Hackers crack Bitlocker – really?

Sorry for being so late on that but I was enjoying the gorgeous weather in Switzerland and was skiing the last few days.

There were claims end of last week that researchers "cracked" Bitlocker. One of the corresponding articles you can find in eWeek.

What did they actually do? Well, they attacked the key that resides in memory. So, they are attacking a running machine. Let's start with looking into the risks. What do you want to achieve with Bitlocker? You want to make sure that if you lose your notebook, nobody is able to access the data on the disk. So, if the system is shut down, the claimed attack does not work anymore. Now, it comes to the states in between. If a machine is in the sleep state, we consider it running, so yes, it is vulnerable to this attack. We can now argue whether it is a good idea that the standard behavior of a Windows Vista machine is going to sleep if you close the lid. As Bitlocker is not enabled by default, I think we can argue around this but it is not optimal if you protect your machine with Bitlocker. If you find a machine in Hibernate, Bitlocker kicks in during the resume and needs the keys – this means a hibernated machine is not vulnerable to the attack.

What does this mean for you? There is an easy countermeasure to all these attacks: Put your machine to hibernation and you are done.

So, if you want more information on this, go to the Windows Vista blog. Last but not least, we published the Data Encryption Toolkit for Mobile PCs and there is a Bitlocker chapter in it, which you might want to read if you use it.

I am using Bitlocker with TPM – and Hibernation


Comments (4)

  1. Anonymous says:

    Hi Shoaib,

    thank you (as always) for your feedback. If I think about the thread of being able to read the memory let’s say 3-5 minutes after I hibernated. This would mean that I hibernate, somebody immediately steals my notebook and immediately is able to reag my RAM. Is this really the biggest risk you want to address? If you are in the intelligence business, this might be it. If you are in the commercial sector – I doubt it


  2. Shoaib Yousuf says:

    Hi Roger,

    Good to see you back. It seems like you had a great time.

    Excellent comments, I was reading an excellent post by SANS Security team – Dshield: http://www.dshield.org/diary.html?storyid=4006.

    In this post they have mention the abstract of the white paper released which states: "Contrary to popular assumption, DRAMs used in most modern computers retain their contents for seconds to minutes after power is lost, even at operating temperatures and even if removed from a motherboard…"

    If attacker has physical access even if you shut down your notebook – keys can still be restored.

    What your comments on it?



  3. Shoaib Yousuf says:

    Hi Roger,


    True, end of the day it all matters how valuable data you are carrying?



  4. portugalvaloda@gmail.com says:

    I don't think anyone gives a twinkie where you were skiing

Skip to main content