Schneier on Security
A blog covering security and security technology.
« Friday Squid Blogging: Squid Mosaic |
| Santa's Naughty–Nice Database Hacked »
December 21, 2009
Defeating Microsoft BitLocker
Defeating BitLocker, even with a TPM.
Posted on December 21, 2009 at 8:30 AM
• 24 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
This makes me remember a mantra I once heard at a training course: physical access = game over.
This attack requires 2 consecutive physical accesses and it won't necessarily work if there's a second factor. An astute user might also notice the attack as it changes the user experience, and security software might notice the presence of the attack.
This is James Bond stuff. It's possible, but it's got a high bar to cross. And it's not anything specific about Bitlocker, it's an attack general to FDE solutions.
@Larry: This is a very low bar if you are not trying to hide the data theft -- then you just take the machine with you.
Ouch! Yeah I didn't know that about RAM.
One could also just install a hardware keylogger between the keyboard and the computer.
True, but it might take the "maid" longer to install a hardware keylogger in a laptop than to install a modified bootloader from a USB drive.
I wouldn't consider two physical accesses to be a large barrier, if the attacker can get there the first time, the second time doesn't need to be as subtle.
The second access could be law enforcement arresting a suspect now that they have his secret key. Or just as easily "bad guys" going back to steal the laptop, they could even snatch it in the open when the owner is carrying it. Even if the owner or his security software can detect the tampering, if he hasn't had a chance to find and remove the stolen copy of his key, the computer is still vulnerable until he does.
It's true, like the article says, this isn't about a weakness in Bitlocker so much as it is about raising the awareness that even Bitlocker with TPM is still vulnerable to these types of attacks.
"physical access = game over."
Not all the time there are rare exceptions.
There are ways that even hardware access will not work but these are very very expensive to design and more costly to implement than standard hardware, as it involves considering how to obviate all man in the middle attacks within the box as well as most side channels.
But as a general rule of thumb with 99.99...% of hardware, yup I'd definately go with it until proved otherwise 8)
Question: would the evil maid attack be possible if the laptop's hard drive were removed?
The Evil Maid attack will work if the HD is absent during the first part (installing the keylogger), this only requires access to the machine hardware.
The second part of the attack requires access to the HD, obviously you need the data in order to remove it, however, it is possible that this part of the attack could be done remotely.
Evil Maid attack is, IMO, impossible to protect against in a reasonable fashion. The only way is to leave the computer physically protected at all times (store it in a locked titanium case with a (trusted) armed guard at all times.
How would the evil maid attack work if your machine is properly locked down - that is, boot from USB disabled, full disk encryption and a password on BIOS setup?
Ah, I see that they say they can remove the hard drive and install a logger then. However, I use a netbook; getting to the hard drive is quite difficult and takes a long time. I suppose if the evil maid were quite familiar with that particular model, they might get it open, modify the drive and close it again in 15 minutes, but I think it would be tight.
Isn't the core value of Bitlocker to protect the drive contents if the laptop is stolen? I've never considered it a way of protecting a laptop that temporarily falls into hostile hands.
I have my BIOS locked down and USB boot disabled. If my laptop had been out of my sight for long enough for this attacker to reboot, swap hard drives and mess with the bootloader (at least a 30 minute operation given the complexity of the Vaio construction) and then reboot to the Bitlocker screen, I'd assume automatically it had been compromised.
There's a couple of improvements possible which obviate the second physical visit.
Fraunhofer et al. have presumably decided to store the stolen data on disk because the bootloader at this stage does not have a network stack available. However, many of the latest network cards have a partial network stack built into the card's firmware, to facilitate sophisticated boot-over-LAN scenarios. These are accessible to the bootloader.
With such a card, it may be possible to remotely transmit the stolen key and (largely untraceably) compromise the system from a single visit (having, of course, copied the disk on the first visit.) And the attackers can easily check if this will work, during their first visit.
Another approach, in the event of an air-gapped system, might be to use one of Kuhn's TEMPEST enhancement techniques, broadcasting the signal via RF noise on the video cable. With only a few bytes to send, a suitably encoded format could give excellent reception characteristics with just a fraction of a second of transmission before resuming normal booting.
Similar methods that have been described in the past also include a modulated signal from accessible LEDs or screen brightness; both have been shown to be able to be recorded by telescope at a considerable distance, and with good optics, a high speed camera and a little DSP, it is not even necessary to have complete line of sight as reflections of the signal can be fairly easily pulled out of background lighting due to the different superimposed frequencies.
I like your TEMPEST idea. I mentioned RF noise this to Clive as a covert communication mechanism for hostage takers or leaking keys from compromised bank or root certificate servers. Of course, PC's are typically so vulnerable that exotic attacks like this are unnecessary.
I like the paper in the first link because it covers the vast majority of threats and attack models in one paper. Useful for whoever wants to design the next scheme.
I also wanted to mention a new attack that was more insidious than any Evil Maid attack so far. It's in a paper titled "Bootjacker: compromising computers using forced restarts," by Univ. of Illinois students. This technique instantly powers off a machine to exploit RAM persistance like cold boot. The difference is that a new system is loaded from USB or CD immediately that hooks into the user session that is *still present* in memory. The difference is that the new instance is under the full control of the attacker. They executed this attack during many activities, like image compression or file encryption, without causing any changes (that took many clever tricks) and the whole attack takes under 1 min. That's 1 min to totally own a live session with no signs that it occurred. Say, during someone's bathroom break at starbucks or while a hot babe distracts the CTO at a trade show.
"This attack requires 2 consecutive physical accesses"
Nope, only one. The second access is confiscation of your hardware...
Isn't the obvious solution to stop the evil maid?
It shouldn't be too hard - I mean how many hotels have maids with a dueling scar wearing a nehru jacket with a preference for white cats and laser equipped Selachii ?
>The second access could be law enforcement arresting a suspect now that they have his secret key. Or just as easily
I guess they could just use COFEE in the beginning so that one legal visit is all they need
Also about Physical Access=Game Over, this is the reason i do not encrypt the boot drive and employ all this PBA stuff, just create a partition with the important stuff and the music and other documents, can just hang around My Documents, I think it makes practicing plausible deniability easier - you don't have to log on to two OS's and pretend to work there or worse still some technology that reads ur MBR for encryption
Using raid0 for an encrypted volume as a security feature?
This is not meant as a protection against attacks using sophisticated hardware bugs. It is my opinion though that the greatest threat will still be software based since its cheaper and readily available. Simply allowing for more people to attack your computer.
Thats why I wonder how this idea affects security. Using the partition in the laptop together with a partition on a SD-card in a Linux software RAID0 configuration. By this I mean setting up an encrypted volume spread on two physical devices with the bootloader on the SD-card.
The idea is that when you leave, you just plug out the SD-card leaving the computer in a non bootable and a non decryptable state. That is even if you have a weak password you need the whole volume to decrypt it.
Sending the user-provided PIN and/or key over the air in whichever way is an interesting option, but this alone won't accomplish the attacker's objective. To get the actual key for decryption, the attacker needs the PIN/key _and_ the TPM, and the TPM won't cooperate while the bootloader modifications are in effect. The second visit thus remains necessary.
Okay, so if the problem is physical access to hardware components...
Why not use a 'house of cards' defense mechanism, whereby if the hardware is tampered with, the computer self-destructs? For example, installing screws that secure the hard drive in the case which, if removed, will strip the holes and render it *impossible* to replace the drive? Or at least, without replacing the entire computer case itself. Inconvenient, sure, but compared with the cost of lost data? Potentially viable in some scenarios.
@savanik - I've also had this thought. How about an internal microswitch or light detector that flash wipes a firmware stored password when the case is opened? The password must be manually keyed in to reinitialize the computer. Also you could use unique security screws covered by opaque tamper-evident security seals to secure the case.
But really, most people's data isn't valuable enough to justify these forms of attack.
"But really, most people's data isn't valuable enough to justify these forms of attack."
Hmm I would not bet on it.
It depends on what you mean by valuable and to whom.
My main concern would be illegal material and blackmail / extorsion.
That is the "evil maid" does not have to be taking things off of the drive but putting them on...
In Russia and China it was not uncomon for business travelers to have their luggage "go missing" for a short while.
Likewise the French Government is known to have had an entire department devoted to getting comercialy sensitive information. And they worked on the "Hover Principle" of collect it all just in case.
And as we know various bits of the US Gov are currently "imaging" peoples hard drives looking for "illegal material"
Or to put it another way the TSA et al does not have to catch terrorists, a few "suspect kiddy porn" arrests are just as good a reason to be "protecting the USA from terpitude (moral or otherwise).
In the UK it can now be argued that "materials/information likely to be of use to a terrorist" is so broad in nature it could cover ordinary accademic works such as Bruce's books, patents, Health and Safety information (CAS etc), product data sheets, holiday photos etc etc...
So arguably most people are likley to have something "valuable" to somebody on their computer hard drive. As with all these things it is a matter of perspective.
Good points, Clive. People who say something would never be targeted must think hard before they speak. A previous Schneier post comes to mind about thieves stealing metal of bridges and everything just to make a few bucks in scrap fees. Or the fact that in one of my old neighborhoods people would be knifed for $30 shoes and the few bucks in the wallet. Assets didn't seem worth much to owners or seem to be at risk, but one man's trash was another man's treasure in the worst way.
So, defenders should ask these questions when risk assessing their assets: "What would I loose if I lost them? What are they worth to *someone else?* How could someone hurt me, esp. financially, with this information?" Asking these questions usually reveals answers that justify very robust drive encryption even for ordinary folks with "nothing to hide."
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.