Microsoft’s BitLocker disk encryption system used to secure data on computers running Windows can be bypassed

BitLocker is a full-disk encryption system added to Windows in 2007, with the release of Vista. This feature allows both home users and enterprises to protect their data by means of powerful encryption, but without having to constantly enter a password on boot up.
BitLocker can be fooled into granting an attacker access to the data if the attacker has physical possession of a laptop or computer running Windows that had previously been joined to a domain.
Devices must be part of a Windows domain for this attack to work
In large-scale enterprise configurations, Windows PCs are joined to virtual networks called “domains.” A domain consists of all the users connected to the shared network, plus a domain controller that authenticates participants and grants them access to the network.
Authentication is based on the user’s password, which is also stored locally on the computer in a credential cache, and on a unique machine password that is generated behind the scenes for each domain-client connection.
Because BitLocker is specifically set up to grant access to encrypted data when the machine is working on an authorized domain, this poses a problem if an attacker manages to bypass the domain authentication.
If an attacker manages to steal a laptop, they can replace the local password cache with a clone whose timestamp has been modified to a date years in the past. If they then create a new domain with the same name as the laptop’s original domain, a flaw in the authentication mechanism allows them to bypass the first authentication step, which consists of the locally set user password.
This happens because the “fake” domain controller’s password policy prompts the user to change their extremely old password. Once the attacker changes the stolen laptop’s domain password, the new passphrase replaces the laptop’s original password in its credential cache.
The attacker can then disconnect the laptop from the fake domain (by unplugging the network cable), even though the machine password was never validated and they were never granted access to the domain (or, indirectly, to the BitLocker-protected data).
Because machines often leave their domain for short periods of time, BitLocker is also designed to allow access to the encrypted data when the locally set user password is entered.
BitLocker is tricked into revealing data via a poisoned credentials cache
This means that, after changing the local password through this technique, an attacker would then just have to unplug the network cable, enter their newly set password, and have access to BitLocker-encrypted data.
Because the laptop is offline or out of the domain, the password gets validated only against the poisoned domain credentials cache, and BitLocker won’t be able to tell the difference.
The good news is that Microsoft fixed this issue via its MS15-122 security updates.
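As an added defender-side example, not part of the original article, the following PowerShell audit reports the two conditions the bypass relied on: an operating-system volume that unlocks with a TPM-only protector (so no secret is needed before the logon screen appears) and cached domain logons being enabled. It assumes the BitLocker PowerShell module is available and the Winlogon CachedLogonsCount registry value controls the local credential cache; the function name is my own. Whether the MS15-122 update itself is installed must be verified separately.

```powershell
# Added audit script (not from the article). Run in an elevated PowerShell session
# on a domain-joined Windows machine. Assumptions: the BitLocker module
# (Get-BitLockerVolume) is present; CachedLogonsCount governs cached domain logons.
function Test-BitLockerDomainCacheExposure {
    $findings = @()

    # 1. Pre-boot authentication. A TPM-only protector unlocks the OS volume before
    #    logon, so an attacker only has to defeat the domain logon screen.
    #    TPM+PIN (or TPM+startup key) demands a secret before the disk is unlocked.
    $osVolume = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if (-not $osVolume -or $osVolume.ProtectionStatus -ne 'On') {
        $findings += 'OS volume is not protected by BitLocker.'
    } else {
        $types = $osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType }
        $preBoot = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
        $hasPreBoot = ($types | Where-Object { $preBoot -contains $_ }).Count -gt 0
        if (($types -contains 'Tpm') -and -not $hasPreBoot) {
            $findings += 'OS volume uses a TPM-only protector; no pre-boot PIN or key is required.'
        }
    }

    # 2. Cached domain logons. The bypass works by swapping the locally cached
    #    credential; setting CachedLogonsCount to 0 disables offline logon with
    #    cached domain credentials (at the cost of no logon while off the domain).
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $cached) { $cached = 10 }   # Windows default when the value is absent
    if ([int]$cached -gt 0) {
        $findings += "Cached domain logons are enabled (CachedLogonsCount=$cached)."
    }

    # 3. Domain membership. The described bypass only applies to domain-joined machines.
    $cs = Get-CimInstance -ClassName Win32_ComputerSystem
    if (-not $cs.PartOfDomain) {
        $findings += 'Machine is not domain-joined; the described bypass does not apply.'
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        DomainJoined = $cs.PartOfDomain
        Findings     = $findings
    }
}

Test-BitLockerDomainCacheExposure | Format-List
```

An empty Findings list means the OS volume requires pre-boot authentication and cached domain logons are disabled, which removes the conditions the article describes.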