Full-disk encryption is viewed by some enterprises as a cure-all for laptop security. Many organizations require that at least some systems be encrypted – especially those used by individuals who might have access to sensitive and/or proprietary information. Taking things a step further, many organizations are moving towards a model where all of their corporate-owned laptops are encrypted by default.
When full-disk encryption is deployed, it is often assumed to be a black-box panacea for all data security issues. Like any tool or system designed for security, however, full-disk encryption is by no means bulletproof. Unfortunately, full-disk encryption is often implemented but rarely verified or tested. The vulnerabilities, configuration oversights and potential weaknesses of different technologies and implementations are only infrequently discussed and, worse still, are rarely understood.
Terry Gold caught up with Tom Kopchak, a security researcher with Hurricane Labs, who demonstrated at Security BSides in Las Vegas how he was able to subvert a popular full-disk encryption product in just a few minutes. Tom states that he did this because “one of our customers was interested in having us evaluate the security of their full disk encryption deployment as part of their regular penetration test schedule.”
Multi-factor authentication solutions, such as smart cards, can be used in conjunction with full-disk encryption for a better, more secure solution.
What were you expecting to find going into this engagement?
I did not necessarily expect there to be any groundbreaking findings for this test, as the prospects of gaining access to a fully encrypted machine without any ancillary information seemed very unlikely. I am confident that anyone in my position who had been asked to do the same testing would have felt similarly.
What were your initial thoughts on strategy and how did you decide to approach the test?
The objective of the penetration test was to simulate an attack on my client’s encrypted data and ultimately see if and how I could be successful in decrypting it given the controls that they had in place. I decided to approach the entire penetration test as a forensic investigation. This was done to preserve the original state of the machine as evidence, which proved to be a critical step in the overall success of my work.
Before we get into details, can you highlight your technical approach?
Using drive images and a forensic write blocker, I was able to use several hard drives to create physical snapshots of the machine. After the initial drive image, the source drive remained untouched – and for all intents and purposes uncompromised. All of my work was performed on a series of scratch disks.
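The image-once, verify, work-on-copies workflow described in this answer, written out as an added example (not the interviewee's own tooling). It stands in a constructed sample file for the write-blocked source device; the directory layout and function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: forensic-style acquisition as described in the interview.
# The source is imaged once, source and image are hashed and compared, and all
# later work happens on scratch copies so the master image is never modified.
# A constructed random file plays the part of the write-blocked source device.
set -eu

WORK=$(mktemp -d)

# Constructed sample evidence (stands in for the laptop's encrypted disk).
# Size is a multiple of the dd block size so conv=sync adds no padding.
make_sample_source() {
    head -c 65536 /dev/urandom > "$WORK/source.img"
    printf '%s\n' "$WORK/source.img"
}

# Image SRC to DST, then hash both and compare. Prints the SHA-256 of the
# verified image; returns non-zero if the image does not match the source.
acquire_and_verify() {
    src=$1; dst=$2
    dd if="$src" of="$dst" bs=4096 conv=noerror,sync 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    dst_hash=$(sha256sum "$dst" | cut -d' ' -f1)
    [ "$src_hash" = "$dst_hash" ] || { echo "image mismatch" >&2; return 1; }
    printf '%s\n' "$src_hash"
}

# Create a scratch copy from the verified master and make the master read-only,
# so every experiment runs against a copy, never against the evidence.
make_scratch() {
    master=$1; scratch=$2
    cp "$master" "$scratch"
    chmod a-w "$master"
}

# Re-hash a file and confirm it still matches the hash recorded at acquisition.
verify_unchanged() {
    file=$1; recorded=$2
    [ "$(sha256sum "$file" | cut -d' ' -f1)" = "$recorded" ]
}
```

Running `verify_unchanged` against the master at the end of the engagement gives the same evidence-integrity check a forensic examiner would document.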
And ultimately, what did you find?
Well, I was able to accomplish the objective. Further, I was able to take it from several hours down to just a few minutes. Also, moving away from reliance on knowledge-based credentials for Windows login, such as passwords, can mitigate the attack. In part, going with a hardware token with PKI could have helped stop this particular attack.
Tell us how you simulated the attack.
The first stage of the test was reconnaissance; much like an actual attacker would approach an unfamiliar machine that they had obtained…..