SHIFT + F10, Linux gets you Windows 10's cleartext BitLocker key

Don't panic, because this one's a bit esoteric. Do feel free to face-palm anyway


Microsoft is working on a patch for a bug or feature in Windows 10 that allowed access to the command line and, using a live Linux .ISO, made it possible steal BitLocker keys during OS updates.

The command line interface bypasses BitLocker and permits access to local drives simply by tapping the Shift and F10 keys.

BitLocker encryption is disabled as part of the Windows pre-installation environment.

Exploitation scenarios are limited and users should not be overly alarmed, as attackers would need to have laptops in hand during the update, or be in a position to trigger an update in order to pop open the command line interface.

Noted Windows trainer and senior technical fellow with software house Adminize Sami Laiho reported the flaws to Microsoft and says Redmond is rushing out a fix.

"There is a small but crazy bug in the way the feature update (formerly known as upgrade) is installed," Laiho says.

"The installation of a new build is done by re-imaging the machine [via] Windows Pre-installation Environment [which] has a feature for troubleshooting that allows you to press SHIFT+F10 to get a command prompt."

"This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker."

Regular updates are not affected.

Worryingly, a security operations tech for an international enterprise environment told The Register that attackers could use the mess to steal BitLocker's encryption keys by booting a live Linux image from the CLI. A BitLocker support chap known as @Nu11u5 on Reddit says BitLocker dumps its keys in cleartext during the process [PDF] allowing Linux tools like Dislocker to pull the codes.

"There are a few layers to BitLocker encryption," Nu11u5 says.

Disk volume data is encrypted using a Full Volume Encryption Key (FVEK), itself encrypted by the Volume Master Key (VMK). The Master Key is encrypted using a Protector, such as a TPM PIN or password.

Additional copies of the VMK encrypted can exist with different Protectors for the purpose of a backup method of data access.

BitLocker Protectors can be temporarily disabled so keys can be decrypted and data accessed. This works using a VMK copy known as a Clear Key that is written in cleartext to disk alongside other Protectors. The BitLocker unlock process immediately looks for these keys on boot and automatically uses those it finds.

With Protectors disabled, Windows boots and accesses data from the volume as it if was not encrypted, warning users that BitLocker is disabled.

Users can only create a Clear Key for this through the command line utility after the VMK is manually decrypted by someone who knows the password.

manage-bde C: -protectors -disable

Windows 8 and newer versions of Windows will re-enable the BitLocker Protectors and secure delete the Clear Key after one boot.

The security tech says the function is handy for admins needing set and forget rebooting.

“From a SysAdmin perspective disabling the Protectors is very useful for performing unattended reboots," they say.

"[The attack] was done during an operating system upgrade that required the disk to be accessed by a pre-boot environment which otherwise would not be able to get the Protector keys released from TPM."

A non-TPM Protector could be used instead, they say, but at a cost to user experience such as the 48-digit BitLocker volume Recovery Password, which could be easily misplaced as well.

The only fix Laiho says works for now is to ensure Windows 10 boxes are physically secure during upgrades, which means doing next to nothing for the majority of users.

Laiho has created a proof-of-concept video to demonstrate the bug. ®

Youtube Video


Other stories you might like

  • New York City rips out last city-owned public payphones
    Y'know, those large cellphones fixed in place that you share with everyone and have to put coins in. Y'know, those metal disks representing...

    New York City this week ripped out its last municipally-owned payphones from Times Square to make room for Wi-Fi kiosks from city infrastructure project LinkNYC.

    "NYC's last free-standing payphones were removed today; they'll be replaced with a Link, boosting accessibility and connectivity across the city," LinkNYC said via Twitter.

    Manhattan Borough President Mark Levine said, "Truly the end of an era but also, hopefully, the start of a new one with more equity in technology access!"

    Continue reading
  • Cheers ransomware hits VMware ESXi systems
    Now we can say extortionware has jumped the shark

    Another ransomware strain is targeting VMware ESXi servers, which have been the focus of extortionists and other miscreants in recent months.

    ESXi, a bare-metal hypervisor used by a broad range of organizations throughout the world, has become the target of such ransomware families as LockBit, Hive, and RansomEXX. The ubiquitous use of the technology, and the size of some companies that use it has made it an efficient way for crooks to infect large numbers of virtualized systems and connected devices and equipment, according to researchers with Trend Micro.

    "ESXi is widely used in enterprise settings for server virtualization," Trend Micro noted in a write-up this week. "It is therefore a popular target for ransomware attacks … Compromising ESXi servers has been a scheme used by some notorious cybercriminal groups because it is a means to swiftly spread the ransomware to many devices."

    Continue reading
  • Twitter founder Dorsey beats hasty retweet from the board
    We'll see you around the Block

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading
  • Amazon investors nuke proposed ethics overhaul and say yes to $212m CEO pay
    Workplace safety, labor organizing, sustainability and, um, wage 'fairness' all struck down in vote

    Amazon CEO Andy Jassy's first shareholder meeting was a rousing success for Amazon leadership and Jassy's bank account. But for activist investors intent on making Amazon more open and transparent, it was nothing short of a disaster.

    While actual voting results haven't been released yet, Amazon general counsel David Zapolsky told Reuters that stock owners voted down fifteen shareholder resolutions addressing topics including workplace safety, labor organizing, sustainability, and pay fairness. Amazon's board recommended voting no on all of the proposals.

    Jassy and the board scored additional victories in the form of shareholder approval for board appointments, executive compensation and a 20-for-1 stock split. Jassy's executive compensation package, which is tied to Amazon stock price and mostly delivered as stock awards over a multi-year period, was $212 million in 2021. 

    Continue reading
  • Confirmed: Broadcom, VMware agree to $61b merger
    Unless anyone out there can make a better offer. Oh, Elon?

    Broadcom has confirmed it intends to acquire VMware in a deal that looks set to be worth $61 billion, if it goes ahead: the agreement provides for a “go-shop” provision under which the virtualization giant may solicit alternative offers.

    Rumors of the proposed merger emerged earlier this week, amid much speculation, but neither of the companies was prepared to comment on the deal before today, when it was disclosed that the boards of directors of both organizations have unanimously approved the agreement.

    Michael Dell and Silver Lake investors, which own just over half of the outstanding shares in VMware between both, have apparently signed support agreements to vote in favor of the transaction, so long as the VMware board continues to recommend the proposed transaction with chip designer Broadcom.

    Continue reading

Biting the hand that feeds IT © 1998–2022