The enthusiast managed to gain access to data encrypted by the built-in Windows BitLocker tool. This took less than a minute, and the cost of purchasing additional equipment did not exceed $10. However, outside of experimental conditions, doing something like this is in many cases not an easy task, if at all feasible.
Steal a BitLocker master key in 43 seconds
The author of the YouTube channel stacksmashing demonstrated how to decrypt data on a BitLocker-protected drive using a TPM sniffer built on the Raspberry Pi Pico platform. To solve the problem, not counting preliminary preparation, it took the enthusiast exactly 43 seconds, and the cost of purchasing additional equipment did not reach $10.
Raspberry Pi Pico is a microcontroller board and the most compact device of the Raspberry Pi family. The device was introduced in January 2021 and at the start of sales was offered at a recommended retail price of $4.
BitLocker is the standard and most accessible means of encrypting storage devices (more precisely, individual volumes of their components), built into the Windows operating system. The tool allows you to protect the data on your drives from unwanted eyes and hands using a physical key or password. If an SSD or hard drive protected by BitLocker is stolen, an attacker will most likely not be able to access the information stored on it.
BitLocker Use Cases
For greater reliability, BitLocker can be used in conjunction with a Trusted Platform Module (TPM). This device, which can be either soldered on the motherboard or supplied as a separate module, provides the creation and storage of cryptographic keys (including those used to decrypt BitLocker data), as well as system integrity validation. The presence of a TPM 2.0 module in a computer is one of the Windows 11 hardware requirements.
Proprietary BitLocker technology is supported on Windows Vista, 7, 8, 8.1, 10 and 11 Pro, Enterprise, Pro Education/SE and Education editions, as well as all Windows server systems starting with Windows Server 2008.
How the experiment proceeded
To extract the key needed to decrypt data on the SSD (Volume Master Key) from the external TPM module, the YouTuber took advantage of a vulnerability in the design of the ten-year-old Lenovo laptop on which the experiment was conducted.
He found that when the PC boots, data between the TPM module and the central processing unit (CPU) is transferred in an unencrypted format over the low-speed LPC (Low Pin Count) bus. That is, the master key can be intercepted at the time of its transmission from the TPM to the processor by connecting to the LPC bus. To do this, it is enough to understand exactly how data exchange occurs between the TPM and the CPU.
The blogger discovered that on the laptop motherboard, not far from the M.2 connector for installing an SSD, there was an LPC connector that could be connected to to intercept (sniff) data.
The device for reading this data was based on the Raspberry Pi Pico platform - it was only necessary to solder several spring-loaded contacts to it to connect to the LPC bus, as well as prepare software for decoding the TPM module signal.
Upon completion of the preparatory activities, the blogger began the experiment. Having started the timer on the smartphone, he sequentially removed the top cover of the laptop, connected the sniffer to the LPC bus connector and started the computer, after which the master key appeared on the PC display almost instantly. The procedure took a total of 43 seconds.
Subsequently, it was only necessary to remove the encrypted SSD, connect it to another machine, and use a BitLocker partition reading tool (for example, DisLocker for Linux) indicating the previously extracted key.
Possible countermeasures
As Tom's Hardware notes, an attack similar to the one carried out by the blogger can be carried out on machines with more modern motherboards that support external TPMs, but it will require a little more effort. Computers with a TPM integrated directly into the processor (as implemented in modern AMD and Intel CPUs) are not vulnerable to such attacks.
The Microsoft Knowledge Base section on BitLocker provides a list of countermeasures that can help protect against attacks like the one demonstrated on the stacksmashing channel when using pluggable TPMs.
So, firstly, the company’s specialists suggest using one of the multi-factor authentication options: TPM together with an external hardware key (for example, a USB token), TPM with a PIN code, which is entered every time you boot; If desired, the hardware key and PIN can be used together to increase the overall security of encrypted data.
Using any of these methods can be associated with some inconvenience for both the user and the administrator, which Microsoft honestly warns about. For example, a user may simply forget his PIN code, and it will be more difficult for an administrator to keep the software of a remote machine up to date due to the need to regularly enter a PIN code to start it, including after exiting hibernation mode. However, the last problem is solved using the Network Unlock mechanism, which is also described in the documentation.
The second security measure Microsoft offers is to protect computer ports that have Direct Memory Access (DMA). These, in particular, include PCI bus ports or the previously mentioned LPC.
It is worth noting that most of the approaches to protecting DMA interfaces proposed in the documentation involve making changes to Windows group policies, which requires certain knowledge and skills from the user/administrator.
In general, according to the documentation, the most complex set of protective measures is required in cases where it is assumed that the attacker who decided to obtain the BitLocker encryption keys has a relatively high level of skill and a long time of access to the attacked machine. The more authentication factors a computer operator uses, the more difficult and costly it will be for an attacker to bypass security measures. In the case of using a combination of TPM and a complex PIN code, achieving the goal set by it is “virtually impossible,” it follows from the documentation.
• Video:
Steal a BitLocker master key in 43 seconds
The author of the YouTube channel stacksmashing demonstrated how to decrypt data on a BitLocker-protected drive using a TPM sniffer built on the Raspberry Pi Pico platform. To solve the problem, not counting preliminary preparation, it took the enthusiast exactly 43 seconds, and the cost of purchasing additional equipment did not reach $10.
Raspberry Pi Pico is a microcontroller board and the most compact device of the Raspberry Pi family. The device was introduced in January 2021 and at the start of sales was offered at a recommended retail price of $4.
BitLocker is the standard and most accessible means of encrypting storage devices (more precisely, individual volumes of their components), built into the Windows operating system. The tool allows you to protect the data on your drives from unwanted eyes and hands using a physical key or password. If an SSD or hard drive protected by BitLocker is stolen, an attacker will most likely not be able to access the information stored on it.
BitLocker Use Cases
For greater reliability, BitLocker can be used in conjunction with a Trusted Platform Module (TPM). This device, which can be either soldered on the motherboard or supplied as a separate module, provides the creation and storage of cryptographic keys (including those used to decrypt BitLocker data), as well as system integrity validation. The presence of a TPM 2.0 module in a computer is one of the Windows 11 hardware requirements.
Proprietary BitLocker technology is supported on Windows Vista, 7, 8, 8.1, 10 and 11 Pro, Enterprise, Pro Education/SE and Education editions, as well as all Windows server systems starting with Windows Server 2008.
How the experiment proceeded
To extract the key needed to decrypt data on the SSD (Volume Master Key) from the external TPM module, the YouTuber took advantage of a vulnerability in the design of the ten-year-old Lenovo laptop on which the experiment was conducted.
He found that when the PC boots, data between the TPM module and the central processing unit (CPU) is transferred in an unencrypted format over the low-speed LPC (Low Pin Count) bus. That is, the master key can be intercepted at the time of its transmission from the TPM to the processor by connecting to the LPC bus. To do this, it is enough to understand exactly how data exchange occurs between the TPM and the CPU.
The blogger discovered that on the laptop motherboard, not far from the M.2 connector for installing an SSD, there was an LPC connector that could be connected to to intercept (sniff) data.
The device for reading this data was based on the Raspberry Pi Pico platform - it was only necessary to solder several spring-loaded contacts to it to connect to the LPC bus, as well as prepare software for decoding the TPM module signal.
Upon completion of the preparatory activities, the blogger began the experiment. Having started the timer on the smartphone, he sequentially removed the top cover of the laptop, connected the sniffer to the LPC bus connector and started the computer, after which the master key appeared on the PC display almost instantly. The procedure took a total of 43 seconds.
Subsequently, it was only necessary to remove the encrypted SSD, connect it to another machine, and use a BitLocker partition reading tool (for example, DisLocker for Linux) indicating the previously extracted key.
Possible countermeasures
As Tom's Hardware notes, an attack similar to the one carried out by the blogger can be carried out on machines with more modern motherboards that support external TPMs, but it will require a little more effort. Computers with a TPM integrated directly into the processor (as implemented in modern AMD and Intel CPUs) are not vulnerable to such attacks.
The Microsoft Knowledge Base section on BitLocker provides a list of countermeasures that can help protect against attacks like the one demonstrated on the stacksmashing channel when using pluggable TPMs.
So, firstly, the company’s specialists suggest using one of the multi-factor authentication options: TPM together with an external hardware key (for example, a USB token), TPM with a PIN code, which is entered every time you boot; If desired, the hardware key and PIN can be used together to increase the overall security of encrypted data.
Using any of these methods can be associated with some inconvenience for both the user and the administrator, which Microsoft honestly warns about. For example, a user may simply forget his PIN code, and it will be more difficult for an administrator to keep the software of a remote machine up to date due to the need to regularly enter a PIN code to start it, including after exiting hibernation mode. However, the last problem is solved using the Network Unlock mechanism, which is also described in the documentation.
The second security measure Microsoft offers is to protect computer ports that have Direct Memory Access (DMA). These, in particular, include PCI bus ports or the previously mentioned LPC.
It is worth noting that most of the approaches to protecting DMA interfaces proposed in the documentation involve making changes to Windows group policies, which requires certain knowledge and skills from the user/administrator.
In general, according to the documentation, the most complex set of protective measures is required in cases where it is assumed that the attacker who decided to obtain the BitLocker encryption keys has a relatively high level of skill and a long time of access to the attacked machine. The more authentication factors a computer operator uses, the more difficult and costly it will be for an attacker to bypass security measures. In the case of using a combination of TPM and a complex PIN code, achieving the goal set by it is “virtually impossible,” it follows from the documentation.
• Video:
