This is a little silly because this assumes that BitLocker is configured for TPM-only rather than requiring a TPM PIN/password.
If there's a TPM password, this attack becomes infeasible because the TPM won't release the keys without the password. And you generally can't brute force the TPM without triggering the hardware lockout.
The company's IT department can require TPM+Password in Group Policy so that every system in the organization uses TPM+Password, but I guess you could have a stubborn CEO who demands a less secure policy.
As of Windows 8, it was possible to replace ciphertext on a BitLocker-encrypted drive to compromise known Windows binaries.[0] This would allow the attacker to take control of the system on next boot, though I don't know if those attacks are still practical.
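As an added example (not code from anyone in this thread): a PowerShell audit that reports whether the OS volume is protected by a TPM-only key protector (the configuration the comment above calls silly), whether the BitLocker policy actually requires a startup PIN, and whether the TPM has entered its dictionary-attack lockout. Cmdlet and property names come from the built-in BitLocker and TrustedPlatformModule modules; the `HKLM\SOFTWARE\Policies\Microsoft\FVE` values are the ones the "Require additional authentication at startup" policy writes; the function names and the remediation helper are my own and assume local administrator rights.

```powershell
# Added example: audit BitLocker protector type, PIN policy and TPM lockout state.
# Requires: Windows 8+/Server 2012+, BitLocker and TrustedPlatformModule modules, admin rights.

function Get-OsVolumeProtectorSummary {
    # Find the operating-system volume and list its key protectors.
    $os = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    if (-not $os) { throw 'No BitLocker-managed operating system volume found.' }

    $types = @($os.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    # "Tpm" alone means the TPM unseals the key with no user secret;
    # "TpmPin" / "TpmPinStartupKey" mean a PIN is required before the TPM will release it.
    $tpmOnly = ($types -contains 'Tpm') -and -not ($types | Where-Object { $_ -like 'TpmPin*' })

    [pscustomobject]@{
        MountPoint          = $os.MountPoint
        ProtectionStatus    = $os.ProtectionStatus      # On / Off
        ProtectorTypes      = ($types -join ', ')
        TpmOnly             = $tpmOnly
        HasRecoveryPassword = ($types -contains 'RecoveryPassword')
    }
}

function Get-BitLockerPinPolicy {
    # UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow (unset = no policy applied).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $useTpmPin = if ($null -ne $p -and $null -ne $p.UseTPMPIN) { [int]$p.UseTPMPIN } else { $null }
    [pscustomobject]@{
        AdvancedStartupEnabled = ($null -ne $p -and $p.UseAdvancedStartup -eq 1)
        UseTPMPIN              = $useTpmPin
        PinRequiredByPolicy    = ($useTpmPin -eq 1)
    }
}

function Get-TpmLockoutState {
    # A locked-out TPM is a signal worth alerting on: it means someone has been
    # feeding it wrong authorizations, which is what a guessing attempt looks like.
    $tpm = Get-Tpm
    [pscustomobject]@{
        TpmPresent   = $tpm.TpmPresent
        TpmReady     = $tpm.TpmReady
        LockedOut    = $tpm.LockedOut
        LockoutCount = $tpm.LockoutCount
        LockoutMax   = $tpm.LockoutMax
    }
}

function Set-TpmPinProtector {
    # Remediation helper (my own, not a Microsoft cmdlet): replace a TPM-only
    # protector with TPM+PIN. Only one TPM-based protector may exist at a time,
    # so the bare TPM protector is removed first. Refuses to run without a
    # recovery password protector, so a forgotten PIN does not brick the volume.
    param([Parameter(Mandatory)][string]$MountPoint,
          [Parameter(Mandatory)][securestring]$Pin)

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        throw "Add and escrow a RecoveryPassword protector for $MountPoint before changing the TPM protector."
    }
    $tpmProtectors = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }
    foreach ($kp in $tpmProtectors) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    Get-OsVolumeProtectorSummary
}

# Usage: run the three reports; a TpmOnly = True result with PinRequiredByPolicy = False
# is exactly the gap the thread is discussing.
Get-OsVolumeProtectorSummary | Format-List
Get-BitLockerPinPolicy      | Format-List
Get-TpmLockoutState         | Format-List
# To remediate a single machine after escrowing its recovery password:
# Set-TpmPinProtector -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New startup PIN')
```

The policy check and the protector check are deliberately separate: Group Policy can say "require PIN" while a machine encrypted before the policy arrived still carries its original TPM-only protector, so fleet reporting should key on the protector type actually present on the volume rather than on the policy alone.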
If someone has this level of access and time with the device, implanting a bug and/or setting up a fake machine shouldn't be difficult.
How many here would recognize that Evil Maid has swapped out your work machine with an identical model? It would be rigged to boot into an identical login screen and send your password back to the guy with the real laptop. That's what happens when everyone has the same shiny new machines (Apple). Give me a machine with a few scratches and custom boot screen.
That's true, but the victim would immediately recognize something wrong when they boot into their system and find that none of their files are there and they're not connected to their company's VPN.
At that point, it's a race between how quickly the attackers can exploit temporary access to the CEO's network resources and how quickly the CEO and their IT folks figure out that they need to cut off the stolen laptop's network access and user credentials.
Just show an error message--ideally one that implies there was no connectivity at all (e.g. "We can't sign you in with this credential because your domain isn't available."). That way, if the user happens to contact IT, they won't think there is anything anomalous about the lack of logged attempts.
Ha, that's what I did decades ago in school with a fake login screen. When the password has been logged, just read c:\con\con, crash the machine, and it reboots into the real login screen.
You don't need login to succeed, just fail convincingly.
Remote desktop with an HDMI (LVDS?) capture card, so that everything is in place. Alternatively, network mount the SSD once you get the encryption key and boot from that, syncing the blocks on demand. You can even show the 'installing updates' screen to do the HDD sync while it's 'updating'. No wifi connection? No problem - the planted one has an internal 5G modem.
Not if you give one of the thousands of errors Windows loves to give. There's one where, when you log in, all your user profile stuff is gone! People are very used to Windows breaking.
That moment when the CEO is back in the hotel room and realizes he just authenticated to a laptop that was not his would be an ideal moment for the assassin who looks very similar to him to exit the hotel bathroom, pop the CEO, dress in his clothes, and proceed to the bank for wire transfer shenanigans.
Huh, this actually raises a very good point. We need a mechanism to verify that the machine itself is legitimate before the user interacts with it. Maybe some sort of QR code containing the current time signed by the TPM that could be verified by the user's phone?
If you break the display, they will be less likely to discover it. They will be more concerned with trying to find a cable to hook it up to an external display, buying you time. If you make it power off at intervals, they will assume it was damaged, not replaced.
> I guess you could have a stubborn CEO who demands a less secure policy.
More common than one would think. Also, more common than one would hope: CEOs who insist on their favorite MacBook Pro, which they share with family. :-)
> This is a little silly because this assumes that BitLocker is configured for TPM-only rather than requiring a TPM PIN/password.
That is how, like, half the world is doing it.
The level of pain to reset the TPM password when 1% of your company forgets their password after each holiday / weekend drinking / password change on Friday / because they're late for a meeting is just too high.
Yes, EFS[0] works on a per-user basis. But it runs at the filesystem level and doesn't protect system binaries, so it's weaker than BitLocker, which encrypts the full volume and protects system binaries.
[0] https://cryptoservices.github.io/fde/2014/12/08/code-executi...