Breaking Bitlocker – Bypassing the Windows Disk Encryption [video] (opens in new tab)

(youtube.com)

111 pointstkems2y ago69 comments

69 comments

Very interesting video. For those who can't watch, he creates a PCB with a RPi Pico and some data pins which can sniff the BitLocker key as it's sent from the TPM chip back to the CPU. I was surprised to see that this was sent in plaintext, so although his board probably will only work for that particular motherboard, the method would be sound for other computers as well.

I'll leave the comments about MS requiring TPM chips for Win11 to others.

ghostpepper2y ago

It's a bit of a chicken-egg problem when the TPM is the root of trust for the entire system. Sure you can encrypt the data on the bus, but where do you store that key?

H8crilA2y ago

You use a Diffie-Hellman key exchange, signed by a cert stored in the CPU on one side and verified by the TPM on the other. CPUs already have such secret certs inside of them, for example for Intels' SGX.

But as you can read in the article linked by /u/osy, the TPM ecosystem is a victim of design by committee where such things as a threat model are not a thing. They were focused on building a "generic security solution" or some other nonsense, instead of making a threat model, then a protocol, then a verification of the protocol under the threat model - like people did for example with TLS 1.3.

2 more replies

mjg592y ago

You don't need to store that key anywhere, just like you don't need to store any keys to validate TLS connections.

briHass2y ago

Exactly. An attacker that has full access to the device can get past encrypted TPM parameters, it would just slow them down. The best method is pre-boot auth where the TPM itself requires a PIN to release the keys. Windows doesn't use that by default, but it can be enabled.

northern-lights2y ago

TPM can always store the (root) private key inside the TPM, but where will the other side of the channel (CPU, HD etc.) store their private key?

1 more reply

p_l2y ago

TPM 2.0 provides encrypted sessions specifically to handle this problem.

Of course you need to first use them...

briHass2y ago

No big deal here. This attack looks like it's using a crusty old TPM 1.2 laptop, so encrypted parameters to the TPM aren't supported. Even with Win11 and TPM2.0 (required for Win11), encrypted parameters to the TPM would just slow down an attacker.

You need to use pre-boot auth, like a PIN. Obviously, the TPM needs to have some kind of authentication to release the key, not just the default mode where Windows just needs to request it. This is all outlined in MS documentation: https://learn.microsoft.com/en-us/windows/security/operating...

NotPractical2y ago

TPM without PIN is the default configuration, so I'd consider it to be a big deal.

briHass2y ago

The age old battle of security vs convenience. Most Linux distros don't force you into pre boot, PIN TPM encryption either.

It is controllable through group policy, so orgs that care can force users into it.

1 more reply

ddtaylor2y ago

I agree. It seems Microsoft wants to get the accolades of solving a hard key exchange problem without actually solving that hard key exchange problem. We see this a LOT in companies that "make it easy" to do cryptography.

Dowwie2y ago

Interesting...

A PIN auth step eliminates the convenience value proposition of a TPM.

Selling passwordless authentication as a solution requiring a PIN just isn't recognizing that the PIN is now the password.

briHass2y ago

You're forgetting the other convenience value of the TPM in Windows, which is that it allows you to use a PIN/bio instead of your (hopefully) long and complex account password.

mathisdiego2y ago

I think that's a bit of an overstatement. You already enter a password to sign in (or not, if you use biometrics). This is just another password that you enter once at boot. Doesn't seem all that bad of a tradeoff for data security.

i5-2520M2y ago

With an ISO install, only 1.2 is required for Win11. TPM2 ia inly required to get the update offer from 10.

briHass2y ago

You can also set a registry key to ignore TPM/CPU requirements with the regular upgrade tools.

osy2y ago

TPM is insecure against physical attacks by design: https://gist.github.com/osy/45e612345376a65c56d0678834535166

The only secure implementation is called D-RTM which requires a level of chip, OEM, and OS support that's not done in practice.

northern-lights2y ago

There is nothing that is safe against physical attacks practically. You can always find a point where you can do a MITM attack as the communication channels between the TPM and anything else is almost always insecure.

FirmwareBurner2y ago

>There is nothing that is safe against physical attacks practically.

This! If security is your prime directive in your line of work(government, highly sensitive data, etc), then as long as your device has been outside your physical possession and in the hands of an untrusted third party, then it's automatically considered compromised and gets wiped or discarded by your IT department.

Because no amount of marketing security fluff from Microsoft, Apple, Google can stand against targeted attacks of state actors or knowledgeable motivated well funded actors with freshly acquired zero days.

The security they provide is only good enough against the average thief off the street, which I guess covers 98% of Average Joe's threats.

Even CC security certifications never judge a device whether it's hackable or not, but only on how long it takes for it to be hacked by an accredited lab, because nothing with outside physical access is ever unbackable. With enough time and six figure equipment off the publicly available commercial market, everything reveals its secrets eventually. And that's without zero days off the black market.

2 more replies

qingcharles2y ago

I use to work in Microsoft DRM. I used to say: the key is on the machine! This is like leaving your house key under a rock in the garden. It just puts up a barrier of a certain level which puts off most villains.

If you want secure Bitlocker, use a password.

sweetjuly2y ago

Sure, but there are many shades of gray. Directly leaking the entire key on an external bus is very different than needing to find and somehow bond to individual traces (likely below the top metal layer) on the die itself.

badrabbit2y ago

Only a sith deals in absolutes (jk). Even with physical access, you can define restrictions that introduce some level of difficulty for a threat actor with limited capability. For example, you can just kick in most house doors to get past locks, but people still lock their doors. Cars are a better example, most car theft happens when people leave their doors unlocked.

shawnz2y ago

Having a non-zero attack surface doesn't mean your security system provides "zero practical security". This is at best equally as hyperbolic as the vendors' own marketing claims that you are arguing against.

mjg592y ago

Not really? Encrypted sessions block the trivial attack of just watching the secret go across the bus. Pushing people to MITM attacks is already an improvement, and while generating initial trust in the TPM for that purpose isn't straightforward, it's not impossible. The almost universal implementation of TPM-backed secret management isn't secure against physical attack, but that's very different to "insecure by design". All the primitives to make this work reasonably are there, OS and firmware vendors just aren't using them.

osy2y ago

Yes really. The lack of any working implementation in production systems is an issue (D-RTM + encrypted sessions), something that Apple has done in an equivalent threat model since the iPhone 11. You can argue that "insecure by design" doesn't apply because there is a secure design in the abstract but the fact that nobody has adopted it in 20 years says something about the design itself.

It's _also_ insecure by design because in every deployed implementation (including with PIN), it is S-RTM meaning that _any_ UEFI driver vuln will compromise your TPM key. Yes, any UEFI vulnerability in its countless vendor drivers, USB stack, network stack, etc.

Arnavion2y ago

>All the primitives to make this work reasonably are there, OS and firmware vendors just aren't using them.

To be precise, both Windows (according to the article) and Linux+systemd (since systemd v251) support letting the user specify a TPM PIN and then use parameter encryption. But yes, both make it optional.

Avamander2y ago

DTRM is offered with some Secured-Core machines that support Firmware Protection, is it not?

mike_hock2y ago

I hope this attempt at shoving hardware DRM down our throats tanks just like the last one did.

p_l2y ago

It's not actually used for DRM, that's part of Intel ME and why AMD PSP is closed source. Both of those are involved in setting up "protected media path" which is all about setting up encrypted channel between display and media player to prevent sniffing.

TPM could be used for DRM in the sense that DRM software could refuse to run on system that isn't approved, but it's not going to stop you from enjoying a DRM free system - in fact it can help by explicitly supporting clearing of TPM state by owner.

jsmith992y ago

Nothing new. This attack is demonstrated here many times and the Microsoft docs discuss a similar attack using self encrypting drives. The counter measure is to use a virtual TPM built into the CPU or to use TPM+PIN (which is standard practice for security).

p_l2y ago

Another piece is to use encrypted session where the traffic between OS and TPM is encrypted as well.

jpalomaki2y ago

Does Microsoft Pluton [1] help here? I noticed at least some recent ThinkPad AMD models support it.

[1] https://learn.microsoft.com/en-us/windows/security/hardware-...

mjg592y ago

Yes, it does, as does using any other CPU or chipset based TPM (Intel PTT, the AMD PSP-based TPM, running in Trustzone on ARM). The non-Pluton approaches potentially have greater overall attack surface, so Pluton is probably the best choice if available.

matsz2y ago

This is particularly interesting considering that TrueCrypt recommended migration to BitLocker as the main option for Windows: https://truecrypt.sourceforge.net/

IIRC Apple's version of TPM (Secure Enclave) should be immune to such attacks (since it's on the SoC, but I'm not sure whether the communication is encrypted or not), and the main data encryption method for GNU/Linux (LUKS) does not utilize TPM by default (might depend on distro though).

EDIT: I believe that the method in the video only works for volumes that aren't password/PIN-protected.

dist-epoch2y ago

If you worry about someone sniffing your hardware buses, you should also worry about them intercepting your keyboard connection when you type the TrueCrypt password.

Dylan168072y ago

The problem is that they can sniff the bus at their convenience after grabbing the hardware and running. No need to hide a keylogger.

0cf8612b2e1e2y ago

Does seem laughably easy to intercept the keyboard connection.

p_l2y ago

TPM 2.0 supports encrypted sessions, which block this kind of attack (TPM 2.0 is wholly different beast than TPM 1.x series).

I do not recall if cryptsetup's TPM2 support sets up encrypted session, but for BitLocker just setting it to require PIN breaks this attack (the PIN is used as part of TPM policy preventing automatic decryption).

Additionally, some laptops at the very least attempt to erase TPM on case open.

jeroenhd2y ago

I think the "on case open" bypass was shown quite well in this video (the picture of the Surface device with a hole drilled in the back).

Such measures should protect against backdooring attempts (by the visible physical damage to the case) but they won't prevent an attacker from reading the secret key.

linarism2y ago

Worth noting that modern AMD CPUs incorporate the TPM functionality in the CPU itself, not sure about Intel.

Kluggy2y ago

AMD calls it fTPM (Firmware TPM I believe) and Intel calls it PTT (Platform Trust Technology)

dist-epoch2y ago

The most recent AMD CPUs, Zen4 also incorporate Pluton, the TPM designed by Microsoft based on Xbox security experience.

Arnavion2y ago

Also given AMD's repeated bungling of the fTPM, Pluton is probably the better option if you must enable one.

kopirgan2y ago

Didn't know! After TC vanished with recommendation to use BL I had kept few files in direct Windows storage protected by BL. The more sensitive ones I still kept in Vera. Here my natural scepticism protected me lol.

Guess turning on pre boot pw is next thing to do.

briHass2y ago

Note: there's also Bitlocker for non-boot drives, aka Bitlocker to Go. It functions more like TV/VC in that you can encrypt a drive/partition/removable storage with a password. You probably don't want it to auto-unlock in that case.

bugbuddy2y ago

I predict that this will necessitate an upgrade to TPM 3.0 with a key exchange handshake mitigation along with it being a requirement to upgrade to Windows 12. That’s fine though because it will help with economic growth and all the relevant companies’ bottom lines.

p_l2y ago

TPM2 already has encrypted session support which does exactly that.

whyoh2y ago

To decrypt a drive with a TPM-only key you just need to turn on the PC. So what's the big deal here?

It's disappointing that TPM-only is the default for Bitlocker, but you can just use something else (pin/password, key file, ...).

jeroenhd2y ago

I think TPM-only encryption is still good enough for cases where a thief may try to swipe the hard drive out to steal the information on it later.

Plus, in a business where laptops may get reused, it could be a method to make an old Windows install inaccessible by wiping the backup key from the cloud and clearing the TPM on the device without any formatting. You may want to do a quick format to be sure (you never know if someone kept their private files in the EFI partition) but it'll protect you against data recovery risks from reassigned sectors without having to force everyone to enter a password twice every time they boot their laptop.

shawnz2y ago

These kinds of attacks aside, the intent is that you need to turn on the PC and then actually boot to the intended operating system, which is then protected with a login screen

whyoh2y ago

Yeah fair enough. The login screen should still provide good protection in a TPM-only scenario. (Although it had some vulnerabilities in the past: https://secret.club/2021/01/15/bitlocker-bypass.html)

ale422y ago

Except that if you can sniff the encryption keys, you can tamper with the OS and for example remove the password...

1 more reply

mr_mitm2y ago

The "big deal" is just seeing it demonstrated this quickly. TPM-Sniffing is an old hat [1], but I always thought it would take at least hours of painstaking fiddling with a soldering iron. I find this video impressive and eye opening.

[1] https://www.orangecyberdefense.com/ch/insights/blog/tpm-snif... (2021)

goriloser2y ago

The default is an unencrypted computer. Microsoft is trying to improve that default without requiring yet another password.

Dowwie2y ago

This presumably applies to any FDE utilizing TPM, not just BitLocker.

WirelessGigabit2y ago

Modern systems don't have a dedicated TPM, so it's a lot harder to read the settings off the chip, as it is part of the CPU.

Then I believe modern TPM communication is encrypted.

On too of that you want your laptop to support physical tampering resistance, which prevents both this (outdated) chip attack and freezing the RAM. When you then boot the laptop the master password is required. I would prefer it to throw off the PCR but hey, it works too.

I do wonder if you have 8GB of soldered RAM and 8GB on a stick, Windows keeps the key in the soldered part to increase difficulty stealing?

joemazerino2y ago

I'm lead to believe the TPM is a firmware TPM and not a hardware one. Is this correct?

blinkingled2y ago

Opposite - the TPM is hardware TPM and that's why it was easier to sniff the communication between it and the CPU over LPC. fTPM resides inside the CPU so sniffing is not as easy.

joemazerino2y ago

That's compelling. I understand fTPM is less resistant to system level attacks because of the virtualization nature of it. Seems like a conundrum of tradeoffs.

j / k navigate · click thread line to collapse

69 comments

aquova2y ago

I'll leave the comments about MS requiring TPM chips for Win11 to others.

ghostpepper2y ago

It's a bit of a chicken-egg problem when the TPM is the root of trust for the entire system. Sure you can encrypt the data on the bus, but where do you store that key?

H8crilA2y ago

2 more replies

mjg592y ago

You don't need to store that key anywhere, just like you don't need to store any keys to validate TLS connections.

briHass2y ago

northern-lights2y ago

TPM can always store the (root) private key inside the TPM, but where will the other side of the channel (CPU, HD etc.) store their private key?

1 more reply

p_l2y ago

TPM 2.0 provides encrypted sessions specifically to handle this problem.

Of course you need to first use them...

briHass2y ago

NotPractical2y ago

TPM without PIN is the default configuration, so I'd consider it to be a big deal.

briHass2y ago

The age old battle of security vs convenience. Most Linux distros don't force you into pre boot, PIN TPM encryption either.

It is controllable through group policy, so orgs that care can force users into it.

1 more reply

ddtaylor2y ago

Dowwie2y ago

Interesting...

A PIN auth step eliminates the convenience value proposition of a TPM.

Selling passwordless authentication as a solution requiring a PIN just isn't recognizing that the PIN is now the password.

briHass2y ago

You're forgetting the other convenience value of the TPM in Windows, which is that it allows you to use a PIN/bio instead of your (hopefully) long and complex account password.

mathisdiego2y ago

i5-2520M2y ago

With an ISO install, only 1.2 is required for Win11. TPM2 ia inly required to get the update offer from 10.

briHass2y ago

You can also set a registry key to ignore TPM/CPU requirements with the regular upgrade tools.

osy2y ago

TPM is insecure against physical attacks by design: https://gist.github.com/osy/45e612345376a65c56d0678834535166

The only secure implementation is called D-RTM which requires a level of chip, OEM, and OS support that's not done in practice.

northern-lights2y ago

FirmwareBurner2y ago

>There is nothing that is safe against physical attacks practically.

The security they provide is only good enough against the average thief off the street, which I guess covers 98% of Average Joe's threats.

2 more replies

qingcharles2y ago

If you want secure Bitlocker, use a password.

sweetjuly2y ago

badrabbit2y ago

shawnz2y ago

mjg592y ago

osy2y ago

Arnavion2y ago

>All the primitives to make this work reasonably are there, OS and firmware vendors just aren't using them.

Avamander2y ago

DTRM is offered with some Secured-Core machines that support Firmware Protection, is it not?

mike_hock2y ago

I hope this attempt at shoving hardware DRM down our throats tanks just like the last one did.

p_l2y ago

jsmith992y ago

p_l2y ago

Another piece is to use encrypted session where the traffic between OS and TPM is encrypted as well.

jpalomaki2y ago

Does Microsoft Pluton [1] help here? I noticed at least some recent ThinkPad AMD models support it.

[1] https://learn.microsoft.com/en-us/windows/security/hardware-...

mjg592y ago

matsz2y ago

This is particularly interesting considering that TrueCrypt recommended migration to BitLocker as the main option for Windows: https://truecrypt.sourceforge.net/

EDIT: I believe that the method in the video only works for volumes that aren't password/PIN-protected.

dist-epoch2y ago

If you worry about someone sniffing your hardware buses, you should also worry about them intercepting your keyboard connection when you type the TrueCrypt password.

Dylan168072y ago

The problem is that they can sniff the bus at their convenience after grabbing the hardware and running. No need to hide a keylogger.

0cf8612b2e1e2y ago

Does seem laughably easy to intercept the keyboard connection.

p_l2y ago

TPM 2.0 supports encrypted sessions, which block this kind of attack (TPM 2.0 is wholly different beast than TPM 1.x series).

Additionally, some laptops at the very least attempt to erase TPM on case open.

jeroenhd2y ago

I think the "on case open" bypass was shown quite well in this video (the picture of the Surface device with a hole drilled in the back).

Such measures should protect against backdooring attempts (by the visible physical damage to the case) but they won't prevent an attacker from reading the secret key.

linarism2y ago

Worth noting that modern AMD CPUs incorporate the TPM functionality in the CPU itself, not sure about Intel.

Kluggy2y ago

AMD calls it fTPM (Firmware TPM I believe) and Intel calls it PTT (Platform Trust Technology)

dist-epoch2y ago

The most recent AMD CPUs, Zen4 also incorporate Pluton, the TPM designed by Microsoft based on Xbox security experience.

Arnavion2y ago

Also given AMD's repeated bungling of the fTPM, Pluton is probably the better option if you must enable one.

kopirgan2y ago

Guess turning on pre boot pw is next thing to do.

briHass2y ago

bugbuddy2y ago

p_l2y ago

TPM2 already has encrypted session support which does exactly that.

whyoh2y ago

To decrypt a drive with a TPM-only key you just need to turn on the PC. So what's the big deal here?

It's disappointing that TPM-only is the default for Bitlocker, but you can just use something else (pin/password, key file, ...).

jeroenhd2y ago

I think TPM-only encryption is still good enough for cases where a thief may try to swipe the hard drive out to steal the information on it later.

shawnz2y ago

These kinds of attacks aside, the intent is that you need to turn on the PC and then actually boot to the intended operating system, which is then protected with a login screen

whyoh2y ago

ale422y ago

Except that if you can sniff the encryption keys, you can tamper with the OS and for example remove the password...

1 more reply

mr_mitm2y ago

[1] https://www.orangecyberdefense.com/ch/insights/blog/tpm-snif... (2021)

goriloser2y ago

The default is an unencrypted computer. Microsoft is trying to improve that default without requiring yet another password.

Dowwie2y ago

This presumably applies to any FDE utilizing TPM, not just BitLocker.

WirelessGigabit2y ago

Modern systems don't have a dedicated TPM, so it's a lot harder to read the settings off the chip, as it is part of the CPU.

Then I believe modern TPM communication is encrypted.

I do wonder if you have 8GB of soldered RAM and 8GB on a stick, Windows keeps the key in the soldered part to increase difficulty stealing?

joemazerino2y ago

I'm lead to believe the TPM is a firmware TPM and not a hardware one. Is this correct?

blinkingled2y ago

Opposite - the TPM is hardware TPM and that's why it was easier to sniff the communication between it and the CPU over LPC. fTPM resides inside the CPU so sniffing is not as easy.

joemazerino2y ago

That's compelling. I understand fTPM is less resistant to system level attacks because of the virtualization nature of it. Seems like a conundrum of tradeoffs.

j / k navigate · click thread line to collapse