In the ongoing debate over whether BitLocker is truly secure, and if not, what the best ways to break into a protected system are, you first need to understand how BitLocker works and which platforms it runs on. BitLocker is only available on the Ultimate and Enterprise editions of Vista (or Vista with SP1); it is also available on Windows Server 2008. While the Vista security folks deny that there is any back-door access into BitLocker, which is good, forensics folks are aware of, and use, vulnerabilities or data sets that can crack open a BitLocker-protected system. The BitLocker key can be stored in a number of ways. One of the most obvious is that the key is stored on a USB thumb drive: the user inserts the drive and off they go (if the computer is new enough to read the key off the drive while still in boot mode). The key can also be stored in the company's Active Directory, meaning that direct or nefarious access to AD will let someone download the key and dump it to a USB drive as well (unless the AD server itself is on BitLocker). That can be problematic in light of the password-recovery tools for AD: with the right (domain) credentials you can browse AD for BitLocker recovery passwords.

The BitLocker Active Directory Recovery Password Viewer lets you locate and view BitLocker recovery passwords that are stored in AD DS. You can use this tool to help recover data that is stored on a volume that has been encrypted by using BitLocker. The BitLocker Active Directory Recovery Password Viewer is an extension for the Active Directory Users and Computers MMC snap-in. After you install this tool, you can examine a computer object’s Properties dialog box to view the corresponding BitLocker recovery passwords. Additionally, you can right-click a domain container and then search for a BitLocker recovery password across all the domains in the Active Directory forest. Source: Microsoft

Another intriguing attack is to recover the ghost hibernation file that still exists within memory, by cooling the RAM down with a can of compressed air and then pulling the contents out of memory. All three platforms, Apple, Linux, and Microsoft, were vulnerable to this same kind of attack, and while it is an unlikely attack, it is still interesting to note what the researchers found they could do:

With the memory contents in hand, the next step was to crack the encryption and compensate for the sporadic memory errors. Here, the researchers relied on the fact that most decryption systems store information derived from the encryption keys in memory to speed calculations. These key schedules have some known features that make finding them largely a matter of scanning for patterns in the memory. Once near matches are identified, they can be set aside for more detailed analysis (including corrections for memory errors), eliminating most brute force aspects of the cracking. Source: Ars Technica
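The key-schedule pattern the quoted passage describes, as an added example that is not part of the original post or the research it cites: AES-128 expands a 16-byte key into a 176-byte schedule by a fixed rule, so any 16-byte window whose expansion matches the bytes that follow it is almost certainly a live key, even when a few bytes have decayed, and the same scan lets a defender confirm that a crash dump or a supposedly wiped buffer no longer holds key material. The key and the surrounding image are constructed (the FIPS-197 test key embedded in synthetic filler), not captured from any machine.

```python
# Added example (not from the post): find an AES-128 key schedule in a memory
# image. The image is synthetic filler, not a real dump; key is FIPS-197's A.1 key.
def _gf_mul(a, b):                      # multiply in GF(2^8), AES polynomial 0x11B
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = (a << 1) ^ (0x11B if a & 0x80 else 0), b >> 1
    return r

def _sbox_entry(x):                     # inverse (x^254, with 0 -> 0) then affine map
    inv, e = 1, 254
    while e:
        if e & 1:
            inv = _gf_mul(inv, x)
        x, e = _gf_mul(x, x), e >> 1
    s = b = inv
    for _ in range(4):
        b = ((b << 1) | (b >> 7)) & 0xFF
        s ^= b
    return s ^ 0x63

SBOX = [_sbox_entry(x) for x in range(256)]
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def expand_key(key):                    # FIPS-197 key expansion: 16 -> 176 bytes
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = w[i - 1][:]
        if i % 4 == 0:                  # RotWord, SubWord, xor Rcon
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= RCON[i // 4 - 1]
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return bytes(b for word in w for b in word)

def find_key_schedules(image, max_bad_bytes=0):
    # Every 16-byte window is a candidate key; report offsets where the next
    # 160 bytes equal its expansion, tolerating max_bad_bytes decayed bytes.
    hits = []
    for off in range(len(image) - 175):
        sched = expand_key(image[off:off + 16])
        bad = sum(a != b for a, b in zip(sched[16:], image[off + 16:off + 176]))
        if bad <= max_bad_bytes:
            hits.append((off, bad))
    return hits

FIPS_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")

def build_sample_image():               # constructed 1 KiB image, schedule at 300
    filler = bytes((i * 73 + 17) & 0xFF for i in range(1024))
    sched = bytearray(expand_key(FIPS_KEY))
    sched[100] ^= 0x01                  # one flipped bit, like a decayed cell
    return filler[:300] + bytes(sched) + filler[476:]

if __name__ == "__main__":
    img = build_sample_image()
    print(find_key_schedules(img), find_key_schedules(img, max_bad_bytes=1))
```

With an exact match required the decayed schedule is missed; allowing one bad byte finds it at offset 300, which is the error-tolerant near-match step the passage describes.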

The research paper is fascinating, but if people really want to get into the computer, it is easier to steal the computer and look through the bag for a USB key (it is highly likely to be located physically near the computer, or in the computer, depending on the user). Geeks with Blogs points out that BitLocker is also vulnerable to these other methods, not all of which are beyond the script kiddie, but fun to learn about all the same:

Even with all of the new security that is provided by BitLocker, it can’t stop everything. Some of the areas that BitLocker is helpless to defend against are:
• Hardware debuggers
• Online attacks — BitLocker is concerned only with the system’s startup process
• Post logon attacks
• Sabotage by administrators
• Poor security maintenance
• BIOS reflashing
Source: Geeks with Blogs

Physical access to the computing system is a must for most of these attacks to work. The other notable part is how the keys can be stored in AD for recovery processes, meaning that if you can get into the AD system you have unfettered access to the entire set of recovery keys across the BitLocker installation base. Those can then be burned to USB drives and used to gain access to the systems. While in general it is a good system for people with the Enterprise or Ultimate editions, or Vista with SP1, there are physical and computer-access issues with BitLocker depending on how the key-recovery process was set up, where the keys are stored, and the use of the Ultimate or Enterprise editions of Vista. It is a good system, but nothing says it is a panacea, and if the data is important enough, there are ways around the physical and electronic security of a system.