Slashdot Mirror


Holding Shift + F10 During Windows 10 Updates Opens Root CLI, Bypasses BitLocker (bleepingcomputer.com)

An anonymous reader quotes a report from BleepingComputer: Windows security expert and infrastructure trainer Sami Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges. This CLI debugging interface also grants the attacker full access to the computer's hard drive data, despite the presence of BitLocker. The CLI debugging interface is present when updating to new Windows 10 and Windows 10 Insiders builds. The most obvious exploitation scenario is when a user leaves his computer unattended during the update procedure. A malicious insider can open the CLI debugger and perform malicious operations under a root user, despite BitLocker's presence. But there are other scenarios where Laiho's SHIFT + F10 trick can come in handy. For example, when police have seized computers from users who deployed BitLocker or when someone steals your laptop. Windows 10 defaults help police/thieves in this case because these defaults forcibly update computers, even if the user hasn't logged on for weeks or months. This CLI debugging interface grants the attacker full access to the computer's hard drive, despite the presence of BitLocker. The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system. "This [update procedure] has a feature for troubleshooting that allows you to press SHIFT + F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine." Laiho informed Microsoft of the issue and the company is apparently working on a fix.

3 of 138 comments

  1. Oh my god this goes all the way to the top!!!! by Anonymous Coward · Score: 2, Interesting

    Someone tell this guy that launching any Windows install DVD in repair mode allows you to do such amazing things as replace the sticky keys executable with cmd.exe, allowing anybody with physical access to launch a command prompt from the login screen by pressing shift a couple times.
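
A defender's check for the swap described in the comment above, added here as an example and not part of the original thread: it flags logon-screen accessibility programs whose contents are byte-identical to a shell in the same System32 directory, on a live system or a mounted offline volume. The list of accessibility binaries beyond Sticky Keys (`sethc.exe`) and the function name `find_swapped` are assumptions of this example.

```python
import hashlib
import sys
from pathlib import Path

# Programs launchable from the logon screen. The comment names only Sticky Keys
# (sethc.exe); the other entries are an assumption of this example.
ACCESSIBILITY = ["sethc.exe", "utilman.exe", "osk.exe",
                 "magnify.exe", "narrator.exe", "displayswitch.exe"]

def sha256(path):
    """Hash a file in chunks so large binaries are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def find_swapped(system32):
    """Return [(accessibility_name, shell_name)] for byte-identical pairs."""
    root = Path(system32)
    # NTFS names are case-insensitive but a Linux mount of the volume may not be,
    # so index the directory by lower-cased file name.
    files = {p.name.lower(): p for p in root.iterdir() if p.is_file()}
    shells = {}
    if "cmd.exe" in files:
        shells["cmd.exe"] = sha256(files["cmd.exe"])
    ps = root / "WindowsPowerShell" / "v1.0" / "powershell.exe"
    if ps.is_file():
        shells["powershell.exe"] = sha256(ps)
    findings = []
    for name in ACCESSIBILITY:
        path = files.get(name)
        if path is None:
            continue  # not present in this image; nothing to compare
        digest = sha256(path)
        for shell, shell_digest in shells.items():
            if digest == shell_digest:
                findings.append((name, shell))
    return findings

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows\System32"
    hits = find_swapped(target)
    for name, shell in hits:
        print(f"ALERT: {name} is a copy of {shell}")
    sys.exit(1 if hits else 0)
```

A shell copied from a different Windows build will not hash-match the local `cmd.exe`, so a clean result here should be backed by comparing the binaries against known-good hashes for the installed build.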

  2. Re:Something Smells Fishy by Anonymous Coward · Score: 2, Interesting

    Ya, funny how that works, and yet updating takes far, far less time. It makes me think BitLocker is faking the encryption phase. Time to BitLocker a drive and then stick it on a Linux system and see what I can see.

  3. Re:Is this surprising? by Excelcia · Score: 3, Interesting

    Trust has levels, just like risk does. On my new laptop that came with Windows 10, I trust Windows to be my platform for gaming and for doing quick work or to access emails from my use-this-address-for-forum-registrations accounts. There are just times when I'm playing a game and booted into Windows and can't be bothered to switch over to Linux for some relatively trivial other action. But I don't trust it with banking, personal files, or access to my real email server. I don't trust it to hold SSH private keys for logging into any of my Linux servers. And there is no way I'll give my Windows 10 access to my high security files like my KeePass key file or database. I'll put that on my phone before Windows 10 will get it.

    That being said, regardless of the low trust I have in Windows 10, I will not just roll over and let Microsoft update my computer whenever they want to. My computer gets the updates that I choose. I also will not leave my Windows partitions without encryption that precedes Windows in the boot sequence. That will not happen, and no one else should do this either.