Security researcher says Microsoft built a Bitlocker backdoor, releases exploit

https://www.techspot.com/news/112410-security-researcher-microsoft-secretly-built-backdoor-bitlocker-releases.html

84•nolok•1h ago

Comments

superkuh•56m ago

As long as Microsoft will continue to use dark patterns to convert local accounts to online accounts and automatically, without user consent, encrypt the storage drives preventing any computer use until the user goes to aka.ms and through the hoops, this is a good thing.

No one should have their data encrypted and kept from them without consent unless they do something. Microsoft does that now. They may not be requring a monetary ransom like others, but it is a ransom nevertheless.

I know this is controversial. Bitlocker helps protect one's property and information when used intentionally. And that being impacted is a shame.

mynameisvlad•41m ago

You only need to use the aka.ms link if you lost your recovery key. That feature also can be disabled without disabling Bitlocker as a whole.

superkuh•36m ago

How would a user that never set it up in the first place have a recovery key? I honestly am asking and don't know.

I recently (last week) had to drive over to a parent's house and "fix" their (pre-online accounts) win 11 computer used for sewing because it had become a blue screen saying aka.ms was required. They did not know how it happened and are not very technical users so I imagine they were tricked by some click-through dialog. It is not something they would ever do intentionally. All that computer ever does is run sewing pattern/control software.

mynameisvlad•28m ago

The non-cloud methods for recovering the key have been the same since Bitlocker was released 19 years ago.

https://support.microsoft.com/en-us/windows/find-your-bitloc...

superkuh•22m ago

I think there's been some miscommunication. If the bitlocker activation happens during tricking the user into going from a local account to online account, it is without the user's consent or real participation. They haven't printed out a copy of the key or moved it to a usb drive. They aren't aware their drives are being encrypted. They can't set up recovery keys now because the computer itself only shows the blue aka.ms screen. None of those 2/4 options are applicable.

There other 2 options are enterprise or online account (the very thing we're talking about) don't apply in this context.

mynameisvlad•20m ago

You can set up recovery keys at any point in time, not just at creation. Just because people don't do it doesn't mean it isn't and hasn't been available for almost 2 decades.

whycome•21m ago

The nagging to upgrade is insane. Even the 'dismissal' option is a dark pattern still designed to make you click the wrong thing

archerx•48m ago

Maybe I’m an outlier but I don’t want my drives encrypted at all. I rather have all my data be accessible if things go catastrophic, I.E. having to pull the drive out of a broken computer and put it in another computer to access the files. I just want it to be plug and play.

lstodd•43m ago

What's not plug and play if using some sensible fde like idk, dm-crypt? You are only a passphrase away from mounting that drive in any other system you plug it into.

Glohrischi•43m ago

My harddrives (laptop, work laptop, desktop, server) contain emails, browser sessions, saved passwords, personal data from family and friends.

I do not want someone stealing my laptop on a train ride potentially being able to have all of that data.

With a proper real backup strategy, i have everything save. I do not need easy access to a hard drive from a broken computer.

But hey you do you :)

xingped•36m ago

Cool. Everyone's threat model is different. As long as we're not writing passwords on sticky notes attached to the monitor, I don't think there's any need to be throwing stones.

brookst•33m ago

Hey now, I use rot13 on my sticky notes.

loneboat•25m ago

Gotta bump that encryption up - rot26 is twice as secure.

NBJack•36m ago

Are you saying you bring your desktop on a train ride as well? Laptops with encryption make sense; if you need to encrypt your desktop, I have questions.

msh•31m ago

Burglars are a thing.

JoshTriplett•10m ago

Also a reason to have off-site backups. Many people have done backups to local servers, only to discover that they have no way to recover their data because thieves stole everything.

The_President•31m ago

Simple hypothetical: "A disaster hits and the workstation owner is unable to return to the location the workstation is stored. During that time period the workstation is stolen by a gang of looters."

treis•15m ago

Ah yes a typical Tuesday for me

aniceperson•43m ago

the point is having a choice and the choice actually doing what it claimed.

skeledrew•42m ago

Same here. If anything happens I want a decent chance to be able to recover my data. The most I may do is create encrypted files, and some of them I've forgotten the passwords for, which makes me even more wary.

tekne•42m ago

I mean... you can use an encryption scheme compatible with this (if you know the password).

I suppose this makes some sense for home computers (burglars and police raids are rare) but for a laptop, you really don't want thieves getting all your details.

Ironically -- this probably was paranoid a few years ago, but now -- "ChatGPT, use this prepared prompt to extract all useful info from this hard drive"

The_President•35m ago

Additional problem is if physical access is obtained, illegal material could be covertly added to the drive then picked up by the built in scanners in your OS. Depends on how important you are.

hiq•10m ago

If "things go catastrophic" your hard drive is not usable at all anymore. At the very least some files can't be recovered at all. So you need backups in any case. Once you have backups, you might as well encrypt your hard drives, especially if you store these in different locations (which you should).

An advantage of encryption is that it makes it easier to give away or resell devices. With recent encryption schemes (well the ones on Linux, given this article), I feel confident that overwriting the encryption keys gets me close enough to not leaking my data once I get rid of an old hard drive.

seanieb•40m ago

At what point will Security professionals start turning down roles that involve “securing” MS Products? I’m already at this point.

Securing Microsoft products is busy work while waiting to have it undercut by the next wave of MS’s insane tech debt and greed. And now backdoors!

microtonal•36m ago

As opposed to iOS, which does iCloud backups that are not E2E encrypted by default, so that law enforcement can request your chats (except Signal because they opt out), browser history, etc.?

You can enable ADP for E2E encrypted backups, but it's probable not going to help you much, because the people you are communicating with likely didn't.

This is not to defend Microsoft, more to say that all these companies were part of PRISM.

seanieb•26m ago

> This is not to defend Microsoft

But you are defending MS, conflating a bunch of things, mainly full disk encryption and cloud backups.

There's a big difference between Apples cloud backup which has documented behavior and a backdoor. I'm also fairly confidant in Apple's full disk encryption, they've gone to court to defend it. There also a lot more data points we can use to judge Apple vs Microsoft on privacy and security, and MS comes out looking bad.

gruez•15m ago

>You can enable ADP for E2E encrypted backups, but it's probable not going to help you much, because the people you are communicating with likely didn't.

That just sounds like a fundamental issue with security in general, not specific to Apple/Microsoft.

embedding-shape•33m ago

Seems this traces back almost a week, from Nightmare-Eclipse who is the researcher who found this:

Tuesday, 12 May 2026 - "Here are the links, yes, two vulnerabilities this time [YellowKey] [GreenPlasma] [...] Next patch tuesday will have a big surprise for you Microsoft"

Wednesday, 13 May 2026 - "I can't wait when I will be allowed to disclose the full story, I think people will find my crashout very reasonable and it definitely won't be a good look for Microsoft."

Author's blog: https://deadeclipse666.blogspot.com/

First post in March 2026 is "[...] someone violated our agreement and left me homeless with nothing. They knew this will happen and they still stabbed me in the back anyways, this is their decision not mine."

I'm not sure what to make of it, is this someone essentially "leaking" things from the inside? Sure sounds like it, and others are able to reproduce the results.

krisbolton•20m ago

I read it as the author is / was going through the vulnerability disclosure process with Microsoft and they're annoyed for unclear reasons and decided to publicly disclose, rather than being an insider.

Alifatisk•17m ago

Can’t wait to read the blogpost of what have truly happened and motivated this person to expose M$ like this

BLKNSLVR•31m ago

Title sounds conspiratorial, but it lines up well with the controversy around TrueCrypt's discontinuation which, I believe, specifically called out BitLocker as an alternative to use in future.

otakucode•26m ago

That was my immediate first thought. "Oh, is Bitlocker Not Safe Anymore?"

ekjhgkejhgk•24m ago

I'm not aware of the connection between truecrypt and bitlocker, want to enlighten us?

akersten•5m ago

Long time ago TrueCrypt suddenly and abruptly shut down with a vague goodbye message saying "everyone please move on and use bitlocker instead"

Prevailing theory is they were pressured to put in a backdoor and couldn't disclose it, so they had to make a seemingly ridiculous statement to call attention that "something is very wrong"

alamortsubite•8m ago

You're probably thinking of VeraCrypt, which is a fork of TrueCrypt. I don't think BitLocker is related.

markant•18m ago

"Security professionals generally recommend avoiding reliance on any single encryption system and instead evaluating well-reviewed full-disk encryption alternatives such as VeraCrypt".

If they put a backdoor into FDE it would make more sense to advise people to stop using windows at all and using Linux instead. If they put a backdoor in FDE you can be sure there is not just one backdoor in the operating system itself. You shouldn't trust proprietary software at all. You shouldn't even trust open source if it isn't properly audited.

tptacek•10m ago

I don't use Microsoft products generally but not with even with your computer would I run VeraCrypt.

RapidFire Lite – Zero-dependency API load tester in pure Python

100 Best Novels of All Time

The Wild Cyberwest

Show HN: Proper, a Rails-shaped Python web framework

Simulacra Levels and Their Interactions

KV Cache Is Becoming the Memory Hierarchy of Inference

Show HN: I made a printable graph papaer templates website

LocalLightChat – New AI Chat UI that handles 500k tokens on a 15 year old laptop

HuggingFace

Nerds, ninjas, and neutrons: The story of The Nuclear Emergency Support Team

The Kind of AI Adoption I Believe In

A few ways of specifying per-theme colours in only CSS

How to Share the AI Windfall

XS: A programming language. Anywhere, anytime, by anyone

Show HN: Freelang – a direct-to-assembly syscall lang with rad concurrency

Reddit Is Blocking Some Users from Accessing Its Website from Mobile Devices

The Programming Language for Agents

Three's a party: US, China, and now Russia are on the prowl in GEO

What Software Is Made Of

Show HN: Whisper Large V3 Turbo Stream API

EV charging station fire caused by remote technician, report finds

South Korea says it will pursue all options to avoid Samsung strike

Europe Just Unveiled a Serious Rival to SpaceX's Starship

AVX-512

Datacenters slurping up so much juice they boosted prices 75%

Google users fight for refunds as unauthorized API usage bills soar

Is Britain Ungovernable?

The filesystem is the API (with TigerFS)

Brown vs. Board of Education (May 17th, 1954)

PyPI packages are increasing rapidly