Can BitLocker Be Cracked?

Passware Company recently issued next version of their software named Passware Kit Forensic, which, among all other features is stated (by online magazines and community, not by the company) to be able break Microsoft BitLocker protection, introduced in Windows Vista. Those of you who don't know what is BitLocker may read about it at BrightHub. Well, is it a failure of Microsoft Corporation to protect your data, does Passware know how to bypass Microsoft Bitlocker? Or is it another canard, brought to life be journalist? In my opinion it is the latter. No, the company really issued the software which is able under certain circumstances recover the key used by Windows BitLocker drive encryption. But what are the requirements to do so and how secure is BitLocker after the software is released?

Firstly, the malefactor has to have in possession your hard drive or an exact copy of that drive at the very least. Actually this is the situation which Vista or Windows 7 BitLocker is to protect you from. Possession of the encrypted data itself doesn’t matter if you use this technology.

Secondly, the hacker has to have full memory dump to recover the key from it. It is not actually a flaw in software – many others (if not all) cryptographic algorithms may be “cracked” that way.

But what it does mean? It does mean that the rogue must have physical access to your computer while it is turned on and unlocked, because if your computer is turned off it is out of risk (at least if you have encrypted system drive). So are you supposed to hand your computer over to the hacker? It seems like there is no alternative. And even if hacker gets your computer in this state – why not just to decipher the hard drive contents or, what’s even more obvious, why not to copy its contents to another place while it is decrypted? Why one will need to acquire the software to do it hard way? The only way to use this feature for forensic purpose is to decrypt those notebooks which are hibernated and no encryption is applied to a partition where hiberfil.sys file residues.

So is this software totally useless to hackers? Unfortunately, no. I was able to think about at least one scenario which may, theoretically, lead to information disclosure. There is another technology piece which is named FireWire. Interfaces based on it are included in many of modern computers, both desktops and laptops. One of the features of the technology is an ability of a person with the access to a FireWire port of a targeted computer to access the computer’s memory directly no matter whether he has rights on it or no. and that is not Microsoft’s implementation of the protocol or drivers, it is the core feature of the technology, so every operational system is the subject to memory reading. And as a result every cryptosystem which holds keys in the memory while encrypting/decrypting data is a subject to such “crack”, which is not actually a crack or a vulnerability: the BitLocker and others similar systems are designed to protect inactive computers. It doesn’t provide any protection to a computer which is on. But what can you do to prevent even powered up computer?

1) Turn off every FireWire device you have on your computer unless you need it. There are not many advantages for FireWire before USB 2.0, and there is huge drawback. So turn it off.

2) Prevent your computer from stealing or physical access. If it is a notebook then put it in hibernation or turn it off every time you don’t need it or go away from it.

3) Encrypt with the Microsoft BitLocker not only drive with the sensitive data but also a system drive to prevent malicious user from accessing your hiberfil.sys, which contains memory dump for your computer if you use hibernation. Use TPM if it is possible: BitLocker without TPM is less secure.

And take care, of course.