Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
AppDefects
Community Champion
‎03-21-2019 12:46 PM
‎03-21-2019 12:46 PM

Extracting BitLocker Keys from a TPM

Denis Andzakovic has published a new and relatively simple way that Windows BitLocker encryption keys can be sniffed from default (insecure) Windows configurations as they travel from Trusted Platform Modules (TPMs) during boot. For "convenience" BitLocker boots encrypted drives without the user needing to enter a password or PIN other than their normal Windows login. Simple, right? No login, no access to the computer’s encrypted drive, not even removing the drive, also putting it in another computer won't work because the encryption key is secured inside the old machine’s TPM. Totally, secure!

 

BUT, there is one theoretical line of attack – boot the target computer and figure out how to discover the encryption key (or Volume Master Key) as it travels from the TPM across something called the Low Pin Count (LPC) bus.

 

I love it when someone finds a hardware flaw and shows me a technical exploitHeart

Reply
3 Replies
Balby84
Newcomer II
‎03-22-2019 05:03 AM
‎03-22-2019 05:03 AM

That's why important files and documents should be always encrypted at file level and not only ad OS level 😉

Reply
0 Kudos
vt100
Community Champion
‎03-22-2019 05:31 PM
‎03-22-2019 05:31 PM

I am still using TrueCrypt encrypted volumes that have to be mounted manually. This is on top of the BitLocker.

Incidentally, there is a way to protect from that vulnerability by requiring password auth at boot time pre-OS and it could be configured in UEFI.

It's a headache for sure, but depending how sensitive the information on your computer is, it may be worth it.

Reply
0 Kudos
Shannon
Community Champion
‎03-24-2019 01:51 AM
‎03-24-2019 01:51 AM

@vt100 wrote:

 

Incidentally, there is a way to protect from that vulnerability by requiring password auth at boot time pre-OS and it could be configured in UEFI.

Yes, I have done just that on my laptop; It's configured to prompt for the UEFI password whenever the system starts up. (If that's a pain, it can be configured to prompt for a password if it detects that the rear was temporarily removed)

 

Anyway, this emphasizes on the need to have your data secured at multiple levels. To obtain useful data via this exploit, an attacker would need to have physical access to the system, bypass UFEI security, and finally decrypt data at application levels as well.

 

All this isn't impossible, but will definitely increase the effort / time required to obtain the data --- and probably dissuade an attacker unless the data is really very valuable.

 

 

Shannon D'Cruz,
CISM, CISSP

www.linkedin.com/in/shannondcruz
Reply
0 Kudos