Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: Windows security expert and infrastructure trainer Sami Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges. This CLI debugging interface also grants the attacker full access to the computer's hard drive data, despite the presence of BitLocker. The CLI debugging interface is present when updating to new Windows 10 and Windows 10 Insiders builds. The most obvious exploitation scenario is when a user leaves his computer unattended during the update procedure. A malicious insider can open the CLI debugger and perform malicious operations under a root user, despite BitLocker's presence. But there are other scenarios where Laiho's SHIFT + F10 trick can come in handy. For example when police have seized computers from users who deployed BitLocker or when someone steals your laptop. Windows 10 defaults help police/thieves in this case because these defaults forcibly update computers, even if the user hasn't logged on for weeks or months. This CLI debugging interface grants the attacker full access to the computer's hard drive, despite the presence of BitLocker. The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system. "This [update procedure] has a feature for troubleshooting that allows you to press SHIFT + F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine." Laiho informed Microsoft of the issue and the company is apparently working on a fix.
Re: (Score:1)
No. Spooks and (when allowed) the police have been given the keys to Bitlocker by Microsoft. It does not stop institutional hackers.
There's every reason to believe that foreign state actors have acquired similar capabilities by some means.
Oh my god this goes all the way to the top!!!! (Score:2, Interesting)
Someone tell this guy that launching any Windows install DVD in repair mode allows you to do such amazing things as replace the sticky keys executable with cmd.exe, allowing anybody with physical access to launch a command prompt from the login screen by pressing shift a couple times.
Re: (Score:3)
That doesn't get you past bitlocker, though.
Re: (Score:2, Interesting)
ya, funny how that works, and yet updating takes far far less time. It makes me think bitlocker is faking the encryption phase. Time to bitlocker a drive and then stick it on a linux system and see what I can see.
Re: (Score:3, Funny)
$5 says they are just rot13ing it.
Double as in two ROT13s? (Score:2)
So, is that double as in 2 ROT13s of the data?
Re: (Score:2)
So, is that double as in 2 ROT13s of the data?
No! The FS is ROT-13ned and important files' contents with passwords and other sensitive data (read: registry) are ROT-1024ed. The fix they are going to release ROT-?s the data with Unicode 6.0 Emoji characters as keys to each block. Too soon?
Re: Something Smells Fishy (Score:5, Informative)
The reason why is that the key is stored on the TPM chip. NTFS.sys can simply use it as a layer in its I/O stack when filling its read/write buffers.
Re: (Score:2)
It would take you the same amount of time to read the entire HDD back out using this exploit.
(Assuming the read and write performance of your drive are roughly the same.)
Further, it took you hours to encrypt your drive because it wasn't OPAL v2 compliant and couldn't talk nicely to BitLocker.
OPAL v2 drives simply use the same key in their hardware for BitLocker, so you're not double encrypting and you don't need to run a pass over the whole drive when you turn it on. Turning it off just drops you back down
Re: (Score:2)
Either the bypass demonstrated here authenticates in some way
The updater probably just suspends Bitlocker protection during the reboot. This makes the volume encryption key temporarily available without authentication. An administrator can do the same thing by suspending Bitlocker from the command line.
I assume the updater will automatically reenable protection once the installation completes.
Re: (Score:2)
It might be caching the encryption key on disk during the update to avoid the user having to enter their password to decrypt every reboot (if that's how bitlocker works, I've never actually used it)
Re:Something Smells Fishy (Score:5, Informative)
You obviously have no idea how Bitlocker works. It is architecturally similar to many other full-disk encryption packages.
There is a volume encryption key which is used to encrypt the user data on the disk. This key is generally used with a fast symmetric cipher like AES. Once the initial volume encryption is completed, all reads/writes require the key to encrypt or decrypt the data.
The volume encryption key is encrypted with the public key or password for each unique user. Thus, each user has his own means of accessing the volume key, which must be the same for everyone. There is an encrypted copy of the volume key on the hard drive for every user. It could be one, or it could a hundred. (In most enterprises, the TPM is also a "user" who can unlock the drive with its key.)
In this case, the disk can be temporarily "unlocked" if an administrator suspends Bitlocker. When Bitlocker is suspended, the volume encryption key is stored in a cleartext container on disk. That volume will automatically unlock until Bitlocker protection is reenabled, which scrubs the cleartext key.
Microsoft should require administrator consent before suspending Bitlocker, so this is more of a design flaw than an exploit. Manually suspending Bitlocker does require administrator privileges.
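The suspend/resume behaviour described in this comment (and again in the later reply about "key protectors") can be checked from an admin's side. The following PowerShell script is an added example, not code from the thread or from Microsoft: it lists each BitLocker volume with its key protector types, warns about any volume left suspended (fully encrypted but protection off, i.e. clear-text key on disk), optionally resumes protection, and drops the empty `DisableCMDRequest.tag` file that Windows Setup honours to remove the Shift+F10 prompt. It assumes the BitLocker PowerShell module and an elevated session.

```powershell
# Added example (not from the thread): audit BitLocker volumes for the suspended
# state the comment above describes, show which key protectors guard each volume,
# and optionally resume protection. Run elevated; needs the BitLocker module.
[CmdletBinding()]
param(
    [switch]$Resume   # re-enable protection on any suspended volume
)

# A volume is "suspended" when it is fully encrypted but protection is Off:
# the volume encryption key sits in a clear-text container until resumed.
$suspended = Get-BitLockerVolume |
    Where-Object { $_.VolumeStatus -eq 'FullyEncrypted' -and $_.ProtectionStatus -eq 'Off' }

foreach ($vol in Get-BitLockerVolume) {
    $types = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    if (-not $types) { $types = '(none)' }
    # TPM-only protectors auto-unlock at boot; TpmPin, StartupKey or Password
    # protectors require a secret the machine does not hold by itself.
    $preboot = if ($vol.KeyProtector.KeyProtectorType -match 'Pin|StartupKey|Password') { 'yes' } else { 'no' }
    [pscustomobject]@{
        Volume        = $vol.MountPoint
        VolumeStatus  = $vol.VolumeStatus
        Protection    = $vol.ProtectionStatus
        KeyProtectors = $types
        PrebootSecret = $preboot
    }
}

foreach ($vol in $suspended) {
    Write-Warning "BitLocker is suspended on $($vol.MountPoint): the volume key is stored in clear text until protection is resumed."
    if ($Resume) {
        Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
        Write-Host "Resumed protection on $($vol.MountPoint)"
    }
}

# Windows Setup honours an empty DisableCMDRequest.tag file in %WINDIR%\Setup\Scripts,
# which removes the Shift+F10 command prompt during setup and in-place upgrades.
$tag = Join-Path $env:WINDIR 'Setup\Scripts\DisableCMDRequest.tag'
if (-not (Test-Path $tag)) {
    New-Item -ItemType Directory -Path (Split-Path $tag) -Force | Out-Null
    New-Item -ItemType File -Path $tag -Force | Out-Null
    Write-Host "Created $tag"
}
```

Run it as `.\Audit-BitLocker.ps1 -Resume` to re-enable protection on suspended volumes; without the switch it only reports. The tag file is a mitigation for the setup prompt itself, it does not change what the upgrade does with the volume key.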
Publicity before giving MS a chance to fix it? (Score:3, Funny)
Surely that's not good! Such behaviour is only justified if the software developer refuses to do anything about it
Re: (Score:3)
Not sure I'd call it shear incompetence or shear malice with the track record Microsoft has had. It's more like all thrusters forward, batten-down-the-hatches, damn the torpedoes incompetence guided strictly by the Microsoft corporate philosophy.
Re: (Score:2)
This is either shear incompetence or shear malice, either of which is unacceptable, and therefore deserves instant derision.
So... "Win shear"?
Re: (Score:3)
For the sheeple.
Re:Publicity before giving MS a chance to fix it? (Score:5, Funny)
shear incompetence or shear malice
What a cutting remark.
I feel you're not a programmer, are you? (Score:2)
One of the basic rules of all engineering, but especially software, is that most bugs are a result of genuine oversight, not incompetence. In the case of Windows, which is a massively complex concoction, it is not a surprise when something weird is found. The test in these circumstances is how much effort the organisation who made the mistake puts into resolving it, not how bad the mistake is.
Re:Publicity before giving MS a chance to fix it? (Score:4, Insightful)
Some updates are like a full upgrade in place inst (Score:2)
Some updates are like a full upgrade in place install with the full installer pre boot system in place. It's not like the small updates / old SP's
Re: (Score:2)
Surely that's not good! Such behaviour is only justified if the software developer refuses to do anything about it
Oh, but worry not! The fix is randomly applied to your machine when they feel okay about releasing it to your neighbor's computer for download.
Okay, okay, I'll stop.
As a Microsoft fanboi, glad to see this (Score:5, Funny)
Microsoft is finally backing away from their focus on privacy invasion in Win10 and going back to concentrate on their core competency, lack of security.
I was really starting to get worried. Whew.
Re: Only the lazy and terminally lame dont know? (Score:5, Informative)
BitLocker can be used without TPM. You can supply your key via a USB drive or even use a keyboard to put in the 48-digit recovery key.
Re: (Score:2)
MSFT: Now in the business of making sure the government doesn't need to send out your hard drive to a nameless forensics company.
Just run update.exe, hit Shift+F10, boom goes the dynamite.
Re: (Score:2)
Bitlocker can use a public/private key pair or a password to protect the volume encryption key.
The TPM's private key does not have to be given access to the volume encryption key. It can be kept on a USB drive.
Or it can be used with only a password, and then the only means of unlocking the drive is inside your head.
Key protectors can be added/removed via the command line. It takes less than a minute.
Re: (Score:2)
I have to say it, I'm sorry. Glancing through the comments, I read your title as "Only the lazy terminals..."
Have to throw that one out there. :)
Re: (Score:1)
It's been "broken" for a while now (Score:1)
At least from Windows 7 you could've opened that console from almost every phase of the setup. A new Dell laptop turning on for the first time can be "broken in" the same way. You can insert a backdoor and sysprep it back to the "first-run" state, if you wish so. It's all documented. (I know, physical access, etc.)
It has now become a problem because Windows 10's "big updates" are basically running the full setup of a new system build while migrating the user data. This actually invokes the standard Windows
Re: It's been "broken" for a while now (Score:2)
That is actually a feature. Linux has rescue disks too, you know, to troubleshoot dead systems.
Re: (Score:1)
Windows setup actually *is* a stripped-down version of Windows. And it has a recovery console by design, yeah.
This problem translated to Linux land:
When you upgrade from Debian 8 to 8.1 you get Debian's full setup running and you can press Alt-F2 to get a root console. The update was initiated automatically on a timer. While you have your HDD/SSD secured with cryptsetup the setup itself needs access, so it has to be unlocked. The console allows anyone to do anything if they catch the update running.
Re: (Score:1)
But even Linux needs cryptfs unlocked for updates ;)
... of course, and it requires the owner to type the password. The question is, how is it possible to have that "the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system"? Is the user required to type the password before? Or does the OS just disable it?
How can the OS decrypt the disk without people giving the decryption key? Is the decryption key already saved on the PC?
Re: (Score:2)
As with most full-disk encryption packages (including LUKS), the volume encryption key is stored on the hard drive. All system/user data is encrypted with this key.
The software creates a copy of the volume key for each user. Their copies are encrypted with either their passwords or their private keys.
Encryption users do not necessarily map to user accounts. The TPM is also a user in this context---it uses its private key in whatever manner it was configured, typically after receiving a valid PIN via the key
Re: (Score:1)
I think the trick is that unless systemd has completely destroyed Debian (smug Gentoo user here), Linux updates don't require multiple reboots and even replacing the kernel doesn't need to be done from single user mode.
Windows is just stupid in that regard. Unless I'm updating the kernel, worst case updating my box I might have to restart X Window. If I'm updating the kernel, it's just one reboot with no special single user install environment needed.
Re:Bwahahaha... (Score:5, Insightful)
Just who is going to be at the keyboard during this vulnerability? The PC owner.
No, the person with physical possession of the PC, which could be the person who stole it. Many computers are worth far less than the data they contain.
Re: (Score:2)
Or the guy who just ran update.exe.
Well what did you expect? (Score:3)
Shift-F10 has existed for lots of years now. Requires physical access. Windows build updates require decrypting the drive.
Re: (Score:2)
"Physical access" doesn't mean much anymore - it could just as well be someone who snatched a copy of a VM.
Re:Well what did you expect? (Score:5, Insightful)
Shift-F10 has existed for lots of years now. Requires physical access. Windows build updates require decrypting the drive.
"Requires physical access"???? The WHOLE POINT of hard disk encryption is to protect you in the event someone gains physical access to your computer! (Assuming you're not logged in at the time, of course!)
Re: (Score:3)
How often do people walk away from their computers whilst it's updating and they're in an environment where somebody will come and physically compromise their machine? It sounds like a fairly remote possibility. Somebody might just as likely take a look inside your wallet if you leave that on your desk at work whilst you grab a coffee and use the information they find for identity theft. Yes there's a possibility of a serious exploit, but honestly, what's the likelihood of it being exploited? There ar
Re: (Score:3)
If you have bitlocker configured - with a tpm+pin - it requires a pin to boot the machine (to do the windows upgrade to do the shift + f10 trick), say you do boot it - you'll still need a login - with local admin to run the update. And guess what - if you have local admin you can just switch off the protectors inside the existing version of windows. Plus most well run enterprises aren't going to allow the machine to be patched in this manner.
In other words - if your corporate security policies are even half
Re: (Score:2)
(Assuming you're not logged in at the time, of course!)
Well guess what?? You're logged in as SYSTEM while updates are installing!!! How else do you think updates even work???!
From what I understand, in Windows 10 home edition, you don't need to be logged in as system. Updates happen automatically and you can't easily turn them off. I could be wrong though.
Re: (Score:2)
Did you even read the summary?
Re: (Score:3)
Clearly, you didn't.
Anyone can be set to run updates. Especially in Win10 Home.
So, no, not r00t. Anybody.
Re:Well what did you expect? (Score:4, Insightful)
Not to mention most corporations won't be upgrading machines without using management software. This is such a non story.
Is this surprising? (Score:5, Insightful)
Is this really surprising? From the company that just made accepting every update they want to push mandatory? I didn't trust Microsoft before they did that, now it's just blatant in your face "we own your computer". The fact that anyone trusts BitLocker is what astounds me.
Your Windows 10 friends are:
1) Windows Update Mini Tool [wilderssecurity.com]. Gives you back control of your windows update experience.
2) Windows updates details [live.com]. A spreadsheet maintained with every patch and what it does. Microsoft gets more and more evasive with their explanations of what their patches do, this is a good site for info. And, for heaven's sake, please please please get...
3) VeraCrypt [codeplex.com]. Based on TrueCrypt 7.1, development was continued by the community. Security audits have been done on this code base and, while no non-trivial software can ever be proven completely safe, I trust this software far more than BitLocker (which I actively distrust).
My Windows 7 laptop was safe from the whole Windows 10 upgrade debacle and the "we are going to upgrade your OS unless you happen to catch this message in time and say no" nagware because I carefully and meticulously have always gone over every windows update that goes on my computer. It was with literal astonishment that I learned that update is mandatory in Windows 10. I can't believe people stand for it. I've managed to work around it, but that was really the last straw for me. I have finally migrated mostly to Linux. I have used it for my servers and personal cloud services since the days of SLS but never really adopted for my desktop. I kept it for stuff I couldn't do in Windows. Now I've reversed that, using Linux for everything I can and only using Windows for gaming or software I absolutely can't do in Linux.
Re: (Score:2)
...The fact that anyone trusts BitLocker is what astounds me.
Really?
What astounds me is the ignorance over the attraction of using BitLocker in business, which is the inherent price tag; free.
Trust has fuck-all to do with it when you can check off the "whole-disk encryption" requirement cheaply and move on, regardless of effectiveness.
This is also sadly the reason we'll probably not see a fix for this anytime soon.
Re: (Score:2)
Re: (Score:3, Interesting)
Trust has levels, just like risk does. On my new laptop that came with Windows 10, I trust Windows to be my platform for gaming and for doing quick work or to access emails from my use-this-address-for-forum-registrations accounts. There are just times when I'm playing a game and booted into Windows and can't be bothered to switch over to Linux for some relatively trivial other action. But I don't trust it with banking, personal files, or access to my real email server. I don't trust it to hold SSH priv
Re: (Score:2)
So, since you do not trust Microsoft... Why do you use Win7 at all?
Re: (Score:2)
Windows 10 is what pushed me to Linux on the desktop as well. I game on my one Windows desktop, and run a free and non-spywared OS everywhere else now!
Are you doing it (BitLocker) right? (Score:5, Informative)
Re: (Score:3)
How many people didn't even read the summary, but have an expert analysis on why it's wrong?
Re: (Score:3)
You are wrong. I suggest reading Microsoft's documentation regarding "key protectors" if anything I say is confusing.
The Windows updater runs as system, which means it can do anything an administrator can do.
An administrator can suspend Bitlocker, which temporarily stores the volume encryption key in cleartext so that it will automatically mount.
It is easily conceivable that Windows Update is preparing the updates, suspending Bitlocker, rebooting, completing the installation, and reenabling Bitlocker.
Also,
Re: (Score:2)
Is this a backdoor into Bitlocker or not? (Score:3)
Because the article does not say and that would be the one critical piece of information. Seems to be more people that report without any understanding because otherwise that piece of information would have been in there. Now, getting SYSTEM, but BitLocker protected data is inaccessible is no big deal: Just boot a recovery CD to get the same. If, on the other hand, this allows really bypassing BitLocker (which protects data, _not_ the boot process) meaning access to encrypted data without the password, then BitLocker would have a big bad obvious backdoor. I somehow doubt that is the case.
My money is on shoddy, sensationalist and utterly worthless reporting which has become so common these days.
Re: (Score:2)
A "chkdsk" is anything but "mundane". But I see your point. So that would mean BitLocker is backdoored?
Re: (Score:2)
I see. This means this attack only applies to an already unlocked BitLocker instance while doing upgrades that include reboots. That is indeed not a backdoor, and more like a non-issue, as any sane person should know that an unlocked crypto-container is not secure. Thanks for the info.
Boot install media and you can do the same thing (Score:1)
There is no security without physical security. Typing a BitLocker key to unlock your drive before booting may be a PITA, but it's worth it if you value your privacy.
I loathe Windows 10 and Microsoft for foisting it, (Score:2)
but, how is this news? You can Shift + F10 to get a CLI using a Windows 10 install disk locally too (written, on Windows 10, at work).
Pointless being worried. (Score:3)
How the fuck is this a "bug" ??? (Score:2)
It's been a publicised setup feature since at least Windows 2000, Windows XP and Windows Server 2003!
Description of the Windows Setup Function Keys
https://support.microsoft.com/... [microsoft.com]
Re: (Score:2)
Well, it's lucky we didn't!
Re: (Score:1)
you can boot the system from a USB and do whatever you want.
This just means that bitlocker is fake security
Re: (Score:3)
but you can't get the data easily without the BitLocker key. Systems with TPM can auto-unlock BitLocker and boot to the login screen if set that way.
Re: (Score:2)
Ummm, did you read the summary?
Re: (Score:2)
Only if it's in an AD environment and joined to a domain controller, and even then the domain administrators have control of your updates, not you. Otherwise for home users it just starts automatically; the only requirement is for the machine to be turned on so that it can apply a new update. And that's the whole point of this: If the NSA (or whoever) wants to eventually decrypt your bitlocker encrypted HDD without any need for brute force tactics, all they have to do is wait for a new major patch from MS (
My system never reboots (Score:1)