Microsoft BitLocker encryption cracked in just 43 seconds with a $4 Raspberry Pi Pico

DragonSlayer101

Staff
What just happened? BitLocker encryption in Windows improves data security by protecting system files and personal data with the AES encryption algorithm. It is an important measure for people who need additional security, letting PC users encrypt their data and protect it from potential attackers. However, new research shows that it can be cracked easily using inexpensive, off-the-shelf hardware.

In a YouTube video, security researcher Stacksmashing demonstrated that an attacker can extract the BitLocker encryption key from a Windows PC in just 43 seconds using a $4 Raspberry Pi Pico. According to the researcher, a targeted attack can bypass BitLocker's encryption by accessing the hardware directly and extracting the encryption keys held in the computer's Trusted Platform Module (TPM) via the LPC bus.

The attack is possible because of a design flaw in devices with dedicated TPMs, such as modern laptops and desktops. As the researcher explains, BitLocker sometimes uses an external TPM to store key information, such as the Platform Configuration Registers and the Volume Master Key. However, the communication bus (LPC) between the CPU and the external TPM is unencrypted during boot, so a threat actor can sniff any traffic between the two modules and extract the encryption keys.

To carry out his proof-of-concept attack, Stacksmashing used a ten-year-old laptop with BitLocker enabled and programmed the Raspberry Pi Pico to read the raw binary data from the TPM, gaining access to the Volume Master Key. He then used Dislocker with the recovered Volume Master Key to decrypt the drive.

It is worth noting that this is not the first time somebody has bypassed BitLocker encryption. Last year, cybersecurity researcher Guillaume Quéré demonstrated that, with BitLocker full volume encryption, it is possible to eavesdrop on the traffic between the discrete TPM chip and the CPU over an SPI bus. At the time, Microsoft claimed that defeating BitLocker encryption is a long and cumbersome process that requires lengthy access to the hardware.

This latest development shows that BitLocker can be bypassed far more easily than previously thought, and it raises pertinent questions about existing encryption methodologies. It remains to be seen whether Microsoft will root out this particular vulnerability in BitLocker, but in the long run, security researchers need to do a better job of identifying and fixing potential security loopholes before they become a problem for users.
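For defenders, the practical question this attack raises is whether a machine's BitLocker volumes are unlocked by a TPM-only protector (the configuration in which the TPM releases the Volume Master Key at boot without any user secret) and whether that TPM is a discrete chip. The following PowerShell audit is an added example, not part of the article or the researcher's work; it uses the standard Get-Tpm and Get-BitLockerVolume cmdlets, and the mapping of TPM manufacturer IDs to firmware versus discrete implementations is a heuristic assumption.

```powershell
# Added example: audit BitLocker key protectors and TPM type on the local machine.
# Requires an elevated session on Windows 10/11 with the BitLocker module available.
#Requires -RunAsAdministrator

# Assumption (heuristic, not exhaustive): INTC (Intel PTT) and AMD (AMD fTPM) run
# inside the CPU; other vendor IDs are usually discrete chips on the motherboard.
$FirmwareTpmVendors = @('INTC', 'AMD')

function Get-TpmKind {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { return 'None' }
    $vendor = ([string]$tpm.ManufacturerIdTxt).Trim()
    if ($FirmwareTpmVendors -contains $vendor) { return "Firmware ($vendor)" }
    return "Discrete/unknown ($vendor)"
}

function Test-BitLockerProtectors {
    $tpmKind = Get-TpmKind
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        # A PIN or startup key protector means the TPM will not release the VMK
        # to whoever merely powers the machine on.
        $pinOrKey = $types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
        $tpmOnly  = ($types -contains 'Tpm') -and -not $pinOrKey
        $risk = if ($vol.ProtectionStatus -ne 'On') { 'Unprotected: BitLocker protection is off' }
                elseif ($tpmOnly -and $tpmKind -like 'Discrete*') { 'HIGH: TPM-only protector on a discrete TPM' }
                elseif ($tpmOnly) { 'MEDIUM: TPM-only protector (no pre-boot authentication)' }
                else { 'OK: pre-boot authentication present' }
        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protectors = ($types -join ',')
            TpmKind    = $tpmKind
            Assessment = $risk
        }
    }
}

Test-BitLockerProtectors | Format-Table -AutoSize

# Remediation for a HIGH/MEDIUM volume, run manually once Group Policy allows a
# startup PIN (remove the existing TPM-only protector first if it conflicts):
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
```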


 
This is specific to external discrete TPM chips though, isn't it? Modern CPUs have TPM built in. I assume it doesn't affect those? Unless the communication still goes over something that can be interfaced with?

Would be interesting for them to test a modern device that meets the minimum requirements for Windows 11 (8th gen Intel onwards) and see if that's something they can break with this method.
 
I thought TPM was supposed to add an extra layer of security and it was important that everyone throws away any hardware that doesn't have it so they can get new hardware with it and then use Windows 11.

So, let me get right on that and enable TPM on my system and then install Windows 11.....


Oh wait, hell no. That's not going to happen.
 
Microsoft BitLocker encryption cracked in just 43 seconds with a $4 Raspberry Pi Pico

Sure, after weeks of R&D and development, and it only works on specific motherboards.

I am still VERY impressed by how this guy managed to defeat BitLocker. I know some forensic analysts that would be very interested in his process.
 
I thought TPM was supposed to add an extra layer of security and it was important that everyone throws away any hardware that doesn't have it so they can get new hardware with it and then use Windows 11.

So, let me get right on that and enable TPM on my system and then install Windows 11.....


Oh wait, hell no. That's not going to happen.

Only if you have an older PC with an external TPM chip on a mobo. CPU makers implemented TPM in CPUs. There is no way to do what this guy did on a proper system that is not very old.
 
To reiterate, as stated above, this should be used to protect removed drives.
Rule number one: if a hacker has access to your device, consider it broken.
Treat a Visa card like cash, treat a phone like cash. Yet people leave them around in the open.

Plus, if I had sensitive files, BitLocker is a secondary protection, i.e. it would be encrypted before going to the hard drive.
Plus I have it, but never use it, as I don't know enough; if I can't log in due to some boot drive FU (think MBR on old Windows, where you had to recreate from backups), then you have lost everything.

I.e. for me too many things can go wrong, and it's too hardware and software dependent to trust it.
 
So it's only for external TPM chips. Considering most modern CPUs now have TPM built in, this hack doesn't make for a very concerning problem. I don't know of many businesses that are still using 10-year-old laptops for anything, and if they are, it's because they're cheap bastards and you probably won't find much of interest on there at any rate.
 
No surprises, considering TPM always ran on an ancient bus, and now a ton of systems have it built into the CPU instead as fTPM, so this attack vector is completely out of the window (though you could instead try to break into the trusted execution environment the CPU sets up for running the TPM, but if there are no bugs or exploits in that, then it is much tougher or practically impossible; people haven't even been able to break the vendor lock on things like EPYC CPUs, never mind targeting a portion that is supposed to be cryptographically secure), so this video seems to be one made for rageclicks.....
 
Yet another "security measure" shown to be totally worthless. Microsoft ought to drop the requirement on this worthless piece of crap for Windows 11 and who knows what other version of Windows, IMMEDIATELY.

Not worthless - this should only affect older computers where the CPU did not have a built in TPM module.
 
Yet another "security measure" shown to be totally worthless. Microsoft ought to drop the requirement on this worthless piece of crap for Windows 11 and who knows what other version of Windows, IMMEDIATELY.
The hacker has to have physical access to the hardware. As soon as a hacker has physical access to a device, it doesn't matter how good the security is; all security can be bypassed with enough time. People raging about security exploits that required the hacker to have full access is stupid. Starting with full access removes all the other security measures people should take to ensure their data is secure.
 
Looks like the criminal elements are working overtime.
Just a few weeks ago, China cracked Apple AirDrop.
I have a very high level of tech enthusiasm, and a very low level of tech knowledge,
so I am curious: are there always going to be breaches of this type? And will we always be at their mercy?
 
Yet another "security measure" shown to be totally worthless. Microsoft ought to drop the requirement on this worthless piece of crap for Windows 11 and who knows what other version of Windows, IMMEDIATELY.

Yes, Microsoft's TPM requirement for Win 11 is arbitrary and capricious. If you really need BitLocker, make sure you are using a secure PIN.
 
This is one of the reasons why I use full disk encryption that requires either a password, security token or PIN. I use LUKS on my Linux workstation. I have to enter the password first before the OS will even boot up.
 
Yet another "security measure" shown to be totally worthless. Microsoft ought to drop the requirement on this worthless piece of crap for Windows 11 and who knows what other version of Windows, IMMEDIATELY.
Just goes to show you, nothing is fail safe. They were never worried about security when they put in the requirement, just how they could make more money.
 
I am still VERY impressed by how this guy managed to defeat BitLocker. I know some forensic analysts that would be very interested in his process.

You can count on there being companies out there selling working or live exploits for such occasions.

It's a big, hefty business model, i.e. NSO Group, which only licenses to governments, for example.

Imagine the price you can charge if you are able to provide a working zero-day iPhone hack, for example.

It's in the millions.
 
Yet another "security measure" shown to be totally worthless. Microsoft ought to drop the requirement on this worthless piece of crap for Windows 11 and who knows what other version of Windows, IMMEDIATELY.
Yeah, you clearly understood the implications properly.
 