The AchieVer

New BitLocker attack puts laptops storing sensitive data at risk


New Zealand security researcher details never-before-seen attack for recovering BitLocker keys.

New BitLocker attack on TPM LPC buses


A security researcher has come up with a new method of extracting BitLocker encryption keys from a computer's Trusted Platform Module (TPM) that only requires a $27 FPGA board and some open-sourced code.


To be clear, this new BitLocker attack requires physical access to a device and will result in the device's destruction as the attacker needs to hard-wire equipment into the computer's motherboard.

Nonetheless, the attack yields the desired results and should be considered a threat vector for owners of devices storing highly-valuable information, such as classified materials, proprietary business documents, cryptocurrency wallet keys, or other similarly sensitive data.


The attack was detailed for the first time today in a report by Denis Andzakovic, a New Zealand-based security researcher at Pulse Security.


His method is different from past BitLocker attacks because it requires hard-wiring into a computer's TPM chip and sniffing communications via the Low Pin Count (LPC) bus.


TPMs are dedicated microcontrollers (also known as chips, cryptoprocessors) that are usually deployed on high-valued computers, such as those used in enterprise or government networks, but also data centers and sometimes personal computers.


TPMs have different roles, and one of them is to support Microsoft's BitLocker, a full volume disk encryption feature that was added way back in Windows Vista.


In his research, Andzakovic detailed a new attack routine that extracts BitLocker encryption keys from the LPC bus on both TPM 1.2 and TPM 2.0 chips.


He tested his research on an HP laptop running a TPM 1.2 chip (attack carried out using an expensive Logic Analyzer) and against a Surface Pro 3 running a TPM 2.0 chip (attack carried out using a cheap FPGA board and open source code).


In both attacks, BitLocker was running in its standard configuration.


Andzakovic's research showed once again why using standard BitLocker deployments is a very bad idea and the reason why even Microsoft is warning against it in the official BitLocker documentation.


Both the researcher and Microsoft recommend using a pre-boot authentication method by setting a TPM/BIOS password before the OS boots, a password that should prevent the BitLocker keys from reaching the TPM and getting sniffed using this new attack.


Andzakovic's finding joins the ranks of other BitLocker attacks that involved direct memory access (DMA) methods [1, 2, 3], brute-force attacks, but also vulnerabilities in self-encrypting SSDs and the Windows Update process.
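To check whether a machine is in the standard TPM-only configuration described above or already uses pre-boot authentication, the following is an added example, not part of the original article or the researcher's report. It assumes the built-in BitLocker PowerShell module and an elevated session; the function name `Get-BitLockerPreBootStatus` is hypothetical.

```powershell
# Added example: report whether each OS volume can unlock from the TPM alone.
# Run elevated on a Windows machine with the BitLocker module available.
function Get-BitLockerPreBootStatus {
    [CmdletBinding()]
    param()

    # Protector types that need user input or a startup key before the OS boots.
    $preBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'

    foreach ($vol in Get-BitLockerVolume) {
        # Only the OS volume is unlocked by the TPM during boot.
        if ($vol.VolumeType.ToString() -ne 'OperatingSystem') { continue }

        $types = @($vol.KeyProtector |
            ForEach-Object { $_.KeyProtectorType.ToString() })

        $finding = if ($vol.ProtectionStatus.ToString() -ne 'On') {
            'BitLocker protection is off or suspended'
        }
        elseif ($types -contains 'Tpm') {
            # Standard configuration: the key is unsealed with no user input.
            'TPM-only: key is released at boot without pre-boot authentication'
        }
        elseif (@($types | Where-Object { $_ -in $preBootTypes }).Count -gt 0) {
            'Pre-boot authentication is required'
        }
        else {
            'No TPM or pre-boot protector found; review manually'
        }

        [pscustomobject]@{
            MountPoint = $vol.MountPoint
            Protectors = $types -join ', '
            Finding    = $finding
        }
    }
}

Get-BitLockerPreBootStatus | Format-Table -AutoSize -Wrap

# Moving a flagged volume to TPM+PIN (the "Require additional authentication
# at startup" policy must allow it):
#   $pin = Read-Host -AsSecureString 'New BitLocker PIN'
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $pin
```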




