
Phantom Account Security



I basically have the same question as this:

I checked the same a year ago and it's still not replied to. Why is nobody from ESET bothering to answer this?

My concern is exactly the same. What is the point of having BitLocker enabled and my data encrypted if someone can access my data if my laptop is stolen?

I honestly do not care to recover my laptop, only that a thief does not access my data. If enabling Anti-Theft puts your data in an unencrypted state, I think ESET should properly inform users before activating this. Actually, I think this function should be completely removed if that is the case, because Windows already has Find my Device services. It's completely unclear how this works, and today in 2020, even Windows Home has BitLocker enabled by default on all new systems. That means people expect their laptops to be secure if stolen, but enabling a second account that can access your files in Windows is like a huge downgrade in security.

I seriously expect some reply from ESET regarding this. Last time I checked this, I was able to access the data and files for other Windows users from the phantom account. This is a huge security hole. You know, basically letting anyone steal all your files and data as opposed to having a completely encrypted device.

Link to comment
Share on other sites

  • Administrators

Enabling Anti-theft should have no effect on BitLocker-encrypted drives and either a USB flash drive or a password should still be required prior to starting Windows.

image.png

Phantom Account is a form of guest account with limited permissions and it will be used as default system account until your device is marked recovered - preventing anyone from logging into other user accounts or accessing users' data.

Link to comment
Share on other sites

19 hours ago, Marcos said:

Enabling Anti-theft should have no effect on BitLocker-encrypted drives and either a USB flash drive or a password should still be required prior to starting Windows.

image.png

Phantom Account is a form of guest account with limited permissions and it will be used as default system account until your device is marked recovered - preventing anyone from logging into other user accounts or accessing users' data.

Hello Marcos, I'm talking here about the main drive on which the Windows OS is installed. Not a second drive or an external USB drive.

Every new Windows 10 PC, even Windows Home, has BitLocker enabled by default now.

You don't need to input any password in order to start Windows on a machine with BitLocker. Windows starts as usual and you get the normal Windows lock screen. It's only on the lock screen that you have to log in with a password. But the phantom account would reside on that Windows lock screen without a password, hence they can log into the drive C without a password.

I never had any computer running BitLocker ask me for a password on boot or before starting Windows. The password is only requested to log into the Windows session. Is there something I'm missing here?

The screenshot you posted seems to be related to old computers without TPM that required an external USB or password to unlock it. This has not been the case for years now with any computer that has TPM included:

https://www.howtogeek.com/howto/6229/how-to-use-bitlocker-on-drives-without-tpm/

Edited by VW00
Link to comment
Share on other sites

  • Administrators

The screenshot was taken from a VM. On my new notebook I have BitLocker enabled and a password is required before the operating system starts loading. Anyways, there is no connection between Anti-Theft and disk encryption. As already said, the purpose of Anti-Theft is to prevent accessing other users' data after logging into the phantom account. Does it not work for you, and can you access other users' data in all user profiles in c:\users even when logged in to the phantom account?

Link to comment
Share on other sites

23 hours ago, Marcos said:

The screenshot was taken from a VM. On my new notebook I have BitLocker enabled and a password is required before the operating system starts loading. Anyways, there is no connection between Anti-Theft and disk encryption. As already said, the purpose of Anti-Theft is to prevent accessing other users' data after logging into the phantom account. Does it not work for you, and can you access other users' data in all user profiles in c:\users even when logged in to the phantom account?

Unless your laptop is from 2010, I don't see how that is possible. Unless you also enabled a BIOS password on boot, which is a different thing. For example, I have another ThinkPad that also has that option, and unless you type the boot password or pass your finger on the fingerprint reader, Windows will not start and the system will just shut down after a time on idle without input.

I assume the password you are typing to start Windows is that? And not the Windows password. Or did you configure BitLocker in a non-standard way?

If you have TPM on your machine, you don't need to type anything to boot Windows; the encryption key is stored in the hardware. This is the default installation, 99% of ESET customers will have it like that. Just a normal PC that boots Windows and you need to enter your Windows 10 credentials to sign in. They are all enabled by default with BitLocker today, from Surface, to HP, to Dell, and that includes Windows 10 Home.

To answer your question, I tried this some time, a few years back, and I was able to access the whole drive from the phantom account. Which was not nice. This is why I'm asking again if something changed, or maybe this was a Windows flaw; if not, the phantom account should be removed from ESET machines as it's putting your data at risk of being stolen. Now, even if Windows does not allow you to access other people's data because of permissions, this is not the same as having encrypted files. Windows permissions and privileges can be compromised, as opposed to hacking a BitLocker-encrypted drive, which is next to impossible unless you have state-sponsored hacking tools. I want to rely on encryption to protect my data, not on the OS permissions.

I'm more curious about what you mentioned about typing a password to boot Windows. If you need to type a password to start your Windows system, how would that even work with ESET Phantom accounts? If the system is not starting Windows, you can't log into the phantom account.

I know the theft protection feature is not related to BitLocker, I'm more concerned about the hole it leaves. Now you are able to monitor your laptop and remotely lock it, which is nice, but now your data is also at risk. That account should also be password protected, or better, just run the theft functions on the normal account in the background without having to log into Windows. I understand the phantom account is required in order to monitor the person that stole the laptop, but letting the intruder access your hard drive in that way seems very dangerous. On Android this is not the case. The anti-theft function does not need a second account, you can still use the phone with your regular PIN or lock screen as normal.

I don't have the system with ESET installed to test this now, but my impression is that having the Phantom account lets you access Windows, and with that, files on the drive regardless of the Windows user, which defeats the security purpose of having a password on your Windows account. My concern is not recovering the laptop but wiping the data and tracking the thieves. My biggest concern is not the hardware price but data that can be stolen. I suspect this is more important for most people.

Link to comment
Share on other sites

  • Administrators

I've made a test - enabled Anti-Theft, created a phantom account and marked the device as missing. After a reboot the system logged in to the phantom account and I was unable to access other users' files:

image.png

image.png

Link to comment
Share on other sites

That is precisely my question, as the other person asked as well. Are the files in user1 in your example encrypted (by BitLocker), hence you are denied access, or are you just denied access based on the Windows permission settings because it's a different account, but the files are actually decrypted now on the hard drive and only Windows is stopping you from accessing them? I don't trust Windows permissions as much as I trust BitLocker.

The reason this is important is because operating system permissions are not 100% secure, as opposed to proven encryption that is used everywhere. For example, even on Linux you can gain root access by escalating permissions if you wait until a bug is found. Gaining root access on Android, Linux or Windows is not uncommon. Same is true for Windows. On a normal system this is not an issue, as you patch for holes and keep it updated, but that is not the case with a stolen system, as you lost control over the device. All they have to do is wait until a patch is found that allows them to gain admin privileges from another account, and with that, access to everything. But if the data on the user1 account is actually encrypted, gaining admin privileges would still be useless, as you cannot decrypt the files without the key (Windows passwords?).

I'm not 100% sure about this, but I had the impression that data on the drive is encrypted until you put in the Windows password, which then unlocks the drive C and lets you access it. Windows only loads a part that is not encrypted, but the rest of the user data is encrypted until you unlock the system (similar to Android). As long as someone steals your laptop and you are not logged into the account, it's secure. Just like Android, which boots and is able to show the lock screen, but the device is not unlocked until you log in.

Closing your laptop lid should lock the device, as now Windows will again ask for a password. But my concern is what the security risks are if someone can log in with a guest account (phantom account) without a password.

This is my primary question. Is this restriction based on encryption or just operating system permissions?

Link to comment
Share on other sites
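The question the thread ends on, whether the system drive is already unlocked by the time the lock screen appears, can be answered on one's own machine by looking at the BitLocker key protectors on the OS volume: a TPM-only protector releases the volume key at boot without user input, so from then on access to other profiles is gated by NTFS permissions, while a TPM+PIN, startup-key or password protector stops the boot before Windows loads. The PowerShell below is an added example, not code from ESET or from any poster; the function names are hypothetical, and it assumes an elevated session on a Windows edition that ships the BitLocker cmdlets.

```powershell
#Requires -RunAsAdministrator
# Added example (hypothetical function names): shows how the OS volume is
# unlocked at boot and who the ACL on each profile folder grants access to.

function Get-OsVolumeBootUnlock {
    $vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protectors that release the volume key at boot with no user input.
    $transparent = @($types | Where-Object { $_ -in 'Tpm', 'TpmNetworkKey' })
    # Protectors that need a PIN, password or USB startup key before Windows loads.
    $preBoot = @($types | Where-Object {
        $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password' })

    $mode = if ($vol.ProtectionStatus -ne 'On') {
        'BitLocker protection is off or suspended'
    } elseif ($transparent.Count -gt 0) {
        'Transparent unlock: volume is readable by the OS once Windows boots'
    } elseif ($preBoot.Count -gt 0) {
        'Pre-boot authentication required before Windows loads'
    } else {
        'Only recovery or external-key protectors present'
    }

    [pscustomobject]@{
        MountPoint   = $vol.MountPoint
        VolumeStatus = $vol.VolumeStatus
        Protectors   = $types -join ', '
        BootUnlock   = $mode
    }
}

function Get-ProfileAcl {
    # Lists, per profile folder, the identities with an Allow entry in the ACL.
    Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory |
        ForEach-Object {
            $acl = Get-Acl -LiteralPath $_.FullName
            [pscustomobject]@{
                Profile   = $_.Name
                Owner     = $acl.Owner
                AllowedTo = ($acl.Access |
                    Where-Object AccessControlType -eq 'Allow' |
                    Select-Object -ExpandProperty IdentityReference -Unique) -join '; '
            }
        }
}

Get-OsVolumeBootUnlock | Format-List
Get-ProfileAcl | Format-Table -AutoSize -Wrap
```

If `BootUnlock` reports transparent unlock, an "access denied" seen from a limited account comes from the profile ACLs listed by the second function, not from the data being encrypted at that moment.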

This topic is now closed to further replies.