016 Partner Conference
Show Comments