With a Raspberry Pi Pico costing less than $10, BitLocker encryption can be defeated in 43 seconds by sniffing the key from an external TPM.
In this particular vulnerability, BitLocker's dependence on a TPM for protection is its own undoing. As a built-in feature of Windows 10 Pro and Windows 11 Pro, BitLocker is one of the most accessible encryption systems on the market today, protecting your data from prying eyes. But YouTuber stacksmashing revealed a massive BitLocker security hole that let him get around Windows BitLocker in about a minute using a cheap Raspberry Pi Pico that costs less than $10, giving him access to the encryption keys that unlock the secured data. With the device in hand, stealing the master key took about forty-three seconds.
To accomplish this, attackers exploit a well-known design weakness present in many systems that include a separate, discrete Trusted Platform Module (TPM). In such installations, BitLocker relies on the external TPM to protect crucial information, including the Platform Configuration Register (PCR) measurements and the Volume Master Key. With an external TPM, the chip communicates with the CPU over an LPC bus, and it is over this bus that it hands back the encryption key required to unlock the data on the disk.
As an ethical hacker, I discovered that the communication lanes (the LPC bus) between the CPU and the external TPM are totally unencrypted during boot-up, allowing an attacker to sniff important data as it flows between the two units and steal the encryption keys. With this in mind, I decided to attempt an attack on a 6-year-old laptop protected by BitLocker encryption. The laptop's LPC bus is accessible via an unpopulated connector on the motherboard, which is positioned right next to one of the laptop's M.2 ports. The same type of attack can be employed on newer motherboards that use an external TPM, although it usually takes more effort to intercept the bus communication.
In order to read data from the connector, I built a low-cost Raspberry Pi Pico device that could attach to the unprotected connector by simply touching the metal pads that protruded from it. To recover the Volume Master Key released by the module, the Pico was configured to read the raw 1s and 0s off the TPM bus.
The fact that the data lanes between the TPM and CPU aren't encrypted shows that Windows BitLocker paired with an external TPM isn't as secure as many people believe. Fortunately, this attack technique, which has been known for a while, is limited to discrete (external) TPMs; firmware TPMs integrated into the CPU never expose the key on an external bus.
How to protect against it.
It is critical to employ an internal (firmware) TPM rather than an external one, because internal TPMs are not vulnerable to this physical interception method. If an external TPM is required, ensure that any exposed bus interfaces, such as the LPC bus, are protected and not easily accessible.
Organizations and users should also consider adding security layers beyond BitLocker and the TPM alone. Even if attackers are able to sniff the bus, requiring an additional authentication factor before the TPM will release the key presents a further barrier. Monitoring physical access to sensitive equipment is also necessary to keep attackers from tampering with the hardware and intercepting data.
Furthermore, evaluating disk encryption systems with extra protections, or other encryption algorithms and key-release mechanisms that do not rely solely on the TPM, could improve security. Regular security audits, as well as staying up to date on developing vulnerabilities and threats, can aid in the timely identification and mitigation of new attack vectors.
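The practical check behind the two recommendations above is whether a machine is using a firmware TPM and whether BitLocker is configured as TPM-only (the key is released automatically at boot, which is exactly what the bus sniffing attack exploits) or with a pre-boot PIN (the TPM only unseals the key after the user supplies a secret the attacker does not have). The following PowerShell is an added example written for this article, not code from stacksmashing or from Microsoft; it assumes Windows 10/11 with the built-in BitLocker and TrustedPlatformModule modules, an elevated prompt, and the standard FVE policy registry value names (UseAdvancedStartup, UseTPMPIN), which are stated here as assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example: audit and harden BitLocker against TPM bus sniffing.
# Assumes the BitLocker and TrustedPlatformModule modules shipped with Windows.

function Get-TpmSummary {
    # Firmware TPMs report the CPU vendor as manufacturer ('INTC' for Intel PTT,
    # 'AMD' for AMD fTPM); a discrete chip reports its own vendor instead.
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present           = $tpm.TpmPresent
        Ready             = $tpm.TpmReady
        Manufacturer      = $tpm.ManufacturerIdTxt
        LikelyFirmwareTpm = ($tpm.ManufacturerIdTxt -in @('INTC', 'AMD'))
    }
}

function Test-PreBootAuth {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    # A bare 'Tpm' protector releases the VMK with no user interaction, so a
    # sniffed LPC bus is enough. The PIN / startup-key variants require a
    # secret or a USB key the attacker does not have.
    $strong = @($types | Where-Object { $_ -in @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey') })
    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ', ')
        TpmOnly          = (($types -contains 'Tpm') -and ($strong.Count -eq 0))
        HasPreBootAuth   = ($strong.Count -gt 0)
    }
}

function Enable-TpmPinProtector {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][SecureString]$Pin
    )
    # Assumed policy location for "Require additional authentication at startup":
    # UseAdvancedStartup = 1 enables the policy, UseTPMPIN = 2 requires a PIN.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 2 -Type DWord

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Never drop the only protector: insist on a recovery password before
    # swapping the TPM-only protector for TPM+PIN.
    $hasRecovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $hasRecovery) {
        throw "Add and back up a RecoveryPassword protector on $MountPoint before changing the TPM protector."
    }
    foreach ($p in ($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' })) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    Test-PreBootAuth -MountPoint $MountPoint
}

# Audit only; call Enable-TpmPinProtector explicitly to change the configuration.
Get-TpmSummary
Test-PreBootAuth
```

A result of `LikelyFirmwareTpm = False` together with `TpmOnly = True` is the configuration the article describes as at risk. Running `Enable-TpmPinProtector -Pin (Read-Host -AsSecureString 'PIN')` switches the system drive to TPM+PIN, after which the TPM will not unseal the Volume Master Key until the PIN is entered at boot; the script deliberately refuses to proceed without a backed-up recovery password so that a mistyped PIN cannot lock the owner out.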
In light of this specific vulnerability, manufacturers and users should push for and apply firmware updates that encrypt communication between the TPM and the CPU, or at the very least reduce the attack surface by eliminating easy access points such as unpopulated connectors on the motherboard. Finally, raising awareness of such vulnerabilities is critical so that users and IT professionals can be proactive in adopting safeguards to protect sensitive data.
Omar Rao
Omar has over 25 years of expertise in the technology field, specifically in Cybersecurity and Data Availability. He currently serves as a Senior Systems Engineer at Veeam, where he is tasked with delivering datacenter availability solutions to organizations to ensure the uninterrupted operation and quick recovery of their critical IT workloads and applications.