Microsoft’s BitLocker is, for all we know, a proper disk encryption software. It encrypts data at rest against attacks originating outside the running system. If you use BitLocker and your computer is stolen while turned off, there is essentially no way of reading data from the disk without having the proper key(s)—your BitLocker PIN, a key file on a USB stick, or both. If an attacker gets access to the machine while it is running, there may be ways of compromising it through Windows or in other ways, but such attacks are clearly outside the scope of disk encryption.
We know, however, another class of attacks against disk encryption: evil maid attacks. This term describes a general strategy rather than a particular implementation. If you leave your computer unattended, let’s say in a hotel room, an attacker, let’s say an evil maid, might manipulate it such that your data will be compromised as soon as you return and provide it with your encryption keys. There are various ways of doing so, for instance installing a hardware keylogger if your keys are based on passwords, or altering the unencrypted boot code to install a Trojan horse that will leak your keys later.
BitLocker is different from other software-based disk encryption products, such as TrueCrypt, in that it supports Trusted Computing technology for added security. If used with a Trusted Platform Module (TPM)—a small chip inside your computer—BitLocker needs not only your key(s) but also another key stored inside the TPM to decrypt your data. First and foremost this implies that stealing just your disk is futile if the target is your data, since without the TPM part of the key will be missing.
But this is not all the TPM does. It also watches the boot process to ensure your system hasn’t been tampered with before releasing its part of the encryption key. This won’t solve the hardware keylogger problem, but many people seem to believe that this would be sufficient to prevent software-based variants of evil maid attacks. After all, you can either boot the unaltered system and get your data encrypted or boot a system that has been tampered with, which will fail to obtain the key from the TPM, right?
Well, almost. BitLocker needs to interact with you, the user, to obtain its keys. As the TPM merely records properties of boot components, it will not prevent the software asking for your keys from being altered, or the altered software from being executed. This means that an attacker can alter code on your computer to obtain your PIN or USB key. The TPM only ensures that the cannot boot right into Windows in its altered state. But if the attacker can get away with a single forced reboot—think bluescreen—the malicious code may remove itself before and just leave your keys somewhere on the disk for later retrieval.
The TPM as it is and as it is being used by BitLocker is therefore not sufficient to fend off evil maid attacks, not even the software-based subset. We discussed such and similar attacks in a paper published earlier this year. Now we also demonstrate the BitLocker version of an evil maid attack in a short video starring two of my Fraunhofer colleagues, Jan and Jan. Hence we call this attack the evil Jan attack.
The evil Jan attack does not imply that the BitLocker is broken as a disk encryption scheme. It does not even imply that the TPM would be entirely useless. Our attack has a particular objective, getting unauthorized access to encrypted data in a targeted attack. We show that this remains quite feasible despite the use of the TPM. Attacks with different objectives and side conditions may still get considerably harder due to Trusted Computing. For instance it seems no longer possible for an attacker with physical access to the computer to install malicious software into the running operating system in a single pass.