Windows 10 Leak Lets Attacker Bypass BitLocker and Gain Administrative Privileges

Windows expert Sami Laiho writes that he has found a vulnerability in Windows 10 that allows a local attacker to bypass BitLocker encryption and gain administrative access. Microsoft has since released a patch.

Laiho reports on his blog that his method has to do with so-called ‘feature updates’ of Windows 10, which, for example, include the Anniversary Update and updates to new Insider builds. These updates are implemented by creating an image and installing it using Windows’ pre-installation environment, Laiho said. During this process it is possible to get to the command prompt via the already known key combination shift and f10. In this way, an attacker can access the files on the hard drive, which are normally encrypted by BitLocker. In addition, this method provides System-level access, which is intended for administrators only.

In an accompanying video on the blog, Laiho shows an example of how he replaces the stickykey command, sethc.exe, with the command prompt during the update. As a result, before logging into his restricted account, he can access a command prompt with administrator privileges by pressing shift five times. That’s normally the way to activate Sticky Keys. This way he can add his account to the local administrators.

According to Laiho, the method can be used by an attacker who only has to wait for the next update or access the Insider program. He states that use of the vulnerability can be prevented by not performing unattended updates and by ‘monitoring closely’ the Insiders. Another possibility is to use an ltsb version of Windows. However, this does not seem to be the most workable option, as this version has certain limitations. Laiho states that this method should work from Windows 7, but that the ‘in-place’ way of updating does not exist with that version.