A Real-world Windows Vista BitLocker Tip


Like a good Microsoft security citizen I installed BitLocker on my Infineon TPM-enabled laptop ages ago, well before we shipped the OS in late 2006. The nice thing is that I don’t even know BitLocker is ‘doing its thing’ as there is no performance degradation that I can see.
 
But there is something you ought to be aware of.
 
If, like me, you use Sleep mode (aka Standby) on your laptop, then it is possible for an attacker to log on to the laptop, because Standby simply puts the machine into a very low-power state (i.e. memory is still hot, with the OS and its keys still resident) and, on wake, simply prompts me to re-enter my logon creds. Of course, if the attacker can break your password or smartcard PIN (and has access to the smartcard), then you have a whole swag of other problems to worry about! But humor me for a moment. So what I do, mainly when I’m traveling, in a hotel room or at conferences, is put the machine into Hibernate mode, the mode that writes the RAM contents to disk and powers off; and I have configured BitLocker so that it requires me to enter a pre-boot PIN.
 
Now, when the laptop lid is opened, the attacker (or I) is prompted for the BitLocker PIN before the hibernation image can be loaded off the disk. They could try to guess the PIN, but the TPM is what unlocks the disk, and it has anti-hammering technology built in: after every n failed attempts the TPM refuses further attempts (‘goes to sleep’) for x seconds, and x increases exponentially. The BitLocker recovery model works fine without the PIN should I forget it in my old age!
 
Sure, Hibernate is a little slower than Sleep, but it does have the advantage of requiring no power, and it could help protect your ass(ets) when you use BitLocker.
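The posture this tip relies on (a TPM+PIN protector on the OS volume, and Hibernate actually available so the lid does not just Sleep) can be checked from PowerShell. This is an added example, not from the original post; it assumes the BitLocker PowerShell module (Windows 8 / Server 2012 and later, so not the Vista-era tooling the post used) and an elevated session.

```powershell
# Added posture check (not part of the original post). Assumes the BitLocker
# module is present (Windows 8+), and that the session is elevated.
$osDrive = $env:SystemDrive          # normally "C:"
$vol = Get-BitLockerVolume -MountPoint $osDrive
$findings = @()

# 1. Is the OS volume actually protected right now?
if ($vol.ProtectionStatus -ne 'On') {
    $findings += "$osDrive protection status is '$($vol.ProtectionStatus)', not 'On'."
}

# 2. Is there a pre-boot PIN protector? A TPM-only protector unlocks the disk
#    with no user secret, so the TPM's anti-hammering never comes into play.
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
$hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
if (-not $hasPin) {
    $findings += "$osDrive has no TPM+PIN protector (found: $($types -join ', ')). " +
                 "Add one with: Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector"
}

# 3. Is Hibernate enabled? If not, closing the lid can only Sleep, which keeps
#    memory (and the volume key) powered. HibernateEnabled lives under the Power key.
$powerKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
$power = Get-ItemProperty -Path $powerKey -ErrorAction SilentlyContinue
if (-not $power -or $power.HibernateEnabled -ne 1) {
    $findings += "Hibernate is disabled; enable it with: powercfg /hibernate on"
}

# 4. Report. No findings means the post's recommended configuration is in place;
#    the user still has to choose Hibernate rather than Sleep when travelling.
if ($findings.Count -eq 0) {
    Write-Host "OK: $osDrive is protected with TPM+PIN and Hibernate is available."
} else {
    $findings | ForEach-Object { Write-Warning $_ }
}
```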

Comments (13)

  1. paperino says:

    Pretty interesting Michael.

    Question: is the anti-hammer mechanism part of the TPM or can be implemented with USB drives as well?

  3. Scott Wendt says:

    Now all we need to do is get the TPM built into more consumer products. It’s nice that BitLocker works on machines that don’t have a TPM, but I’d like to use BitLocker on my laptop without having to carry a USB key or remember a long number.

  5. Corrine says:

    Nice tip.  Thanks.  Added "bookmark" in "Windows Vista Bookmarks" and the mirror at "Connected to Vista Bookmarks"

    Pingbacks: http://securitygarden.blogspot.com/2007/03/windows-vista-bitlocker-tip.html

    and

    http://windowsconnected.com/blogs/corrine/archive/2007/03/24/connected-to-vista-bookmark-updates.aspx

  6. michael_HOWARD says:

    paperino, the anti-hammering stuff is TPM specific, and is a requirement of the Trusted Computing Group (TCG).

  7. Steve Lamb says:

    Spookily enough, I was wrestling with the same scenario at the weekend, though I hadn’t tried hibernate, and am glad to hear that it invokes the BitLocker PIN prompt; though, as you say, if someone knows your creds then you’re dead regardless of BitLocker protection.

  8. Good tip, Michael!

    It is only valid if you have enabled the TPM to ask for a PIN at each boot. Of course, this adds extra security, but if you rely on OS security the TPM won’t be noticed at all. Could you look at the security threats in this scenario, perhaps in a future article?

    Just one thing to add: most attackers will try to reboot after a certain number of unsuccessful attempts to log in.

  9. Alexander Trofimov. says:

    Such a sweet scenario =) Thanks.

  10. Don’t you mean "Like a good Microsoft SENIOR citizen…"?  :)

    Yes, Standby/Sleep/Hybrid Sleep creates certain vulnerabilities which BitLocker cannot mitigate.  While the "TPM is not enough; you must use TPM + PIN" response is the most cohesive response when BitLocker is considered the primary/only mitigation, there are other options as well.  Some of these can be considered fair substitutes; others are complementary or overlapping for the kinds of threats most organizations are concerned about:

    – enable the Smart Card protection of EFS (only in Vista)

    – enable EFS with the (soon-to-be-released) EFS Assistant

    – drive-level encryption

    – disable all Power States altogether [but only if you want to re-enact the scene from Frankenstein where the citizenry come knockin, pitchforks and torches in hand]

    There are many ways to skin a cat, and while I know Michael was trying to provide a helpful tip inside the "closed universe" of BitLocker, I always like to help remind everyone to think *outside* the box as well.

    Check out the forthcoming Data Encryption Toolkit for a comprehensive look at all these data encryption technologies (http://www.microsoft.com/DET).

  13. Alun Jones says:

    The key hole here is not that someone might guess your user name and password, to unlock the computer. That, as you say, pretty much assumes that you are already owned.

    The problem is more that you are now up and running with a complete OS, not a small secure piece of code whose sole purpose is to decrypt the key that will let the boot drive work. This is also my concern with Microsoft frequently implying that the system is secured by simply using TPM as protection for the keys, without external keying material such as a USB key and a memorised PIN.

    All those holes on the outside of the computer, where the rain comes in, are now ports of attack.

    Does your system have a flaw exploitable through the network? Then you can exploit the system. [If it’s a sufficiently valuable target, and not time-sensitive, simply wait for the next exploit to come along.]

    Does your system have USB, PC-Card, or other DMA technology? Then you can plug in an exotic device whose job is to scan or modify memory. [Okay, so that’s more in the realm of high-value targets, who ought to know to hibernate every time.]

    I do think BitLocker should support a PIN+USB scenario even in the absence of TPM’s protective anti-hammering technology – it would at least limit brain-dead "I stole the laptop bag, with the USB key in it" attacks, and require that those attacks use a level of sophistication that raises the cost to the attacker.