All an attacker need to do is hold SHIFT+F10 during Windows 10 update procedure.
Security researcher Sami Laiho discovered this simple method of bypassing BitLocker, wherein an attacker can open a command-line interface with System privileges just by holding SHIFT+F10 while a Windows 10 PC is installing a new OS build.
The command-line interface (CLI) then grants the attacker full access to the computer's hard drive, even when the victim has enabled BitLocker disk encryption feature.
Learn Insider Threat Detection with Application Response Strategies
Discover how application detection, response, and automated behavior modeling can revolutionize your defense against insider threats.Join Now
Laiho explains that during the installation of a new build (Windows 10 upgrade), the operating system disables BitLocker while the Windows PE installs a new image of the main Windows 10 OS.
"The installation [Windows 10 upgrade] of a new build is done by reimaging the machine and the image installed by a small version of Windows called Windows PE (Preinstallation Environment)," Laiho says in his blog.
"This has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt. This sadly allows for access to the hard disk as during the upgrade Microsoft disables BitLocker."
Windows 10 in-place upgrades make this Issue Easy to Exploit
The SHIFT+F10 feature has existed with earlier versions of Windows as well, and could also be used to bypass BitLocker on Windows 7 and 8, but the feature has become a real flaw only with the advent of Windows 10's in-place upgrades.
The attacker needs physical access to the target computer during a relatively short time frame, bypass BitLocker encryption, and then gain administrator access to the device – the issue that may also affect Internet of Things (IoT) devices running Windows 10 as well.
Why is this worrying? Most of you have a bad habit of leaving your PC unattended during the Windows OS update procedure. It's also because Windows updates take very long to get installed.
During this time, any insider or threat actor (known or unknown to you) can open the CLI debugger interface and perform malicious tasks with the user admin privileges, despite BitLocker's presence, and that too without the need of any additional software.
"The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine," Laiho adds. "And of course that this doesn't require any external hardware or additional software."During his tests, Laiho successfully brought up the CLI troubleshooting interface while performing an update from Windows 10 RTM to version 1511 (November Update) or version 1607 (Anniversary Update), and during updates to any newer Windows 10 Insiders Build, up to the end of October 2016.
You can also watch the video demonstration of this attack on Laiho's blog.
Laiho informed Microsoft of the issue, and the company is working on a fix.
How to Mitigate this Issue?
As some countermeasures, Laiho recommended users not to leave their PCs unattended during the update procedure.
The Windows security expert also advised users to remain on Windows 10 LTSB (Long Time Servicing Branch) versions for the time being, as the LTSB versions of Windows 10 does not automatically do upgrades.
Windows 10 users with System Center Configuration Manager (SCCM) can block access to the command-line interface (CLI) during Windows update procedures by adding a file name DisableCMDRequest.tag to the %windir%\Setup\Scripts\ folder.