BitLocker, the encryption technology built into Windows, has recently been successful. A recent exploit demonstrated the removal of a computer TPM chip to extract its encryption keys, and many hard drives break BitLocker. Here is a guide to avoid the pitfalls of BitLocker.
Note that these attacks all require physical access to your computer. This is the interest of encryption: to prevent a thief who has stolen your laptop or a person from accessing your desktop computer from viewing your files without your permission.
Standard BitLocker is not available on Windows Home
Although almost all current consumer operating systems have default encryption, Windows 10 still does not support encryption on all computers. Macs, Chromebooks, iPads, iPhones and even Linux distributions offer encryption to all their users. But Microsoft still does not associate BitLocker with Windows 10 Home.
Some computers may have similar encryption technology, which Microsoft originally called "device encryption," sometimes referred to as "BitLocker device encryption." We will discuss this in the next section. However, this device encryption technology is more limited than BitLocker.
How an attacker can exploit this: No need for exploits! If your Windows Home PC is simply not encrypted, an attacker can remove the hard drive or start another operating system on your PC to access your files.
The solution: Pay $ 99 for a upgrade to Windows 10 Professional and activate BitLocker. You may also want to consider using another encryption solution, such as VeraCrypt, the successor of TrueCrypt, which is free.
BitLocker sometimes downloads your key to Microsoft
Many modern Windows 10 PCs have a type of encryption called "device encryption. "If your PC allows it, it will be automatically encrypted after you log in to your PC with your Microsoft account (or a domain account on a corporate network). The recovery key is then automatically loaded on Microsoft servers (or your organization's servers on a domain).
This saves you from losing your files. Even if you forget the password for your Microsoft account and can not sign in, you can use the account recovery process and regain access to your encryption key.
How an attacker can exploit this: It's better than no encryption. However, this means that Microsoft could be forced to disclose your encryption key to the government with a warrant. Worse, an attacker could theoretically misuse the process of recovering a Microsoft account to access your account and access your encryption key. If the attacker had physical access to your PC or hard drive, he could then use this recovery key to decrypt your files, without needing your password.
The solution: Pay $ 99 for an upgrade to Windows 10 Professional, activate BitLocker via the Control Paneland choose not to download a recovery key on Microsoft servers when prompted.
Many Solid State Drives Break BitLocker Encryption
Some SSDs announce support for "hardware encryption." If you use such a drive on your system and enable BitLocker, Windows will trust your drive to do the work and not apply the usual encryption techniques. After all, if the reader can do the work in the material, it should be faster.
Only one problem: the researchers discovered that many SSDs did not implement it correctly. For example, the Crucial MX300 protects your encryption key with an empty password by default. Windows can say that BitLocker is enabled, but it may not do much in the background. It's scary: BitLocker should not trust SSDs to do the job. It is a more recent feature. This problem therefore only concerns Windows 10 and not Windows 7.
How an attacker could exploit this: Windows may indicate that BitLocker is enabled, but BitLocker may remain idle and let your SSD fail in the secure encryption of your data. An attacker could potentially bypass the badly implemented encryption of your SSD disk to access your files.
The solution: Change the "Configure the use of hardware encryption for fixed data drives"Option in the Windows Group Policy on" Disabled. " You must then decrypt and encrypt the drive again for this change to take effect. BitLocker will stop trusting readers and will do all the work in the software rather than the hardware.
TPM chips can be removed
A security researcher recently demonstrated another attack. BitLocker stores your encryption key in your computer's secure platform module (TPM), which is a special hardware item that is supposed to be tamper-proof. Unfortunately, an attacker could use a $ 27 FPGA card and open source code to extract it from the TPM. This would destroy the hardware but would extract the key and bypass the encryption.
How an attacker can exploit thisIf an attacker has your PC, he can theoretically bypass all these sophisticated protections of the TPM by altering the hardware and extracting the key, which is not supposed to be possible.
The solution: Configure BitLocker to Require a Pre-Start PIN in Group Policy. The "Require Start PIN with TPM" option will force Windows to use a PIN to unlock the TPM at startup. You will need to enter a PIN code when you start your PC before starting Windows. However, this will block the TPM with additional protection and an attacker will not be able to extract the key from the TPM without knowing your PIN. The TPM protects against brute force attacks so that attackers can not guess each PIN one by one.
Standby computers are more vulnerable
Microsoft recommends disabling sleep mode when using BitLocker for maximum security. Hibernate mode is fine. You can ask BitLocker to need a PIN when you wake your PC from hibernation or when booting it normally. But, in standby mode, the PC remains on with its encryption key stored in the RAM.
How an attacker can exploit this: If an attacker has your PC, he can reactivate it and connect. In Windows 10, it may be necessary to enter a digital PIN. With physical access to your PC, an attacker can also use Direct Memory Access (DMA) to retrieve the contents of your system's RAM and obtain the BitLocker key. An attacker could also execute a cold start attack– Restart the running PC and recover the keys in RAM before they disappear. It may even involve using a freezer to lower the temperature and slow down the process.
The solution: Hibernate or turn off your PC instead of letting it sleep. Use a PIN code at startup to further secure the boot process and block cold boot attacks. BitLocker will also require a PIN when resuming Hibernation if it is configured to require a PIN at startup. Windows also allows you "disable new DMA devices when this computer is locked"Also via a Group Policy setting – which provides some protection even if an attacker turns on your PC while it is running.
If you want to know more about the subject, Microsoft offers detailed documentation for secure Bitlocker on its website.