Bitlocker Broken/Cracked… NOT!

Ok, I’ve been trying to keep my cool on this whole thing but enough is enough. A few days ago Ars Technica ran a hype story called “First commercial tool to crack BitLocker arrives” (no, I’m not going to link to it because they don’t deserve the traffic IMHO). The claim is that Passware has created a commercial tool that cracks BitLocker encryption. This is misleading garbage. Sorry, there is no other way to put it; well, there is, but I edited that one out. First, the encryption hasn’t been cracked; second, it still requires access to a live machine (sleep is still live).

What Passware actually does is take an image of the RAM / swap file and hunt for the decryption key in it. This is nothing new, and nothing that can’t be done against any full volume encryption system, yes, including PGP and TrueCrypt. It’s the same thing as the frozen RAM trick and every other administrator-enabled direct memory access trick. Passware requires administrative access to a machine that is in a ‘non-off’ state in order to get a snapshot of the memory and then troll through it to find the key. If your machine is turned off, none of these so-called encryption cracking techniques work, NONE of them.

ALL full volume encryption systems must have the decryption key available in memory. And no, you cannot protect it completely like some people claim PGP does; PGP is just as susceptible to this kind of thing, if not more so, as commercial tools like McAfee Endpoint Encryption (formerly SafeBoot) and BitLocker.

Now pay attention: neither BitLocker nor any other drive encryption system is designed to protect data on a drive when the machine is booted and someone with administrator privileges has access to the machine. People keep conveniently glossing over this fact. BitLocker is designed to prevent off-line attacks such as the ‘stolen/lost laptop’ scenario. If you log in to your computer, then hand it to someone, nothing in the world will protect your data.

All of this sensationalist drivel would like you to believe that there is some huge security vulnerability if you, as an administrator on a logged-in machine, can get at data protected by a disk encryption system. There isn’t. If you have that kind of access to the machine, why not just turn off the encryption and save yourself the trouble?

If you don’t have the key in memory when a decryption operation is required, the decryption does not happen. Simple as that. Finding this key in a snapshot of the computer’s memory is not rocket science, nor is it cracking anything. It is using that key to decrypt the drive. Cracking would be breaking the encryption without the key, which is still not possible in any reasonable amount of time on modern computers.

Now, if someone can do this on a BitLockered machine that is turned off (not sleep, but cold off) and configured for TPM+PIN+USB key (the recommended secure configuration), then I’ll be impressed. Oh, one other thing: you have to be able to get to the data in my lifetime; brute forcing the encryption after about 40 billion years doesn’t count.

If I locked a door, then hid the key under the mat and told you where the key was, is the door or lock cracked because you were able to unlock it and open the door? No, of course not. Saying BitLocker is cracked because someone had access to the key is garbage. It’s like saying Notepad is broken because it saves files in plain text. Then again, now that I’ve said that, some of these sensationalists are probably going to start writing headlines like “Notepad File Format Cracked!”

Ok all of you wanna-be journalists out there (you know who you are), start doing a bit of homework before you drivel onto your keyboard. Try being responsible for just a tiny little bit instead of wondering how many hits you can get on your page by spouting some sensationalist garbage.

Funny, but after being called to task on their sensationalist crap, the ‘writer’ (doesn’t deserve to be called a journalist) updated the post to say “this isn't exactly a "crack" for BitLocker” and “If a forensics analyst or thief has physical access to a running system, it is possible to take advantage of the fact that the contents are in the computer's memory. Other drive encryption programs have similar issues.”

Gee, you probably should have thought that out before you published the drivel.

There are a lot of journalists I respect out there and no they are not all pro-Microsoft. But they do their homework and they write thoughtful, insightful, and factual articles. Be a journalist, not a sensationalist.

Comments (12)

  1. wma says:

    Well said.

  2. josheinstein says:

    Why don’t you tell us how you really feel? 🙂

    I know what you mean though. I got pretty bent out of shape when rumors started circulating about a "PowerShell vulnerability" which was nothing more than a malicious script written in PowerShell. Ironically, you can’t even run a PowerShell script by double clicking it and script execution is disabled by default so I’m not quite sure how anyone bought into that.

  3. Singh400 says:

    Thanks for the run down, I’ll be sure to point people in this direction when they bring this up (and they will).

  4. Vyacheslav Lanovets says:

    There were a couple of similar "news" of recent like this and this

    Generally speaking, nowadays it is nigh impossible to find anything positive about Microsoft in the media.

  5. JC says:

    SoOOO… what you're saying is, if the cops bust up in my house, hit the kill switch before they can sit at my computer??? LOL

  6. RockyH says:

    Well that approach is certainly up to you. Just remember the courts can subpoena the passphrase/backup keys from you. Of course if you don't keep a backup key and the post-it note the very long passphrase is written on gets uhm accidentally swallowed during the excitement…

  7. Anonymous watcher says:

    Well… everyone who believed the guy posting above, please read this…/Cold_boot_attack

    This means that if someone could gain physical access to the laptop/PC and get the RAM fast enough (either hardware or software way), they could read the encryption keys.

    In other words… as long as the stealer/attacker is not aware the hard disk drive is encrypted and won't act fast enough prepared, this attack will be unsuccessful.

    So if cops go into your house…. not only pull the plug of the PC/laptop, but also throw the RAM through the window =P (the RAM is cheap and doing this will give some time for this RAM to forget the keys, making the Cold boot attack impossible).

    But yes, the author of the above article is right…. this is not really cracking… it's just taking advantage of the hardware vulnerability. (Perhaps need to invent better technology for RAM, like Secure-RAM?)

  8. Anonymous says:

    Ars Technica is crap. A garbage site full of losers. I get what you're saying, just don't let them upset you that much. They don't know any better. What's WORSE is that they THINK they know better… which makes them a lost cause.

  9. jack says:

    Oh, I'm sick of sensationalist media… unfortunately it isn't limited to Ars Technica. I mean… look at "current affairs" style programs… full of rubbish journalism.

  10. FL says:

    And what about the hibernation file stored on an unencrypted partition ?

  11. RockyH says:

    FL, that could indeed create a compromise. However, you would have to intentionally place it on an unencrypted partition since the hibernation file is on the OS drive by default. Additionally, BitLocker best practice recommends not doing that. If a person insists on going against all of the recommendations, defaults, and best practices and intentionally setting up their system in an incorrect manner, no security mechanism will protect them.
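    A posture check that ties the post's two points together (the key has to be in RAM, so what matters is whether a user-held secret gates loading it, and whether a copy of RAM can end up on an unencrypted disk via the hibernation or page file, as FL asked above). This is an added example, not code from the original post or from any commenter. It assumes Windows 8 or later with the BitLocker PowerShell module (`Get-BitLockerVolume`) and an elevated session; the function names are mine, and the `KeyProtectorType` names (`Tpm`, `TpmPin`, `TpmPinStartupKey`, …) are the values that cmdlet prints and are assumed here rather than taken from the post.

```powershell
#Requires -RunAsAdministrator
# Added example (not code from the original post or its commenters).
# Assumes Windows 8+ with the BitLocker module (Get-BitLockerVolume) and an elevated session.
# Function names are mine; KeyProtectorType names (Tpm, TpmPin, TpmPinStartupKey, ...)
# are the values Get-BitLockerVolume prints and are assumed here.

function Get-BitLockerVolumePosture {
    [CmdletBinding()]
    param()

    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        $isOs  = ($v.VolumeType -eq 'OperatingSystem')
        # TPM+PIN or TPM+PIN+startup key: the post's recommended "cold off" configuration.
        $preBootSecret = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

        if ($v.ProtectionStatus -ne 'On') {
            $finding = 'Not protected: readable offline by anyone holding the disk'
        } elseif ($isOs -and $preBootSecret) {
            $finding = 'OK: TPM plus a user-held secret gates loading the key into RAM'
        } elseif ($isOs) {
            $finding = 'TPM-only: the key is in RAM as soon as the machine boots, with no user input'
        } else {
            $finding = 'OK: protected data volume'
        }

        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            VolumeType       = [string]$v.VolumeType
            ProtectionStatus = [string]$v.ProtectionStatus
            VolumeStatus     = [string]$v.VolumeStatus
            KeyProtectors    = ($types -join ', ')
            Finding          = $finding
        }
    }
}

function Get-MemoryAtRestPosture {
    [CmdletBinding()]
    param()

    $systemDrive = $env:SystemDrive.ToUpper()              # e.g. "C:"
    $protected = @(Get-BitLockerVolume |
        Where-Object { $_.ProtectionStatus -eq 'On' } |
        ForEach-Object { $_.MountPoint.TrimEnd('\').ToUpper() })

    # Hibernation writes all of RAM, key material included, to hiberfil.sys on the system drive.
    $power = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Power' `
                              -Name HibernateEnabled -ErrorAction SilentlyContinue
    $hibernate = ($null -ne $power -and $power.HibernateEnabled -eq 1)
    if (-not $hibernate) {
        $finding = 'Hibernation disabled: no RAM image is written to disk'
    } elseif ($protected -contains $systemDrive) {
        $finding = 'OK: hiberfil.sys lands on the encrypted OS volume'
    } else {
        $finding = 'RAM image written to an unencrypted volume'
    }
    [pscustomobject]@{ Item = "hiberfil.sys on $systemDrive"; Finding = $finding }

    # Page files are listed in the Memory Management key; "?:" means system-managed on the system drive.
    $mm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management' `
                           -Name PagingFiles -ErrorAction SilentlyContinue
    foreach ($entry in @($mm.PagingFiles)) {
        if ($entry -match '^([A-Za-z?]):') {
            $drive = if ($Matches[1] -eq '?') { $systemDrive } else { $Matches[1].ToUpper() + ':' }
            if ($protected -contains $drive) {
                $finding = "OK: page file '$entry' is on an encrypted volume"
            } else {
                $finding = "Page file '$entry' is on an unencrypted volume: swapped-out key material is readable offline"
            }
            [pscustomobject]@{ Item = "pagefile on $drive"; Finding = $finding }
        }
    }
}

Get-BitLockerVolumePosture | Format-Table -AutoSize
Get-MemoryAtRestPosture    | Format-Table -AutoSize
```

    Run it from an elevated prompt on the machine you are assessing. The first table answers the question the post keeps coming back to (does loading the key require something the user holds, or does TPM-only hand a booted machine to whoever has the laptop), and the second table flags the two places where a copy of RAM, and therefore the key, can be written to disk outside the encrypted OS volume.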

  12. TheRockyH says:

    Hi Steve, no, that is not the case. If the machine is killed the drive is still encrypted.