Researcher Demonstrates Simple BitLocker Bypass

BitLocker, the disk encryption solution implemented in the Windows operating system starting with Windows Vista, does not require sophisticated tools or exploits to be bypassed on systems that do not have the latest patches from Microsoft installed, security researcher Ian Haken claims.

With the help of BitLocker, users can lock their entire computer with full-disk encryption, thus ensuring that an attacker cannot access data. BitLocker is available on professional and enterprise versions of Windows and was also designed to protect the pre-boot process from modification using the Trusted Platform Module (TPM), which is also being used to safely store its secret key for the full-disk encryption.

A TPM is a hardware chip designed to performing cryptographic operations and to store secrets, and its use enables BitLocker to decrypt the operating system partition on boot without requiring pre-boot authentication. However, there is the option to require re-boot authentication, meaning that the user has to supply a PIN or insert a USB key containing a saved secret key.

One of the Security Support Providers (SSPs) in Windows is Kerberos, and Ian Haken, a researcher at security firm Synopsys, discovered a vulnerability that could allow an attacker to bypass the Kerberos authentication and to decrypt drives encrypted with BitLocker. For the exploit to be successful, however, BitLocker on the target system has to be enabled without a PIN or USB key (pre-boot authentication), the machine should be domain-joined, and the attacker needs physical access to it.

To bypass authentication, Haken explained that the attacker needs to set up a Kerberos Key Distribution Center (KDC), needs control of the network communication and needs to direct communication to the attacker-controlled “mock” domain controller. By connecting the machine to the mock domain controller (DC), the attacker can trigger a password reset action, thus gaining access to the encrypted drives.

According to the researcher, in this scenario, the attacker does not know the user password and the machine password, although it controls both the Windows login screen and the mock DC account database where they will be setting a new user password. To be successful, the attacker needs to trigger the password change Kerberos protocol by setting the mock DC to inform the workstation that the user password has expired.

According to Haken, the DC does not have to provide authentication and the workstation prompts the user for a new password, thus allowing the attacker to initiate the exchange. Since the new password is not present on the DC, the login attempt will fail, but the attacker gains access to the machine by disabling network communication, which results in the workstation reverting to local account credentials, now known to the attacker.

“This attack is 100% reliable on affected systems, is not sophisticated (no custom tool was developed, no patches to Samba were necessary, and it was executed with just a few shell commands), and can be executed in a matter of seconds. Configuring Samba manually, this can be done in under a minute. If a tool was written to respond automatically based on DNS/Kerberos requests (thus automatically determining the domain/realm and the username), this could be used to bypass the login screen in a matter of seconds,” the researcher explained.

Microsoft resolved the vulnerability in last week’s set of patches (Patch Tuesday) by adding an additional authentication check and claims that it was unaware of any attack attempting to exploit this bypass at the time the fix was released. The issue was found to affect all Windows versions from Windows Vista Service Pack 2 onwards, except for Windows RT or Windows RT 8.1, the company explains in a security bulletin.

Leave a Reply