A hacker broke BitLocker encryption in seconds. A modified Raspberry Pi Pico board was enough for him – Živě.cz


BitLocker has been encrypting drives on Windows computers for years, but even it is not immune to hackers. Security expert Stacksmashing boasted on YouTube that breaking in took him only a few tens of seconds and a Raspberry Pi Pico prototyping board costing about a hundred.

The Raspberry Pi name helped the story spread around the world, but there is no reason to scrap your computer as poorly secured just yet. This is not a fresh bug, but rather a design weakness that has always been there.

BitLocker Attack Demonstration:

The BitLocker key can be intercepted when transferred from the TPM

The decryption key for BitLocker is located in the TPM security chip, which initially verifies the integrity of the system – that is, that no one has tampered with its basic hardware configuration – and then passes the key to the boot process, which is used to start decrypting the data on the secured disk drive.

The transfer of the key from the external TPM chip to the processor is unencrypted

The risk is that the key is transmitted from the TPM to the processor unencrypted, so a potential eavesdropper with physical access to the inside of the computer could connect a probe to the communications bus wires and eavesdrop on its signal.

Raspberry Pi Pico on the author’s PCB adapter for listening to raw communication

Well, this is exactly what Stacksmashing did, using a Raspberry Pi Pico to record the key transfer from the TPM to the CPU on an older-generation ThinkPad X1 Carbon laptop. He then cheerfully plugged the BitLocker-encrypted SSD into his Ubuntu computer, unlocked it with the intercepted key, and was free to do whatever he wanted with the files.


The integrated TPM – fTPM will help

However, this design weakness is known, it is nothing new, and it is simply a feature rather than a bug. After all, if the transmission of the key between the TPM and the CPU were encrypted, the key for that encryption would itself have to be stored somewhere, and we would be back where we started.

The author later unlocked the Linux partition with the intercepted key

Microsoft is aware of these design weaknesses and the system has several countermeasures at the hardware level; however, the best defense is the increasingly widespread fTPM – a Trusted Platform Module implemented as firmware that is part of the processor/chipset itself.

In this case, it is no longer possible to simply eavesdrop on the signal communication on the electrical level, because it takes place between the individual logic blocks directly inside the processor.
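Whether a given machine falls into the discrete-TPM or fTPM category, and whether its BitLocker volumes rely on the TPM alone to release the key at boot, can be checked from Windows itself. The script below is an added example written for this article, not code from Stacksmashing or from Microsoft; the vendor-ID lists it uses to tell firmware TPMs from discrete chips are a heuristic and an assumption, not an authoritative table.

```powershell
# Added example (not from the article): report the TPM type and BitLocker key-protector types.
# Run from an elevated PowerShell prompt; Get-Tpm and Get-BitLockerVolume need administrator rights.

# Vendor-ID heuristic (an assumption, not an exhaustive list): firmware TPMs report the
# CPU/chipset vendor, while discrete TPM chips report the silicon vendor of the chip.
$firmwareVendors = @('INTC', 'AMD')           # Intel PTT, AMD fTPM
$discreteVendors = @('IFX', 'NTC', 'STM')     # Infineon, Nuvoton, STMicroelectronics

function Get-TpmKind {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) { return 'none' }
    $vendor = ([string]$tpm.ManufacturerIdTxt).Trim()
    if ($firmwareVendors -contains $vendor) { return "firmware ($vendor)" }
    if ($discreteVendors -contains $vendor) { return "discrete ($vendor)" }
    return "unknown vendor ($vendor)"
}

Write-Host "TPM: $(Get-TpmKind)"

# For every BitLocker volume, list the key protectors. A volume protected only by a plain
# 'Tpm' protector is unlocked automatically at boot, which is the mode the article's
# bus-sniffing demonstration relies on; 'TpmPin', 'TpmStartupKey' and 'TpmPinStartupKey'
# make the TPM release the key only after a user-held secret has been presented.
foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    Write-Host ("{0} [{1}] protectors: {2}" -f $vol.MountPoint, $vol.ProtectionStatus, ($types -join ', '))

    $hasUserSecret = ($types -contains 'TpmPin') -or
                     ($types -contains 'TpmStartupKey') -or
                     ($types -contains 'TpmPinStartupKey')
    if (($types -contains 'Tpm') -and -not $hasUserSecret) {
        Write-Warning "$($vol.MountPoint): TPM-only protector; the key is released without a PIN or startup key at boot."
    }
}
```

On a machine with a discrete TPM the first line of output names the chip vendor, which is the configuration the article describes; on Intel PTT or AMD fTPM systems the key exchange never leaves the processor package. The per-volume lines show whether BitLocker is configured to release the key automatically or only after the user supplies a secret.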

If the attacker has access to the hardware, it’s over

In any case, if a would-be attacker gets to the hardware, intercepting the key transfer for BitLocker is the least of it. In principle, such a computer system can no longer be considered trustworthy, and all security principles have failed.

You can find out what your TPM is in newer OS versions in the Windows Security application

The attacker can then eavesdrop on practically anything. Also for that reason, encryption is also gradually being deployed in the flash memories of many microcontrollers and other critical integrated circuits.
