Windows 10

Windows security expert and infrastructure trainer Sami Laiho has discovered a simple method of bypassing BitLocker during the Windows 10 update procedure.

Laiho says that by holding SHIFT + F10 while a Windows 10 computer is installing a new OS build, an attacker can open a command-line interface with SYSTEM privileges.

SHIFT + F10 for the win!!!

This CLI debugging interface grants the attacker full access to the computer's hard drive, despite the presence of BitLocker.

The reason is that during the Windows 10 update procedure, the OS disables BitLocker while the Windows PE (Preinstallation Environment) installs a new image of the main Windows 10 operating system.

"This [update procedure] has a feature for troubleshooting that allows you to press SHIFT+F10 to get a Command Prompt," Laiho writes on his blog. "The real issue here is the Elevation of Privilege that takes a non-admin to SYSTEM (the root of Windows) even on a BitLocker (Microsoft's hard disk encryption) protected machine."

Microsoft working on a fix

Laiho says that he informed Microsoft of the issue and the company's engineers are working on a fix.

During his tests, the Windows 10 security expert says he successfully brought up the CLI troubleshooting interface when performing an update from Windows 10 RTM to version 1511 (November Update) or version 1607 (Anniversary Update).

The CLI also popped up during updates to any newer Windows 10 Insiders Build version, up to the end of October 2016.

How can this be exploited?

The most obvious exploitation scenario is when a user leaves his computer unattended during the update procedure. Windows updates have a reputation of taking ages to install, and in most companies, employees tend to take a break, go out for coffee, or leave the computer to update while they leave for home.

During this time, a malicious insider or threat actor can open the CLI debugger and perform malicious operations under a root user, despite BitLocker's presence.

But there are other scenarios where Laiho's SHIFT + F10 trick can come in handy. For example when police have seized computers from users who deployed BitLocker or when someone steals your laptop.

Windows 10 defaults make this issue easy to exploit

In an email conversation with Bleeping Computer, Laiho reveals that because of certain defaults in Windows 10 configurations, computers might be forced to performed an update, even if a user is not present, or has logged on for a long period of time.

"At some point, every computer that is not managed by WSUS/SCCM or such will force the installation of a new version of Windows," Laiho tells Bleeping Computer. "Microsoft has decided that these will be forced by default."

"So Windows will download and install whether the owner is there or not. When will it happen, that I can’t say for sure, but there will be certain times when this will be more probable based on this [Windows 10 release schedule]. My aim with this blog is to, of course, make sure they fix it before the next big wave hits."

"Based on my contacts about this, the biggest issue is a user who has a limited user account and will use this to elevate himself to an admin," Laiho adds. "This can be done in two ways: either when a real upgrade happens or by social engineering an admin to change his computer to be part of the Windows Insiders program. These upgrades take place even two times in a single week."

Some countermeasures and recommendations

Because of this, Laiho recommends that users not leave their computers unattended during a Windows 10 update and that users remain on Windows 10 LTSB (Long Time Servicing Branch) versions for the time being.

"The LTSB-version of Windows 10 is not affected by this as it doesn’t automatically do upgrades," Laiho said.

Furthermore, Laiho says that Windows SCCM () can block access to the command-line interface during update procedures if users add a file named DisableCMDRequest.tag to the %windir%\Setup\Scripts\ folder.