Windows 10 Anniversary Update – BitLocker Bypass Warning

8 Aug

If your Windows 10 PC tells you there is an update pending – it might be the Windows 10 Anniversary Update (not that you can distinguish this from any other update – until it’s applied, as far as I could see).

If it is, make sure your laptop is physically secure while the update installs, because the upgrade disables BitLocker!


Following the principle of responsible disclosure, I reported the issue to Microsoft (4th August 2016)…

I am sending you this email, for a Windows 10 laptop, on which BitLocker security was bypassed.

Configuration

  • Windows 10;
  • BitLocker;
  • Dell TPM;
  • BitLocker protection with PIN switched to on.

Every time I switch my PC on, I am prompted for the BitLocker PIN.  Good.

Scenario

Yesterday, I turned my PC off, and it decided to apply the latest Windows updates [anniversary update]. The updates were applied, the PC switched off, and I put the machine away for the night.

Today, I turned the PC on and was ready to type my BitLocker PIN in.

HOWEVER, it went straight to a screen saying “applying security updates”.

During this it re-booted twice.

Then I was taken to the Windows 10 logon screen. From here I could log in and access my files.

The BitLocker PIN protection was thus completely bypassed.

Please let me know if you need any further information to investigate this.

I was quite surprised by Microsoft’s reply…

RE: BitLocker Bypass TRK:0189001958

Thank you for contacting the Microsoft Security Response Center (MSRC).  During an upgrade scenario [there] is a known issue and the team is aware of it.  The scenario is very specific and unlikely.

The reply then went on to say that this is not really a proper vulnerability:

For an in-depth discussion of what constitutes a product vulnerability please see the following:

“Definition of a Security Vulnerability”
<https://technet.microsoft.com/library/cc751383.aspx>

I’ll let Cyber Matters readers judge…

Just because the scenario is unlikely, does that mean it is not a vulnerability?

In summary, I switched my PC off, it decided to apply the updates, and the next day it rebooted into user mode without me needing to enter the BitLocker PIN.

Does that seem like a vulnerability to you?

Advice: If applying the Windows 10 Anniversary Update, make sure your machine is physically secure during the entire process.
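As an added example (not part of the original post), the following PowerShell audits the OS volume once the update has finished: it reports whether BitLocker protection is back on and whether a TPM+PIN protector is present, and resumes protection if it was left suspended. It assumes Windows 10 with the BitLocker PowerShell module (Get-BitLockerVolume, Resume-BitLocker) and an elevated prompt; the function name Test-BitLockerProtection is my own.

```powershell
# Added example, not code from the original post. Assumes Windows 10 with the BitLocker
# module and an Administrator prompt. Test-BitLockerProtection is a hypothetical name.
function Test-BitLockerProtection {
    param([string]$MountPoint = $env:SystemDrive)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $protectors = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # A volume can be fully encrypted yet report protection Off: that is the suspended
    # state an in-place upgrade leaves behind, where the volume master key is stored in
    # the clear and the machine boots without a PIN prompt.
    $suspended = ($vol.VolumeStatus -eq 'FullyEncrypted') -and ($vol.ProtectionStatus -eq 'Off')

    # The pre-boot PIN is only enforced by a TPM+PIN protector. A bare 'Tpm' protector
    # unseals the key silently and goes straight to the logon screen.
    $pinEnforced = ($protectors -contains 'TpmPin') -or ($protectors -contains 'TpmPinStartupKey')

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($protectors -join ', ')
        Suspended        = $suspended
        PinEnforced      = $pinEnforced
    }
}

$state = Test-BitLockerProtection
$state | Format-List

if ($state.Suspended) {
    Write-Warning "BitLocker is suspended on $($state.MountPoint); re-enabling protection."
    # Resume-BitLocker re-seals the volume master key to the TPM and PIN protectors.
    Resume-BitLocker -MountPoint $state.MountPoint | Out-Null
}
if (-not $state.PinEnforced) {
    Write-Warning "No TPM+PIN protector on $($state.MountPoint): boot will not prompt for a PIN."
}
```

Run it after the post-update reboots have completed; a result of Suspended = True is exactly the state described in the post, and ProtectionStatus should read On before the machine leaves your sight again.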

Underlying Concern

What is more of a concern is the implication that software (the operating system in this case) is able to control the PIN protecting the TPM. So what is to stop malware of some form undertaking this task, enabling an attacker to disable boot protection just before stealing a machine?

Now, I’m not a disk encryption expert, but I know some Cyber Matters readers are. Is this a problem common to all disk encryption products, or is this threat model unique to Microsoft BitLocker?

2 Responses to “Windows 10 Anniversary Update – BitLocker Bypass Warning”

  1. stevenuwm August 25, 2016 at 00:43

    Hi Colin,

    The Anniversary edition is a full blown OS upgrade – it’s not a simple patch. This installation won’t work if it can’t access the data! It’s my understanding that BitLocker suspends its service during any OS upgrade. This suspension stores the Volume Master Key (VMK) in a clear state on the disk. Microsoft states that this will allow anyone to access encrypted data until the next reboot. This explains the missing TPM PIN!

    Let’s consider the alternative upgrade process. We’d have to un-encrypt and re-encrypt the entire drive! I address your question regarding BitLocker malware vulnerabilities on my blog:

    http://www.stevenjordan.net/2016/01/how-to-enable-startup-pin-for-bitlocker.html?showComment=1470663306902#c8444533013262200500

    TechNet articles that explain suspension and decryption:

    https://technet.microsoft.com/en-us/library/ff829848%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396

    https://technet.microsoft.com/en-us/library/ee424325%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396


  2. Colin Robbins August 31, 2016 at 13:46

    Thank you for the detailed comment Steve.

    To some extent I agree with your points, with two exceptions.

    Firstly, “Microsoft states that this will allow anyone to access encrypted data until the next reboot”. This is true if you are an expert and go looking. However, as a mere mortal just clicking “apply updates”, there was no user-level warning that the PC would be left in an insecure state until the update had fully applied.

    Secondly, this suggests storing the Volume Master Key in a clear state on the disk is 100% under software control – no user interaction was required. Thus it is something malware could conceivably achieve.
    Now, I am not an expert here: is this an issue unique to the Microsoft implementation, or is it a risk factor in all software-based disk encryption products?

    Once again, thank you for taking the time to comment.
