- Joined
- Apr 15, 2009
- Messages
- 47,252
- Thread Author
- #1
Computerworld - Microsoft dismissed recently-disclosed threats to its BitLocker disk-encryption technology as "relatively low risk," noting that attackers must not only have physical access to a targeted PC, but must manipulate the machine two separate times.
The company's move was prompted by a paper published by five German researchers at the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT), a Darmstadt, Germany-based security company. In the paper, the researchers spelled out multiple attack scenarios criminals could use to access files protected by BitLocker.
BitLocker, which Microsoft debuted in higher-end versions of Windows Vista, is included only in Link Removed due to 404 Error Ultimate and Windows 7 Link Removed due to 404 Error, available only to companies and organizations that buy Windows licenses in volume, as well as Windows Server 2008 and Server 2008 R2. The software encrypts disk volumes and locks them with a PIN, USB-based key device or, if the computer includes one, a Trusted Platform Module (TPM) chip.
The Fraunhofer SIT researchers spelled out five attack possibilities, including one where the attacker boots the PC from a flash drive and replaces the BitLocker bootloader with a substitute bootloader that spoofs the PIN request process, then snatches the PIN and saves it to disk or sends it elsewhere using the computer's wireless connection. Later, the attacker must revisit the PC to use the purloined PIN to access the BitLocker-protected data.
Link Removed due to 404 Error scoffed at such scenarios.
"This sort of targeted attack poses a relatively low risk to folks who use BitLocker in the real world," said Paul Cooke, a senior director at Microsoft who looks after the operating system's security features.
In a post to the Windows Security blog, Cooke acknowledged that the Fraunhofer SIT researchers were right. "Even with BitLocker's multi-authentication configurations, an attacker could spoof the pre-OS collection of the user's PIN, store this PIN for later retrieval, and then reboot into the authentic collection of the user's PIN. The attacker would then be required to gain physical access to the laptop for a second time in order to retrieve the user's PIN and complete the attack scheme."
Cooke downplayed the threat and argued that that research broke no new ground. "These sorts of targeted threats are not new and are something we've addressed in the past; in 2006 we discussed similar attacks, where we've been straightforward with customers and partners that BitLocker does not protect against these unlikely, targeted attacks."
The Fraunhofer SIT five-some admitted that the attacks they outlined were essentially useless in what they called "opportunistic" attacks, which they defined as "easily obtained under common real-world conditions." Instead, the attack vectors they detailed required physical access to the targeted machine.
They also noted that their attack scenarios didn't exploit an actual vulnerability in BitLocker. "Our attack demonstration does neither imply a bug in BitLocker, nor renders it Trusted Computing useless," said two of the researchers in an entry on the Fraunhofer SIT blog. "BitLocker still works as well as other disk encryption products, it only fails to fulfill an unrealistic, yet common, expectation."
The pair also posted a video demonstrating the spoofed bootloader attack on the blog.
reghakr
Essential Member
- Joined
- Jan 26, 2009
- Messages
- 14,186
- Joined
- Apr 15, 2009
- Messages
- 47,252
- Thread Author
- #3
Hey, quit stealing my posts
I posted this earlier in the Security Zone section.
No worries though, more people get access to it.
Sorry never got around to the Security Zone.
That is a good point, will spread the news a tad. Thanks
reghakr
Essential Member
- Joined
- Jan 26, 2009
- Messages
- 14,186
- Joined
- Apr 15, 2009
- Messages
- 47,252
- Thread Author
- #5
Sure enough, I don't mind since it's you whoosh
Well that is really kind of you. Always a pleasure and if I notice you have inadvertently posted something I have already posted I will reciprocate the kindness
Now that The Water Cooler is in a state of flux had to spread me wings a tad to take up the air in the more rarefied heights of the forum. My treading water days may be numbered!!!
reghakr
Essential Member
- Joined
- Jan 26, 2009
- Messages
- 14,186
My treading water days may be numbered
I think I know what you mean and I'll stand up for you in any way possible.
I think I'm on the list also.
- Joined
- Apr 15, 2009
- Messages
- 47,252
- Thread Author
- #7
I think I know what you mean and I'll stand up for you in any way possible.
I think I'm on the list also.
Thanks reghakr