A security expert has identified that pressing the keyboard combination SHIFT + F10 during a Windows 10 update lets the user bypass BitLocker.
BitLocker Protection Is Bypassed Using a Simple Keyboard Combination When Updating
Windows expert Sami Laiho has discovered a critical issue in the Windows Feature Update process. The troubleshooting function allows users to bypass BitLocker protection by pressing SHIFT + F10, which opens a Command Prompt window. This allows malicious users with physical access to a machine to bypass the security protection mechanism and access the hard drive during the process.
The issue is an easy privilege escalation: non-administrative users can gain access to system locations even when the BitLocker encryption security mechanism is in use. The keyboard shortcut allows anyone to perform such an attack without any additional tools, file modifications or external hardware.
There are several scenarios where a malicious user might use this in a live attack. One of them involves a stolen laptop, where the criminal can easily trick the machine into a feature update.
Microsoft has a habit of announcing feature updates publicly, which gives attackers a “window” in which they can obtain elevated access to the target systems.
Another type of attack uses a series of external threats introduced to the machine, which can alter the system’s settings and induce changes that allow the attackers to perform such attacks. Previous versions of the Windows operating system have also allowed users to bypass BitLocker; however, feature updates there were not so common.
We remind you that BitLocker is the full disk encryption feature available in some editions of the Microsoft Windows operating system. It uses the AES cipher to encrypt user data in one of these three modes:
- Transparent operation mode – This mode uses TPM 1.2 hardware for a transparent user experience. Users only need to power up their computer and log in to the operating system. The encryption key is coded into the TPM chip and is released to the boot loader in a secure manner. However, this mode is vulnerable to various cold boot attacks, as it allows attackers to compromise the machine if physical access is available.
- User authentication mode – This mode requires the user to authenticate to the pre-boot environment using a PIN or a password.
- USB key mode – The computer owner must use a USB key containing a special key, which is used to boot the protected operating system.
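To see which of these three modes each volume on a machine is using, an administrator can read the key protectors from the `Get-BitLockerVolume` cmdlet of the Windows BitLocker PowerShell module. The script below is an added example, not part of the original article; the function name `Get-BitLockerMode`, the mapping from protector types to the article's mode names, and the sample volumes are assumptions made for this illustration.

```powershell
# Added example: classify BitLocker volumes by the three modes listed above.
# Get-BitLockerMode and its mapping are assumptions of this example.
function Get-BitLockerMode {
    param([string[]]$ProtectorTypes)
    # Any protector can unlock the volume, so a TPM-only protector is
    # checked first: if it is present, the volume boots with no user input.
    if ($ProtectorTypes -contains 'Tpm') {
        return 'Transparent operation (TPM only)'
    }
    if ($ProtectorTypes | Where-Object { $_ -in 'TpmPin', 'TpmPinStartupKey', 'Password' }) {
        return 'User authentication (PIN or password)'
    }
    if ($ProtectorTypes | Where-Object { $_ -in 'TpmStartupKey', 'ExternalKey' }) {
        return 'USB key'
    }
    return 'No boot protector recognised'
}

# Constructed sample volumes, used only when the cmdlet cannot be run
# (non-Windows host, BitLocker module missing, or session not elevated).
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'TpmPin' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }) }
)

try   { $volumes = Get-BitLockerVolume -ErrorAction Stop }
catch { Write-Warning 'Get-BitLockerVolume unavailable; using constructed sample data.'
        $volumes = $sample }

$volumes | ForEach-Object {
    # Normalise enum values to strings so real and sample data behave alike.
    $types = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    [pscustomobject]@{
        MountPoint = $_.MountPoint
        Protection = "$($_.ProtectionStatus)"
        Mode       = Get-BitLockerMode $types
        Protectors = $types -join ', '
    }
} | Format-Table -AutoSize
```

The `Protection` column reports whether BitLocker protection is currently on or off for each volume, and the `Mode` column shows which machines unlock without any user input at boot.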
Microsoft has stated that it is working on a security update that will fix the issue.