
If BitLocker was configured for a user not to input a PIN, and the device got lost/stolen, is there a risk of the data on the hard disk being exposed?

With no PIN enabled, is that essentially as good as having no hard disk encryption at all?

Am I right in assuming that not enabling a PIN is a self-decrypting device?

Architect

1 Answer

4

> Am I right in assuming that not enabling a PIN is a self-decrypting device?

Yes, you're right in that without the PIN enabled, decryption will occur automatically without any user input/authentication required.

However this does not equal having no hard disk encryption at all. The data on the disk is still encrypted which means that if an attacker physically removes the disk to read it or boots onto another OS (from a USB), they will not be able to read the data on the disk. This could deter casual attackers with limited technical abilities.

More sophisticated attackers may be able to recover the encryption keys by other methods and thus will be able to decrypt the disk. This may be accomplished by first booting the operating system and then extracting the keys from memory. Alternatively, they may attempt to extract the keys directly from the TPM chip. Or they might attempt to exploit unpatched vulnerabilities in the OS or services that launch on startup (like RDP or SMB) after booting to achieve Remote Code Execution on the machine. F-Secure has also demonstrated that it is possible to sniff the key off the SPI bus.

nobody
  • If a user authenticated to the OS, and then it locked out due to inactivity (or the user locked the screen), and say the device was stolen at this stage, can the malicious user exploit unpatched vulnerabilities (via RDP or SMB) before bypassing the OS authentication? Or can this be exploited with a locked screen? – Architect Jul 09 '20 at 08:55
  • @Architect Yes it can be exploited with a locked screen because services like RDP and SMB operate over the network so as long as the device is connected to a network (and if it isn't the attacker can connect it to one) the vulnerabilities should be exploitable. Locking the device doesn't stop the services. – nobody Jul 09 '20 at 09:14
  • I think that Bitlocker can also fully manage SED when the hardware supports it. In the case that SED is in OPAL mode, and TPM-only is used (so no PIN), the TPM chip unlocks the disk when powered on in the same machine. Switching the data cable only will mean access to an unlocked disk as shown by Daniel Boteanu (KPMG, Black Hat talk). I think that's called a Hot Plug Attack. https://www.blackhat.com/docs/eu-15/materials/eu-15-Boteanu-Bypassing-Self-Encrypting-Drives-SED-In-Enterprise-Environments.pdf – Bob Ortiz Feb 25 '21 at 17:03
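The answer's distinction between TPM-only and TPM+PIN protectors is visible on the machine itself: BitLocker records which key protectors unlock a volume, and a "Tpm" protector with no "TpmPin" protector is exactly the self-unlocking configuration the question asks about. The script below is an added example, not code from the question or answer, for auditing the OS volume and optionally moving it to TPM+PIN. It assumes the built-in BitLocker PowerShell module on Windows 10/11, an elevated prompt, and that Group Policy ("Require additional authentication at startup") permits a TPM PIN; the `-Remediate` switch and its behaviour are this example's own design.

```powershell
# Added example (not from the question or answer): audit the OS volume's
# BitLocker key protectors and, with -Remediate, replace a TPM-only protector
# with TPM+PIN so the disk no longer unlocks without user input at boot.
# Assumptions: BitLocker PowerShell module present, elevated session, and
# policy allowing a startup PIN. Run as: .\Check-BitLockerPin.ps1 [-Remediate]
param(
    [switch]$Remediate   # hypothetical switch: audit only unless passed
)

$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

Write-Host "Volume $($vol.MountPoint): protection=$($vol.ProtectionStatus), method=$($vol.EncryptionMethod)"
Write-Host "Key protectors: $($types -join ', ')"

$tpmOnly     = $types -contains 'Tpm'
$preBootAuth = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey') -or ($types -contains 'TpmStartupKey')
$hasRecovery = $types -contains 'RecoveryPassword'

if ($vol.ProtectionStatus -ne 'On') {
    Write-Warning "Protection is not on (suspended or never enabled); the volume key is exposed in clear."
} elseif ($tpmOnly -and -not $preBootAuth) {
    Write-Warning "TPM-only protector: the OS boots and unlocks with no user input, so a lost device exposes the running OS (memory, network services) as described in the answer."
    if ($Remediate) {
        if (-not $hasRecovery) {
            # Do not remove the only working protector without a recovery path.
            Write-Warning "No recovery password protector found; add one (Add-BitLockerKeyProtector -RecoveryPasswordProtector) and back it up before changing protectors."
            return
        }
        $pin = Read-Host -Prompt 'Enter new startup PIN' -AsSecureString
        Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -TpmAndPinProtector -Pin $pin | Out-Null
        # Remove the TPM-only protector so auto-unlock is no longer possible.
        $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' } | ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $vol.MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
        Write-Host "Replaced TPM-only protector with TPM+PIN; verify with Get-BitLockerVolume before rebooting."
    }
} else {
    Write-Host "Pre-boot authentication is required (TPM+PIN or startup key); automatic unlock is not configured."
}
```

The recovery-password check is the important design choice: removing the last protector that can unlock the volume locks the owner out too, so the script refuses to remediate until a recovery password exists and has been backed up. Note that `Add-BitLockerKeyProtector -TpmAndPinProtector` fails with a policy error on machines where the startup-authentication policy has not been configured to allow a TPM PIN; that policy is the prerequisite for moving away from the TPM-only configuration discussed above.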