
Youtuber cracks BitLocker encryption in minutes with Raspberry Pi Pico

Joined
Jul 25, 2006
Messages
12,225 (1.88/day)
Location
Nebraska, USA
System Name Brightworks Systems BWS-6 E-IV
Processor Intel Core i5-6600 @ 3.9GHz
Motherboard Gigabyte GA-Z170-HD3 Rev 1.0
Cooling Quality case, 2 x Fractal Design 140mm fans, stock CPU HSF
Memory 32GB (4 x 8GB) DDR4 3000 Corsair Vengeance
Video Card(s) EVGA GEForce GTX 1050Ti 4Gb GDDR5
Storage Samsung 850 Pro 256GB SSD, Samsung 860 Evo 500GB SSD
Display(s) Samsung S24E650BW LED x 2
Case Fractal Design Define R4
Power Supply EVGA Supernova 550W G2 Gold
Mouse Logitech M190
Keyboard Microsoft Wireless Comfort 5050
Software W10 Pro 64-bit
Personally I keep my most important files on multiple external storage.
That is a very wise backup ethic.

I agree that is a wise backup policy and hopefully includes at least one copy stored "off-site". However, that is not the point of BitLocker.

Other than passwords, I personally don't keep anything incriminating or that sensitive on my drives that a bad guy could not glean by rifling through the file cabinet in my office (there's that "physical access" issue again!). Bank accounts, insurance records, 7 years of taxes, my military and Social Security records are all in there. I bet that is a similar scenario for most of us.

IMO, for the vast majority of us, the reason to use BitLocker or similar "drive" encryption program is in the event our drives end up in unfriendly hands - that is "physically" in their possession.

If you are a frequent road warrior and have a laptop with sensitive information, BitLocker may be a wise "additional" layer of security for you.

For me, a bad guy would have to break into my house and steal my computer. And since I feel confident I am not a designated target of any law enforcement agency, state-sponsored spy organization or organized crime syndicate, the most likely reason a bad guy would break into my house would be to steal valuables he can fence to get some quick cash for his next "fix".

While that is possible, I am not worried that will happen. Therefore, I do not use BitLocker or any other drive encryption program.

What I always - as in EVERY SINGLE TIME - do, however, is "wipe" every "functional" hard drive and "secure erase" any SSD I dispose of - no exception, even if I know where it will end up.

And for drives that no longer work, I take no chances and I physically destroy them. I have access to a hard drive shredder but for those who don't, I recommend drilling at least 3 holes all the way through the hard drive ~1 inch from the center hub. SSDs are much less robust than hard drives so thoroughly smashing with a hammer is fairly easy. Just make sure each memory chip is smashed too.
 
Joined
Aug 20, 2007
Messages
20,819 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11
Ouch! Expensive! Effective though.
Actually, not really. The drives I've been using are generic Crucial NVMe 2TB P5 Plus drives, as well as some older workstations using 2TB Mushkin Pilot-E Pros. They support OPAL 2.0. Then I just use open source sedutil. It's a bit of a slog to set up, but hey, it's my job as security guy:


User is presented with a master password on each workstation at bootup. We shutdown when done working and drive is locked. Simple.

Just make sure each memory chip is smashed too.
This. The memory chips are what matter for a secure disposal. A truly dedicated attacker can desolder intact memory chips to a new controller board and potentially recover the data.

It's kind of academic for most, but when dealing with say, sensitive records like I do, it's not.

Honestly, I question whether even posting my security solutions is a good idea, but then I remind myself, the best security solutions work even when the attacker knows exactly what they are. And I feel mine would hold up rather well in an equipment theft scenario, at least.

If the mob tries to beat the password out of me all bets are off, but no one made me legally promise that grade of security lol. Fortunately none of what I protect is interesting to those types of people.
 
Joined
Nov 15, 2021
Messages
2,744 (3.01/day)
Location
Knoxville, TN, USA
System Name Work Computer | Unfinished Computer
Processor Core i7-6700 | Ryzen 5 5600X
Motherboard Dell Q170 | Gigabyte Aorus Elite Wi-Fi
Cooling A fan? | Truly Custom Loop
Memory 4x4GB Crucial 2133 C17 | 4x8GB Corsair Vengeance RGB 3600 C26
Video Card(s) Dell Radeon R7 450 | RTX 2080 Ti FE
Storage Crucial BX500 2TB | TBD
Display(s) 3x LG QHD 32" GSM5B96 | TBD
Case Dell | Heavily Modified Phanteks P400
Power Supply Dell TFX Non-standard | EVGA BQ 650W
Mouse Monster No-Name $7 Gaming Mouse| TBD
IMO, for the vast majority of us, the reason to use BitLocker or similar "drive" encryption program is in the event our drives end up in unfriendly hands - that is "physically" in their possession.
And that is why this is actually a problem. Sure, physical access is a barrier, but Bitlocker is really for making physical access less of an issue.

Also, RPi aside, there are dedicated chips that can log all data passing over the traces leading to a dTPM. I saw a proof of concept a few years ago of someone installing these in business-grade laptops in ~5 minutes. Easy enough to do for a targeted attack on a large entity such as a corporation, and permanently compromise even brand new hardware.
 
Joined
Aug 20, 2007
Messages
20,819 (3.41/day)
This is why the industry is pushing for on die TPM partially. It's much harder to sniff. Sniffing keys has always been the Achilles heel of TPM based security.

The truth is bitlocker is still more than sufficient for most any petty thieves. But yes, for a sophisticated attacker there are options more suitable than it protection wise.
 
Joined
Nov 15, 2021
Messages
2,744 (3.01/day)
Location
Knoxville, TN, USA
This is why the industry is pushing for on die TPM partially. It's much harder to sniff. Sniffing keys has always been the Achilles heel of TPM based security.

The truth is bitlocker is still more than sufficient for most any petty thieves. But yes, for a sophisticated attacker there are options more suitable than it protection wise.
Most petty thieves don't really target data anyways, just swap in a new drive and sell the laptop. At least they do around here. I would only be worried about a sophisticated attacker getting my data anyways.
 
Joined
Jul 25, 2006
Messages
12,225 (1.88/day)
Location
Nebraska, USA
but Bitlocker is really for making physical access less of an issue.
Huh? Please clarify. BitLocker is ALL about accessing the data from a drive the bad guy has in their physical possession.

If you are suggesting BitLocker is to keep intruders from accessing the data "remotely" somehow through your network, then you do NOT understand the purpose for BitLocker! I say again, BitLocker is ALL about physical access. Read Microsoft's description (my bold underline added):

BitLocker is a Windows security feature that provides encryption for entire volumes, addressing the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices.

The TPM works with BitLocker to ensure that a device hasn't been tampered with while the system is offline.

It really is not even about a "sophisticated" attacker. The attacker needs to be targeting you specifically and be determined - because they know or at least highly suspect you have valuable information they need or can use or sell.

The vast majority of bad guys - even "sophisticated" bad guys are lazy opportunists. They just don't invest a lot of time and certainly not a lot of money, or risk getting spotted unless they really believe the rewards are going to be worth it - or else they are really stupid or in serious withdrawals - and then could not likely be called sophisticated.

The typical bad guy, if they meet any resistance, they move on to easier pickings. This is why changing our passwords from "password123" and changing the default passwords on our routers is such a basic, simple, but highly effective deterrent. I did not say 100% effective. Nothing is.

Most petty thieves don't really target data anyways
Exactly.

If you are that special that you are being targeted specifically by a sophisticated, dedicated (and not strung-out) bad guy, you are in much bigger trouble than you think! I highly doubt anyone following this thread falls into that category - despite how important, special, experienced or unique they believe they are! :rolleyes:
 
Joined
Nov 15, 2021
Messages
2,744 (3.01/day)
Location
Knoxville, TN, USA
Huh? Please clarify. BitLocker is ALL about accessing the data from a drive the bad guy has in their physical possession.

If you are suggesting BitLocker is to keep intruders from accessing the data "remotely" somehow through your network, then you do NOT understand the purpose for BitLocker! I say again, BitLocker is ALL about physical access. Read Microsoft's description (my bold underline added):
I meant bitlocker was to make it less of an issue if a bad guy had physical access. Same thing you are saying. My point is, if it is that easy to bypass with physical access it is kind of pointless.

Like that old saying: "locks only stop the good guys."
 
Joined
Jul 25, 2006
Messages
12,225 (1.88/day)
Location
Nebraska, USA
My point is, if it is that easy to bypass with physical access it is kind of pointless.
And my point is, it is (1) not "that easy". And (2) that is a big IF. Yet some here are suggesting that it is not only easy, but they immediately blame and label Microsoft as "incompetent" and "untrustworthy" because of that HUGE limitation! :( I say, "pure biased FUD!" :mad: And I am mad about that because these people proclaim to be experts yet they are doing a disservice to the readers - typically to make themselves look better. :(

So to your point, it is NOT that easy - except, maybe, by a sophisticated, determined, experienced expert bad guy, who is targeting you specifically. And people really, and HONESTLY, need to ask themselves, "how likely is that?"
 
Joined
Nov 15, 2021
Messages
2,744 (3.01/day)
Location
Knoxville, TN, USA
So to your point, it is NOT that easy - except, maybe, by a sophisticated, determined, experienced expert bad guy, who is targeting you specifically. And people really, and HONESTLY, need to ask themselves, "how likely is that?"
My counterpoint is that without a "sophisticated, determined, experienced expert bad guy" there is but little danger to your data, Bitlocker or no Bitlocker.

I feel that this is easy enough for anyone with enough technical acumen to use your data against you. As in, if they are smart enough to want your data this won't stop them.

I am not suggesting that every thief could build these, but not every bank robber can build a gun either.
Yet some here are suggesting that it is not only easy, but they immediately blame and label Microsoft as "incompetent" and "untrustworthy"
I am not necessarily agreeing with them, but I do say that they are not going to be the best at security. There are better encryption tools, there is better antivirus software, etc.

because of that HUGE limitation!
? Are you referring to physical access?
Again, I am taking that as a given as Bitlocker is specifically designed to secure against the dangers of allowing physical access.
 
Joined
Jul 5, 2013
Messages
25,604 (6.45/day)
And my point is, it is (1) not "that easy".
No one said it was. However, it IS doable.
And (2) that is a big IF.
An "if" that should not exist.
Yet some here are suggesting that it is not only easy, but they immediately blame and label Microsoft as "incompetent" and "untrustworthy" because of that HUGE limitation! :( I say, "pure biased FUD!" :mad: And I am mad about that because these people proclaim to be experts yet they are doing a disservice to the readers - typically to make themselves look better. :(
Calm the hell down and lose the personal jabs or I'm going to lay into YOUR flawed arguments and leave you looking like a buffoon diddling a football, again. Final warning. I did not say ANYTHING to make myself look better, smarter or more knowledgeable. I said what I said because it is FACTUAL and people should KNOW that microsoft is NOT trustworthy.
So to your point, it is NOT that easy - except, maybe, by a sophisticated, determined, experienced expert bad guy, who is targeting you specifically. And people really, and HONESTLY, need to ask themselves, "how likely is that?"
As usual, you're missing the context and the point. How difficult it is to do or what experience level it takes is not the primary issue at hand. The FACT that this vulnerability exists and that it is BUILTIN to the OS in question is a very serious problem, one that everyone needs to be concerned with if they are using bitlocker as a part of their security methodology.

This article is a HUGE red flag and serves as a serious warning to people who care about ACTUAL security. Said warning is simple: Find something different to use! For example, the aforementioned Veracrypt, which has no known or projected vulnerabilities and has NOT been cracked yet.
 
Joined
Jul 25, 2006
Messages
12,225 (1.88/day)
Location
Nebraska, USA
My counterpoint is that without a "sophisticated, determined, experienced expert bad guy" there is but little danger to your data, Bitlocker or no Bitlocker.
I don't see how it is a "counter" point when that is what I said too.

As usual, you're missing the context and the point. How difficult it is to do or what experience level it takes is not the primary issue at hand. The FACT that this vulnerability exists
As usual, you ignore the context and the point in order to rationalize your clearly extreme and biased claims, demonstrating your obvious disdain for anything Microsoft! :(

You can hate Microsoft. That is certainly your right. And you are entitled to express your opinion about the company and their products AS LONG AS your opinion is based on the true facts. Not made up falsehoods.

AS I SAID above, no solution is perfect so OF COURSE, there are still vulnerabilities! I never suggested otherwise.

The issue is the FUD you throw out any time someone mentions a Microsoft product - like you did here when you claimed Microsoft is "incompetent", "incapable", and their method is "NOT TRUSTWORTHY".

the aforementioned Veracrypt, which has no known or projected vulnerabilities and has NOT been cracked yet.
And as usual, you post falsehoods because YOU FAILED to verify your facts before posting and just expect others to automatically believe you because you said it! :( A simple 10 seconds with Google shows:

VeraCrypt audit reveals attacker treasure trove of critical flaws
An audit of VeraCrypt has uncovered critical vulnerabilities which could be exploited by attackers to compromise user data.

Security Evaluation of VeraCrypt
This study was executed by the Fraunhofer Institute for Secure Information Technology (SIT) on behalf of the German Federal Office for Information Security (BSI).

The code base still mainly consists of code from the TrueCrypt project that has been repeatedly criticized for its poor coding style

A mounted VeraCrypt volume is exposed to a multitude of attack vectors including vulnerabilities of the host system. Hence, any volume-access scenario exceeds the protection envelope of VeraCrypt. The development practices and the resulting code quality of VeraCrypt are a cause for concern. Therefore, we cannot recommend VeraCrypt for sensitive data and persons or applications with high security requirements. We recommend to execute similar security assessments also for future versions of the software

NVD - CVE-2019-19501 (nist.gov)
VeraCrypt 1.24 allows Local Privilege Escalation during execution of VeraCryptExpander.exe.

Does that mean VeraCrypt should be avoided? NO! But people need to realize it has vulnerabilities too.

I say once again, BitLocker is just another layer of security. It is not perfect and not a panacea. Nor did Microsoft ever intend or market it as a perfect solution.

Now I see no point in discussing this further. People can do their research and they can easily verify the truth - if they care to know it - and weed out the falsehoods. Time to move on.
 
Joined
Jul 5, 2013
Messages
25,604 (6.45/day)
And as usual, you post falsehoods because YOU FAILED to verify your facts before posting and just expect others to automatically believe you because you said it! :( A simple 10 seconds with Google shows:

VeraCrypt audit reveals attacker treasure trove of critical flaws
Context:
Written by Charlie Osborne, Contributing Writer Oct. 19, 2016 at 2:55 a.m. PT
Hmm..
2019 & 2020

ALL of these problems have been solved but, key point, ALL 4 of those problems and one other that you missed were extremely difficult to execute but again, in case you missed it, have been solved. They are easily solvable because, TAA DAA, VeraCrypt does NOT require hardware. It protects software and data stored ON hardware, but does not require any dedicated hardware to operate and do so effectively.

Hmmm...

I'm out, this is like trying to have a conversation with Osmium...
 
Joined
Aug 20, 2007
Messages
20,819 (3.41/day)
You don't realize this, but you are all varying degrees of correct on the points that matter and basically arguing over trivial crap that doesn't.

I think productive conversation has ceased.
 