Microsoft disputes claims that BitLocker has been broken

Dec 10, 2009 18:30 GMT  ·  By

Microsoft has disputed claims by various third parties that they were able to break the encryption technology built into the high-end and enterprise editions of Windows 7 and Windows Vista. Paul Cooke, Microsoft director, Windows Client Enterprise Security, stresses that one tool advertised as breaking BitLocker Drive Encryption does nothing of the sort to the technology Microsoft ships in the Ultimate and Enterprise SKUs of Windows 7 and Vista. According to Cooke, the tool is designed to recover encryption keys for hard drives from a memory image of a machine on which the BitLocker-protected volume is already unlocked. That dependency is also its limit: the utility is useless wherever a physical image of memory cannot be obtained, and the simplest way for customers to deny an attacker that image is to turn their computers off rather than leave them running.

“The product, like others used legitimately for data recovery and digital forensics analysis, requires ‘a physical memory image file of the target computer’ to extract the encryption keys for a BitLocker disk. Our discussions of Windows BitLocker have always been to communicate that it is intended to help protect data at rest (e.g. when the machine is powered off). If a forensics analyst or thief/adversary has physical access to a running system, it may be possible to make a copy of the computer's memory contents by using an administrative account on the system, or potentially through hardware-based methods such as direct memory access (DMA),” Cooke states.
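The memory-image dependency Cooke describes has a concrete mechanism behind it. An AES key that is in use is normally held in RAM together with its expanded key schedule, and that schedule is self-consistent: every round key is a fixed function of the previous one, so a dump can be scanned for it without knowing any password or PIN. The Python below is an added example written for this article, not the vendor's tool and not Microsoft code. It assumes that scanning for key schedules (the classic cold-boot-paper technique) is representative of how such recovery tools work, handles only AES-128 (BitLocker can also use AES-256, whose expansion differs), and runs against a constructed 32 KiB buffer with a made-up key planted at a made-up offset as a stand-in for a dump of a running machine.

```python
# Added illustration: scan a memory image for live AES-128 keys by checking
# key-schedule consistency.  Not the vendor's tool or Microsoft code; the
# approach is assumed to be representative of RAM-based key recovery.
import random


def _xtime(a: int) -> int:
    """Multiply by x in GF(2^8) with the AES polynomial 0x11b."""
    a <<= 1
    return (a ^ 0x1b) & 0xff if a & 0x100 else a


def _gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = _xtime(a)
        b >>= 1
    return r


def _build_sbox() -> list:
    """Derive the AES S-box (GF(2^8) inverse + affine map) rather than hardcode it."""
    inv = [0] * 256
    for x in range(1, 256):
        if inv[x]:
            continue
        for y in range(1, 256):
            if _gf_mul(x, y) == 1:
                inv[x], inv[y] = y, x
                break
    sbox = []
    for x in range(256):
        v = inv[x]
        s = v
        for i in range(1, 5):
            s ^= ((v << i) | (v >> (8 - i))) & 0xff
        sbox.append(s ^ 0x63)
    return sbox


SBOX = _build_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36]
SCHEDULE_LEN = 176  # 11 round keys x 16 bytes for AES-128


def _next_round_key(prev: bytes, rcon: int) -> bytes:
    """One AES-128 key-expansion step: round key r+1 from round key r."""
    w = [prev[i:i + 4] for i in range(0, 16, 4)]
    t = w[3][1:] + w[3][:1]                     # RotWord
    t = bytes(SBOX[b] for b in t)               # SubWord
    t = bytes([t[0] ^ rcon]) + t[1:]            # Rcon
    out = [bytes(a ^ b for a, b in zip(w[0], t))]
    for i in range(1, 4):
        out.append(bytes(a ^ b for a, b in zip(w[i], out[-1])))
    return b"".join(out)


def aes128_key_schedule(key: bytes) -> bytes:
    """Full 176-byte expanded key, the form an AES driver keeps in RAM."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    rk = [bytes(key)]
    for r in range(10):
        rk.append(_next_round_key(rk[-1], RCON[r]))
    return b"".join(rk)


def find_aes128_keys(image: bytes) -> list:
    """Return (offset, key) for every offset whose following 176 bytes form a
    self-consistent AES-128 key schedule.  The check is purely structural: no
    secret is needed, only the bytes, which is why a RAM image suffices."""
    hits = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1):
        prev = image[off:off + 16]
        ok = True
        for r in range(10):
            nxt = _next_round_key(prev, RCON[r])
            start = off + 16 * (r + 1)
            if image[start:start + 16] != nxt:
                ok = False
                break                           # early exit keeps the scan cheap
            prev = nxt
        if ok:
            hits.append((off, image[off:off + 16]))
    return hits


# Constructed sample "memory image": pseudo-random filler with one AES-128 key
# schedule planted at a known offset.  Key and offset are made up for this example.
SAMPLE_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
SAMPLE_OFFSET = 0x1a40


def build_sample_image(size: int = 32768) -> bytes:
    rng = random.Random(2009)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[SAMPLE_OFFSET:SAMPLE_OFFSET + SCHEDULE_LEN] = aes128_key_schedule(SAMPLE_KEY)
    return bytes(buf)


if __name__ == "__main__":
    for off, key in find_aes128_keys(build_sample_image()):
        print(f"AES-128 key schedule at offset 0x{off:x}: key {key.hex()}")
    # A zeroed buffer stands in for memory with nothing live in it: no hits.
    print("zeroed buffer:", find_aes128_keys(bytes(4096)))
```

Run stand-alone, it reports the planted key at the planted offset and an empty result for the zeroed buffer. The point for defenders is the asymmetry: the scan needs no secret, only the bytes, so the only effective control is to ensure those bytes are not there to be dumped, which is what the advice to power the machine off is about.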

At the same time, Microsoft also dismisses a second scenario in which BitLocker might be attacked and bypassed, noting that it requires the attacker to gain physical access to the computer not once but twice. It is a standard rule of security that once an attacker has physical access to a computer, no technology on its own can keep the contents of that machine safe. Cooke notes that such an attack is extremely unrealistic in the real world, being highly targeted, and as such poses a relatively low risk to customers.

“Even with BitLocker's multi-authentication configurations, an attacker could spoof the pre-OS collection of the user's PIN, store this PIN for later retrieval, and then reboot into the authentic collection of the user's PIN. The attacker would then be required to gain physical access to the laptop for a second time in order to retrieve the user's PIN and complete the attack scheme. These sorts of targeted threats are not new and are something we've addressed in the past; in 2006 we discussed similar attacks, where we've been straightforward with customers and partners that BitLocker does not protect against these unlikely, targeted attacks,” Cooke adds.

But the fact of the matter is that BitLocker Drive Encryption in Windows 7 and Vista is no silver bullet that protects user data in every context. Microsoft advises customers to follow strict guidelines for BitLocker-protected laptops and to combine the protection the technology delivers with physical security measures.