Windows 10 Anniversary Update – BitLocker Bypass Warning

If your Windows 10 PC tells you there is an update pending, it might be the Windows 10 Anniversary Update (as far as I could see, you cannot distinguish it from any other update until it has been applied).

If it is, make sure your laptop is physically secure, because the update disables BitLocker!


Following the principle of responsible disclosure, I reported the issue to Microsoft (4th August 2016)…

I am sending you this email about a Windows 10 laptop on which BitLocker security was bypassed.

Configuration

  • Windows 10;
  • BitLocker;
  • Dell TPM;
  • BitLocker protection with PIN switched to on.

Every time I switch my PC on, I am prompted for the BitLocker PIN.  Good.

Scenario

Yesterday, I turned my PC off, and it decided to apply the latest Windows updates [anniversary update]. The updates were applied, the PC switched off, and I put the machine away for the night.

Today, I turned the PC on and was ready to type my BitLocker PIN in.

HOWEVER, it went straight to a screen saying “applying security updates”.

During this it re-booted twice.

Then I was taken to the Windows 10 logon screen. From here I could log in and access my files.

The BitLocker PIN protection was thus completely bypassed.

Please let me know if you need any further information to investigate this.

I was quite surprised by Microsoft’s reply…

RE: BitLocker Bypass TRK:0189001958

Thank you for contacting the Microsoft Security Response Center (MSRC).  During an upgrade scenario [there] is a known issue and the team is aware of it.  The scenario is very specific and unlikely.

Which then went on to say it’s not really a proper vulnerability:

For an in-depth discussion of what constitutes a product vulnerability please see the following:

“Definition of a Security Vulnerability”
<https://technet.microsoft.com/library/cc751383.aspx>

I’ll let Cyber Matters readers judge…

Just because the scenario is unlikely, does that mean it is not a vulnerability?

In summary, I switched my PC off, it decided to apply the updates, and the next day it rebooted into user mode without me needing to enter the BitLocker PIN.

Does that seem like a vulnerability to you?

Advice: If applying the Windows 10 Anniversary Update, make sure your machine is physically secure during the entire process.

Underlying Concern

What is more of a concern is the implication that software – the operating system in this case – is able to control the PIN protection backed by the TPM. So what is to stop malware of some form undertaking the same task, enabling an attacker to disable boot protection just before stealing a machine?
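As an added defender’s check (not code from the original post), the PowerShell below reports the suspended state the upgrade leaves the OS drive in and, with -Resume, re-enables the protectors so the PIN is asked for again at the next boot. It assumes the BitLocker module’s Get-BitLockerVolume / Resume-BitLocker cmdlets and an elevated prompt; the function name and the -Resume switch are my own.

```powershell
# Added example, not from the original post. Requires an elevated prompt and
# the BitLocker PowerShell module (Get-BitLockerVolume / Resume-BitLocker).
[CmdletBinding()]
param(
    [switch]$Resume   # hypothetical switch: resume protection where suspended
)

function Get-SuspendedOsVolume {
    # A fully encrypted volume whose ProtectionStatus is 'Off' is not decrypted:
    # its key protectors are suspended and a clear key stored on the disk
    # unlocks it at boot, so no TPM+PIN challenge is presented.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeType -eq 'OperatingSystem' -and
        $_.VolumeStatus -eq 'FullyEncrypted' -and
        $_.ProtectionStatus -eq 'Off'
    }
}

# Inventory: which protectors exist and whether a pre-boot PIN is among them.
foreach ($vol in Get-BitLockerVolume) {
    $types  = ($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ', '
    $hasPin = $vol.KeyProtector.KeyProtectorType -contains 'TpmPin'
    Write-Host ('{0} {1} protection={2} protectors=[{3}] pre-boot PIN={4}' -f
        $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $types, $hasPin)
}

$suspended = @(Get-SuspendedOsVolume)
if ($suspended.Count -eq 0) {
    Write-Host 'No OS volume has suspended BitLocker protection.'
    exit 0
}

foreach ($vol in $suspended) {
    Write-Warning ('{0}: protectors are suspended; the next boot will not ask for the PIN.' -f
        $vol.MountPoint)
    if ($Resume) {
        # Resume-BitLocker removes the clear key and re-seals the volume key
        # to the configured protectors (TPM+PIN here).
        Resume-BitLocker -MountPoint $vol.MountPoint | Out-Null
        $after = (Get-BitLockerVolume -MountPoint $vol.MountPoint).ProtectionStatus
        Write-Host ('{0}: protection resumed (status now {1}).' -f $vol.MountPoint, $after)
    }
}
# Non-zero exit so a scheduled task or monitoring agent can flag the state.
exit 1
```

Run it as a scheduled task after any feature update (or on every boot) to catch a drive that was left with its protectors suspended rather than resumed.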

Now, I’m not a disk encryption expert, but I know some Cyber Matters readers are. Is this a common problem with all disk encryption products, or is that threat model unique to Microsoft BitLocker?