Microsoft Responds to Windows BitLocker Claims

In a posting at the Windows Security Blog, Microsoft's Paul Cooke addresses recent claims by Fraunhofer SIT about the supposed ineffectiveness of BitLocker, the full disk encryption technology that's available in Windows Vista, 7, and Server 2008. According to the software giant, the Fraunhofer SIT report is incorrect: BitLocker cannot be "broken" or "bypassed" when used as directed. Here's the word:

Windows 7 is seeing success in the marketplace which I am very happy about from a security perspective. The Microsoft Security Intelligence Report has shown us again and again that the more up-to-date a PC is, the less likely it is to be infected by malware and other potentially dangerous software. So Windows 7 making strides is helpful to the ecosystem overall from a security standpoint. Success comes at a price though, through greater scrutiny and misinterpretation of some of the technologies. One of those technologies is BitLocker.

I've seen numerous claims the past few weeks about weaknesses in BitLocker and even claims of commercial software that "breaks" BitLocker. One claim is from a product that "allows bypassing BitLocker encryption for seized computers." This claim is for a forensics product and has legitimate uses; however, to say it "breaks" BitLocker is a bit of a misnomer. The tool "recovers encryption keys for hard drives" which relies on the assumption that a physical image of memory is accessible, which is not the case if you follow BitLocker's best practices guidance. The product, like others used legitimately for data recovery and digital forensics analysis, requires "a physical memory image file of the target computer" to extract the encryption keys for a BitLocker disk. Our discussions of Windows BitLocker have always been to communicate that it is intended to help protect data at rest (e.g. when the machine is powered off). If a forensics analyst or thief/adversary has physical access to a running system, it may be possible to make a copy of the computer's memory contents by using an administrative account on the system, or potentially through hardware-based methods such as direct memory access (DMA).

Another report discusses targeted attack vectors where the attacker must gain physical access to the computer, multiple times I might add. This research is similar to other published attacks where the owner leaves a computer unattended in a hotel room and anyone with access to the room could tamper with this computer. This sort of targeted attack poses a relatively low risk to folks who use BitLocker in the real world. Even with BitLocker's multi-authentication configurations, an attacker could spoof the pre-OS collection of the user's PIN, store this PIN for later retrieval, and then reboot into the authentic collection of the user's PIN. The attacker would then be required to gain physical access to the laptop for a second time in order to retrieve the user's PIN and complete the attack scheme. These sorts of targeted threats are not new and are something we've addressed in the past; in 2006 we discussed similar attacks, where we've been straightforward with customers and partners that BitLocker does not protect against these unlikely, targeted attacks.

Our customers are confronted with a wide spectrum of data security threats that are specific to their environment and we work hard to provide capabilities and information to help the customer achieve the right balance of security, manageability, and ease-of-use for their specific circumstances. BitLocker is an effective solution to help safeguard personal and private data on mobile PCs and provides a number of protection options that meet different end-user needs. Like most full volume encryption products on the market, BitLocker uses a key in memory when the system is running in order to encrypt/decrypt data on the fly for the drives in use. Also like other encryption products, a determined adversary has significant advantages when they have physical access to a computer.

We recognize users want advice with regards to BitLocker and have published best practice guidance in The Data Encryption Toolkit for Mobile PCs. In the toolkit, we discuss the balance of security and usability and detail that the most secure method is to use BitLocker in hibernate mode and a TPM+PIN configuration. Using this method, a machine that is powered off or hibernated will protect users from the ability to extract a physical memory image of the computer.

Windows 7 BitLocker continues to be a foundational component adding to any defense in depth strategy for securing systems, and specifically laptops. Even with the great enhancements made in Windows 7 such as BitLocker To Go, it still remains that BitLocker alone is not a complete security solution. IT professionals as well as users must be diligent when protecting IT resources, and the best protection against these sorts of targeted attacks requires more than just technology: it requires end user education, and physical security also plays an important role.
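
The guidance quoted above (TPM+PIN rather than TPM-only, hibernate rather than sleep, so that no volume key sits in RAM on a lost machine) can be audited on a fleet. The following PowerShell check is an added example, not code from the article or from Microsoft; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later; the Windows 7 generation discussed here would use manage-bde.exe instead) and an elevated session.

```powershell
# Added example: audit one volume against the "TPM+PIN plus hibernate" guidance.
# Assumes Get-BitLockerVolume is available and the shell runs elevated.
function Test-BitLockerPosture {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectorTypes = $vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }

    # powercfg /hibernate on|off writes this DWORD; 0 means a closed lid puts the
    # machine to sleep with the volume key still resident in memory.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                              -ErrorAction SilentlyContinue
    $hibernateOn = ($null -ne $power) -and ($power.HibernateEnabled -eq 1)

    $result = [ordered]@{
        MountPoint        = $MountPoint
        FullyEncrypted    = ($vol.VolumeStatus -eq 'FullyEncrypted')
        ProtectionOn      = ($vol.ProtectionStatus -eq 'On')
        # TPM+PIN (with or without a startup key) requires user presence at boot.
        TpmPinProtector   = ($protectorTypes -contains 'TpmPin') -or
                            ($protectorTypes -contains 'TpmPinStartupKey')
        # TPM-only releases the key to any boot that passes measurement, no PIN.
        TpmOnlyProtector  = ($protectorTypes -contains 'Tpm')
        RecoveryPassword  = ($protectorTypes -contains 'RecoveryPassword')
        HibernateEnabled  = $hibernateOn
    }
    # The quoted guidance is met only when all four conditions hold.
    $result.MeetsGuidance = $result.FullyEncrypted -and $result.ProtectionOn -and
                            $result.TpmPinProtector -and $result.HibernateEnabled
    [pscustomobject]$result
}

Test-BitLockerPosture | Format-List
```

A machine that reports TpmOnlyProtector = True with MeetsGuidance = False is the configuration the quoted post is warning about: encrypted at rest, but unlocked without user presence and, if it sleeps instead of hibernating, holding the key in RAM.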

Waethorn
on Dec 9, 2009
I kind of wonder if they've addressed any possible insecurity issues of a system using Bitlocker that links the Windows Boot Manager into the BCD of a UEFI NVRAM. This is especially important with servers now that more and more of them are implementing UEFI.... I was working on a new server system recently with an Intel S5520HC motherboard flashed with the latest firmware (BIOS, EFI, etc.), and an SROMBSASMR integrated RAID module (it's a proprietary low-cost hardware RAID module that snaps on the board) with SAS drives. Trying to get Windows Server 2008 R2 to boot off the DVD from UEFI failed. If I used EFI Optimized Boot, like Intel says to use, I'd get the Windows logo loading screen from booting the DVD but it wouldn't go past that. If I DON'T use that option, but still boot off UEFI, I can get into Windows Setup, but the EFI Shell won't load drivers for the SAS controller, so Windows doesn't recognize the RAID array as being bootable. If I install anyway, of course, it won't boot. I've tried installing in NON-EFI optimized boot mode, and then switching it over after it installs, but I only get a BCD error that can't be fixed because BCDEDIT on the Windows DVD running in UEFI mode doesn't detect the NVRAM entries for some reason (the BIOS Setup shows "Windows Boot Manager" though). Stability is a major problem with UEFI implementations right now. Eventually I just said "F#$% it!" and booted from BIOS mode and everything worked perfectly. Intel says that Windows Server 2008 R2 installation on UEFI are supported for basic installation only. They've only done certification testing on BIOS mode, and it shows!
gfryesc1
on Dec 9, 2009
I dunno, the value proposition of bitlocker with the higher costs of professional/ultimate doesn't stack up to just using TrueCrypt for free. Paul loves the free solutions in general, so he should be advocating it here.
GoodThings2Life
on Dec 9, 2009
Regardless of what products you use, be it BitLocker or TrueCrypt or whatever, you should always take precautions and take security seriously for yourself. It's something I have to yell at my users for all the time about, but more and more they're "getting the message" and becoming more cautious. The BitLocker issue, in this case, is definitely a low-risk situation since it requires multiple factors to be true.
Waethorn
on Dec 9, 2009
"I dunno, the value proposition of bitlocker with the higher costs of professional/ultimate doesn't stack up to just using TrueCrypt for free." Bitlocker isn't in Professional. It IS in Enterprise though, and when major corporations get their enterprise agreement, Bitlocker is a throw-in. Plus, it's integrated and easier to set up than TrueCrypt, and has the ability to be managed by Group Policy, and configurable during deployment with Microsoft's existing deployment tools - including WAIK/OPK, as well as the free MDT. System Center Configuration Manager also works with it, but you pay extra for the System Center applications. ConfigMgr utilizes MDT, and offers extra features too, but it's designed to facilitate system and software deployment and maintenance. MDT is mostly just for initial deployment, but offers documentation and compatibility guidance for migration.
Waethorn
on Dec 9, 2009
Hmm....just asking around about potential security issues, apparently the buddy of mine that works for an IT security company says that they already have working exploit code that takes advantage of bootloader links in UEFI firmware NVRAM to control the boot process of a remote computer. It was fairly complicated to design the exploit because it requires a good deal of programming effort to design a replacement programmable firmware, but UEFI includes support for networking, even TCP/IP, so once an attacked computer gets their UEFI reprogrammed (easy to do in any OS because there are updaters that run on Linux and Windows), the computer only has to reboot for an attacker to take control of it - and it's OS independent too. Sounds like pretty scary stuff IMO.
subzerohitman721
on Dec 9, 2009
Security will always be a work in progress in my opinion. Constant monitoring and taking advantage of newer tech to replace the older should be the rule. However, it doesn't help when guys at Fraunhofer SIT raise a red flag when really this is just a yellow flag. It also doesn't help when we have irresponsible technology vendors relying on older OSes no matter how good the defense layers are, when newer and better written OSes are available. Those who rest on their laurels create situations where technologies such as Bitlocker will be eventually compromised in a serious way. I'm just glad that I read up and am informed enough to make good decisions. But these guys still relying on older OSes such as 2000 and XP, those are the guys that really shouldn't be making decisions. There's a limit to what those older systems can do. I'm just glad that Microsoft is really focusing on security and by each edition gets better at tackling and lowering the risk. Of course we're going to have new threats and unconventional attack patterns based on social engineering. That's why I really love the Security Now podcast and all these websites based on tech to really give people resources to keep security in mind.
