If your Windows 10 PC tells you there is an update pending – it might be the Windows 10 Anniversary Update (not that you can distinguish this from any other update – until it’s applied, as far as I could see).
If it is, take care to physically secure your laptop, as the update disables BitLocker!
Following the principle of responsible disclosure, I reported the issue to Microsoft (4th August 2016)…
I am sending you this email, for a Windows 10 laptop, on which BitLocker security was bypassed.
Configuration:
- Windows 10;
- BitLocker;
- Dell TPM;
- BitLocker protection with PIN switched to on.
Every time I switch my PC on, I am prompted for the BitLocker PIN. Good.
Scenario
Yesterday, I turned my PC off, and it decided to apply the latest Windows updates [anniversary update]. The updates were applied, the PC switched off, and I put the machine away for the night.
Today, I turned the PC on and was ready to type my BitLocker PIN in.
HOWEVER, it went straight to a screen saying “applying security updates”.
During this it re-booted twice.
Then I was taken to the Windows 10 logon screen. From here I could log in and access my files.
The BitLocker PIN protection was thus completely bypassed.
Please let me know if you need any further information to investigate this.
I was quite surprised by Microsoft’s reply…
RE: BitLocker Bypass TRK:0189001958
Thank you for contacting the Microsoft Security Response Center (MSRC). During an upgrade scenario [there] is a known issue and the team is aware of it. The scenario is very specific and unlikely.
The reply then went on to say it’s not really a proper vulnerability:
For an in-depth discussion of what constitutes a product vulnerability please see the following:
“Definition of a Security Vulnerability”
<https://technet.microsoft.com/library/cc751383.aspx>
I’ll let Cyber Matters readers judge…
Just because the scenario is unlikely, does that mean it is not a vulnerability?
In summary, I switched my PC off, it decided to apply the updates and the next day it rebooted into user mode without me needing to enter the BitLocker PIN.
Does that seem like a vulnerability to you?
Advice: If applying the Windows 10 Anniversary Update, make sure your machine is physically secure during the entire process.
Underlying Concern
What is more of a concern is the implication that software – the operating system in this case – is able to control the PIN protecting the TPM. So what is to stop malware of some form undertaking this task, enabling an attacker to disable boot protection just before stealing a machine?
Now, I’m not a disk encryption expert, but I know some Cyber Matters readers are. Is this a common problem with all disk encryption products, or is that threat model unique to Microsoft BitLocker?
Hi Colin,
The Anniversary edition is a full blown OS upgrade – it’s not a simple patch. This installation won’t work if it can’t access the data! It’s my understanding that BitLocker suspends its service during any OS upgrade. This suspension stores the Volume Master Key (VMK) in a clear state on the disk. Microsoft states that this will allow anyone to access encrypted data until the next reboot. This explains the missing TPM PIN!
Let’s consider the alternative upgrade process. We’d have to un-encrypt and re-encrypt the entire drive! I address your question regarding BitLocker malware vulnerabilities on my blog:
http://www.stevenjordan.net/2016/01/how-to-enable-startup-pin-for-bitlocker.html?showComment=1470663306902#c8444533013262200500
TechNet articles that explain suspension and decryption:
https://technet.microsoft.com/en-us/library/ff829848%28v=ws.11%29.aspx?f=255&MSPPError=-2147217396
https://technet.microsoft.com/en-us/library/ee424325%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
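As an added example (not code from the post or from Steve’s comment), here is a defender-side PowerShell check for the state Steve describes: a volume that is fully encrypted but whose protectors are suspended, so the VMK sits under a clear key and the TPM+PIN is not enforced at boot. It assumes the BitLocker PowerShell module that ships with Windows 10 and an elevated session.

```powershell
# Added example: find BitLocker volumes left in the suspended state
# (encrypted, protection off) and optionally resume protection on them.
# Assumes Windows 10 with the BitLocker module and an elevated session.

function Get-SuspendedBitLockerVolume {
    [CmdletBinding()]
    param()
    # A suspended volume stays FullyEncrypted but reports ProtectionStatus Off,
    # which is the condition an upgrade leaves the machine in until it resumes.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off'
    } | ForEach-Object {
        [pscustomobject]@{
            MountPoint    = $_.MountPoint
            # The configured protectors (e.g. TpmPin, RecoveryPassword) are
            # still listed; they are simply not enforced while suspended.
            KeyProtectors = ($_.KeyProtector.KeyProtectorType -join ', ')
        }
    }
}

function Resume-SuspendedBitLockerVolume {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($vol in Get-SuspendedBitLockerVolume) {
        if ($PSCmdlet.ShouldProcess($vol.MountPoint, 'Resume BitLocker protection')) {
            # Resuming discards the clear key and re-enforces the protectors,
            # so the next boot asks for the PIN again.
            Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
        }
    }
}

# Report first; resume only after confirming no upgrade is still in progress,
# since resuming mid-upgrade would make the next reboot stop at the PIN prompt.
$suspended = Get-SuspendedBitLockerVolume
if ($suspended) {
    Write-Warning 'BitLocker protection is suspended on:'
    $suspended | Format-Table -AutoSize
} else {
    Write-Host 'No suspended BitLocker volumes found.'
}
```

Run `Resume-SuspendedBitLockerVolume -WhatIf` to preview the change, then without `-WhatIf` to re-enforce the protectors on a machine that was left unprotected.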
Thank you for the detailed comment Steve.
To some extent I agree with your points, with two exceptions.
Firstly, “Microsoft states that this will allow anyone to access encrypted data until the next reboot”. This is true if you are an expert, and go looking. However, as a mere-mortal, just clicking “apply updates”, there was no user level warning that the PC would be left in an insecure state until the update had fully applied.
Secondly, this suggests storing the Volume Master Key in a clear state on the disk is 100% under software control – no user interaction was required. Thus something malware could conceivably achieve.
No, I am not an expert here; is this an issue unique to the Microsoft implementation, or is it a risk factor in all software based disk encryption products?
Once again, thank you for taking the time to comment.