Microsoft Dismisses BitLocker Threat

Software maker claims vulnerability exposed by researchers unlikely to occur in "real world."
Microsoft claims recent Internet reports about vulnerabilities in its BitLocker security technology are exaggerated.

Windows 7 screen shot
(Click for larger image and for full photo gallery)

"Success comes at a price," wrote Microsoft senior director Paul Cooke, in a blog post Monday. That price, Cooke wrote, includes "greater scrutiny and misinterpretation of some of the technologies. One of those technologies is BitLocker," he said.

BitLocker is a drive encryption system that Microsoft introduced in 2007 with the introduction of Windows Vista. It's also included in some versions of the new Windows 7 operating system, which debuted in October.

Security bloggers, including researchers at Germany's Fraunhofer Institute for Secure Information Technology, in recent days have published reports that PCs and laptops protected with BitLocker could be compromised in certain circumstances.

But Cooke said those circumstances covered scenarios that were highly unlikely to occur in real life.

"This research is similar to other published attacks where the computer owner leaves a computer unattended in a hotel room and anyone with access to the room could tamper with the computer," wrote Cooke.

"This sort of attack poses a relatively low risk to folks who use BitLocker in the real world," he said.

Still, Cooke reminded Windows users that BitLocker is only one element of Microsoft's multi-tiered approach to security.

"Even with the great enhancements made in Windows 7 such as BitLocker To Go, it still remains that BitLocker alone is not a complete security solution," said Cooke.

"IT professionals as well as users must be diligent when protecting IT resources and the best protection against these sorts of targeted attacks requires more than just technology. It requires end user education and physical security also play important roles," Cooke wrote.

InformationWeek has published an indepth report on Windows 7. Download the report here (registration required).

Editor's Choice
John Edwards, Technology Journalist & Author
Carrie Pallardy, Contributing Reporter
Alan Brill, Senior Managing Director, Cyber Risk, Kroll
John Bennett, Global Head of Government Affairs, Cyber Risk, Kroll
Sponsored by Lookout, Sundaram Lakshmanan, Chief Technology Officer
Brandon Taylor, Digital Editorial Program Manager
Jessica Davis, Senior Editor
Richard Pallardy, Freelance Writer
Sponsored by Lookout, Sundaram Lakshmanan, Chief Technology Officer
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing