AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Laptop Encryption Software Vulnerable To Evil Maid Attacks (Again)

Researchers at Fraunhofer Secure Information Technology (SIT) have shown that laptop encryption programs could be even more at risk from evil maid attacks than previously thought, although this particular example is limited to people using Microsoft's BitLocker.

  • Fraunhofer SIT Research Findings
  • What is TPM and the Evil Maid Attack?
  • Does This Mean Encryption Doesn't Work?

Fraunhofer SIT Research Findings

Researchers at Fraunhofer SIT discovered an attack against BitLocker, Microsoft's full disk encryption program that ships with the Ultimate and Enterprise editions of Windows Vista and Windows 7.

The attack uses the fact that BitLocker does not check the integrity of the bootloader*.  In other words, a modified bootloader--programmed to harvest any usernames and passwords entered at the encryption prompt--can be copied over the original one.  Since the integrity of the bootloader isn't checked, the computer cannot tell that anything is wrong.

*(The bootloader is the software residing in the computer's ROM that starts up the computer and then hands off to the operating system, Windows in this case, so that it can start up as well.  If something goes wrong with the bootloader, the computer cannot start up, period.

When whole disk encryption is used on a machine, the bootloader is generally modified to ask for the disk encryption program's username and password.  Without the correct password, the operating system never loads, since it is encrypted along with everything else on the computer...which is the entire purpose behind whole disk encryption.)

What is TPM and the Evil Maid Attack?

An evil maid attack (also known as a janitor attack) is the term for an attack that can bypass a computer's encryption software.  The name simply reflects that the attacker needs physical access to the protected computer.

For example, the Fraunhofer SIT attack above requires physical access to the computer twice: once to install the modified bootloader--say, via a USB flash memory device--and once more to recover the illicitly obtained username and password--again, via USB memory stick.

TPM stands for Trusted Platform Module.  It was developed by the Trusted Computing Group as a solution (but not a complete one, obviously) to past weaknesses when it came to disk encryption.

Does This Mean Encryption Doesn't Work?

Nope, still works.  As the researchers have noted:

"As an application of the Trusted Computing platform, BitLocker uses only a subset of the functions available, and it does so in a particular way. Our attack applies only to the combination of platform, application, attack scenario, and attack objective discussed here," wrote [the Fraunhofer SIT researchers] Steffan and Trukenmüller.

Keep in mind that the attack only works against BitLocker.  If some other encryption package is being used to protect a laptop, the method may not work, even if it makes use of TPM.  (On the other hand, maybe they'd have a vulnerability that's not present for BitLocker.)

These are the important points to keep in mind:

  • No encryption software can provide 100% protection from all attacks (not even ours, AlertBoot).
  • In the above attack, your stolen laptop has to be "infected" and returned to you in order for the attack to work.  If you never recover the laptop, your data is protected (encryption works!  On the other hand, you're out a computer).
  • As a follow up to the above, if you end up recovering a stolen laptop that used disk encryption to protect the contents, don't just go ahead and use it.  Have a security professional check it out for shenanigans against the bootloader.
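As an added example (not code from AlertBoot or Fraunhofer SIT), the following Python simulates the kind of bootloader check the last point asks for: each boot component is hashed and extended into a simulated TPM-style PCR, and the boot chain of a recovered laptop is compared against a baseline recorded before it went missing. The component byte strings are constructed stand-ins, not real boot code, and the component names are hypothetical.

```python
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for a boot chain (not real MBR, bootmgr or BitLocker code).
# Each entry is (component name, bytes as they would be read from the boot media).
BASELINE_CHAIN: List[Tuple[str, bytes]] = [
    ("mbr", b"\xeb\x63\x90" + b"GOOD-MBR".ljust(509, b"\x00")),  # 512-byte sector
    ("bootmgr", b"GOOD-BOOTMGR" * 16),
    ("winload", b"GOOD-WINLOAD" * 16),
]


def measure(data: bytes) -> bytes:
    """Hash one boot component, as a measured-boot log would record it."""
    return hashlib.sha256(data).digest()


def extend_chain(chain: List[Tuple[str, bytes]]) -> Tuple[str, Dict[str, str]]:
    """Simulate a TPM PCR extend: pcr = H(pcr || H(component)), in boot order.
    Returns the final PCR value (hex) and the per-component measurements."""
    pcr = b"\x00" * 32
    log: Dict[str, str] = {}
    for name, data in chain:
        m = measure(data)
        log[name] = m.hex()
        pcr = hashlib.sha256(pcr + m).digest()
    return pcr.hex(), log


def check_boot_chain(current: List[Tuple[str, bytes]], baseline_pcr: str,
                     baseline_log: Dict[str, str]) -> Tuple[bool, List[str]]:
    """Compare a freshly read boot chain with the recorded baseline.
    Returns (ok, names of components whose measurement no longer matches)."""
    pcr, log = extend_chain(current)
    if pcr == baseline_pcr:
        return True, []
    changed = [n for n, h in log.items() if baseline_log.get(n) != h]
    return False, changed


def demo() -> Tuple[Tuple[bool, List[str]], Tuple[bool, List[str]]]:
    """Check an untouched chain and one whose MBR was replaced (constructed)."""
    baseline_pcr, baseline_log = extend_chain(BASELINE_CHAIN)
    tampered = [("mbr", b"\xeb\x63\x90" + b"EVIL-MBR".ljust(509, b"\x00"))]
    tampered += BASELINE_CHAIN[1:]
    return (check_boot_chain(BASELINE_CHAIN, baseline_pcr, baseline_log),
            check_boot_chain(tampered, baseline_pcr, baseline_log))
```

The baseline PCR value and per-component hashes must be stored off the laptop; a copy kept on the same disk could be replaced along with the bootloader.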


Related Articles and Sites:
http://news.zdnet.co.uk/security/0,1000000189,39926434,00.htm?s_cid=248
http://www.itpro.co.uk/618547/researchers-break-into-windows-encryption-feature


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.