Archive
Passware release Bitlocker/Truecrypt Decryption Tool
Following on from my post “10 Things You Don’t Want To Know About Bitlocker”, “TPM Undressed” and “Firewire Attacks Revisited” it recently came to my attention that Passware, Inc. A feisty California company has released a version of their forensic software which will decrypt Bitlocker and TrueCrypt protected hard disks via the classic Firewire vulnerabilities.
A full write-up can be found on the Passware site, but simply, given a machine that’s running, but has encrypted drives (for example one using Bitlocker in TPM-only mode, or a machine which is suspended, not hibernated). As to how to do it, well they have implemented the exploit in a very neat and usable way:
Firewire Attacks Revisited
For those who follow these kinds of things, you’ll remember that back in 2004 an enterprising group of people (Maximilian Dornseif, Michael Becher, and Christian Klein) gave a series of talks on how to bypass many kinds of computer security using the FireWire ports. This attack, though obvious from reading the specification of the Firewire / i.LINK / IEEE 1394 bus, simply used a computer acting as a “rogue” device to read and modify any memory location on a target PC.
Yes, ANY memory location, and that’s quite supported, even required by the FireWire/iLink specification, which needs direct-memory-access for some devices (like iPODs) to function.
Enterprising people have written attacks that use this “exploit” to get around encryption products, and locked workstations on Mac, Linux and PC.
Who?
 | EVP Cyber Product Innovation for Mastercard. Formally the Chief Technology Officer for Intel Secure Home Gateways, CTO for McAfee Enterprise Endpoint, CTO McAfee Innovation team, and Founder/CTO SafeBoot Corp. |
Simon Says - Musings of a Technology CTO 
Comments