We use disk encryption software to
secure our data. But is it really secure? iViZ Vulnerability Research team discovered
a new class of vulnerability which bypassed the security of Microsoft
Bitlocker, McAfee Safeboot and several others.
Very recently iViZ discovered and
showed to the world how hard disk encryption can be rendered practically useless.
Hard Disk encryption tools including the BIOS password authentication routines
use interruptions for reading password from the user during boot time before
the operating system is initialized. The vulnerability lies due to the fact
that the data read from user is copied at a static location in memory and is
never removed even after use by the authentication program.
|
iViZ discovered that it is possible to steal the password
of the disk encryption tools by running an exploit locally. Once an attacker
gets the password, the encryption is rendered useless.
|
Breaking Microsoft Bitlocker
Bitlocker is the disk encryption feature introduced in Microsoft Vista. It has the capability to authenticate users in several ways, including with a password (PIN), when configured to work with the TPM chip. The password checking routine of Microsoft Bitlocker fails to sanitize the BIOS keyboard buffer after reading passwords, resulting in plain text password leakage to unprivileged local users.
Bitlocker's pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e.
Breaking True Crypt
The password checking routine of TrueCrypt fails to sanitize the BIOS keyboard buffer before AND after reading passwords. Truecrypt's pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e. It is also possible for a root user to reboot the computer by instrumenting the BIOS keyboard buffer in spite of the full disk encryption.
Breaking McAfee Safeboot
The password checking routine of SafeBoot Device Encryption fails to sanitize the BIOS keyboard buffer after reading passwords, resulting in plain text password leakage to unprivileged local users.
SafeBoot's pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copy the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e.
Bitlocker is the disk encryption feature introduced in Microsoft Vista. It has the capability to authenticate users in several ways, including with a password (PIN), when configured to work with the TPM chip. The password checking routine of Microsoft Bitlocker fails to sanitize the BIOS keyboard buffer after reading passwords, resulting in plain text password leakage to unprivileged local users.
Bitlocker's pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e.
Breaking True Crypt
The password checking routine of TrueCrypt fails to sanitize the BIOS keyboard buffer before AND after reading passwords. Truecrypt's pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copies the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e. It is also possible for a root user to reboot the computer by instrumenting the BIOS keyboard buffer in spite of the full disk encryption.
Breaking McAfee Safeboot
The password checking routine of SafeBoot Device Encryption fails to sanitize the BIOS keyboard buffer after reading passwords, resulting in plain text password leakage to unprivileged local users.
SafeBoot's pre-boot authentication routines use the BIOS API to read user input via the keyboard. The BIOS internally copy the keystrokes in a RAM structure called the BIOS Keyboard buffer inside the BIOS Data Area. This buffer is not flushed after use, resulting in potential plain text password leakage once the OS is fully booted, assuming the attacker can read the password at physical memory location 0x40:0x1e.
No comments:
Post a Comment