BitLocker (TPM and PIN)?

  • Question

  • I finally decided that, for added security and protection of my laptop, I would set the policy to use TPM+PIN protection with Standby Modes disabled (Sleep and Hibernate).

    However, I usually lock my laptop when I am away from my desk, and when I travel away from my office, I keep it fully shut down.

    Can a DMA attack still be performed at the Lock Screen even if the TPM+PIN protection setting is enabled and Standby Modes are disabled as well?

    Does the laptop have to be fully shut down to prevent such attacks?

    • Edited by A.Slayton Thursday, August 8, 2019 6:40 PM
    Thursday, August 8, 2019 6:30 PM

All replies

  • In the past, when a BitLocker protected device is unlocked, the encryption key is stored in the computer's memory. Attackers can then plug a specially crafted 1394 or Thunderbolt device into a BitLocker protected computer's external port so that it can search the memory for the encryption key and steal it.

    But now, Microsoft outlines various ways that Windows 10 users can protect themselves from these types of attacks. This includes utilizing the Kernel DMA Protection feature built into Windows 10 1803 if available. For those whose hardware does not support this feature, Microsoft has provided other methods that can be used to mitigate DMA attacks.

    "For Windows version 1803 and later versions, if your platform supports the new Kernel DMA Protection feature, we recommend that you leverage that feature to mitigate Thunderbolt DMA attacks," stated Microsoft's support document. "For earlier versions of Windows or platforms that lack the new Kernel DMA Protection feature, if your organization allows for TPM-only protectors or supports computers in sleep mode, the following is one DMA mitigation option."

    Detailed information here:

    https://docs.microsoft.com/en-us/windows/security/information-protection/kernel-dma-protection-for-thunderbolt

    So, don’t worry.

    Regards



    Friday, August 9, 2019 2:20 AM
    Moderator
  • My laptop does not support Kernel DMA Protection. 

    My question is, can a DMA attack still occur at the Windows lock screen even when the TPM+PIN policy is set? Or does the laptop have to be fully shut down to prevent such an attack?

    My assumption would be yes, because once the laptop is powered on and the BitLocker PIN is entered, it will boot into the Windows logon screen, which would mean that the recovery key is loaded into memory. But I may be wrong on this, which is why I would like to confirm.
    • Edited by A.Slayton Friday, August 9, 2019 4:17 AM
    Friday, August 9, 2019 4:13 AM
  • The key is in RAM and can be read out using cold boot attacks or DMA attacks. DMA attacks can be overcome using the GPOs against DMA attacks. I am not aware that Kernel DMA protection has something to do with BitLocker. To my knowledge, you can do without it and nevertheless protect against DMA attacks, please see this GPO: https://getadmx.com/?Category=Windows_10_2016&Policy=Microsoft.Policies.VolumeEncryption::DisableExternalDMAUnderLock_Name

    As for cold boot attacks: these will be harder if your device uses both Secure Boot and soldered RAM (RAM that is not removable). If you don't, you should consider always putting your device into hibernation or shutting it down whenever untrusted people would have ample time alone with your device to carry out attacks.

    Friday, August 9, 2019 8:24 AM
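An added audit script (not code from this thread, from Microsoft, or from the linked GPO page) that reports whether a machine is in the posture the replies above recommend: a TPM+PIN protector rather than TPM-only, the "Disable new DMA devices when this computer is locked" policy enabled, and hibernation available as the alternative to a full shutdown. The registry paths and KeyProtectorType names are documented Windows values; the function name and the finding wording are my own, and it assumes an elevated session with the BitLocker module present.

```powershell
# Added audit script, not from the thread. Assumes an elevated session and the
# BitLocker module; registry/policy names are documented Windows values.
function Get-BitLockerDmaPosture {
    [CmdletBinding()]
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

    # TPM-only releases the volume key at boot with no user secret; with TPM+PIN
    # an attacker who powers the machine off loses the in-memory key for good.
    $tpmOnly = $types -contains 'Tpm'
    $tpmPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')

    # The GPO linked in the reply above ("Disable new DMA devices when this
    # computer is locked") is stored as this registry value; 1 = enabled.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $dmaLock = (Get-ItemProperty -Path $fve -Name 'DisableExternalDMAUnderLock' `
                -ErrorAction SilentlyContinue).DisableExternalDMAUnderLock

    # Hibernation writes RAM to disk and powers off, so the key leaves RAM;
    # sleep (S3) keeps RAM powered and the key resident.
    $pwr = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $hib = (Get-ItemProperty -Path $pwr -Name 'HibernateEnabled' `
            -ErrorAction SilentlyContinue).HibernateEnabled

    $findings = New-Object System.Collections.Generic.List[string]
    if ($vol.ProtectionStatus -ne 'On') { $findings.Add('BitLocker protection is not On') }
    if ($tpmOnly)      { $findings.Add('TPM-only protector present: key released at boot without a PIN') }
    if (-not $tpmPin)  { $findings.Add('No TPM+PIN protector configured') }
    if ($dmaLock -ne 1) { $findings.Add('DisableExternalDMAUnderLock policy not enabled: new DMA devices allowed at lock screen') }
    if ($hib -ne 1)    { $findings.Add('Hibernation disabled: only a full shutdown removes the key from RAM') }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        Protectors       = ($types -join ',')
        TpmPin           = $tpmPin
        DmaBlockedAtLock = ($dmaLock -eq 1)
        HibernateEnabled = ($hib -eq 1)
        Findings         = $findings
    }
}

Get-BitLockerDmaPosture | Format-List
```

An empty Findings list means the machine matches the thread's recommended configuration; Kernel DMA Protection (firmware/IOMMU based) is not visible through these values and still needs to be checked separately, for example in msinfo32.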
  • Yes, shutting down would do the trick whenever I’m traveling. In the office or at home, it is not a big issue to just lock the screen because it’s a highly secure environment. Thanks!
    Friday, August 9, 2019 2:49 PM