
My SSD is currently encrypted by BitLocker. So let's say I leave my laptop in the locked state (Win+L). Is it possible for someone to get access to my data?

A few things I noted are:

  • If someone tries to boot from an external USB after a restart, he will fail, as he will be asked to enter the BitLocker password after a restart

  • Since I am at the lock screen right now and have done the booting part earlier, my disk is currently unlocked

  • It is not possible to brute force because of the limit on password attempts at the lock screen

  • Let's ignore the case where there is already malware on my PC or someone has already replaced Sticky Keys with a command prompt

So is my data safe if my laptop gets stolen while at the lock screen?

VarunAgw

2 Answers


No, it's not secure.

You're vulnerable to:

  • Cold boot attacks (freeze memory and extract the contents, get BitLocker encryption keys and all your other sensitive data)
  • DMA attacks via FireWire, CardBus, ExpressCard, Thunderbolt, etc.
  • Installation of a physical keylogger (many laptop keyboards can be easily removed) or backdoor hardware.

In general, if an attacker has physical access to your device, you're screwed.

Polynomial
  • An average thief doesn't know cold boot or DMA attacks. And I don't have anything important enough to be useful for a professional hacker. So I think I am safe enough. Anyway, thanks for the answer – VarunAgw Mar 19 '15 at 20:09
  • @VarunAgw The question, as usual, is who you are defending against. If it's a random thief with no intention to go after your data, then yeah, you're safe, and with decent probability would be even if you didn't BitLocker the drive. If it's anyone willing to invest about $600 and a couple of hours of work into the project, then no, you're not safe; see for example https://www.elcomsoft.com/efdd.html for some ideas. – DRF Mar 20 '15 at 07:59
  • The first and third points don't require the PC to be on and locked and are therefore invalid with regards to the question asked. – wensveen Jan 07 '21 at 15:10
  • @MaksimShamihulau DMA attacks are absolutely not prevented by BitLocker. Windows has features such as Kernel DMA Protection, Credential Guard, and Virtualisation Based Security / Core Isolation, which can help somewhat here, but they need to be enabled manually. The Kernel DMA Protection feature is the most critical one, since it prevents DMA operations on connected devices until a user logs in. – Polynomial Feb 19 '21 at 14:36
  • First off, don't leave your PC unattended, and when you leave, turn it off or hibernate it to make sure RAM is nulled, to prevent cold boot and DMA attacks. 1) To prevent cold boot attacks, use BitLocker with TPM only. 2) To prevent DMA attacks, use BitLocker with TPM + PIN. So, to cover both types of attacks, use BitLocker with TPM + PIN and hibernate/turn off the PC. – Maksim Shamihulau Feb 19 '21 at 14:38
  • @Polynomial I didn't finalize my comment, so I deleted it. – Maksim Shamihulau Feb 19 '21 at 14:39
  • @MaksimShamihulau That advice is still not practical, since the whole premise of most cold boot and DMA attack scenarios is that the attacker might use distraction to get at your machine while it is sleeping or locked (not powered off or hibernated). You shouldn't rely upon your machine always being in an ideal state when an attack happens. You need to disable sleep states in the firmware config and enable Kernel DMA Protection, at minimum, if you're trying to protect yourself in that threat model. Using TPM+PIN vs. passphrase in your FDE is mostly irrelevant with respect to DMA attacks. – Polynomial Feb 19 '21 at 14:51
  • @Polynomial I don't see how TPM + PIN after turning on a PC can be DMAed, since one can't get past the PIN prompt and the encryption keys are not in RAM yet. My point is how to protect a PC with ease if somebody wants to steal your PC with sensitive data. – Maksim Shamihulau Feb 19 '21 at 15:10
  • @MaksimShamihulau If the system is switched off, it doesn't matter whether BitLocker is using TPM + PIN or a passphrase to unlock the disk, because the disk isn't unlocked and there's nothing to steal. If the system is switched on, it doesn't matter whether TPM + PIN or a passphrase is used to unlock the disk, because all of the data is already loaded into memory and the volume master key must be present. The BitLocker configuration is entirely irrelevant to the effectiveness of the DMA attack. – Polynomial Feb 21 '21 at 04:53
  • @MaksimShamihulau What makes a DMA attack successful is the ability of an attacker to register a DMA-capable device on the system at a time when sensitive information is in memory, and access that sensitive information by DMA requests. Kernel DMA Protection prohibits this by blocking new device registration and DMA requests via the IOMMU when the system is in a locked state. That is the correct mitigation to DMA attacks. BitLocker is a separate matter. – Polynomial Feb 21 '21 at 04:56

In addition to Polynomial's answer, it's worth noting that the network interfaces will still be up and active, and any access through that route (shares, remote management services, etc.) may permit access to stored data regardless of screen locking. Either remote network sessions or someone plugging a device into your network ports could provide a surprising level of access.

David Scholefield