Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker (bleepingcomputer.com)
An anonymous reader quotes a report from BleepingComputer: Windows security expert and infrastructure trainer Sami Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges. This CLI debugging interface also grants the attacker full access to the computer's hard drive data, despite the presence of BitLocker. The CLI debugging interface is present when updating to new Windows 10 and Windows 10 Insiders builds. The most obvious exploitation scenario is when a user leaves his computer unattended during the update procedure. A malicious insider can open the CLI debugger and perform malicious operations under a root user, despite BitLocker's presence. But there are other scenarios where Laiho's SHIFT + F10 trick can come in handy. For example when police have seized computers from users who deployed BitLocker or when someone steals your laptop. Windows 10 defaults help police/thieves in this case because these defaults forcibly update computers, even if the user hasn't logged on for weeks or months. This CLI debugging interface grants the attacker full access to the computer's hard drive, despite the presence of BitLocker. The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system. "This [update procedure] has a feature for troubleshooting that allows you to press SHIFT + F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine." Laiho informed Microsoft of the issue and the company is apparently working on a fix.
Really?
Unverifiable crypto: did anyone trust BitLocker before this easy exploit?
Someone tell this guy that launching any Windows install DVD in repair mode allows you to do such amazing things as replace the sticky keys executable with cmd.exe, allowing anybody with physical access to launch a command prompt from the login screen by pressing shift a couple times.
Something smells fishy here... To turn BitLocker on took several hours while the entire HDD was encrypted.
Considering how many business laptops are set up with domain users as administrator, I don't think your argument holds much water.
A non-admin user can't initiate or start the update process. If your IT department is doing that while the monkey is sitting at the machine, they deserve what they get.
Props to GNAA.
That's fine for Enterprise or domain joined win 10 installs. But for those not so attached, the updates most certainly can kick off without an admin starting the process, as my kids have informed me of more than once.
This is just further validation of why I choose to run VeraCrypt. Box is dead in the water as soon as it reboots until I enter a password.
Surely that's not good! Such behaviour is only justified if the software developer refuses to do anything about it.
Microsoft is finally backing away from their focus on privacy invasion in Win10 and going back to concentrate on their core competency, lack of security.
I was really starting to get worried. Whew.
While NTAUTHORITY/SYSTEM cmd.exe does sound like a problem, is it really? Won't you get the same effect by running "PSEXEC -i -s CMD"?
And pigs, while having your laptop in their possession, why would they do any of this?! If any of the known tricks fail, and you are a valuable espionage target or something... And MS won't give them the key for some reason... Sounds like a plot for a bad movie... lol
They'd send the laptop to some nameless forensics company, who then would dump the key from TPM by one or other expensive method, depending on how well-connected they are? (decap the chips, infiltrate the UEFI, cheat the TPM to unlock the key, read the key out through a sidechannel, use a magical key from manufacturer)
Why are people pretending that UEFI, TPM and bitlocker are fit for purpose?
Microsoft feverishly working on a more complicated replacement keyboard shortcut to bypass encryption and give anyone root access during updates.
At least from Windows 7 you could've opened that console from almost every phase of the setup. A new Dell laptop turning on for the first time can be "broken in" the same way. You can insert a backdoor and sysprep it back to the "first-run" state, if you wish so. It's all documented. (I know, physical access, etc.)
It has now become a problem because Windows 10's "big updates" are basically running the full setup of a new system build while migrating the user data. This actually invokes the standard Windows setup 'upgrade' on your live system.
You can boot the system from a USB and do whatever you want.
This just means that BitLocker is fake security.
Just who is going to be at the keyboard during this vulnerability? The PC owner.
Shift-F10 has existed for lots of years now. Requires physical access. Windows build updates require the drive to be decrypted.
Open Source Java Web Forum with LDAP authentication
Best zero-day of the day!
But you can't get the data easily without the BitLocker key. Systems with TPM can auto-unlock BitLocker and boot to the login screen if set that way.
Is this really surprising? From the company that just made accepting every update they want to push mandatory? I didn't trust Microsoft before they did that, now it's just blatant in your face "we own your computer". The fact that anyone trusts BitLocker is what astounds me.
Your Windows 10 friends are:
1) Windows Update Mini Tool. Gives you back control of your windows update experience.
2) Windows updates details. A spreadsheet maintained with every patch and what it does. Microsoft gets more and more evasive with their explanations of what their patches do, this is a good site for info. And, for heaven's sake, please please please get...
3) VeraCrypt. Based on TrueCrypt 7.1, development was continued by the community. Security audits have been done on this code base and, while no non-trivial software can ever be proven completely safe, I trust this software far more than BitLocker (which I actively distrust).
My Windows 7 laptop was safe from the whole Windows 10 upgrade debacle and the "we are going to upgrade your OS unless you happen to catch this message in time and say no" nagware because I carefully and meticulously have always gone over every Windows update that goes on my computer. It was with literal astonishment that I learned that update is mandatory in Windows 10. I can't believe people stand for it. I've managed to work around it, but that was really the last straw for me. I have finally migrated mostly to Linux. I have used it for my servers and personal cloud services since the days of SLS but never really adopted it for my desktop. I kept it for stuff I couldn't do in Windows. Now I've reversed that, using Linux for everything I can and only using Windows for gaming or software I absolutely can't do in Linux.
Some updates are like a full in-place upgrade install with the full installer pre-boot system in place. It's not like the small updates / old SPs.
If you are doing BitLocker correctly, you have to type in a password every time you boot the computer. If you are doing it really right, that password is only a PIN used to unlock the actual encryption key stored in a Trusted Platform Module (hardware protected crypto storage device). This means that although a computer may update itself automatically if it gets powered up by an adversary, thus opening an opportunity for the diagnostic shell to have access to a temporarily disabled BitLocker, this could only happen if the adversary knows (or can coerce) the BitLocker password from you. While some may believe that there is a backdoor to BitLocker, this particular diagnostic window is not it because it should never be accessible by an adversary.
Windows security expert and infrastructure trainer
Idiot discovers Shift-F10.
the Department of Redundancy Department.
Another plus to VeraCrypt was the results and actions taken from their recent audit:
http://blog.quarkslab.com/security-assessment-of-veracrypt-fixes-and-evolutions-from-truecrypt.html
https://ostif.org/the-veracrypt-audit-results/
Obviously if you're thinking of switching to VeraCrypt over BitLocker make sure you consider their security model (though most of this applies to any full disk encryption software).
https://veracrypt.codeplex.com/wikipage?title=Security%20Model
It's almost like reimaging the computer every time there's a service pack is a poorly thought out process requiring a multitude of compute time while opening the system to unnecessary risks.
Because the article does not say and that would be the one critical piece of information. Seems to be more people that report without any understanding because otherwise that piece of information would have been in there. Now, getting SYSTEM, but BitLocker protected data is inaccessible is no big deal: Just boot a recovery CD to get the same. If, on the other hand, this allows really bypassing BitLocker (which protects data, _not_ the boot process) meaning access to encrypted data without the password, then BitLocker would have a big bad obvious backdoor. I somehow doubt that is the case.
My money is on shoddy, sensationalist and utterly worthless reporting which has become so common these days.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
So what the article is saying is that full disk encryption isn't, if you are using BitLocker. Can anyone confirm this?
You can get an administrative shell by booting from installer media and pressing Shift+F10 without ever kicking off an install or upgrade. I typically use this to run diskpart to create a VHD to try out new Windows Insider builds via multiboot without borking my primary OS installation.
There is no security without physical security. Typing a BitLocker key to unlock your drive before booting may be a PITA but it's worth it if you value your privacy.
Only if it's in an AD environment and joined to a domain controller, and even then the domain administrators have control of your updates, not you. Otherwise for home users it just starts automatically; the only requirement is for the machine to be turned on so that it can apply a new update. And that's the whole point of this: If the NSA (or whoever) wants to eventually decrypt your BitLocker-encrypted HDD without any need for brute force tactics, all they have to do is wait for a new major patch from MS (which at the current rate happens about every 6 months) and they have a perfect opportunity to decrypt your entire HDD. That's well within the statute of limitations for ANYTHING they'd be interested in nailing you for, even for petty crimes like shoplifting.
BTW that's an interesting way for a GNAA post to be upmodded.
Windows has had this functionality in its installers since W2K.
It's not a bug, it's a feature. Requested by one of your 3-letter agencies.
I don't know why, but my system never reboots to install the next build and I use the insider builds. Have way too many other bugs I actually want fixed to report it though.
If you don't want to wait for MS:
http://www.linuxmint.com/
Ummm, did you read the summary?
There are two types of people in the world: Those who crave closure
I mean this new-fangled stuff from the future?
28th May 2014: TrueCrypt says 'switch to BitLocker'.
Well, it's lucky we didn't!
Nothing to see here - BitLocker is not compromised - but there is a small window of opportunity.
In common with most disk encryption tools designed for enterprise use, after initial authentication to unlock the encryption keys and boot the OS AND after logging into the OS with valid credentials - BitLocker will allow a temporary suspension of the "Protectors" (i.e. the need to enter a PIN, etc.) for x reboots. This is to allow for patching and upgrades to be done by enterprise management tooling without requiring an end user to be present (so patches etc. can be scheduled for out of hours).
The issue here is that the WinPE instance that is being used during the upgrade process is using its default shell code - which has the SHIFT+F10 enabled. Changing it to a custom shell (as already done for MDT or SCCM OSD) can turn off the SHIFT+F10 feature.
The time exposed to danger is just when the WinPE session is running, doing the upgrade and before it reaches the next reboot point in the process. Yes - it is an issue, but a small one and quite easy to resolve by using a custom shell in WinPE to launch the upgrade process.
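The two things this comment and the earlier TPM+PIN comment turn on can be checked from the host itself. The following is an added PowerShell example, not code from the thread or from Microsoft: it uses the built-in BitLocker module (Get-BitLockerVolume) to flag volumes whose protectors are currently suspended or that rely on TPM-only unlock, and it assumes Microsoft's later DisableCMDRequest.tag mechanism for suppressing Shift+F10 in Setup, which did not exist when this thread was written and should be verified for your build.

```powershell
# Added example: report BitLocker exposure relevant to the Setup Shift+F10 window.
# Assumes the built-in BitLocker PowerShell module on a Windows 10 host.

function Get-BitLockerExposure {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # TPM-only lets the machine unlock and run an unattended upgrade;
        # TPM+PIN (or TPM+PIN+startup key) requires someone at the keyboard.
        $tpmOnly = ($types -contains 'Tpm') -and
                   -not ($types -contains 'TpmPin') -and
                   -not ($types -contains 'TpmPinStartupKey')

        # ProtectionStatus 'Off' on a fully encrypted volume is the suspended
        # state used for patching (Suspend-BitLocker -RebootCount N): the
        # volume key is stored in the clear until protectors are resumed.
        $suspended = ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     ($vol.ProtectionStatus -eq 'Off')

        [pscustomobject]@{
            MountPoint          = $vol.MountPoint
            VolumeStatus        = $vol.VolumeStatus
            ProtectionStatus    = $vol.ProtectionStatus
            Protectors          = ($types -join ',')
            TpmOnly             = $tpmOnly
            ProtectorsSuspended = $suspended
        }
    }
}

function Test-SetupShiftF10Disabled {
    # Assumption: Microsoft's documented tag file for later Windows 10 Setup
    # builds; its presence suppresses the Shift+F10 command prompt in Setup.
    $tag = Join-Path $env:windir 'Setup\Scripts\DisableCMDRequest.tag'
    return (Test-Path -LiteralPath $tag)
}

# Report: table of volumes, then warnings for the risky conditions.
$report = Get-BitLockerExposure
$report | Format-Table -AutoSize

$report | Where-Object { $_.ProtectorsSuspended } | ForEach-Object {
    Write-Warning "Protectors suspended on $($_.MountPoint); resume with Resume-BitLocker -MountPoint $($_.MountPoint)"
}
$report | Where-Object { $_.TpmOnly } | ForEach-Object {
    Write-Warning "$($_.MountPoint) uses TPM-only unlock; consider Add-BitLockerKeyProtector -TpmAndPinProtector"
}
if (-not (Test-SetupShiftF10Disabled)) {
    Write-Warning 'DisableCMDRequest.tag not present; Shift+F10 in Setup is not suppressed (if your build supports the tag)'
}
```

Run from an elevated PowerShell session; Get-BitLockerVolume requires administrator rights.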
One of the basic rules of all engineering, but especially software, is that most bugs are a result of genuine oversight, not incompetence. In the case of Windows, which is a massively complex concoction, it is not a surprise when something weird is found. The test in these circumstances is how much effort the organisation who made the mistake puts into resolving it, not how bad the mistake is.
... it used to be shift + F8.
Which is why I never stopped putting important information in veracrypt containers.
Physical access = root
Done.
More like buttlicker, amirite?
But how is this news? You can Shift + F10 to get a CLI using a Windows 10 install disk locally too (written, on Windows 10, at work).
Given that you have to have physical access to the machine to do this then this being an exploit is the least of your worries and your security failed long before the keyboard was touched.
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
So, is that double as in 2 ROT13s of the data?
A user doesn't have to initiate it. Thanks to Microsoft's infinite wisdom, Windows 10 will update automatically whether you like it or not.
It's been a publicised setup feature since at least Windows 2000, Windows XP and Windows Server 2003!
Description of the Windows Setup Function Keys
https://support.microsoft.com/...
You have to be decrypted to start the install process.
According to the summary.