BitLocker is among the most easily accessible encryption options available today, being a built-in feature of Windows 10 Pro and Windows 11 Pro that is designed to secure your data from prying eyes. However, YouTuber stacksmashing demonstrated a serious security flaw in BitLocker that allowed him to bypass Windows BitLocker in less than a minute with a cheap sub-$10 Raspberry Pi Pico, thereby gaining access to the encryption keys that can unlock protected data. His exploit took only 43 seconds to steal the master key.
To do this, the YouTuber took advantage of a design flaw found in many systems that feature a dedicated Trusted Platform Module, or TPM. In some configurations, BitLocker relies on an external TPM to store critical information, such as the Platform Configuration Registers and the Volume Master Key (some CPUs have this built in). With an external TPM, the TPM communicates with the CPU across an LPC bus to send it the encryption keys required for decrypting the data on the drive.
Stacksmashing found that the communication lanes (the LPC bus) between the CPU and the external TPM are completely unencrypted at boot, enabling an attacker to sniff critical data as it moves between the two components and thereby steal the encryption keys. You can see his methodology in the video below.
With this in mind, the YouTuber decided to test an attack on a ten-year-old laptop with BitLocker encryption. His particular laptop's LPC bus is readable through an unpopulated connector on the motherboard, located right next to one of the laptop's M.2 ports. The same type of attack can be used on newer motherboards that use an external TPM, but these typically require more legwork to intercept the bus traffic.
To read data off the connector, the YouTuber built a cheap Raspberry Pi Pico device that could connect to the unsecured connector simply by making contact with the metal pads protruding from it. The Pico was programmed to read the raw 1s and 0s coming from the TPM, granting access to the Volume Master Key stored on the module.
Stacksmashing's work demonstrates that Windows BitLocker, as well as external TPMs, are not as secure as many think, because the data lanes between the TPM and the CPU are unencrypted. The good news is that this flaw appears to be a problem limited to discrete TPMs. If you have a CPU with a built-in TPM, like those in modern Intel and AMD CPUs, you should be safe from this security flaw, since all TPM communication occurs within the CPU itself.