cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Contributor I

Extracting BitLocker Keys from a TPM

Denis Andzakovic has published a new and relatively simple way that Windows BitLocker encryption keys can be sniffed from default (insecure) Windows configurations as they travel from Trusted Platform Modules (TPMs) during boot. For "convenience" BitLocker boots encrypted drives without the user needing to enter a password or PIN other than their normal Windows login. Simple, right? No login, no access to the computer’s encrypted drive, not even removing the drive, also putting it in another computer won't work because the encryption key is secured inside the old machine’s TPM. Totally, secure!

 

BUT, there is one theoretical line of attack – boot the target computer and figure out how to discover the encryption key (or Volume Master Key) as it travels from the TPM across something called the Low Pin Count (LPC) bus.

 

I love it when someone finds a hardware flaw and shows me a technical exploitHeart

Tags (3)
3 Replies
Newcomer II

Re: Extracting BitLocker Keys from a TPM

That's why important files and documents should be always encrypted at file level and not only ad OS level Smiley Wink

Community Champion

Re: Extracting BitLocker Keys from a TPM

I am still using TrueCrypt encrypted volumes that have to be mounted manually. This is on top of the BitLocker.

Incidentally, there is a way to protect from that vulnerability by requiring password auth at boot time pre-OS and it could be configured in UEFI.

It's a headache for sure, but depending how sensitive the information on your computer is, it may be worth it.

Community Champion

Re: Extracting BitLocker Keys from a TPM


@vt100 wrote:

 

Incidentally, there is a way to protect from that vulnerability by requiring password auth at boot time pre-OS and it could be configured in UEFI.

Yes, I have done just that on my laptop; It's configured to prompt for the UEFI password whenever the system starts up. (If that's a pain, it can be configured to prompt for a password if it detects that the rear was temporarily removed)

 

Anyway, this emphasizes on the need to have your data secured at multiple levels. To obtain useful data via this exploit, an attacker would need to have physical access to the system, bypass UFEI security, and finally decrypt data at application levels as well.

 

All this isn't impossible, but will definitely increase the effort / time required to obtain the data --- and probably dissuade an attacker unless the data is really very valuable.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz