RE: Bitlocker without PIN



Actually not. The hardware Firewire controller in your computer has
direct memory access. Through the Passware kit you connect 2 computers
using firewire. The target computer sees a new Firewire storage device
connecting, and nothing else happens on screen. The attacking computer,
running Passware Kit, makes a live memory dump of all physical memory
over Firewire. Then you'll need a couple of minutes maximum to search
the memory dump to recover the Bitlocker key.

We're talking about a Firewire FEATURE, not a bug.

As I wrote earlier, Passware introduced this at the Passwords^10
conference, and you can see our video recording of their presentation
and live demo (as well as others) here:
ftp://ftp.ii.uib.no/pub/passwords10/

Yes, we were pretty amazed and scared at the same time when we saw it
live. I don't remember, but you'll probably hear some comments about
superglue at the Q&A at the end of their presentation.

Best regards,
Per Thorsheim
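
An added defensive check (not part of this thread or of Passware's tooling): the attack above only works when the volume key is unsealed without a user secret and the target loads the Firewire storage (SBP-2) driver for the device the attacking host presents. This script, assuming Windows 8 / Server 2012 or later with the BitLocker module and an elevated shell, flags TPM-only protectors and reports whether the sbp2port driver is still enabled.

```powershell
# Added audit example, not code from the thread. Assumes Windows 8+ with the
# BitLocker PowerShell module and an elevated prompt.

# 1. Volumes protected by TPM only: the key is unsealed at boot with no PIN,
#    so it is resident in RAM whenever the machine is running or locked.
$volumes = Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' }
foreach ($v in $volumes) {
    $types = $v.KeyProtector | Select-Object -ExpandProperty KeyProtectorType
    $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    if (($types -contains 'Tpm') -and -not $hasPin) {
        Write-Warning ("{0}: TPM-only protector, key unsealed without user secret at boot" -f $v.MountPoint)
    } else {
        Write-Output ("{0}: protectors {1}" -f $v.MountPoint, ($types -join ', '))
    }
}

# 2. SBP-2 driver start type (4 = disabled). The Firewire DMA dump relies on
#    the target binding this storage driver to the attacker's fake device.
$sbp2 = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\sbp2port' `
                         -Name Start -ErrorAction SilentlyContinue
if ($null -eq $sbp2) {
    Write-Output 'sbp2port service not present (no Firewire storage driver installed)'
} elseif ($sbp2.Start -eq 4) {
    Write-Output 'sbp2port disabled (Start=4)'
} else {
    Write-Warning ("sbp2port enabled (Start={0}); Firewire DMA exposure remains" -f $sbp2.Start)
}
```

A volume that reports TPM-only together with an enabled sbp2port is the configuration the thread is discussing; adding a PIN protector and disabling the driver addresses both halves.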


On Thu, 2011-02-24 at 21:25 +0000, Thor (Hammer of God) wrote:
I assume he's talking about after you have logged on and the computer is locked and you retrieve it from "live" memory a.k.a the memory freezing attack. I would actually like to see that work IRL. If it were that easy, you wouldn't need recovery agents :)


-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of John Lightfoot
Sent: Thursday, February 24, 2011 12:37 PM
To: 'Per Thorsheim'; 'focus-ms'
Subject: RE: Bitlocker without PIN

I agree that transparent Bitlocker is a great security tool.

Per, could you provide more details where you say:

"Using Passware Forensic Toolkit you can extract the bitlocker key using live memory dumping through Firewire (either by using an existing Firewire port, or by inserting a pcmcia/expresscard firewire card). No need to logon to Windows there..."

My understanding of the way Bitlocker works is that when you enable full-disk encryption, Bitlocker creates a small, unencrypted partition that contains the Windows login module. Once you've entered your credentials and they've been validated, the login module uses them to access the TPM for the key to decrypt the rest of the hard drive. I do not believe the encryption key is resident in memory until after the login credentials are verified, so I don't think the firewire hack or other memory scanning techniques would allow you to retrieve the key prior to authentication.
