Why is BitLocker activation alone not enough?

Against the backdrop of growing threats to corporate data, hard drive encryption is no longer an option, but a necessity. BitLocker, Windows' built-in encryption tool, provides robust protection for data on hard drives. To manage BitLocker encryption centrally, many organisations rely on Microsoft BitLocker Administration and Monitoring (MBAM).

It offers a user-friendly interface and helpful tools for setting up and monitoring BitLocker encryption. However, with the announced and timely discontinuation of extended support for the MBAM tool, many organisations are looking for efficient and reliable alternatives to manage their hard drive encryption. In addition, a popular configuration of Microsoft BitLocker, namely the sole use of a TPM chip, turned out to be insecure.

In this blog article, we would like to show you alternatives to the MBAM tool and discuss an alarming attack on encrypted hard drives using TPM as well as mitigation strategies.

A. MBAM IS A SOLID FOUNDATION, BUT WHAT COMES NEXT?

MBAM has proven itself when it comes to managing hard drive encryption. Users appreciate the detailed reporting functions, the simple recovery of keys and the seamless integration into the existing Windows infrastructure. But what happens when MBAM reaches the end of its life cycle - the so-called "End of Life" (EOL)? 

Regular support for MBAM ended on 9 July 2019. Since then, there has been the option of extended support from Microsoft, but this option only offers a limited respite. Extended support continues to guarantee security through important updates, but does not provide any new patches or functions. However, the problem of future-proofing and expandability still remains. Microsoft has extended Extended Support one last time until April 2026, after which it will finally come to an end.

B. ALTERNATIVES: MICROSOFT INTUNES, MICROSOFT SCCM AND OTHERS

In addition to MBAM, there are other solutions for managing BitLocker, including tools such as Microsoft Intunes and System Center Configuration Manager (SCCM). Intunes offers a simplified, user-friendly interface, while SCCM is known for its deep integration into the Windows environment and extensive management options.

Each alternative has its pros and cons, which makes choosing the right solution a strategic decision.

SCCM is complex and not easy to implement, especially if you only want to use the BitLocker management option. Intunes is chargeable and can only be obtained from the cloud. Both alternatives represent an option for continuation, but the decision is not easy.

C. THE COMFORT QUESTION: TPM AS BITLOCKER PROTECTOR

Regardless of the management solutions mentioned, the Trusted Platform Module (TPM) is a widely used option for BitLocker users and administrators to protect the keys. It stores the keys securely and ensures a transparent user experience, as encryption takes place in the background on devices equipped with a TPM without the need to enter additional passwords. This convenience is often seen as a major advantage, but what about security?

D. THE PHYSICAL ACHILLES HEEL?

As secure as the TPM may be in many scenarios, there are attacks that rely on physical access and can compromise a TPM even with simple means. Research and practical attacks have shown that encryption can be bypassed with inexpensive hardware and the corresponding expertise. This poses a serious threat to security and should be a wake-up call for those who rely solely on TPM-based BitLocker protection mechanisms.

Let's take a look at recent events on this topic: Recently, an IT security researcher published a new attack strategy against Bitlocker-encrypted systems with TPM. Part of this publication was not only the open source software that can read the key to Bitlocker from a TPM, but also the fact that the researcher designed a hardware module based on a RaspberryPi Pico specifically for this purpose and published the schematic drawings for it. The combination of the two makes it easy for third parties to carry out this attack themselves.

Before publication, the attack vector was already known, but it was assumed that a great deal of knowledge and time was required to successfully carry out this type of attack. This has now changed!

By using the published tools, it is possible to read a Bitlocker key from a modern Lenovo laptop in under 60 seconds.

E. THE ATTACK SCENARIO

Bitlocker uses the built-in TPM chip to securely store keys. To make an encrypted hard drive readable, the key must be transferred from the TPM to the CPU. To do this, certain values are checked and if successful, the key is transmitted. This is exactly where the attack vector comes in.

In order to intercept data between the CPU and the TPM chip, contacts would have to be soldered to a specific data line in the mainboard and an attempt made to record the data traffic.

Unfortunately, many modern laptops have these data lines routed out of the mainboard to the housing for debugging options. Using the hardware mentioned above, it is possible to tap these lines and read the Bitlocker key using the modified RapsberryPi Pico without having to pull out a soldering iron or make any other changes to the laptop. The signals and the key are transmitted in plain text, which simplifies the process considerably.

F. Quo Vadis?

The question that arises is: how to deal with the growing risk and what strategies should be used to effectively defend against both current and future threats? While TPM seems promising for day-to-day protection and usability, it is essential to be aware of the limitations and integrate additional layers of security. 

With technological advances and the ever-changing threat landscape, organisations need to be proactive and prepare for a future that demands more than just basic encryption management.

G. IS THERE A SAFER WAY?

When it comes to the security of data on the hard drives of your company devices, the combination of a Trusted Platform Module (TPM) and a Personal Identification Number (PIN) is often favoured as one of the most secure options. By adding a PIN to the hardware-based encryption of the TPM, an additional level of authentication is created that significantly increases the level of security. The PIN serves as a "something you know" factor which, in conjunction with the "something you have" factor of the TPM, provides stronger protection against unauthorised access.

H. THE CHALLENGE OF USER-FRIENDLINESS AND QWERTY

The implementation of TPM in combination with a PIN seems to be a robust security concept at first glance, but there are practical challenges that need to be considered. One of these concerns the user experience during pre-boot authentication (PBA), where users are prompted to enter their PIN. A common hurdle is the English keyboard layout used during PBA, which can cause problems for users as they work with different keyboard layouts. Confusion when entering the PIN due to keyboard differences can lead to failed attempts and frustration.

I. COMPLEX IMPLEMENTATION IN COMPANIES

Another challenge is the scalability and management complexity of rolling out TPM plus PIN to large organisations. Setting a PIN requires individual actions from each end user, making the process tedious and time-consuming. In addition, IT teams need to ensure that users do not forget their PINs and that there is an efficient recovery procedure in the event of forgetting or loss.

J. JUST ANOTHER PASSWORD

Last but not least, the use of an additional PIN brings with it the problem of users having to memorise another password - something that can become a significant security risk in this day and age of password overload. This makes password management more complicated and users may be inclined to choose simple or recurring PINs, which would undermine the security benefit.

K. Level up

DriveLock offers functions for the use of TPM+PIN that accompany the user during rollout. As an administrator, you specify a central password policy and the user is prompted to select a password or PIN during rollout. Very simple and guided.  

Even zero-touch deployments are possible. This allows your system management solution to do its work and provision a new system and only when the end device is delivered to the user is the extended protection activated by TMP + PIN.

L. LESS IS SOMETIMES MORE - THE WAY OUT OF THE PASSWORD TSUNAMI

DriveLock Pre-Boot Authentication offers even more convenient functions. It is multi-user capable and allows users to use their individual Windows ID to authenticate themselves. Single Sign-On to Windows is also possible, which prevents duplicate password entry. For even more security, smartcards or tokens, such as the Yubikey, can be used as a second factor.

M. FORGOTTEN PASSWORDS AND ROTATING KEYS

No matter whether Microsoft or DriveLock PBA. If a user forgets their password, DriveLock provides you with comprehensive recovery options.  

For example, if the end user needs the BitLocker recovery key, this is automatically replaced after a successful login and the next time the server is contacted. This prevents the recovery key from being exploited.

N. „Friendly Takeover“ 

If you already have a large number of encrypted systems, the question of migration inevitably arises. DriveLock can easily take over systems. The impact on the user varies depending on the protector used. 

If TPM alone is used as a protector, the end user will not notice the takeover at all. If TPM and PIN are used, the user is only prompted to enter a new password. This would also be the case when switching from TPM to TPM+PIN. 

When switching to DriveLock PBA, this is activated and the login data of the user currently logged in is automatically synchronised to the PBA user database during this process.

o. DRIVELOCKS BITLOCKER MANAGEMENT - DIE BESSERE ALTERNATIVE

With the discontinuation of support for the Microsoft BitLocker Administration and Monitoring (MBAM) tool, many organisations are looking for efficient and reliable alternatives to manage their hard drive encryption. DriveLock is one such alternative that seamlessly and effectively takes over their BitLocker management.

In this blog article, we have highlighted the key features and benefits of DriveLock and how this tool enables a smooth transition from MBAM and other solutions, while simplifying management and maintaining or even increasing security standards. With DriveLock BitLocker Management, complexity meets simplicity and security does not come at the expense of user-friendliness.