BitLocker popper uses Windows authentication to attack itself

Synopsys security boffin Ian Haken says un-patched PCs in enterprises are at risk of having user accounts popped and Bitlocker bypassed, in an attack he describes as "trivial" to perform. The attack vector, sealed off in the latest round of Redmond patches (MS15-122), affects those Windows machines that are part of network …

  1. Robert Helpmann??
    Childcatcher

    Would it also work vs two factor authentication?

    Many government systems require smart card login, which I believe would at least complicate this hack, assuming drive encryption. This can be expensive to implement, but as the main targets of this sort of attack are likely to be corporate assets, it would probably be within reach to implement.

    1. Anonymous Coward
      Anonymous Coward

      Re: Would it also work vs two factor authentication?

      "un-patched PCs in enterprises are at risk of having user accounts popped and Bitlocker bypassed"

      No enterprise would normally use Bitlocker without the recommended settings - which include a pin code - which defeats this attack.

      1. John Brown (no body) Silver badge

        Re: Would it also work vs two factor authentication?

        "No enterprise would normally use Bitlocker without the recommended settings - which include a pin code - which defeats this attack."

        So the three local councils I can think of where I know bitlocker is in use are not an "enterprise" by that definition. Sad innit.

        1. swampdog

          Re: Would it also work vs two factor authentication?

          That might possibly be four local councils!

        2. Anonymous Coward
          Anonymous Coward

          Re: Would it also work vs two factor authentication?

          "No enterprise ^^^with competent IT staff^^^ would normally use Bitlocker without the recommended settings - which include a pin code - which defeats this attack."

          TFTFY - now it covers the public sector too....

  2. Anonymous Coward
    Anonymous Coward

    There's a race here..

    Over the years I've come to suspect that there is a race on who can code worse and still get installed between Microsoft and Adobe. I have no idea who is winning, it seems pretty neck and neck.

    1. tony2heads

      Re: There's a race here..

      No competition really

      Clearly Adobe have the experience of writing really buggy code, and I expect them to keep ahead for the foreseeable future.

  3. Anonymous Coward
    Anonymous Coward

    Domain trust should be based on more than just the name matches!

    FFS Microsoft. Unique SIDs are there for a reason.

    1. phuzz Silver badge
      Facepalm

      Re: Domain trust should be based on more than just the name matches!

      Even a SID could be spoofed, but the attacker would have had to have previously connected to the target domain to get that SID.

      Instead, why not use certificates to verify the identity of both the domain and the client laptop?

      1. Anonymous Coward
        Anonymous Coward

        Re: Domain trust should be based on more than just the name matches!

        "Instead, why not use certificates to verify the identity of both the domain and the client laptop?"

        You mean enable IPSEC?

        1. joed

          Re: Domain trust should be based on more than just the name matches!

          Exactly. It looks like a computer account is validated more stringently than a server's (certificates etc). Try using a VM's snapshot after restore. Same for RDP. Yet servers can be impersonated so easily, even though a Windows PC has all the certs needed to authenticate the DC.

          If I recall, MS has recently patched an issue where a networked system would execute any logon scripts as long as the path matched. I guess it was too much to ask for MS to really address the source of the problem. Band-aid type of fix it was, then.

  4. Gotno iShit Wantno iShit

    Sadistic?

    "Only sadistic sysadmins whose users suffer having to enter pre-boot passwords are immune, Haken says."

    What on earth is sadistic about that? Last place I worked, just about every aspect of the IT was an utter shambolic disaster. One of the few examples that wasn't was the (iirc) McAfee drive encryption with pre-boot authentication. When it got installed it just worked. Every morning it just worked. Every password change, once you knew to wait an hour and log off/on before shutting down, it just worked. Why is entering your password before boot rather than after sadistic?

    Even there, if you didn't know the password change trick you soon learned that for one boot cycle you'd enter the old password before boot and the new one at log in. Is that, typically once a quarter, really so insufferable?

    1. John Robson Silver badge

      Re: Sadistic?

      - Is that, typically once a quarter, really so insufferable?

      Once a quarter? Try every 30 days (i.e. not quite aligned to months)

      Particularly when you normally work remotely (at a client site) and therefore don't get any warnings of password expiry...

    2. Anonymous Coward
      Anonymous Coward

      Re: Sadistic?

      Once a quarter? 'Round these parts, IT have set the group policy to force update installation, and approve WSUS updates on a random basis. We're lucky to go a week without Windows Update popping up to bug us to reboot.

  5. Anonymous Coward
    Linux

    Linux is 100% immune

    Well, has to be as Linux desktops aren't deployed in the enterprise!

  6. artbristol

    Passwordless Bitlocker?

    How could that even work? If a bug in Windows can decrypt the disk without the user's password, then obviously some malicious code or recovery tool could do the same thing.

    1. Anonymous Coward
      Anonymous Coward

      Re: Passwordless Bitlocker?

      No. Because that would require you to run the application against the data on the machine, which is encrypted. The hack here is that a network exchange of info regarding the password takes place without the need for access to the OS or apps or data for the machine in question.

    2. Lennart Sorensen

      Re: Passwordless Bitlocker?

      The fact it allows windows to boot from an "encrypted" drive without asking for the decryption password certainly indicates that such a problem exists.

      1. joed

        Re: Passwordless Bitlocker?

        No, the "easy" boot (with TPM opening the key store for normal start) is not a problem, just a reasonable compromise between usability and security. You can still manage BL lockout so a failed login to Windows would force a BL key prompt at boot.

        It's true that the machine is exposed on the network to all other security exploits (once Windows has started), but this particular issue is ridiculous due to the type of problem. Looks like "domain trust failed" is a one-way affair only, and this is the crux of the problem.
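The thread above turns on whether a machine boots with a TPM-only protector or also demands a pre-boot PIN. As an added example (not from the article or any commenter), this script audits the key protectors on each BitLocker volume and flags TPM-only ones; it assumes the built-in BitLocker PowerShell module (Get-BitLockerVolume) and an elevated prompt.

```powershell
# Added example: list BitLocker volumes and flag those protected by the TPM
# alone, i.e. without the pre-boot PIN the thread describes as the
# recommended setting. Assumes the built-in BitLocker module and elevation.

function Get-BitLockerPinAudit {
    foreach ($v in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmPinStartupKey,
        # TpmStartupKey, RecoveryPassword, ExternalKey and Password.
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPin)

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = $v.VolumeType
            ProtectionStatus = $v.ProtectionStatus
            Protectors       = ($types -join ',')
            PreBootPin       = $hasPin
            TpmOnly          = $tpmOnly
        }
    }
}

# Show every volume, then call out OS volumes that rely on the TPM alone.
$audit = Get-BitLockerPinAudit
$audit | Format-Table -AutoSize

$weak = $audit | Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.TpmOnly }
if ($weak) {
    Write-Warning ("TPM-only OS volume(s) without a pre-boot PIN: " +
                   (($weak | ForEach-Object { $_.MountPoint }) -join ', '))
}
```

Run it across a fleet (for example via a remoting session) to find machines where the TPM unlocks the OS volume with no PIN, which is the configuration the commenters say the fix-recommended PIN setting avoids.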

  7. NeverMindTheBullocks

    Would hibernation defeat the boot password?

    We have Bitlocker with a boot password here, however many users simply hibernate their laptops instead of shutting them down as the startup process is so slow.

    Would this work if a stolen device had been put into hibernation, even with a boot password?

  8. TheVogon

    "Would this work if a stolen device had been put into hibernation, even with a boot password?"

    No, when you resume from Hibernation BitLocker will prompt to enter the PIN again.

  9. Old Handle
    Facepalm

    Remind me why the TrueCrypt people pushed this as an acceptable substitute again.

    1. Lennart Sorensen

      If you use it with the boot password (which I honestly thought everyone did), then it probably is a good replacement for truecrypt. If you use it in stupid mode because it would be so awful if you inconvenienced the users, then it isn't.

      1. joed

        Unfortunately - due to its closed-source nature - BL can't be checked for backdoors. Not an issue for most applications, but definitely a problem for someone that may deal with three-letter organizations.
