Bitlocker Security Questions


As some others have stated, BitLocker can be hacked. The most notable example was a security researcher who was able to read the master key with an oscilloscope directly from the TPM pins. The reason this was successful is that Windows reads the master key in plain text (meaning it is not encrypted on the wire). Obviously the skills required to pull this off are not trivial, so the chance of this type of attack is low.
The fact that some research team managed to bypass things doesn't mean it was easy work that anyone can accomplish. The way people post on these things is more about being Captain Obvious and fear mongering than stating the fact that this is no simple task. And the few with such skills aren't looking for small-fry home users.

And I could make the same statement about door locks... they can easily be picked. Doesn't mean we stop locking our doors. At the end of the day, no matter the barrier put up, someone will find a way to bypass it. That's why you constantly work to improve things ;-)
 

My Computers

System One System Two

  • OS
    Windows 11 Pro 23H2 (Build 22631.3296)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom built
    CPU
    Intel i9-9900K
    Motherboard
    Gigabyte Aorus Z390 Xtreme
    Memory
    32G (4x8) DDR4 Corsair RGB Dominator Platinum (3600Mhz)
    Graphics Card(s)
    Radeon VII
    Sound Card
    Onboard (ESS Sabre HiFi using Realtek drivers)
    Monitor(s) Displays
    NEC PA242w (24 inch)
    Screen Resolution
    1920 x 1200
    Hard Drives
    5 Samsung SSD drives: 2X 970 NVME (512 & 1TB), 3X EVO SATA (2X 2TB, 1X 1TB)
    PSU
    EVGA Super Nova I000 G2 (1000 watt)
    Case
    Cooler Master H500M
    Cooling
    Corsair H115i RGB Platinum
    Keyboard
    Logitech Craft
    Mouse
    Logitech MX Master 3
    Internet Speed
    500mb Download. 11mb Upload
    Browser
    Microsoft Edge Chromium
    Antivirus
    Windows Security
    Other Info
    System used for gaming, photography, music, school.
  • Operating System
    Win 10 Pro 22H2 (build 19045.2130)
    Computer type
    PC/Desktop
    Manufacturer/Model
    Custom Built
    CPU
    Intel i7-7700K
    Motherboard
    Gigabyte GA-Z270X-GAMING 8
    Memory
    32G (4x8) DDR4 Corsair Dominator Platinum (3333Mhz)
    Graphics card(s)
    AMD Radeon R9 Fury
    Sound Card
    Onboard (Creative Sound Blaster certified ZxRi)
    Monitor(s) Displays
    Dell U2415 (24 inch)
    Screen Resolution
    1920 x 1200
    Hard Drives
    3 Samsung SSD drives: 1x 512gig 950 NVMe drive (OS drive), 1 x 512gig 850 Pro, 1x 256gig 840 Pro.
    PSU
    EVGA Super Nova 1000 P2 (1000 watt)
    Case
    Phantek Enthoo Luxe
    Cooling
    Corsair H100i
    Mouse
    Logitech MX Master
    Keyboard
    Logitech MK 710
    Internet Speed
    100MB
    Browser
    Edge Chromium
    Antivirus
    Windows Security
    Other Info
    This is my backup system.
Yes, per Microsoft, you CAN in fact use BitLocker without TPM. Yes, there are some caveats, but the bottom line is BitLocker can be used without TPM.
True for full Pro+ bitlocker. Not true for W10 Home device encryption - that needs TPM and modern standby.
 

My Computer

System One

  • OS
    Windows 10 Pro + others in VHDs
    Computer type
    Laptop
    Manufacturer/Model
    ASUS Vivobook 14
    CPU
    I7
    Motherboard
    Yep, Laptop has one.
    Memory
    16 GB
    Graphics Card(s)
    Integrated Intel Iris XE
    Sound Card
    Realtek built in
    Monitor(s) Displays
    N/A
    Screen Resolution
    1920x1080
    Hard Drives
    1 TB Optane NVME SSD, 1 TB NVME SSD
    PSU
    Yep, got one
    Case
    Yep, got one
    Cooling
    Stella Artois
    Keyboard
    Built in
    Mouse
    Bluetooth , wired
    Internet Speed
    72 Mb/s :-(
    Browser
    Edge mostly
    Antivirus
    Defender
    Other Info
    TPM 2.0
The fact that some research team managed to bypass things doesn't mean it was easy work that anyone can accomplish. The way people post on these things is more about being Captain Obvious and fear mongering than stating the fact that this is no simple task.
Andy Malone is now suddenly Captain Obvious and a fear-monger? Another Microsoft MaleVolent Pundit? Wow. Just wow. 🤣
And the few with such skills aren't looking for small-fry home users.
Hacker collectives are known to install backdoors on easy targets, they expand their botnets that way.
And I could make the same statement about door locks... they can easily be picked. Doesn't mean we stop locking our doors.
Nor does it mean we shouldn't stop putting our key under the proverbial doormat just because a few posts back you seemed to be the one to suggest that it doesn't make any real difference anyway. lol

True for full Pro+ bitlocker. Not true for W10 Home device encryption - that needs TPM and modern standby.

Device Encryption: does it require Modern Standby support? The test seems to tell otherwise…
From: Device Encryption - Bitlocker Made Effortless - Part 2 HTMD Blog
Info about the author: Joymalya Basu Roy, Technical Architect, Microsoft Intune

EDIT: For Home users who have TPM but no Modern Standby, it is still possible to use BitLocker in such a way that it gives the same protections that can be had from Device Encryption. These steps don't involve any hacky stuff nor rely on any 3rd party tools, just some effort to get up and running, but paying careful attention is essential of course. See:
The Microsoft Account requirement for Home users can be bypassed also.
 

My Computers

System One System Two

  • OS
    11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF Gaming (2024)
    CPU
    i7 13650HX
    Memory
    16GB DDR5
    Graphics Card(s)
    GeForce RTX 4060 Mobile
    Sound Card
    Eastern Electric MiniMax DAC Supreme; Emotiva UMC-200; Astell & Kern AK240
    Monitor(s) Displays
    Sony Bravia XR-55X90J
    Screen Resolution
    3840×2160
    Hard Drives
    512GB SSD internal
    37TB external
    PSU
    Li-ion
    Cooling
    2× Arc Flow Fans, 4× exhaust vents, 5× heatpipes
    Keyboard
    Logitech K800
    Mouse
    Logitech G402
    Internet Speed
    20Mbit/s up, 250Mbit/s down
    Browser
    FF
  • Operating System
    11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Medion S15450
    CPU
    i5 1135G7
    Memory
    16GB DDR4
    Graphics card(s)
    Intel Iris Xe
    Sound Card
    Eastern Electric MiniMax DAC Supreme; Emotiva UMC-200; Astell & Kern AK240
    Monitor(s) Displays
    Sony Bravia XR-55X90J
    Screen Resolution
    3840×2160
    Hard Drives
    2TB SSD internal
    37TB external
    PSU
    Li-ion
    Mouse
    Logitech G402
    Keyboard
    Logitech K800
    Internet Speed
    20Mbit/s up, 250Mbit/s down
    Browser
    FF
@hdmi, you obviously don't follow threads or pay attention to what's actually said. I'm also not going to argue line for line with you.

I said what I said and stand by it. If you choose to deep dive into the netherworlds, that's on you.

Movin on :cool:
 

Okay so I still haven't gotten the answers I'm looking for.


Can someone get into my laptop if it is in a locked state? I know if the laptop isn't powered on... then it is a lot harder because now you have to know both the BitLocker PIN and the local password. However, if someone has my BitLocker recovery key, do they even need my local password?


Also, what about what I mentioned with using a laptop in a cafe: say you lock it and someone plugs a USB with malware into it. Can they infect it or not? If it isn't locked, obviously yes. But what if it is locked? Now if the laptop isn't turned on, can someone plug a malware USB into it and then unplug it, and then when you later turn on the laptop and type in the BitLocker PIN and Windows local password, you get malware?
 

My Computer

System One

  • OS
    Windows 11 Pro
Okay so I still haven't gotten the answers I'm looking for.


Can someone get into my laptop if it is in a locked state? I know if the laptop isn't powered on... then it is a lot harder because now you have to know both the BitLocker PIN and the local password. However, if someone has my BitLocker recovery key, do they even need my local password?
Your question was answered in post #2. While it might not cover every what if in the universe, it's still the same, no key, no access.

"If" someone has physical possession of a laptop left unsecure or has the password to enter your laptop where BitLocker automatically decrypts the drive for access.... yes, they have access to the data. Outside of that we can't answer every possible what if in the universe. You just have to understand if one has access to your unsecure laptop, the data can be accessed. If the laptop is secure, and using BitLocker, no access is allowed without a key. Period.

BTW, if you're really that concerned you could start here in your research - BitLocker deployment and administration FAQ (Windows 10). Perhaps it'll answer those questions no one seems to be able to satisfy.

Good luck.
 

Okay so I still haven't gotten the answers I'm looking for.


Can someone get into my laptop if it is in a locked state? I know if the laptop isn't powered on... then it is a lot harder because now you have to know both the BitLocker PIN and the local password. However, if someone has my BitLocker recovery key, do they even need my local password?


Also, what about what I mentioned with using a laptop in a cafe: say you lock it and someone plugs a USB with malware into it. Can they infect it or not? If it isn't locked, obviously yes. But what if it is locked? Now if the laptop isn't turned on, can someone plug a malware USB into it and then unplug it, and then when you later turn on the laptop and type in the BitLocker PIN and Windows local password, you get malware?
For crying out loud, all this has been answered. So for the LAST TIME:

1. Why the hell would somebody have access to your BitLocker recovery key?
This is the same as a key to your house - you take steps to ensure thieves do not get hold of house keys in the first place.

2. Of course they need the local password, but as we all know it is less secure, WHICH is why we blinking put BitLocker on the device in the first place.

Putting on a BIOS password reduces the chance of brute forcing, but they could never get this far if you kept the BitLocker info secure.

3. If the PC is locked, how the hell can somebody put malware on it via a USB drive?

No amount of asking questions changes the basic fact - BitLocker with a BitLocker PIN is secure provided you keep all keys and passwords safe.

So, please stop asking the same questions time and time again, as @Dru2 says.

Signing off now.
 

Okay so I still haven't gotten the answers I'm looking for.


Can someone get into my laptop if it is in a locked state? I know if the laptop isn't powered on... then it is a lot harder because now you have to know both the BitLocker PIN and the local password. However, if someone has my BitLocker recovery key, do they even need my local password?


Also, what about what I mentioned with using a laptop in a cafe: say you lock it and someone plugs a USB with malware into it. Can they infect it or not? If it isn't locked, obviously yes. But what if it is locked? Now if the laptop isn't turned on, can someone plug a malware USB into it and then unplug it, and then when you later turn on the laptop and type in the BitLocker PIN and Windows local password, you get malware?
The 2nd vid I linked explains that, unless the ports that can be used to attach a device to get in are disabled (which they typically are not, as disabling them takes extra knowledge...), someone who has physical access to the laptop when it's turned on and locked (or not logged in) can use a cable to capture the data from the disk and from memory. So, if the BitLocker recovery key has bled into memory, then this someone can retrieve it from the data captured, and, next, decrypt the protected data and learn all your secrets. No, this someone DOES NOT NEED YOUR LOCAL PASSWORD to achieve that goal. The vid goes on to explain what's needed to make sure the recovery key doesn't bleed into memory. Ignore those who have been derailing your thread. My replies to them are here only to help other people who might stumble across this thread in the future, so it will be easier to see who is spreading misinformation.

Once the attacker has read your secrets, the attacker can use those secrets to plot the next strategy, a phishing attempt (that usually starts with an e-mail) the goal of which would be to install malware. The reason why these kinds of phishing attacks often will succeed is because the victim is still completely unaware of what it was that went on at the cafe a few days ago. The more secrets an attacker knows about you, the easier it becomes for the attacker to gain your trust. Once you trust the attacker enough that you follow those steps that make it possible for the attacker to get complete access, that's when malware gets installed, so the attacker can have permanent access with full control from that point on.
 

If the computer is on and just account locked, it could be accessed remotely as if BitLocker were not there, since the key is in memory. BitLocker is only going to protect your system from offline attacks and offline data access methods. BitLocker provides no protection for data in use (a.k.a. the system is on).
 

My Computer

System One

  • OS
    Windows 11
If the computer is on and just account locked, it could be accessed remotely as if BitLocker were not there, since the key is in memory. BitLocker is only going to protect your system from offline attacks and offline data access methods. BitLocker provides no protection for data in use (a.k.a. the system is on).
That's right. It is also worth noting the fact that Encrypting File System (EFS) can still protect data in use, and can do so regardless of whether BitLocker is enabled. Windows 11 Enterprise 22H2 and Windows 11 Education 22H2 add a new feature called Personal Data Encryption (PDE) on Azure AD joined devices with Windows Hello for Business, and PDE has the ability to also discard the encryption keys when the device is locked.
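Added example, not code from this thread, from Microsoft or from any poster: a read-only PowerShell posture check that turns the points argued over above into something you can run on your own machine. It reports whether a TPM is present and ready (as noted earlier, BitLocker without a TPM needs a password or startup-key protector instead), whether the OS volume is fully encrypted with protection switched on, whether it relies on a TPM-only protector (the configuration where the volume key is released into memory at boot with no user secret, which is what the "key is in memory" and DMA discussion is about; TPM+PIN avoids that), whether a recovery password protector exists, and whether the policy "Disable new DMA devices when this computer is locked" is applied. Get-Tpm and Get-BitLockerVolume are Windows' own cmdlets; the function name Get-BitLockerPosture and the registry value name used for the DMA policy are my assumptions and should be verified against your build. Run it from an elevated PowerShell.

```powershell
# Added example (not from the thread). Read-only: it changes nothing on the system.
# Needs the BitLocker and TrustedPlatformModule modules that ship with Windows 10/11.

function Get-BitLockerPosture {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)   # OS volume by default

    $findings = [System.Collections.Generic.List[string]]::new()

    # 1. TPM: present and initialised? Without one, BitLocker still works (Pro),
    #    but only with a password or USB startup-key protector.
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        $findings.Add("No TPM present: BitLocker needs a password/startup-key protector here.")
    } elseif (-not $tpm.TpmReady) {
        $findings.Add("TPM present but not ready: initialise it (tpm.msc / firmware).")
    }

    # 2. Volume state: fully encrypted and protection actually on (not suspended)?
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("$MountPoint is '$($vol.VolumeStatus)', not FullyEncrypted.")
    }
    if ($vol.ProtectionStatus -ne 'On') {
        $findings.Add("Protection is '$($vol.ProtectionStatus)': the volume unlocks with no secret at all.")
    }

    # 3. Which protectors? TPM-only means the key is released to memory at boot
    #    before anyone authenticates; TPM+PIN keeps it sealed until the PIN is entered.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    if (($types -contains 'Tpm') -and -not $hasPin) {
        $findings.Add("TPM-only protector: consider TPM+PIN so the key is not in memory before pre-boot auth.")
    }
    if (-not ($types -contains 'RecoveryPassword')) {
        $findings.Add("No recovery password protector: a firmware/TPM change could lock you out.")
    }

    # 4. Policy 'Disable new DMA devices when this computer is locked'.
    #    ASSUMPTION: the policy is stored as this value under the FVE policy key;
    #    confirm on your build before relying on it.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $dma = (Get-ItemProperty -Path $fve -Name DisableExternalDMAUnderLock -ErrorAction SilentlyContinue).DisableExternalDMAUnderLock
    if ($dma -ne 1) {
        $findings.Add("DMA-under-lock policy not set: new DMA-capable devices can attach while the screen is locked.")
    }

    [pscustomobject]@{
        MountPoint       = $MountPoint
        EncryptionMethod = $vol.EncryptionMethod
        Protectors       = ($types -join ', ')
        Findings         = $findings
    }
}

Get-BitLockerPosture | Format-List
```

An empty Findings list means the volume is fully encrypted, protected by TPM+PIN with a recovery password on file, and the lock-screen DMA policy is in place; each finding names the single change that would close it. None of this covers an unlocked, signed-in session, which is the "data in use" case the post above says BitLocker was never meant to protect.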
 

The 2nd vid I linked explains that

I stopped listening after 4 minutes(!) when I got to the part where he's using Firewire and hand waves that there are other methods, but he's gonna talk about Firewire. On the one 13 y/o PC I own that has an external Firewire port, I disabled it years ago, because this is a widely reported flaw, and I've never even seen a Firewire device, much less owned one. However, the OP was asking about USB, and I'm not aware of anything well-known for USB beyond Autoplay and keyboard emulators. So again, if your computer is sitting at the Windows lock screen, and it's password-protected, and it has an enabled USB port, what specific device and method can be used to hack the computer? Bitlocker isn't even particularly relevant to this question, but let's assume it's active and the OS drive is unlocked, in case there's a special way to snoop keys or something. (FWIW, I have been using Bitlocker since the TrueCrypt takedown in 2014, and I encrypt all my drives, roughly a couple dozen between multiple PCs and backup sets.)

If the computer is on and just account locked, it could be accessed remotely as if BitLocker were not there, since the key is in memory. BitLocker is only going to protect your system from offline attacks and offline data access methods. BitLocker provides no protection for data in use (a.k.a. the system is on).

Can you explain what you mean by "remotely" in this context? To me, the word implies the attacker is not sitting in front of the Windows lock screen, and how is that better for him?
 

Yes, remotely as in not in front of the computer. Just another method of attack BitLocker provides no protection from.
 

A BitLocker drive is either locked or unlocked. If it's unlocked, it works like any other drive. If it's locked, it's encrypted and requires a password/key to unlock it. It's not complicated. I use BitLocker on my laptop computer drives and my portable SSD backup drives to protect them when they aren't in use.
 

My Computers

System One System Two

  • OS
    Windows 11 Pro
    Computer type
    Laptop
    Manufacturer/Model
    Dell XPS 15 9510 OLED
    CPU
    11th Gen i9 -11900H
    Memory
    32 GB 3200 MHz DDR4
    Graphics Card(s)
    NVIDIA® GeForce® RTX 3050Ti
    Monitor(s) Displays
    15.6" OLED Infinity Edge Touch
    Screen Resolution
    16:10 Aspect Ratio (3456 x 2160)
    Hard Drives
    1 Terabyte M.2 PCIe NVMe SSD
    2 Thunderbolt™ 4 (USB Type-C™)
    1 USB 3.2 Gen 2 (USB Type-C™)
    SD Card Reader (SD, SDHC, SDXC)
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription
    Microsoft OneDrive 1TB Cloud
    Microsoft Outlook
    Microsoft OneNote
    Microsoft PowerToys
    Microsoft Visual Studio
    Microsoft Visual Studio Code
    Macrium Reflect
    Dell Support Assist
    Dell Command | Update
    LastPass Password Manager
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
  • Operating System
    Windows 11 Pro
    Computer type
    Tablet
    Manufacturer/Model
    Microsoft Surface Pro 7
    CPU
    i5
    Memory
    8 GB
    Hard Drives
    256GB SSD
    Internet Speed
    900 Mbps Netgear Orbi + 2 Satellites
    Browser
    Microsoft Edge (Chromium) + Bing
    Antivirus
    Microsoft Windows Security (Defender)
    Other Info
    Microsoft 365 subscription (Office)
    Microsoft OneDrive 1TB Cloud
    Microsoft Outlook
    Microsoft OneNote
    Microsoft Visual Studio
    Amazon Kindle
    Interactive Brokers Trader Workstation
    Lightroom/Photoshop subscription
Yes, remotely as in not in front of the computer. Just another method of attack BitLocker provides no protection from.

How exactly is this relevant to a Bitlocker discussion?

A BitLocker drive is either locked or unlocked. If it's unlocked, it works like any other drive. If it's locked, it's encrypted and requires a password/key to unlock it. It's not complicated. I use BitLocker on my laptop computer drives and my portable SSD backup drives to protect them when they aren't in use.

Everyone knows that. It's not in dispute.
 

I stopped listening after 4 minutes(!) when I got to the part where he's using Firewire and hand waves that there are other methods, but he's gonna talk about Firewire. On the one 13 y/o PC I own that has an external Firewire port, I disabled it years ago, because this is a widely reported flaw, and I've never even seen a Firewire device, much less owned one. However, the OP was asking about USB, and I'm not aware of anything well-known for USB beyond Autoplay and keyboard emulators. So again, if your computer is sitting at the Windows lock screen, and it's password-protected, and it has an enabled USB port, what specific device and method can be used to hack the computer? Bitlocker isn't even particularly relevant to this question, but let's assume it's active and the OS drive is unlocked, in case there's a special way to snoop keys or something. (FWIW, I have been using Bitlocker since the TrueCrypt takedown in 2014, and I encrypt all my drives, roughly a couple dozen between multiple PCs and backup sets.)
He uses Firewire merely as a figure of speech, i.e. as an old example to convey the important message that this whole concept of simply plugging in a cable to capture the relevant data from a locked device is really nothing new, and that newer hardware connectivity standards are not exempt. The point that matters is that hackers very often abuse their victims' false assumptions, or lack of awareness when it comes to the adequacy part of "adequately secure". Since security can never be entirely bulletproof, it's all about what the weaknesses are, and about how it can be possible to exploit a weakness. Just to demonstrate the surprising fact that, occasionally, surprises can actually turn out to be quite a lot bigger than many think:

If your computer is sitting at the Windows lock screen, you are naturally inclined to assume that it will be protected and safe. But the reality is that protection mechanisms can still fail. Even if the chance is small, the consequences might not be small. There is a reason why PDE has the ability to also discard the encryption keys when the device is locked. The bottom line? Hackers LOVE people who stop listening after 4 minutes. :D
 

He uses Firewire merely as a figure of speech, i.e. as an old example to convey the important message that this whole concept of simply plugging in a cable to capture the relevant data from a locked device is really nothing new, and that newer hardware connectivity standards are not exempt.

I think he used Firewire because it's the only such exploit he knew of. AFAIK, USB does not have the capabilities that are necessary for that sort of hack to work.

The point that matters is that hackers very often abuse their victims' false assumptions, or lack of awareness when it comes to the adequacy part of "adequately secure". Since security can never be entirely bulletproof, it's all about what the weaknesses are, and about how it can be possible to exploit a weakness. Just to demonstrate the surprising fact that, occasionally, surprises can actually turn out to be quite a lot bigger than many think:

If your computer is sitting at the Windows lock screen, you are naturally inclined to assume that it will be protected and safe. But the reality is that protection mechanisms can still fail. Even if the chance is small, the consequences might not be small. There is a reason why PDE has the ability to also discard the encryption keys when the device is locked. The bottom line? Hackers LOVE people who stop listening after 4 minutes. :D

The Razer thing is very interesting, but the exploit requires the attacker to be at the desktop to interact with File Explorer, not the lock screen, in which case, the game's already over. Moreover, I disable automatic Windows Updates, and nothing would happen if it was plugged in.

I've always thought of Bitlocker (and TrueCrypt before it) as protecting me against theft, as no crackhead is going to bother transporting my PC Frogger-style like George tried to do to preserve his high score. No, the thief would just unplug and be quickly in and out. He won't be able to access my data when he plugs back in and starts my PC thanks to Bitlocker, which I use on all my drives, including the bare drives I use for backups.

However, I do leave my PCs on 24/7, and while I lock (Win+L) them when I'm away, I've wondered if there's any way to hack them via USB while in this state, which was one of the OP's questions. This has got nothing to do with Bitlocker per se, unless there's some way to get keys while at the Windows lock screen. The only USB hacks I'm aware of involve Autoplay, which I disable first thing, or USB sticks that emulate keyboards, but I don't know if that's any help at the lock screen. The Razer thing is new to me but mitigated for the reasons I gave above. I'm primarily wondering if there's any weakness in USB like the old Firewire hack, which was never really an issue since Firewire never really caught on, and there was no inconvenience to disabling the port, if you even had one. Disabling USB, OTOH, is pretty much a non-starter, so if it's vulnerable at the lock screen, the best practice would be to power down when you're away from the computer, or at least to hibernate. I'm aware that stuff may linger in memory cells for a while even after power is interrupted, but AFAIK, that's going to take some skill and equipment to exploit. I'm concerned about an evil HVAC tech or someone like that being able to stick a USB drive into my locked computer and copy all my data or install malware like in the movies, and I'm totally unaware that anything like that is possible.
 

My Computer

System One

  • OS
    Windows 11
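For anyone who wants to check, rather than argue about, the mitigations this thread keeps circling back to (BitLocker actually on, new DMA devices blocked while the PC is locked, Kernel DMA Protection present, hibernate available as the fallback), here is an added PowerShell audit script. It is not from any post in this thread; it assumes an elevated session on Windows 11, and on Home editions without the BitLocker module the volume check is simply skipped.

```powershell
# Added example (not from any post in this thread): audit the lock-screen
# mitigations discussed above. Run from an elevated PowerShell on Windows 11.

function Get-LockScreenPosture {
    $result = [ordered]@{}

    # 1. BitLocker: every volume should report ProtectionStatus 'On'. The cmdlet
    #    only exists where the BitLocker module ships (Pro/Enterprise), so skip otherwise.
    $result.BitLockerModulePresent = [bool](Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue)
    $result.UnprotectedVolumes = @()
    if ($result.BitLockerModulePresent) {
        $result.UnprotectedVolumes = @(Get-BitLockerVolume |
            Where-Object { $_.ProtectionStatus -ne 'On' } |
            ForEach-Object { $_.MountPoint })
    }

    # 2. Policy "Disable new DMA devices when this computer is locked" (FVE policy key).
    #    Value 1 makes Windows refuse newly attached DMA-capable devices while locked.
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                            -Name DisableExternalDMAUnderLock -ErrorAction SilentlyContinue
    $result.DmaBlockedWhenLocked = ($fve.DisableExternalDMAUnderLock -eq 1)

    # 3. Kernel DMA Protection: Win32_DeviceGuard lists security property 3 when the
    #    platform offers IOMMU-based DMA protection (same info msinfo32 shows).
    $dg = Get-CimInstance -Namespace 'root\Microsoft\Windows\DeviceGuard' `
                          -ClassName Win32_DeviceGuard -ErrorAction SilentlyContinue
    $result.KernelDmaProtectionAvailable = [bool]($dg.AvailableSecurityProperties -contains 3)

    # 4. Hibernate availability: hibernating takes the keys out of RAM, locking does not.
    #    powercfg /a lists available states first, then the "not available" ones.
    $availableSection = (((powercfg /a) -join "`n") -split 'not available')[0]
    $result.HibernateAvailable = [bool]($availableSection -match 'Hibernate')

    [pscustomobject]$result
}

$posture = Get-LockScreenPosture
$posture | Format-List

if ($posture.UnprotectedVolumes.Count -gt 0) {
    Write-Warning "BitLocker protection is off on: $($posture.UnprotectedVolumes -join ', ')"
}
if (-not $posture.DmaBlockedWhenLocked) {
    Write-Warning "New DMA devices are not blocked at the lock screen (DisableExternalDMAUnderLock is not 1)."
}
if (-not $posture.HibernateAvailable) {
    Write-Warning "Hibernate is not available; 'powercfg /hibernate on' enables it."
}
```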
I think he used Firewire because it's the only such exploit he knew of. AFAIK, USB does not have the capabilities that are necessary for that sort of hack to work.
The easiest way AFAIK would be an evil maid attack used in conjunction with something like this:
Here's a cheaper alternative cable that is similar in that it follows the same basic principle:
There exist other ways besides USB (e.g. SATAn). Thing is, Andy Malone knows much more than you can ever imagine. Much, MUCH more. :p
The Razer thing is very interesting, but the exploit requires the attacker to be at the desktop to interact with File Explorer, not the lock screen, in which case, the game's already over. Moreover, I disable automatic Windows Updates, and nothing would happen if it was plugged in.

I've always thought of Bitlocker (and TrueCrypt before it) as protecting me against theft, as no crackhead is going to bother transporting my PC Frogger-style like George tried to do to preserve his high score. No, the thief would just unplug and be quickly in and out. He won't be able to access my data when he plugs back in and starts my PC thanks to Bitlocker, which I use on all my drives, including the bare drives I use for backups.

However, I do leave my PCs on 24/7, and while I lock (Win+L) them when I'm away, I've wondered if there's any way to hack them via USB while in this state, which was one of the OP's questions. This has got nothing to do with Bitlocker per se, unless there's some way to get keys while at the Windows lock screen. The only USB hacks I'm aware of involve Autoplay, which I disable first thing, or USB sticks that emulate keyboards, but I don't know if that's any help at the lock screen. The Razer thing is new to me but mitigated for the reasons I gave above. I'm primarily wondering if there's any weakness in USB like the old Firewire hack, which was never really an issue since Firewire never really caught on, and there was no inconvenience to disabling the port, if you even had one. Disabling USB, OTOH, is pretty much a non-starter, so if it's vulnerable at the lock screen, the best practice would be to power down when you're away from the computer, or at least to hibernate. I'm aware that stuff may linger in memory cells for a while even after power is interrupted, but AFAIK, that's going to take some skill and equipment to exploit. I'm concerned about an evil HVAC tech or someone like that being able to stick a USB drive into my locked computer and copy all my data or install malware like in the movies, and I'm totally unaware that anything like that is possible.
Of course you are totally unaware that anything like that is possible. That's just because those who are aware are usually keeping their mouth shut. :sneaky:
 

My Computers

System One System Two

  • OS
    11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Asus TUF Gaming (2024)
    CPU
    i7 13650HX
    Memory
    16GB DDR5
    Graphics Card(s)
    GeForce RTX 4060 Mobile
    Sound Card
    Eastern Electric MiniMax DAC Supreme; Emotiva UMC-200; Astell & Kern AK240
    Monitor(s) Displays
    Sony Bravia XR-55X90J
    Screen Resolution
    3840×2160
    Hard Drives
    512GB SSD internal
    37TB external
    PSU
    Li-ion
    Cooling
    2× Arc Flow Fans, 4× exhaust vents, 5× heatpipes
    Keyboard
    Logitech K800
    Mouse
    Logitech G402
    Internet Speed
    20Mbit/s up, 250Mbit/s down
    Browser
    FF
  • Operating System
    11 Home
    Computer type
    Laptop
    Manufacturer/Model
    Medion S15450
    CPU
    i5 1135G7
    Memory
    16GB DDR4
    Graphics card(s)
    Intel Iris Xe
    Sound Card
    Eastern Electric MiniMax DAC Supreme; Emotiva UMC-200; Astell & Kern AK240
    Monitor(s) Displays
    Sony Bravia XR-55X90J
    Screen Resolution
    3840×2160
    Hard Drives
    2TB SSD internal
    37TB external
    PSU
    Li-ion
    Mouse
    Logitech G402
    Keyboard
    Logitech K800
    Internet Speed
    20Mbit/s up, 250Mbit/s down
    Browser
    FF
The easiest way AFAIK would be an evil maid attack used in conjunction with something like this:
Here's a cheaper alternative cable that is similar in that it follows the same basic principle:

I already mentioned USB devices that can emulate a keyboard. Again, the thing I care about is being able to plug something into a PC at the Windows lock screen and have it steal secrets or inject malware, right then and there, like in the movies. Nothing I read in those links suggests this is possible for those devices, and AFAICT, there's nothing they can do that a human being without any extra equipment couldn't do sitting at that workstation under those conditions. I can't get worried about an Evil Maid attack on me in my home, mainly because they have to leave something behind, which they probably would want back, and there's no reason to target me personally. I've got motion-activated cameras set up inside as part of my alarm system (they don't sound the alarm, but they do record to the cloud), and I guess that's my de facto defense against that sort of tampering.

There exist other ways besides USB (e.g. SATAn). Thing is, Andy Malone knows much more than you can ever imagine. Much, MUCH more. :p

I believe you, but I had to watch 4 minutes to discover he was talking about Firewire, which again, is well-known for many years and of no concern.

Of course you are totally unaware that anything like that is possible. That's just because those who are aware are usually keeping their mouth shut. :sneaky:

I don't worry about my HVAC tech being a covert state actor targeting me for no reason. Anything that would be available to him or the crackhead who might break into my house is something I would hear about. I've been keeping my ear to the ground since I started using FDE over 10 years ago, because I always understood it only protected data at rest, and I haven't heard anything to cause me to believe the Windows lock screen is insecure for those times I can't at least hibernate.
 

I already mentioned USB devices that can emulate a keyboard.
Yeah, just not the ones that look exactly the same as a standard USB charging cable and have built-in WiFi in them. The point you still seem to be missing is you're trying to minimize the problem by continuing to claim that you know your stuff, and keep claiming it even after all the evidence to support the contrary keeps piling up. No offense, but.. I don't do bottomless pits.
Again, the thing I care about is being able to plug something into a PC at the Windows lock screen and have it steal secrets or inject malware, right then and there, like in the movies. Nothing I read in those links suggests this is possible for those devices, and AFAICT, there's nothing they can do that a human being without any extra equipment couldn't do sitting at that workstation under those conditions. I can't get worried about an Evil Maid attack on me in my home, mainly because they have to leave something behind, which they probably would want back, and there's no reason to target me personally. I've got motion-activated cameras set up inside as part of my alarm system (they don't sound the alarm, but they do record to the cloud), and I guess that's my de facto defense against that sort of tampering.
Whether your lock screen will protect you or not doesn't factually even matter. Evil maid attacks at the cafe can, and do, happen. The lock screen is what makes you feel safe. This feeling affects your behavior. Hackers know this. They use this knowledge to their advantage in planning their attacks. Unless you know it too, and can be persistent with your own actions in response to it, the lock screen doesn't make any real difference in the end. Similar to the proven old fact that putting your key under the doormat also makes your lock useless. You can argue against this as much as you like. The facts won't change.
I believe you, but I had to watch 4 minutes to discover he was talking about Firewire, which again, is well-known for many years and of no concern.
He is a cryptology expert. You didn't expect him to use the word Firewire in a cryptic way so that it may refer to something else? LOL!
I don't worry about my HVAC tech being a covert state actor targeting me for no reason. Anything that would be available to him or the crackhead who might break into my house is something I would hear about. I've been keeping my ear to the ground since I started using FDE over 10 years ago, because I always understood it only protected data at rest, and I haven't heard anything to cause me to believe the Windows lock screen is insecure for those times I can't at least hibernate.
The laptop that you can see in my specs is what I use for my personal hobby activities only. So, I can't actually even use my own Windows laptop for anything work related. I have to use a separate laptop for that, and I can't discuss it. All I can tell you is that I am a trained Enterprise Java developer (EJB specialist, with a formal degree in IT) who works for very large corporations. Not just a regular type IT guy. But I do have some professional experience as a systems engineer in the customer and desktop services branch on Windows. In fact I have been using Microsoft products for equally as long as I have been programming computers. Right now, that is exactly thirty-seven and a half years of programming experience. Since 1984. But anyway.. about HVAC. I also own my own personal Milwaukee M18 Fuel FPD-0 cordless drill. :D
 
