2

In simple words: Does Bitlocker (without Pin) transform the normal "Windows User login" into something secure?

So if you activate Bitlocker (without a pin before booting) you are forced to use the original unaltered Windows installation to retrieve the key from the TPM Module. Meaning, if you try to start the computer with e.g. a Linux live USB stick you cannot access the hard disks.

Is this correct?

kiara
  • 671
  • 1
  • 6
  • 9

2 Answers

3

Your understanding is mostly correct. Using Bitlocker in TPM-only mode (not the same as just "without PIN" because you could use another form of authentication, such as an external key on a USB device) means the disk encryption key will only be available if the OS boots up normally; if the boot process is modified by malicious code, or if the normal OS isn't booting at all (because you're booting to Linux or something instead) then the TPM won't reveal the key.

Bitlocker, in any mode, doesn't really "transform the normal Windows User login into something secure", except in the sense that you can't easily attempt offline cracking of the (weak) password hash the way you normally can. In fact, in TPM-only mode, it is vital that you have a strong Windows password on all login-enabled accounts, because the attacker can still attempt online brute-forcing of that password (though Windows will limit how fast they can try). However, it does mean that simply getting the hard disk without the rest of the machine will be useless to an attacker, and that getting the entire machine but with no idea what the login passwords are and no special attack hardware will be nearly as bad. On the other hand, even without Bitlocker, an attacker could encrypt data that is protected with a key derived from their login password (using DPAPI and/or EFS) and therefore require the attacker to get their login password (although in that case brute-forcing the NTLM hash is probably the easiest option, and with BitLocker you can't do that).

Note that there are limitations of TPM-only Bitlocker. For one thing, it's much easier to bypass using a hardware attack, such as freezing the RAM (once the encryption key is retrieved from the TPM) and physically removing it from the running system, then using external hardware to read the key out. TPM-only mode is also incompatible with any kind of intentional modification of the boot process, so any time the user (or OS) wants to install a patch that modifies the bootloader or similar, it must briefly "disable" Bitlocker by writing a clear-text key to the disk. This key is removed after successful reboot, but it provides a window where an attacker could bypass Bitlocker entirely. Finally, "TPM-only" Bitlocker still usually has a "recovery key" that the user is told to store somewhere; if the attacker gets that then they can bypass Bitlocker regardless of the other protections used.

CBHacking
  • 40,303
  • 3
  • 74
  • 98
  • 2
    It's worth noting that BitLocker in TPM-only mode is, by itself, insufficient to prevent a moderately skilled attacker from gaining access to the data on a stolen computer, because they could utilise malicious EFI firmware / boot apps or a malicious bootloader to dump the keys. Secure Boot needs to be enabled so that BitLocker can utilise PCR measurements to prevent these kinds of attacks. – Polynomial Jan 22 '20 at 06:44
  • 2
    Also, physically freezing the RAM isn't really an attack that anyone does these days. It's much easier to buy an FPGA development board and build [pcileech](https://github.com/ufrisk/pcileech) for it, then use it to dump the system memory at runtime. Alternatively, you can just plug in a malicious Thunderbolt device and dump memory via DMA that way, although there's a [group policy option](https://docs.microsoft.com/en-gb/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings#disable-new-dma-devices-when-this-computer-is-locked) to help mitigate this. – Polynomial Jan 22 '20 at 06:48
  • 1
    Ah dammit, I meant to mention Secure Boot. With that said, tampering with the boot code in a way that doesn't prevent the TPM from unsealing the BitLocker key sounds tricky; I haven't looked into the state of research in this area for a few years though. – CBHacking Jan 22 '20 at 18:04
  • AFAIK you can replace the bootloader with a stub that loads the Windows BCD (which then invokes BitLocker) and that stub can give you access to all memory. The TPM itself doesn't have any way of identifying that this happened unless you enable Secure Boot, because that's where the PCR measurements come in. – Polynomial Jan 29 '20 at 00:35
  • @Polynomial Pretty sure the TPM's PCRs record everything since the CPU was reset. The BIOS/EFI and its configuration are in there, as are the MBR/boot sector. I know I've tripped BitLocker by just changing firmware setup config options that didn't even change the boot device. As such, I expect replacing either the bootloader or the device firmware to prevent the TPM from unsealing the BitLocker key. See https://link.springer.com/chapter/10.1007/978-1-4302-6584-9_12 – CBHacking Jan 29 '20 at 01:41
  • Sorry, I should've been clearer - the scenario I was talking about is without Secure Boot being enabled. As I understand it the PCRs don't *themselves* validate anything - they provide boot measurement, but you need something to validate those measurements, and you need a root of trust in order to perform that validation in a way that can't just be patched away by a malicious EFI executable or bootloader. – Polynomial Jan 31 '20 at 22:40
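The measured-boot behaviour discussed in this answer and its comments (each boot component is extended into a PCR, the sealed key is released only when the selected PCRs match the sealing-time values, and a PIN adds an auth value the TPM checks as well) can be exercised in a small model. The following is an added teaching example written for this page; it is not BitLocker's code, not a TPM driver, and not anything from the original answer. The boot components, the PCR selection (0, 1, 4), the PIN and the `ModelTPM`, `provision` and `attempt_boot` names are all constructed assumptions; real BitLocker PCR profiles vary with firmware type and policy.

```python
"""Teaching model of TPM measured boot and PCR-sealed key release.

Added example, not BitLocker's code and not a TPM driver: PCR extension and
the PCR-policy check are re-implemented with hashlib so the claim "the TPM
won't reveal the key if the boot process is modified" can be exercised
offline. Boot components, the PCR selection (0, 1, 4) and the PIN are
constructed simplifications; real BitLocker profiles vary by firmware type.
"""
import hashlib
import hmac
import os

PCR_COUNT = 24
PCR_INITIAL = bytes(32)  # every PCR is all-zero after CPU reset


def pcr_extend(current: bytes, component: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR <- H(PCR || H(component)); order-sensitive, one-way."""
    return hashlib.sha256(current + hashlib.sha256(component).digest()).digest()


def measure_boot(chain):
    """Replay a boot: each (pcr_index, component_bytes) is extended into its PCR."""
    pcrs = {i: PCR_INITIAL for i in range(PCR_COUNT)}
    for index, component in chain:
        pcrs[index] = pcr_extend(pcrs[index], component)
    return pcrs


def policy_digest(pcrs, selection):
    """Digest over the selected PCRs; the value a PCR policy is bound to."""
    h = hashlib.sha256()
    for index in sorted(selection):
        h.update(bytes([index]) + pcrs[index])
    return h.digest()


class ModelTPM:
    """Keeps sealed secrets inside and releases one only when the current PCR
    state matches the sealing policy and the auth value (a PIN, if set) matches.
    A real TPM additionally rate-limits wrong auth values (dictionary lockout)."""

    def __init__(self):
        self._objects = {}
        self._pcrs = measure_boot([])

    def boot(self, chain):
        """A reset clears the PCRs; the boot chain is then measured from scratch."""
        self._pcrs = measure_boot(chain)

    def seal(self, name, secret, selection, auth=b""):
        self._objects[name] = (
            tuple(selection),
            policy_digest(self._pcrs, selection),
            hashlib.sha256(auth).digest(),
            secret,
        )

    def unseal(self, name, auth=b""):
        selection, expected_policy, expected_auth, secret = self._objects[name]
        policy_ok = hmac.compare_digest(policy_digest(self._pcrs, selection), expected_policy)
        auth_ok = hmac.compare_digest(hashlib.sha256(auth).digest(), expected_auth)
        return secret if (policy_ok and auth_ok) else None


# Constructed stand-ins for the firmware image, firmware setup variables and
# the boot manager binary that real firmware would measure.
FIRMWARE = b"OEM UEFI firmware build 1.0"
FIRMWARE_CONFIG = b"boot-order=nvme; secure-boot=on"
WINDOWS_BOOTMGR = b"bootmgfw.efi (Microsoft-signed boot manager)"
LIVE_USB_BOOTLOADER = b"grubx64.efi (Linux live USB)"
SEALING_PCRS = (0, 1, 4)  # firmware code, firmware config, boot manager code

NORMAL_BOOT = [(0, FIRMWARE), (1, FIRMWARE_CONFIG), (4, WINDOWS_BOOTMGR)]
LIVE_USB_BOOT = [(0, FIRMWARE), (1, FIRMWARE_CONFIG), (4, LIVE_USB_BOOTLOADER)]
CHANGED_SETTINGS_BOOT = [(0, FIRMWARE), (1, b"boot-order=usb,nvme; secure-boot=on"), (4, WINDOWS_BOOTMGR)]


def provision(vmk, pin=b""):
    """Seal the volume master key during a known-good boot (what turning on
    BitLocker does); returns the TPM holding it."""
    tpm = ModelTPM()
    tpm.boot(NORMAL_BOOT)
    tpm.seal("vmk", vmk, SEALING_PCRS, auth=pin)
    return tpm


def attempt_boot(tpm, chain, pin=b""):
    """Reset, measure the given chain, ask the TPM for the key; None = refused."""
    tpm.boot(chain)
    return tpm.unseal("vmk", auth=pin)


if __name__ == "__main__":
    vmk = os.urandom(32)
    tpm = provision(vmk)
    print("normal boot released key  :", attempt_boot(tpm, NORMAL_BOOT) == vmk)
    print("live USB boot refused     :", attempt_boot(tpm, LIVE_USB_BOOT) is None)
    print("changed firmware setting  :", attempt_boot(tpm, CHANGED_SETTINGS_BOOT) is None)
    tpm_pin = provision(vmk, pin=b"482913")
    print("TPM+PIN, no PIN supplied  :", attempt_boot(tpm_pin, NORMAL_BOOT) is None)
```

Two points the model makes visible: the changed-firmware-setting boot is refused even though the boot device and bootloader are unchanged, which is the behaviour CBHacking describes from experience, and with a PIN sealed as the auth value the TPM refuses to release the key on an otherwise perfect boot until the PIN is supplied, which is why TPM+PIN removes the "boots straight to the login screen" property.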
0

This is recent research by security specialists of the Dolos Group to determine if an attacker can access the organization network from a stolen device and also perform lateral network movement. They were handed a Lenovo Laptop preconfigured with the standard security stack for this organization. No prior information about the laptop, test credentials, configuration details, etc. were given. They stated it was a 100% black-box test. Once they got hold of the device, they headed straight to work and performed some reconnaissance of the laptop (BIOS settings, normal boot operation, hardware details, etc.) and noted a lot of best practices were being followed, negating many common attacks. For example:

  • Pcileech/DMA attacks were blocked because Intel’s VT-d BIOS setting was enabled.
  • All BIOS settings were locked with a password.
  • The BIOS boot order was locked to prevent booting from USB or CD.
  • Secureboot was fully enabled and prevented any non-signed operating systems.
  • Kon-boot auth bypass did not work because of full disk encryption.
  • LAN turtle and other Responder attacks via USB ethernet adapters returned nothing usable.
  • The SSD was full disk encrypted (FDE) using Microsoft’s BitLocker, secured via Trusted Platform Module (TPM).

With nothing else working, they had to take a look at the TPM and they noticed from the reconnaissance that the laptop boots directly to the Windows 10 Login screen. This is a TPM-Only implementation.

That, coupled with the BitLocker encryption means that the drive decryption key is being pulled only from the TPM, no user-supplied PIN or password was needed which is the default for BitLocker. The advantage of using TPM-Only is, it eliminates the use of a second factor (Pin + Password) thereby convincing users to have their devices encrypted. You may want to see How to enable Bitlocker Pre-Boot Authentication via the Group Policy.

They stated that the introduction of additional security such as a password or a PIN would have thwarted this attack. – This means, they recommend using TPM + Pin or TPM with a Password. This means, with a PIN you pretty much eliminate all forms of attack, and each time your device is switched on, your device will not be grabbing the Key from the TPM. An additional PIN is required to unlock the drive, so without the PIN you cannot even boot Windows as described in this guide. But it’s another authentication layer that some users may find obtrusive.

For those using VPN with Pre-Logon, after gaining access to the device, without requiring access, this could lead to a lot of lateral movement within the network.

Summary: TPM is very secure and an attack on it is near impossible. The flaw is BitLocker does not utilize any encrypted communication features of the TPM 2.0 standard, which means any data coming out of the TPM is coming out in plaintext, including the decryption key for Windows. If an attacker grabs that key, they should be able to decrypt the drive, get access to the VPN client config, and maybe get access to the internal network.

Until this is fixed, I will recommend using TPM + Pin or Password!!! This guide will help in configuring BitLocker PIN bypass: How to configure Network Unlock in Windows. You may want to learn how to deploy Microsoft BitLocker Administration and Monitoring Tool.

Reference

schroeder
  • 123,438
  • 55
  • 284
  • 319