Open main menu
Home
Random
Recent changes
Special pages
Community portal
Preferences
About Wikipedia
Disclaimers
Incubator escapee wiki
Search
User menu
Talk
Dark mode
Contributions
Create account
Log in
Editing
TrueCrypt
(section)
Warning:
You are not logged in. Your IP address will be publicly visible if you make any edits. If you
log in
or
create an account
, your edits will be attributed to your username, along with other benefits.
Anti-spam check. Do
not
fill this in!
=== The "Stoned" bootkit === The "Stoned" [[bootkit]], an [[Master Boot Record|MBR]] [[rootkit]] presented by Austrian software developer Peter Kleissner at the [[Black Hat Briefings|Black Hat]] Technical Security Conference USA 2009,<ref>{{cite web | url = https://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-PAPER.pdf | title = Stoned bootkit White Paper | publisher = Peter Kleissner | work = Black Hat Technical Security Conference USA 2009 | access-date = 5 August 2009 }}</ref><ref>{{cite web | url = https://www.blackhat.com/presentations/bh-usa-09/KLEISSNER/BHUSA09-Kleissner-StonedBootkit-SLIDES.pdf | title = Stoned bootkit Presentation Slides | publisher = Peter Kleissner | work = Black Hat Technical Security Conference USA 2009 | access-date = 5 August 2009 }}</ref> has been shown capable of tampering TrueCrypt's MBR, effectively bypassing TrueCrypt's [[full disk encryption|full volume encryption]].<ref>{{cite web | url = http://www.h-online.com/security/Bootkit-bypasses-hard-disk-encryption--/news/113884 |archive-url=https://web.archive.org/web/20090801080610/http://www.h-online.com/security/Bootkit-bypasses-hard-disk-encryption--/news/113884|archive-date=1 August 2009| title = Bootkit bypasses hard disk encryption | publisher = Heise Media UK Ltd. | work = The H-Security (H-Online.com) | access-date = 5 August 2009 }}</ref><ref>{{cite news |author=David M Williams |date=7 September 2009 |title=The dark side of open source software is Stoned |publisher=iTWire |url=http://www.itwire.com/opinion-and-analysis/the-linux-distillery/27503-the-dark-side-of-open-source-software-is-stoned }}</ref><ref>{{cite web | last =Hunt | first =Simon | title =TrueCrypt vs Peter Kleissner, Or Stoned BootKit Revisited.. | publisher =Simon Hunt | date =4 August 2009 | url =http://simonhunt.wordpress.com/2009/08/04/truecrypt-vs-peter-kleissner-or-stoned-bootkit-revisited | access-date =24 May 2014 }}</ref><ref>{{cite news |author=Uli Ries |date=30 July 2009 |title=Bootkit hebelt Festplattenverschlüsselung aus |language=de |publisher=Heise Online |url=http://www.heise.de/newsticker/meldung/Bootkit-hebelt-Festplattenverschluesselung-aus-748859.html }}</ref><ref>{{cite news |date=30 July 2009 |title=Windows-Hacking: TrueCrypt Verschlüsselung umgangen |language=de |publisher=Gulli News |url=http://www.gulli.com/news/windows-hacking-truecrypt-2009-07-30 }}</ref> Potentially every [[hard disk drive|hard disk]] encryption software is affected by this kind of attack if the encryption software does not rely on hardware-based encryption technologies like [[Trusted Platform Module|TPM]], or if the attack is made with administrative privileges while the encrypted operating system is running.<ref>{{cite web | url = http://www.stoned-vienna.com/downloads/TrueCrypt%20Foundation%20Mail%2018.%20Juli%202009.tif | title = Stoned bootkit attacking TrueCrypt's full volume encryption | publisher = TrueCrypt Foundation mail in response to Peter Kleissner on 18 July 2009 | access-date = 5 August 2009 }}</ref><ref name="TPM support">{{cite web | url = http://www.truecrypt.org/faq#tpm | archive-url = https://archive.today/20130416052646/http://www.truecrypt.org/faq | url-status = dead | archive-date = 16 April 2013 | title = Some encryption programs use TPM to prevent attacks. Will TrueCrypt use it too? | publisher = TrueCrypt Foundation | work = TrueCrypt FAQ | access-date = 24 August 2011 }}</ref> Two types of attack scenarios exist in which it is possible to maliciously take advantage of this bootkit: in the first one, the user is required to [[Execution (computing)|launch]] the bootkit with administrative privileges once the PC has already booted into Windows; in the second one, analogously to [[hardware keylogger]]s, a malicious person needs physical access to the user's TrueCrypt-encrypted hard disk: in this context this is needed to modify the user's TrueCrypt MBR with that of the Stoned bootkit and then place the hard disk back on the unknowing user's PC, so that when the user boots the PC and types his/her TrueCrypt password on boot, the "Stoned" bootkit intercepts it thereafter because, from that moment on, the Stoned bootkit is loaded before TrueCrypt's MBR in the boot sequence. The first type of attack can be prevented as usual by good security practices, e.g. avoid running non-trusted [[executable]]s with administrative privileges. The second one can be successfully neutralized by the user if he/she suspects that the encrypted hard disk might have been physically available to someone he/she does not trust, by booting the encrypted operating system with TrueCrypt's Rescue Disk instead of booting it directly from the hard disk. With the rescue disk, the user can restore TrueCrypt's MBR to the hard disk.<ref>{{cite web | last =Kleissner | first =Peter | title =TrueCrypt Foundation is a joke to the security industry, pro Microsoft | publisher =Peter Kleissner | date =21 July 2009 | url =http://www.peterkleissner.com/?p=11 | access-date = 5 August 2009 | archive-url = https://web.archive.org/web/20100818024921/http://www.peterkleissner.com/?p=11 | archive-date = 18 August 2010}}</ref>
Edit summary
(Briefly describe your changes)
By publishing changes, you agree to the
Terms of Use
, and you irrevocably agree to release your contribution under the
CC BY-SA 4.0 License
and the
GFDL
. You agree that a hyperlink or URL is sufficient attribution under the Creative Commons license.
Cancel
Editing help
(opens in new window)