Security researcher Stacksmashing showed how hackers may use a $4 Raspberry Pi Pico to retrieve the BitLocker encryption key from Windows PCs in just 43 seconds, in a YouTube video. The researcher claims that specific attacks can get beyond BitLocker’s encryption by directly accessing the hardware and retrieving the encryption keys kept in the computer’s Trusted Platform Module (TPM) viz the LPC bus.
It has been shown that the encryption key requires physical access to the device and some extended know-how or expertise — so this is not an extended threat across the internet. Of course, BitLocker’s reliance on a TPM for security may be its own downfall in this particular escapade.
The dedicated Trusted Module, or TPM has a design flaw that the YouTuber took advantage of. In specific setups, Bitlocker depends on an external TPM to store vital data, including the Volume Master Key and Platform Configuration Registers (which are included in certain CPUs). When using an external TPM, the CPU and TPM communicate over an LPC bus to send the encryption keys needed to unlock the data on the disk. So the security hacker, Stacksmashing (YouTube), found the communication lanes (LPC bus) between the external TPM and the CPU are completely unencrypted on boot-up. This allowed the hacker to find critical data when it moved between the two units — and he was able to hack the encryption keys.
Keep in mind that the hacker used an old laptop that had BitLocker encryption — even though the same type of attack can be used on newer motherboards that use an external TPM. Also, the newer motherboards require more work and legwork to intercept the bus traffic. Security researcher Stacksmashing made it clear that the Windows BitLocker and external TPMs aren’t as foolproof as many individuals and companies think.
If your CPU has a built-in TPM, like the ones found in modern AMD and Intel CPUs, you should be safe from this security flaw since all TPM communication occurs within the CPU.
Featured Image Credit: Photo by George Becker; Pexels