BitLocker Password Exploit Is 'Very Unlikely,' Sisk Says

Redmond responded Tuesday to an independent security vendor's discovery of a hard-drive encryption vulnerability affecting Microsoft's BitLocker function, Intel/HP's BIOS and several other products and programs.

Microsoft acknowledged the threat, which was described by representatives of Kolkata, India-based iViZ at the Defcon 16 event. Redmond offered some explanations and workarounds.

"We recognize that the claim detailed in the presentation by the researcher about BitLocker is correct," wrote Bill Sisk, security response communications manager for Microsoft, in an e-mail sent today. "This theoretical attack is only possible in targeted situations, and while probable, [it's] very unlikely."

Sisk's comments come as a retort to an announcement on Monday from iViZ, a security penetration testing company. iViZ said that it had discovered a new class of a preexisting vulnerability that allows attackers to steal computer boot passwords. The exploit bypasses the security of preboot authentication software, such as Microsoft's BitLocker hard-disk encryption tool.

The premise of iViz's argument lies in the fact that programmers who might be unaware of such bugs tend to code boot password features in a way that doesn't expunge critical information from the hard drive. It's a circumstance that could lead to "inadvertent leakage and theft," according to the company's announcement. Even the most thorough hard-drive encryption scheme may not be able to block this vulnerability.

To that end, Sisk added that the software giant has addressed such issues in Windows Vista Service Pack 1, and he encouraged "customers to update their systems accordingly."

BitLocker, first released in January 2007, is designed to guard personal and private data on mobile PCs. It comes with other protection options that can be customized to meet the needs of various end users.

"Like all full volume encryption products BitLocker has a key-in memory when the system is running in order to encrypt/decrypt data, on the fly, for the drive/s in use," wrote Sisk. "If a system is in 'Sleep mode' it is, in effect, still running."

In that vein, Microsoft encourages IT pros concerned about such bugs to consult best practices on data encryption in BitLocker, previously published by Redmond here.

Among other things, Microsoft's guidance expounds on the balance of security and usability when using BitLocker in hibernate mode.

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.

Featured

  • digital illustration of a glowing padlock at the center, surrounded by abstract icons of books and graduation caps

    2025 Cybersecurity Predictions for K-20 Education

    What should K-12 and higher education institutions expect on the cybersecurity front in the coming year? Here's what the experts told us.

  • glowing AI text box emerges from a keyboard on a desk, surrounded by floating padlocks, warning icons, and fragmented shields

    Study: 1 in 10 AI Prompts Could Expose Sensitive Data

    Nearly one in 10 prompts used by business users when interacting with generative artificial intelligence tools may inadvertently disclose sensitive data, according to a study released by data protection startup Harmonic Security Inc.

  • Stock market graphs and candlesticks breaking apart with glass-like cracks

    Chinese Startup DeepSeek Disrupts AI Market

    A new low-cost Chinese artificial intelligence model is wreaking havoc in the technology sector, with tech stocks plummeting globally as concerns grow over the potential disruption it could cause.

  • Abstract widescreen image with geometric shapes, flowing lines, and digital elements like graphs and data points in soft blue and white gradients.

    5 Trends to Watch in Higher Education for 2025

    In 2025, the trends shaping higher education reflect a continuous transformation of the higher education landscape to meet the changing needs of students and staff, while maintaining sustainable and cost-effective institutional practices.