
PGP backdoor? Undocumented Bypass in Whole Disk Encryption

The feature allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state.

PGP Corporation’s widely adopted Whole Disk Encryption product apparently has an encryption bypass feature that allows an encrypted drive to be accessed without the boot-up passphrase challenge dialog, leaving data in a vulnerable state if the drive is stolen when the bypass feature is enabled.



If the bypass flag is set, the boot process does not prompt the user for a passphrase. It simply starts the operating system. The feature can be enabled from the command line:

"%programfiles%\PGP Corporation\PGP Desktop\PGPwde.exe" --add-bypass --passphrase [passphrase here]

The feature is also apparently not in the documentation that ships with the PGP product, nor in the publicly available documentation on their website; it is only mentioned briefly in the customer knowledge base. Jon Callas, CTO and CSO of PGP Corp., responded that this feature was required by unnamed customers and that competing products have similar functionality.

Anyway, you can remove any bypass entries using the "--remove-bypass" switch, and you can check whether a bypass is set up using the "--check-bypass" switch. For example:

C:\>"%programfiles%\PGP Corporation\PGP Desktop\PGPwde.exe" --remove-bypass

Failed to locate user: ☺user
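Since the only defence the post names is to check for and remove the bypass, the natural thing for an administrator to do is to run that check routinely and keep a record of it. The following PowerShell script is an added example, not code from the original post or from PGP Corp.: it runs PGPwde.exe with --check-bypass, optionally follows up with --remove-bypass, and appends the exit code and raw output of each run to a log file. It assumes the PGPwde.exe path shown in the post; the exact text --check-bypass prints is not given on the page, so the output is recorded verbatim for review rather than parsed.

```powershell
# Added example (not from the original post or from PGP Corp.): audit a Windows
# host for an enabled PGP WDE boot bypass and optionally clear it.
# Assumptions: PGPwde.exe lives at the path quoted in the post; the wording that
# --check-bypass prints is not documented on the page, so raw output and exit
# code are logged for a human to review instead of being parsed.
param(
    [switch]$Remove,                                           # also run --remove-bypass
    [string]$LogPath = "$env:ProgramData\wde-bypass-audit.log" # assumed log location
)

$pgpwde = Join-Path $env:ProgramFiles 'PGP Corporation\PGP Desktop\PGPwde.exe'
if (-not (Test-Path $pgpwde)) {
    throw "PGPwde.exe not found at $pgpwde"
}

function Invoke-PGPwde {
    param([string[]]$Arguments)
    # Capture stdout and stderr together so the record is complete.
    $output = & $pgpwde @Arguments 2>&1 | Out-String
    [pscustomobject]@{
        Timestamp    = (Get-Date).ToString('o')
        ComputerName = $env:COMPUTERNAME
        Command      = "PGPwde.exe $($Arguments -join ' ')"
        ExitCode     = $LASTEXITCODE
        Output       = $output.Trim()
    }
}

# Always record the current bypass state.
$results = @(Invoke-PGPwde -Arguments @('--check-bypass'))

if ($Remove) {
    # Clear any bypass entry, then re-check so the log shows the end state.
    $results += Invoke-PGPwde -Arguments @('--remove-bypass')
    $results += Invoke-PGPwde -Arguments @('--check-bypass')
}

# One JSON record per invocation, appended to the audit log.
$results | ForEach-Object { $_ | ConvertTo-Json -Compress } | Add-Content -Path $LogPath
$results | Format-List
```

Run it as `.\Check-WdeBypass.ps1` from an elevated prompt to record the state, or with `-Remove` after a patch cycle to clear a bypass that was set for an unattended reboot and confirm it is gone. Because the bypass is meant to last only one reboot, a host whose log shows the bypass still present across several audits is the case worth investigating.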

1 Comment so far

  1. Bryan said on October 4 2007 @ 10:21 pm

    Calling this a “backdoor” is irresponsible and wholly inaccurate.

    Using this feature requires the user to already have the password and already be logged on to the drive. If you already have the password, and you’ve already logged in to Windows, you already have access to the data. You can’t bypass the encryption without the password. You have to manually turn this on. It only lasts for one reboot.

    Some Windows security patches require a reboot. We’ve all seen this.

    Without this feature administrators could never push out patches (or install software) that require a reboot in the middle. When the machine rebooted, it wouldn’t restart until someone typed in the passphrase. This may be impossible if the user is remote or you have 10,000 users.

    That means the update may not get installed correctly, leaving the computer vulnerable to an exploit.

    Some customers choose to use this feature to minimize that risk. PGP gives them that option, if they choose to use it. However, its use is discouraged — and that’s why it was under-documented, so people don’t get themselves in trouble by using it inappropriately.

    Our customers’ trust is extremely important to us here at PGP, and we work very hard to earn it every day. We’re the only encryption company that publishes its source code so our customers and crypto experts can be confident there are no backdoors.

    It’s unfortunate to see something like this potentially jeopardize that trust.
