BitLocker, the encryption technology built into Windows, has taken some hits recently. A new exploitation showed that a computer's TPM chip was removed to extract its encryption keys, and many hard disks break BitLocker. Here is a guide to avoid BitLocker's pitfalls.
Note that these attacks all require physical access to your computer. This is the entire encryption point ̵1; to protect a thief who stole your laptop or someone who accesses your desktop computer from viewing your files without your permission.
Default BitLocker is not available on Windows Home
While almost all modern consumer operating systems are shipped with encryption by default, Windows 10 still does not provide encryption on all computers. Mac, Chromebook, iPads, iPhones and even Linux distributions provide encryption to all their users. But Microsoft still doesn't share BitLocker with Windows 10 Home.
Some computers may come up with similar encryption technology, which Microsoft originally called "device encryption" and now sometimes calls "BitLocker device encryption". We cover it in the next section. However, this device encryption technology is more limited than full BitLocker.
How an attack can exploit this : There is no need for exploitation! If your Windows home computer is not encrypted, an attacker can remove the hard drive or start another operating system on your computer to access your files.
Solution : Pay $ 99 for an upgrade to Windows 10 Professional and enable BitLocker. You can also consider trying another encryption solution like VeraCrypt, the successor of TrueCrypt, which is free.
RELATED: Why does Microsoft cost $ 100 for encryption when everyone else gives it away?
BitLocker Sometimes Transfer Your Key to Microsoft
Many modern Windows 10 computers come with a type of encryption called "device encryption". If your computer supports this, it will automatically be encrypted when you log in to your computer with your Microsoft account (or a domain account on a corporate network). The recovery key is then automatically loaded into Microsoft's servers (or organization's servers on a domain).
This protects you from losing your files – even if you forget your Microsoft account password and can't log in, you can use the account recovery process and regain access to your encryption key.
How an attack can exploit this : This is better than no encryption. However, this means that Microsoft may have to submit your encryption key to the government with a guarantee. Or worse, an attacker can theoretically abuse a Microsoft account's recovery process to access your account and access your encryption key. If the attacker had physical access to the computer or hard disk, they could use this recovery key to decrypt your files without the need for your password.
The Solution : Pay $ 99 for an upgrade to Windows 10 Professional, enable BitLocker through the control panel and choose not to upload a recovery key to Microsoft servers when prompted.
RELATED: How to enable full disk encryption on Windows 10
Many Fixed State Drives Break BitLocker Encryption
Some solid state devices advertise support for "hardware encryption." If you use such a device in your system and enable BitLocker, Windows will rely on your run to perform the job and not perform the usual encryption techniques. It's just one problem: researchers have discovered that many SSDs don't implement it correctly. For example, Crucial MX300 protects your encryption key with a blank password by default. Windows can say that BitLocker is enabled, but it can't be that much in the background. It's scary: BitLocker shouldn't be silent confidence in SSD to do the job. This is a newer feature, so this problem only affects Windows 10 and not Windows 7.
How an attack can exploit this : Windows can say that BitLocker is enabled, but BitLocker can sit idiotically and let your SSD fail so your data is securely encrypted. An attacker may bypass the incorrectly implemented encryption in your solid state device to access your files.
The solution : Change the "Configure hardware-based encryption for free data drives" option in the Windows group policy to "Disabled." You must encrypt and re-encrypt the device afterwards in order for this change to take effect. BitLocker stops trusted drives and will do all the work in software instead of hardware.
RELATED: You can't rely on BitLocker to encrypt your SSD on Windows 10
TPM chip can be removed
A security researcher recently demonstrated another attack. BitLocker stores your encryption key in the computer's Trusted Platform Module (TPM), which is a special hardware that should be tamper-resistant. Unfortunately, an attacker can use a $ 27 FPGA card and some open source to extract it from the TPM. This would destroy the hardware, but would allow to extract the key and bypass the encryption.
How an attack can exploit this : If an attacker has your computer they can theoretically bypass all the nice TPM protection
The solution : Configure BitLocker to demand a pre -boot-PIN in group policy. "Require Start PIN with the TPM" option forces Windows to use a PIN to unlock the TPM at startup. You must enter a PIN when the computer starts before Windows starts. However, this locks the TPM with additional protection, and an attacker cannot extract the key from the TPM without knowing your PIN. TPM protects against broken power attacks so that attackers cannot only guess each PIN one by one.
RELATED: How to enable a pre-boot BitLocker PIN on Windows
Sleeping Computers Are More Exposed
Microsoft recommends that you turn off hibernation when using BitLocker for maximum security. Sleep mode is good – you can get BitLocker to need a PIN when you wake up your computer from sleep or when you start it normally. But in idle mode, the computer continues with its encryption key stored in RAM.
How an attack can exploit this : If an attacker has your computer, they can wake it up and log in. On Windows 10, they may need to enter a numeric PIN. With physical access to your computer, an attacker can also use direct memory access (DMA) to grab the contents of the system's RAM and get the BitLocker key. An attacker can also perform a cold start attack – restart the running computer and grab the keys from RAM before they disappear. This can even involve the use of a freezer to lower the temperature and slow down the process.
Solution : Hibernate or shut down the computer instead of sleeping. Use a startup PIN to make the startup process safer and block cold start attacks. BitLocker also needs a PIN code when resuming from hibernation if it is set to require a PIN at startup. Windows also lets you "disable new DMA devices when this computer is locked" through a group policy setting, providing some protection even if an attacker gets your computer while it is running.
RELATED: Should You Turn Off, Sleep or Sleep in Your Laptop?
If you want to read more about the subject, Microsoft has detailed documentation to get Bitlocker on its site.