BitLocker Bypass on Windows 10 Through Upgrades

This is potentially a major security issue for BitLocker-protected devices that run Windows 10 … and so far, there is no fix.

A security researcher discovered a new issue in Microsoft’s Windows 10 operating system that allows attackers to gain access to BitLocker-encrypted data. A post on the Win-Fu blog highlights the method, which exploits a troubleshooting feature that is enabled during the upgrade process.

There is a small but CRAZY bug in the way the “Feature Update” (previously known as “Upgrade”) is installed. The installation of a new build is done by reimaging the machine, and the image is installed by a small version of Windows called Windows PE (Preinstallation Environment).

This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker.

If you press Shift-F10, you open a command prompt window which lets you access the storage devices of the operating system.

Since BitLocker protection is disabled during upgrades, it means that anyone exploiting the issue gets access to all files that are usually encrypted by BitLocker.

The method currently works when updating the original Windows 10 release build to the November Update (version 1511) or the Anniversary Update (version 1607). Furthermore, it works on any new Insider Build that Microsoft puts out, at least for the time being.

The main issue, as noted by Sami Laiho, the researcher who disclosed the issue, is that anyone with local access to the machine may exploit it. Administrative access is not required, and neither is special software, settings or hardware on the Windows device.

Since this is a local issue, it is clear that the issue won’t be exploited in the wild. Anyone with local access to a Windows machine, on the other hand, may exploit it. If that person is a user of the machine, Windows 10 may be configured to accept Windows Insider updates unless a system administrator prevents it.

Companies should therefore prevent Windows Insider builds from being switched on for machines running Windows 10.

This is done in the following way:

  1. Tap on the Windows-key, type regedit.exe and hit the Enter-key.
  2. Navigate to the following Registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility
  3. Right-click Visibility, and select New > DWORD (32-bit) Value.
  4. Name it HideInsiderPage.
  5. Double-click on the new value and set its value data to 1.

You can undo the change at any time by deleting the key, or by setting it to 0.
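
The same registry change scripted in PowerShell so it can be pushed to many machines, as an added example that is not part of the original article. The key path and value name are the ones from the steps above; the function names and the -Undo switch are hypothetical, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example: scripts steps 1-5 above. Run from an elevated prompt.
# Key path and value name come from the article; function names are hypothetical.
$KeyPath   = 'HKLM:\SOFTWARE\Microsoft\WindowsSelfHost\UI\Visibility'
$ValueName = 'HideInsiderPage'

function Get-InsiderPageHidden {
    # Returns the current DWORD value, or $null if the key or value is absent.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Set-InsiderPageHidden {
    param(
        [switch]$Undo   # revert: remove the HideInsiderPage value again
    )
    if ($Undo) {
        if ($null -ne (Get-InsiderPageHidden)) {
            Remove-ItemProperty -Path $KeyPath -Name $ValueName
        }
        return
    }
    # The Visibility key may not exist yet; create it (and any parents) first.
    if (-not (Test-Path -Path $KeyPath)) {
        New-Item -Path $KeyPath -Force | Out-Null
    }
    # -Force overwrites an existing value, so re-running the script is safe.
    New-ItemProperty -Path $KeyPath -Name $ValueName `
        -PropertyType DWord -Value 1 -Force | Out-Null

    # Read back and fail loudly if the write did not stick (e.g. not elevated).
    if ((Get-InsiderPageHidden) -ne 1) {
        throw "HideInsiderPage is not 1 under $KeyPath"
    }
}

Set-InsiderPageHidden
"HideInsiderPage = $(Get-InsiderPageHidden)"
```

Calling `Get-InsiderPageHidden` on its own makes no changes, so it can be used to audit machines before enforcing the setting.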

Companies may also want to disallow unattended upgrades (not updates necessarily) on Windows 10 machines to prevent the issue from being exploited.

Closing Words

The disclosed security issue is problematic for BitLocker-protected devices that run Windows 10. The main issue is, of course, that protected files are exposed during the upgrade process.

