BitLocker Vulnerability

Click For Summary

Discussion Overview

The discussion revolves around a reported vulnerability in Microsoft's BitLocker encryption system, focusing on the implications of password management and data security. Participants explore the nature of the vulnerability, its exploitation sequence, and related issues of personal data consent on platforms.

Discussion Character

  • Debate/contested
  • Technical explanation
  • Meta-discussion

Main Points Raised

  • One participant clarifies that BitLocker does not use a password but rather an encryption key, suggesting the vulnerability is related to how passwords are handled in applications rather than BitLocker's encryption itself.
  • Another participant outlines a sequence of events required to exploit the vulnerability, emphasizing the need for physical access to the device and the lack of multi-factor authentication in certain services.
  • Several participants discuss issues related to posting and consent for personal data usage on the forum, with some expressing confusion about the consent requirements and their relation to BitLocker.
  • A participant mentions a potential technical aspect of the vulnerability involving the corruption of a registry key that affects crash dump file management, although they express uncertainty about the need for physical access.

Areas of Agreement / Disagreement

Participants express differing views on the nature of the BitLocker vulnerability and its implications, with no consensus reached on the technical details or the relationship to personal data consent issues.

Contextual Notes

There are unresolved questions regarding the technical specifics of the vulnerability, including the necessity of physical access and the implications of GDPR on data consent practices.

Computer science news on Phys.org
Mistitled: Bitlocker does not have a password, it has an encryption key, and this vulnerability has nothing to do with Bitlocker's encryption key. In order to exploit this vulnerability something like the following sequence needs to happen:
  1. You enter your password into some application
  2. That application stores your password in memory
  3. You hibernate your device before the password is overwritten in memory
  4. Your device is stolen
  5. Despite the fact that your device has been stolen you do not change all your passwords
  6. The thief invests effort in parsing your hibernation file for unencrypted passwords
  7. The thief identifies what service the password relates to
  8. The thief obtains the other relevant credentials (e.g. a user name) - bearing in mind that Bitlocker is still protecting the rest of the information on the disk apart from the hibernation file
  9. The service does not impement MFA (multi-factor authentication), allowing the thief to log in using only the credentials he has discovered
 
Yes, PF sometimes doesn't allow you to change your post. I tried editing before first posting it.
 
WWGD said:
Yes, PF sometimes doesn't allow you to change your post. I tried editing before first posting it.
Usually it's only after a 24-hour period expires. Weird.
 
berkeman said:
Usually it's only after a 24-hour period expires. Weird.
Equally weird, I was asked here, in other sites, for the first time I can remember, to give consent to the site Im in, to use my personal data.
 
WWGD said:
Equally weird, I was asked here, in other sites, for the first time I can remember, to give consent to the site Im in, to use my personal data.
This was at PF? You were asked to give consent to use your personal data? Like Cookies or something else? Do you think it was because you used Bitlocker to sign in?
 
berkeman said:
This was at PF? You were asked to give consent to use your personal data? Like Cookies or something else? Do you think it was because you used Bitlocker to sign in?
Here in PF as well as when I tried to use any app.
 
. @pbuk , as I understood, the vulnerability/hack consists in corrupting a registry key that deals with the management of crash dump files, so that these are written in the dump files unencrypted. Though not sure if direct physical access is needed. @berkeman : From what I read, it seems these dialog boxes arise from a change of laws (GDPR) , re the use, consent to access and use personal information, as a way to pay for "free" apps.
 

Similar threads

4 Chrome Vulnerabilities: Update Now
  • · Replies 1 ·
Replies
1
Views
2K
More Hacking Threats. NSA Reports....
  • · Replies 2 ·
Replies
2
Views
1K
10-year old security vulnerability in sudo fixed (CVE-2021-3156)
  • · Replies 8 ·
Replies
8
Views
2K
How Vulnerable Are Large Language Models to Malicious Data Poisoning?
  • · Replies 5 ·
Replies
5
Views
962
Dealing with the new security règime
  • · Replies 6 ·
Replies
6
Views
2K
My Avast Premium Security Gives Me This Scary Message
  • · Replies 7 ·
Replies
7
Views
2K
Why is the Dominos Pizza Website not Secure?
  • · Replies 31 ·
2
Replies
31
Views
5K
Internet Secrets estimated to survive for 15 years
  • · Replies 14 ·
Replies
14
Views
2K
Microsoft's Sleazy Tactics: What Windows Users Need to Know
  • · Replies 82 ·
3
Replies
82
Views
6K
Are MacBooks the best choice for physics?
  • · Replies 2 ·
Replies
2
Views
2K