Daily cyber threats and internet security news: network security, online safety and latest security alerts
December 6th, 2009

Researchers Found A Method To Discover BitLocker Drive Encryption PIN

Fraunhofer SIT has presented a method for discovering the BitLocker drive encryption PIN under Windows. The method even works where TPM is used to protect the boot process. An attacker with access to the target computer simply boots from a USB flash drive and replaces the BitLocker bootloader with a substitute bootloader which mimics the BitLocker PIN query process but saves the PINs entered by the user to disk in unencrypted form.

Although the BitLocker boot process carries out an integrity check on the system, and thereby the Windows installation, it does not check the bootloader itself – not that the actual attack described even gets as far as the Windows boot process. Consequently, according to the Fraunhofer SIT report, even if a Trusted Platform Module (TPM) is fitted, it fails to protect against such an attack.

Once the substitute bootloader has saved the victim’s PIN to the hard drive, it rewrites the original bootloader to the MBR and restarts the system. The victim may indeed wonder why their computer is restarting, but then we’ve all seen computers suddenly decide to abort a boot and restart.

To get hold of the saved PIN, the attacker needs to gain access to the target computer for a second time, to once more boot up from a USB flash drive and then access the hard drive. The computer can then be rebooted and the PIN thus obtained used to open up BitLocker, allowing access to the protected Windows system.
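To make the limitation described above concrete, here is an added simulation of TPM-style measured boot with a secret sealed to the measured boot chain and a PIN. It is educational code written for this page, not Fraunhofer SIT's or Microsoft's, and everything in it is constructed: the "bootloader" images are byte strings, the TPM is a Python class with an in-memory key, and the sealed secret is a random stand-in for a volume master key. It shows that sealing does refuse to release the key when a modified bootloader is measured or the wrong PIN is given, but that a substitute which never asks the TPM for anything is simply never evaluated by that policy, and once the genuine bootloader is restored the chain measures as before. A baseline-digest check of the on-disk bootloader (run from trusted media) is included as the kind of verification that catches a substitute while it is still in place.

```python
"""Simulation of TPM measured boot plus PIN-bound key sealing (educational model).

Everything here is constructed: the 'bootloader' images are byte strings, the
TPM is a class with an in-memory key, and the sealed secret is a random stand-in
for a volume master key. It models the mechanism, not BitLocker's real key
protector format.
"""
import hashlib
import hmac
import os

# Constructed boot-chain components; on a real machine these would be the MBR,
# boot sector and OS loader, each measured by firmware or by the prior stage.
GENUINE_BOOTLOADER = b"genuine PIN-prompting bootloader (constructed stand-in)"
SUBSTITUTE_BOOTLOADER = b"look-alike bootloader that only records the PIN (constructed)"
OS_LOADER = b"OS loader (constructed stand-in)"

GENUINE_CHAIN = [GENUINE_BOOTLOADER, OS_LOADER]
SUBSTITUTE_CHAIN = [SUBSTITUTE_BOOTLOADER, OS_LOADER]

PCR_INITIAL = b"\x00" * 32  # PCR value at power-on (SHA-256 bank)


def pcr_extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = H(old || H(component)). One-way and order-dependent,
    so a measured stage cannot be swapped out and the PCR value put back."""
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measure_chain(components) -> bytes:
    """Final PCR value after measuring every component in boot order."""
    pcr = PCR_INITIAL
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


class SimulatedTPM:
    """Seals a 32-byte secret to (expected PCR value, PIN); releases it only on a match."""

    def __init__(self):
        self._root_key = os.urandom(32)  # never leaves the 'TPM'

    def _wrap_key(self, pcr: bytes, pin: str) -> bytes:
        return hmac.new(self._root_key, pcr + pin.encode(), hashlib.sha256).digest()

    def seal(self, secret: bytes, expected_pcr: bytes, pin: str):
        assert len(secret) == 32
        wrap = self._wrap_key(expected_pcr, pin)
        blob = bytes(s ^ w for s, w in zip(secret, wrap))
        tag = hmac.new(self._root_key, expected_pcr + pin.encode() + blob, hashlib.sha256).digest()
        return blob, tag

    def unseal(self, sealed, current_pcr: bytes, pin: str):
        blob, tag = sealed
        expected_tag = hmac.new(self._root_key, current_pcr + pin.encode() + blob, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, tag):
            return None  # wrong PIN or a different boot chain: nothing is released
        wrap = self._wrap_key(current_pcr, pin)
        return bytes(b ^ w for b, w in zip(blob, wrap))


def key_released(chain_at_boot, pin_at_boot: str, chain_at_seal=GENUINE_CHAIN, pin_at_seal="1234") -> bool:
    """True if a secret sealed under chain_at_seal/pin_at_seal is released at this boot."""
    tpm = SimulatedTPM()
    vmk = os.urandom(32)  # constructed stand-in for a volume master key
    sealed = tpm.seal(vmk, measure_chain(chain_at_seal), pin_at_seal)
    return tpm.unseal(sealed, measure_chain(chain_at_boot), pin_at_boot) == vmk


def baseline_digest_of(image: bytes) -> str:
    """Known-good digest of a bootloader image, recorded from trusted media."""
    return hashlib.sha256(image).hexdigest()


def bootloader_matches_baseline(image: bytes, baseline_digest: str) -> bool:
    """Defender check: compare the on-disk bootloader to its known-good digest.
    It only catches a substitute while the substitute is still in place."""
    return hmac.compare_digest(baseline_digest_of(image), baseline_digest)


if __name__ == "__main__":
    print("genuine chain, correct PIN   :", key_released(GENUINE_CHAIN, "1234"))     # True
    print("genuine chain, wrong PIN     :", key_released(GENUINE_CHAIN, "0000"))     # False
    print("substitute chain, correct PIN:", key_released(SUBSTITUTE_CHAIN, "1234"))  # False
    # The scenario in the article: the substitute never asks the TPM for anything,
    # so the sealing policy is never consulted; after the genuine bootloader is
    # written back, the chain measures exactly as at sealing time.
    print("genuine chain restored       :", key_released(GENUINE_CHAIN, "1234"))     # True
    baseline = baseline_digest_of(GENUINE_BOOTLOADER)
    print("baseline check on substitute :", bootloader_matches_baseline(SUBSTITUTE_BOOTLOADER, baseline))  # False
```

The design point is that PCR-bound sealing answers only the question "is the chain that is asking me right now the one I was sealed to?"; it has no memory of a stage that ran earlier and never asked. That is why the check has to be made on the bootloader itself, and why it is only useful during the window in which the substitute is present.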

The technique could be used to obtain data in targeted acts of industrial espionage. SIT is nonetheless keen to stress that, “Despite the security vulnerability, BitLocker is a good solution for hard drive encryption, as it offers good protection against the most common threat to sensitive data on a hard drive – loss or theft of the computer.”

A similar attack on system encryption using TrueCrypt was presented at Black Hat in July. Austrian security specialist Peter Kleissner used his Stoned bootkit to nobble the boot process in order to inject spyware onto the system and read off data. His method does not, however, work where TPM is in place, since the MBR hash no longer matches the stored version. The advantage of Kleissner’s method is that it only requires one-time access to the victim’s computer.

Credit: Security
