31

I have recently lost a USB flash drive that contained some important information. Fortunately, it was protected by Bitlocker. I felt the impulse to ask exactly how secure it is.

Most answers on this site related to Bitlocker seem to be about built-in storage on a computer. This answer says there was a possible cold boot hack. Is it more secure to protect a USB flash drive with Bitlocker, since you cannot use that kind of hack on a USB flash drive?

Also, that answer is 6 years old. There must have been some new developments. With the current technology that Bitlocker uses, do I need to worry that the information on my USB flash drive could be decrypted?

schroeder
  • 125,553
  • 55
  • 289
  • 326
trisct
  • 415
  • 1
  • 4
  • 6
  • 1
    A clarification: a cold boot attack will work on a USB flash drive as well as it will on built-in storage. If either storage device is attached to a running (or sleeping) computer, a cold boot attack could be feasible. If either device is removed from the computer and attacked individually, or if the computer is turned off for a while, a cold boot attack is infeasible on either device. – marcelm Dec 02 '19 at 19:57
  • It *should* be, but bugs in BitLocker or in the storage devices can happen, of course: https://borncity.com/win/2018/11/06/ssd-vulnerability-breaks-bitlocker-encryption/ – caw Dec 04 '19 at 23:14

2 Answers2

38

A cold boot attack is impossible on an offline device. The only way an attacker could use a cold boot attack on your portable storage device is if they also had physical access to your computer as it was plugged in the disk unlocked.

A cold boot attack relies on encryption keys being stored in RAM, and the persistence of that RAM once the computer is hard reset.

In short, you shouldn't worry too much unless there's a nation state after your data. Even then, I'd trust BitLocker unless there's a backdoor.

Richard Hum
  • 723
  • 7
  • 12
  • 15
    If you have some data a nation state wants, you'll worry about the [$5 wrench hack](https://xkcd.com/538/) before they'll bother cracking your xxx-bit encryption. – Nelson Dec 03 '19 at 09:46
19

There are several possible attacks on Bitlocker, and apparently a software is available to the police that supports recovery of the password (but requires sniffing the RAM while the device is mounted and unencrypted).

The primary weakness is the recovery key stored in both AD and the TPM chip - but if your attacker has only the USB stick, those don't apply.

As often, the question cannot be answered with a yes/no answer without knowing your threat model - who do you want to protect yourself against?

Against common cybercriminals, Bitlocker can be assumed secure at this time, at least we know of no attack on a USB stick that is practical.

Against the NSA I wouldn't trust Bitlocker. It would surprise nobody if they had convinced Microsoft to include some backdoor or weakening of the cryptography used or if they knew of a way to unlock the recovery key from the TPM or could simply "convince" your AD admin to give them the key stored there.

Against Mossad, FSB, the like, you are somewhere inbetween and should make your own decision.

Then again, most nation state actors and high-level criminals would probably not bother with defeating the cryptography in your device. They'd simply cut off your fingers or hurt your friends until you remember the password.

Tom
  • 10,201
  • 19
  • 51
  • 1
    Actually I use it to store my passwords for the online accounts I have... not bad enough that every intelligence agency in the world would come for me. Thanks for the scenarios you came up with though. I am sure people here would be interested. – trisct Dec 02 '19 at 08:32
  • And I asked this question originally because I was worried that someone might find it, and take it to data recovery (or simply format it somehow) and find my files or fragments of my files. – trisct Dec 02 '19 at 08:51
  • 18
    "They'd simply cut off your fingers or hurt your friends until you remember the password." [Obligatory XKCD](https://www.xkcd.com/538/) – JFL Dec 02 '19 at 09:22
  • @trisct - to the best of my knowledge, no easy, readily available recovery method exists for Bitlocker encrypted volumes. – Tom Dec 02 '19 at 10:30
  • Yeah, known passwords are generally not any stronger than the kneecaps of whoever knows them. – Delioth Dec 02 '19 at 19:44
  • 3
    @trisct you don't need to worry about a random person **trivially** getting your information after it has been protected by BitLocker. Defeating BitLocker is non-trivial. It is infeasible for most random strangers, even if they have the resources, because it is expensive to spend that kind of time to do something like this to a random USB. TPeople who are in-the-know on security will throw away the random USB. – Nelson Dec 03 '19 at 09:50
  • Related question: Does a bitlocker-encrypted volume contain any information that would give a clue by which computer it had been encrypted? I mean not the OS or bitlocker version, but some installation specific details. Makes a diference between devices stolen deliberately and devices lost randomly. – U. Windl Dec 03 '19 at 21:39