Passware cracked BitLocker Drive Encryption - is Microsoft going to fix this?

  • Question

  • A colleague of mine sent me an article a couple weeks ago that claimed that BitLocker can be cracked.  All a person needs is $795 (USD) and they could buy Passware Forensic edition, and they could then crack BitLocker.  The article is here:  http://arstechnica.com/microsoft/news/2009/12/first-commercial-tool-cracks-bitlocker.ars?utm_source=rss&utm_medium=rss&utm_campaign=rss

    According to the Ars Technica article:  "Passware Kit Forensic version 9.5 can recover encryption keys for hard drives protected with BitLocker in just a few minutes. It scans a physical memory image file of the target computer and extracts all the encryption keys for a given BitLocker disk. As a result, Passware has crowned itself the creator of the first commercially available software to crack BitLocker Drive Encryption."

    As a longtime fan of BitLocker (since the Vista release candidate in September 2006), I've encrypted many drives with it--internal, external, you name it.  So it was quite a shock, and huge disappointment, to see this article that claimed that BitLocker can be compromised in a matter of minutes.  The article said all a person needs is a credit card and $795 of available credit on it.  While Passware, and the article, claim that the purpose of the products is to help law enforcement conduct forensic investigations, Passware doesn't do any type of background checks on the purchaser, so what's to stop a rogue individual with a stolen credit card from buying this?

    To add insult to injury, when I visited the Passware site, they have a $495 version of their product that claims to also crack BitLocker and obtain the recovery keys.  Thus the cash expense to a rogue individual is $300 USD less than the original article states.

    If it is indeed true, is Microsoft ACTIVELY AND AGGRESSIVELY working on a hotfix for this?  I would think this should certainly qualify for an out-of-band patch to be released, even before the next "update Tuesday."

    An update in the Ars Technica article does claim that the software isn't a "crack" in that physical access to a running machine is required, but if I stole an encrypted external hard drive and plugged it into my computer, wouldn't this "physical memory image" get loaded into memory?

    Links to Passware products that claim to crack BitLocker:
    http://www.lostpassword.com/kit-enterprise.htm ($495 USD)
    http://www.lostpassword.com/kit-forensic.htm ($795 USD)

    Best regards,
    Matt
    Friday, December 11, 2009 3:31 PM

Answers

  • Matt,

    See the Windows Team Blog for more information on the claim you mentioned. Here is an excerpt from the blog:

    "to say it "breaks" BitLocker is a bit of a misnomer. The tool "recovers encryption keys for hard drives" which relies on the assumption that a physical image of memory is accessible, which is not the case if you follow BitLocker's best practices guidance. The product, like others used legitimately for data recovery and digital forensics analysis, requires "a physical memory image file of the target computer" to extract the encryption keys for a BitLocker disk.  Our discussions of Windows BitLocker have always been to communicate that it is intended to help protect data at rest (e.g. when the machine is powered off). If a forensics analyst or thief/adversary has physical access to a running system, it may be possible to make a copy of the computer's memory contents by using an administrative account on the system, or potentially through hardware-based methods such as direct memory access (DMA)."

    -Tony Mann
    Windows Client IT Pro Audience Manager for Web Forums, Windows Client Forum Owner
    Monday, December 14, 2009 4:40 PM

All replies

  • It will crack BitLocker. In order to use it you have to access a running PC, and it also depends on the PC: some laptops have a memory reset function that will reset memory when something is inserted. You should also apply best-practice protection for the technology that you use. An example for this software: it is like having a car whose engine is running and whose door is open. Even though you have the most powerful alarm system, I could get into your car and steal it, but if I close the door, turn the engine off and set the alarm system, then it will work.

    This device will store content in memory, not on the physical hard disk, and if your PC is off then nothing will happen.

    Friday, December 25, 2009 12:01 PM