Breaking Bitlocker - Bypassing the Windows Disk Encryption

Not if you install a customized version of Win11 xD

Perfect security does not exist. It is always about finding a balance. Just enabling Bitlocker prevents a lot of possible attacks on your data, but if you don't protect your decryption key, any malicious actor who is willing to go dig deeper can intercept the key. While a prepared attacker can quickly get the key, and can get it faster than the time needed to also clone the drive when not wanting to leave a trace, someone who was not prepared and has to start looking for everything will need a lot of time.
And MS did provide a defense against this attack, unfortunately, they don't make it easy for consumers to use. Yet, I have chosen not to enable the PIN code on my personal devices as someone who is willing to invest the time to do this kind of attack on my personal devices can have whatever data they want. My corporate stuff however, PIN code all the way.

Windows 11 requires a TPM, not a dTPM. fTPMs do not appear to be affected by this issue, nor does Pluton.

@@sundhaug92 Apparently PIN adds a protection too as the TPM will not reveal the key without entering a valid PIN.

⁠@@sundhaug92what’s pluton ?

Reminds me of GLaDOS: "Assume the party escort submission position or you will miss the party"

That backdoor would be way more overengineered than this. This just looks like a huge oversight they ignore since it's way too complex for the rookie hacker

@@kreuner11 I wonder why the communication between TPM/CPU is not encrypted. It shouldn't be too hard to do.

@@advertslaxxorBecause the purpose of modern TPMs is to protect data from an amateur thief and the user, no one else

They are coming to hire him

Typical BitLocker attacks only work when the system can boot normally. If bootmgr is asking for a bitlocker recovery key, then that's because unsealing the TPM from the VMK failed. This is most likely due to a firmware (BIOS) update or dbx (secure boot revocation list) update (or, for legacy integrity validation, a Windows bootloader update).
If a dbx update with Secure Boot integrity validation caused BitLocker recovery, it may be possible to revert dbx to the default one provided by the firmware, and then apply older dbx updates if needed (the UEFI website contains all the older ones) to get the dbx contents to match what the TPM expects. It's still theoretical though, I haven't tried it personally; it's something I thought of that might work after I noticed dbx updates were causing actual data loss due to automatic bitlocker....

this only work if the user set to not have a pin, microsoft also warns you to have a pin so this attack only works when the user manually choosed to have a inferior security option,
because usually you have to have a pin, this works because the user no have a pin and the disk boot automatic and this boot automatic allows you to get the key.

@@gabrielandy9272 the default setting when enabling bitlocker is VMK sealed by TPM only (no pin); and the crippled bitlocker on home edition of Windows ONLY allows this and doesn't let you set any other key protector (only TPM only with no pin, and recovery key)

@@betaswithWack0 is this different in windows 10? on my computer the first thing it asks is to have a PIN my bitlocker always start with a pin and if i don't want i have to manually select the drive to not have one.

@@gabrielandy9272 the thing to search for here is "automatic bitlocker"

That's only true if they can get access, tamper with the device, then return it to it's place. You don't notice any tempering, and when you unlock the disk-encryption, they gain access. Potentially after retrieving the device again (Evil Maid Attack)
Just having access to the device, without later usage of the person holding the encryption key, is not enough if proper software-based Full-disk-encryption (i.e. LUKS) is used, where you actually have to enter the encryption key.
Just don't trust Bitlocker and Microsoft's TPM scheme.

That would be interesting to know. My Linux laptop has an LVM encrypted file system with a key. The key is a password that i have to enter on startup, i'd guess it's part of the cryptograhic key. Meaning as far as my limited knowledge of encryption would go, even if someone gets access to the laptop and gets to the hardware, the fill cryptographic key isn't stored anywhere. Aside from classic bruteforce attacks on the passwords or if there's some security vulnerability i can't see how someone would crack that.

@@dies200 The simple method here is to solder in a small board that sniffs your keyboard input and sends it out via bluetooth or by other means. Your laptop keyboard will be using PS/2 or USB protocol, so you don't need special hardware to decode the keys, and ready-made hardware keyloggers do exist. A more time intensive method is to replace the preboot authentication tool with one that performs identical, but stores the key after successful encryption within a reserved space inside of the executable itself. The attacker can then at any time in the future come back, read the preboot programm off the disk and then extract the key that was stored in the reserved key space of the tool. This does mean you have to visit your victim twice though, so the broadcaster keylogger may be the easier method.

Except iphones

@@radio4active that sounds pretty complicated actually. the boot partition is not encrypted, there's nothing stopping an attacker from adding arbitrary code to the bootloader, or the kernel, or the initramfs. just patch cryptsetup-unlock so that it secretly writes a copy in plaintext somewhere on the disk for the attacker to retrieve later. or inject a payload into userspace that automatically uploads the password to the attacker's server once the system finishes booting and connects to the internet.
unless you extremely know what you're doing and have a device that lets you enroll custom secure boot keys, or are using one of the distros whose kernel builds microsoft has blessed with their signing keys, there's no integrity protection of the early boot stages to even warn you that something was changed. you can't even discover the tampering after the fact because, it's arbitrary code, it could just self destruct and restore the boot partition to exactly how it looked before the modifications.

Many folk no articulate gud but bang bang on keyboard

The video is good, but it is too clickbaity. Common people will think the fault is in BitLocker. This implies that Microsoft is at fault and people love blaming them. The truth is, the same problem exists in Linux because this is hardware vulnerability, not software.

Heya - thanks for the insightful comment!
Oh interesting, apologies for the misrepresentation of how the PIN works with Bitlocker! I'll read up and add it to the errata!

Can this be done if bitlocker doesn't trust the hardware and is asking for the password or recovery key? I currently have a machine that's asking for the bitlocker password after cloning and installing a new ssd.

Becausethey average person tends to complain about this. I've worked for a devenct contractor that required the pin on boot up

the flaw is in Microsoft's Bitlocker@@stacksmashing and not a TPM flaw. Tomshardware made a really poor job covering your video

@@jasons.6747 no this can only be done when the system integrity is still in tact (when all the PCR measurements are as expected), otherwise the TPM cannot send the key in clear text to the CPU. Also the ideal way of cloning a BitLocker encrypted disk is from within the OS after it’s been booted. Use one of the many different tools out there (like EaseUS) to do that. The cloned drive will not be encrypted whatsoever. Re-enable BitLocker after installing the new cloned drive.
If you are trying to clone the entire disk block-by-block, you should have gone into BitLocker and put it in Suspended mode first. Although no telling if that will work, usually that’s used when a motherboard is swapped.

Have to agree on this one, the ability to figure out the problem, prototype a hardware and software solution for a single laptop model, is what I would call advanced. Also spectacularly fit into a 9 min vid.

But from the point of publication of proof of concept, all further attackers no longer need as much background knowledge. Guessing criminals just watch ethical hackers and copy them. Gotta get those CPD points!

@@Baldavier Maybe less, but unless they are retrieving the keys from the same model, they will still need the advanced knowledge to find the correct pins, and then adjust the hardware and software tools.

@@Baldavier
You would hope that this forces evolution in the cybersecurity field; being essentially an arms race.

I did agree on this at first... but now that he's basically made a "how to" and included his own code/hardware purchases, you could now build one yourself, load his program up and do this yourself, within 50 seconds

It can send it plain text, as the hardware is already trusted at that point. If you just have the SSD, this exploit doesn't work. And if you set a pin, it requires a trusted user as well.

​​@@solwidotnlthe hardware is trusted, but how can they trust that no one is listening in on the wires? you can't check that wires aren't beong tampered with

​@@solwidotnl
One could argue that it shouldn't be sent unencrypted. I see what you're saying, at some point the data needs to be read and can be intercepted at that point.
Maybe the key should be obfuscated with a common/clock signal so that the signal is always unique and can't be done with a simple "replay" attack.
One thing that's interesting: I took my nephews Dell hard drive that has BitLocker enabled but a broken power connector that I couldn't fix with my soldering iron.
Plugged it into his mom's identical Dell, booted no issue.

​​@@suncat530 when there's chassis intrusion, it becomes a responsibility of physical security, not of software programmers. If the hardware is modified, everything is vulnerable, and it won't matter if you apply an encryption or not, there will be lots of other ways to read data of the disc. With enough knowledge and research , a stealer who has the full computer in his hands, should always find a way to hack it. But I'm not saying that everything has been discovered yet.

...so the plain text communication is not that crazy. But they could have put something else just to slow down hacking.

Me too.

Me too.

Which you might not be able to run (manage-bde) under corporate AD, as it most likely is blocked 🤓

@@TheStuartstardust That's an odd corporate AD policy.

@@M0UAW_IO83 agree, but I am not controlling AD 😉

About the manage-bde, it's not enabled by default, which is majority of home users, so what's the point.
Also, the moving point in time, what a bad take. It's as good as saying if you're always watching your phone/laptop it's secure, which is baffling. This just sounds like corporate speak to me.

Thanks for the note on Manage-BDE! I’ve added it as a note into the description.
My main gripe is the documentation - I don’t think it protects against what Microsoft claims, and it’s not clear to average user or admin that “Bitlocker without PIN gives very limited protection”

the preshared key would have to be accessible. In order for it to be accessible on the harddrive it would have to be stored in a nonencrypted partition. You see the catch 22? Technically it could possibly do it with asymmetric (as opposed to symmetric preshared) if the cpu generated a key pair on runtime, sent the pubkey to the tpm and then the tpm responded back with the bitlocker masterkey encrypted with the public key.

It's difficult to prevent attacks when the attacker has physical access to the device. But yeah, plaint text communication was a bad idea

@@XxtrashcanXx The TPM, CPU and BIOS Chip are all soldered on to the motherboard at the factory. They could be "provisioned" with randomized symmetric keys at the factory.
Very easy and cheap way to defend against this attack. You could maybe extract a key from one of the chips given enough time, but it would only work for the specific laptop you have on hand, so no automated tool like the above would be possible.

​@@TheNewFaceOfHSPso you say companies are too lazy to implement an elementary intervention

@@XxtrashcanXx It's actually not possible to do it because you can always Man in the Middle by just blocking the keys the cpu generates, storing them for yourself and then generating your own keys to give to the TPM, and vice versa if the TPM tries to send keys to the cpu. This is why certificates and DNS registration are necessary for https. Of course if you did not have access to the beginning of the conversation then it wouldn't work because you couldn't intercept the key messages. And of course all of this is assuming that the encryption algorithm, and key algorithm is public or can be found, because otherwise you wouldn't be able to generate your own keys. But security by obscurity is usually not a good way to protect data, and eventually somebody will find the algorithm, either by software reverse engineering or hardware reverse engineering, it would just be a matter of time.

You can.😊

Yeah, hardware security chips are meant to protect their keys from being copied... although it can theoretically be accessed. But you cannot assume they will magically secure the system they encrypt 😂

I'd like to see an eFUSE type of system that can be remotely executed to blow away the TPM module if a laptop is stolen. Better would be to have the UEFI look for a special code for self-destruct via the internet with an out of band signal if the unit is powered up once, it checks for the code online, if it finds it, it self-destructs (before the key is ever delivered to the OS).

It's not the TPMs fault. It's the fact that the encryption key is not based on a passphrase which was the standard for FDE before TPM.. Whoever you should still be able to use full disk encryption with a passphrase

*never rely on TPM 1.x.
In TPM 2.0/fTPM this has long been addressed and isn't a problem anymore.

What if bitlocker is enabled without tpm hardware? So that it requires a password on boot?

Yes but you have to unpack these acronyms and put in the missing meaning. DRM = Digital Rights Management. The rights of the IP holders are managed/enforced, not the owner of the hardware. TPM=Trusted Platform Module. The trust is such that govts and corps can trust that the platform in user hands is not compromised thus enforcing non-owner rights once again.

@@bobmcbob4399 I don't know if I'd go that far for TPM. There is some benefit to users in that there can be some assurances made to the integrity of the boot process, which is somewhat useful against persistent malware etc.

​@@rika-chanhow many time I have to told people. TPM are open standards and not made by Microsoft. They only make it a requirement for Windows 11, in which they're playing catch-up with other OS. Linux works just fine with TPM and actually use it in enterprise environment.

@@bltzcstrnx Like I said it just makes the barrier to entry higher.

@@rika-chan they're playing catch-up though. macOS and Android already use trusted platform from a long time. If they don't make it mandatory, vendors will ignore it and choose the cheaper option of not implementing it. This will them the only consumer platform that don't use it.

It has to be unencrypted at some point. They could use a preshared symmetric key to prevent this particular attack but that has it's own issues.

Pin is a great idea in general, but not to worry if you don't use it. On modern devices the TPM is no longer on a physical chip, but part of CPU now.

@TealJosh in a lot of high-end laptops it’s still a dedicated chip

@@stacksmashing huh, you are right. I wonder why manufacturers choose dTPM over fTPM considering CPUs nowadays support fTPM.

​@@TealJoshTCG certification of dTPMs is one reason. Linus Torvalds also has a strong opinion about AMDs fTPM implementation. Installing a new CPU in a desktop also means that your TPM data would be gone (hopefully you have a backup). For the small cost, I think a dTPM is the way to go.

@@smts0243 I'm extremely sceptical of even the current system for TPM maintaining its state through hardware configuration changes. There are situations where just opening the chassis should invalidate the TPM state.
What is Linus' opinion?

What's more terrifying is when less tech savy people buy a laptop and they end up with bit locker enabled, having not kept their key. Years later they come to us for repair and we can't retrieve their data. Should be made very clear to people that they have bit locker enabled and what this actually means. Im glad progress is being made with regards to cracking it. The currently available software for bit locker cracking costs insane amounts which small time computer shops can't afford.

this for sure @@ZonkedCompanion

A good counter for physical tampering is physical tampering. What i mean specifically is using some sort of glue like sparkled nail polish on your case screws to see if its been tampered with before youve actually done any disassembling yourself.

​@@ZonkedCompanionso what do you do in those cases

@@keylanoslokj1806 you either suggest an advanced data recovery specialist (which usually costs 1000s and few touch bitlocked drives anyway), or tell a poor old lady she's lost all her grand childrens photographs forever and try to educate on what encryption is. We also try to impliment some kind of backup solution, be it on the cloud or just an external hdd, so it never happens again!

Babe Ruth maybe

I spent hours to develop a fast attack and used it… once 😂😭🥲

You don't understand how easy and simple that PCB is, but I think the focus was to make it fast, as he said you could solder the wires if you have time.

Programmers have this running joke, where they often spend hours, or even days, automating something that would've taken them 10 minutes to do by hand 😅

yeah but now that you have this fancy PCB and the bit of code, youre always gonna save a huge amount of time. ...only if the contact points are on the mainboard in that layout tho.

(as you mention at 07:30)

Pin is highly crackable

@@gabriledyt not so much with the TPM, as it has anti-hammering measures

@@lemonsh I think you can crack this TEE with an exploit,like on some android and old iPhones ( for now)

@@gabriledytsource?

You could look it up with your MS account also if it's backed up there.

@@mailjasons Unfortunately, this particular machine was used for experiments - it's backed up, just not w/MS (oops!).

regarding TPMs - it's not advised to extract keys out of the TPM module. Usually the TPM supposed to get a payload, derive the key, encrypt it and return the payload back. With this design we are keeping the key within the module itself not exposing to other devices. I can understand why MS went with their decision since routing all the disk data via TPM would be inefficient as hell, so they went with the way that's not really secure.

Good luck getting it unencrypted.

I use FDE on my Linux laptop for this reason.

I always find it odd that my Windows work laptop never requires my PIN on boot, only my biometrics. How would they derive it into text decryption key? I would guess with some kind of a trusted module (probably TPM) which I will never be sure that it is secure if there is someone who has enough expertise and direct access to the machine. I mean, even iOS, Android and Linux require putting the user's PIN/password in after boot.

Most of them wouldn't even wipe the drive, IME that's usually done by whoever they sell it to.

This. Especially Vera/Trucrypt.

@@TheDuckPox
Because your biometrics are being used in lieu of your logon password, not your encryption key. Your encryption key is stored in your TPM, assuming you're using BitLocker at all.

And now, after one single person has spent some time preparing the exploit, everyone can use it in matter of seconds (of course with limitations, most importantly the hw, but still in seconds). I'm pretty sure those who are for real "in the security world" have a different opinion than yours

The funny thing is yes he spent time going more scientific and fully unlock the drive on other machines okay. But there's a greater problem with BitLocker and I'd assume you know this. The disk is encrypted essentially by the power button. How secure is a door you push a button to go through >< ?

@@alphabeta448 for this specific manufacturer and model. In the real world, physical TPM chips are becoming rare. Also, bitlocker + tpm is not recommended, it should be bitlocker + tpm + pin.

some data is valuable enough to throw a few days at trying to unlock it.

Windows doesn't use this feature, as despite requiring a CPU with a TPM 2.0 built-in, it will happily use an earlier revision. For example, my daughter's laptop runs Windows 11 and has a discrete TPM 1.2, and BitLocker works fine with it.

Win 11 requires v2.0.

The one in the video is 1.2, but the kind of attack should also work on TPM2.0

I have read in the comments here a few people saying this won’t work on 2.0. One saying key is then encrypted. Would be curious to know this too!

@@npwiley
TPM 2.0 does support encrypted communications across the bus, but Windows doesn't use this feature, as despite requiring a CPU with a TPM 2.0 built-in, it will happily use an earlier revision. For example, my daughter's laptop runs Windows 11 and has a discrete TPM 1.2, and BitLocker works fine with it.

@@npwiley It works fine with 2.0, decoding the sniffed data is slightly different as I think the way wait staes are communicated changed between 1.2 and 2.0 but its otherwise the same (if you are using Gheckos sigrok plugin select the correct TPM type in the dropdown)

Why would they patch something that is working as intended? If you need security, you enable the PIN requirement. I have never seen anyone use the PINless configuration in real life.

i do, because it's always a tradeoff securityusability @@mikkolehtisalo

Probably yes, that is what the chassis intrusion switch is for.(at least it might lock the bios if you have a password set)

@BRNSystems I would think if the BIOS implementation was smart it would take into consideration the chassis intrusion status as part of its boot hash and thus cracking open a protected machine would spoil the measure boot.
That said what usually breaks my BitLocker is forgetting to pause protection when updating my BIOS.

Chassis intrusion is usually a button/switch so in the case where you simply drill a hole like he shows in the video, it won't stop the attack.

For real. It's the worst when the host system has a dead motherboard and the customer doesn't have the key in their MS Account.

@@gorrumKnight Not really, I mean, in that instance, you give them back their hardware and you're done. They'll hem and haw about you charging them the diagnostic fee, and then they leave.
Worst case, bad yelp/google review, which nobody really reads anyway.

I always use a password (known as a enhanced pin in GP), XTS-AES 256, and full drive encryption with Bitlocker.

Unfortunately requires Pro or higher and many people aren't going to pay 150+ for that and don't know how to pirate Windows.

Bitlocker requires Pro or higher anyway. Also Hyper-V is to good of a feature to miss out on.@@mcq2879

@@mcq2879 BitLocker (unless we count "device encryption") also requires Pro or higher

No, it's why Windows 11 only supports CPUs with a built-in TPM.
Windows can use a discrete TPM however, hence why the uploader chose such a machine.

@throwaway6478 windows 11 does not only support CPUs with fTPM.

@@stacksmashing
I'd like to see an example of these supported CPUs that don't have a built-in TPM, since all Zen+ and Coffee Lakes have built-in TPMs, and these are the minimum requirement for Windows 11.

@@stacksmashing
I like how it took you three minutes to scream "hurr durr u rong", and we're now in the third WEEK of you failing to show how I'm wrong. Don't ever change, freetard.

Do the same attacks also affect Ubuntu's TPM encryption?

@@soundspark It would depend on what TPM PCRs the key is sealed with. If PCR4 is used to seal the key, then no. But if PCR4 is not used and PCR7 is used instead, then an attacker could theoretically exploit some vulnerable bootloader signed by the same certificate as the first stage bootloader. I'm not sure what Ubuntu uses by default.

​@@soundspark Yes/It depends.
Ubuntu uses LUKS to encrypt the disk. LUKS supports storing the key in the TPM (you can set this up on any distro). It is vulnerable to the sniffing attack. It depends on the specific configuration Ubuntu uses, if it's vulnerable to the other attacks mentioned above. (Like the specific TPM registers used and if it forces secure boot etc).
Ubuntu probably uses weak settings by default, since really tight settings would require the user to enter the recovery key a lot, (after every update for example).
This would probably annoy a lot of people.
But having full disk encryption with a weak TPM configuration is still better than no full disk encryption.

Also, if it's a PIN, wouldn't you be able to just brute-force it?
It's only 9^4 = 6561 combinations. So yeah, quite some work and nothing a random hacker would do for anyone but a high value target.
I mean, technically you could just set it to need a recovery key after x times of typing it wrong, but I guess especially non-tech-savy people and IT departments would go insane with that.

@@kuhluhOG when a TPM is used with a PIN, the TPM will enforce rate limits, or wipe secrets with too many failed attempts

There's no need for the CPU to transfer the key to RAM. There are enough registers in there to hold the key. E.g. you could store 128 bits in DR0-DR3. It's simply a matter of priorities; Microsoft's priority isn't that you get what you thought you bought, it's that you keep paying.
Many CPUs can do on the fly encryption of main RAM itself and have dedicated key storage.

This is actually a godsend for repair shops & people who want to see their data again if their computer bites the bullet!

​@@CyrilCommandoThat's true. It's also strange how MS doesn't let you backup the key without a microsoft account. There is a recovery code in bitlocker that you can use to decrypt your data, but requires using the CLI. But then again, the fact that it's not user-facing front and center for a regular joe negates the point. Maybe because they want to motivate people to create an account. Such a shitty company I tell you

@@dexterman6361 they do let you backup the key without a microsoft account. You can literally print it on a paper.

@@TealJosh I had to use the CLI to get to it. The settings pane told me "add account to finish encrypting your device"
The printing, I believe that's only for Win pro where bitlocker is exposed in old control panel directly. Win Home does not have it. It only has "device encryption" in the new fancy settings app. I was referring to win home.

@@dexterman6361 oh yeah. That's my straight up biggest criticism of win11 and Microsoft in general. Encryption should NOT be a pro feature and now that the home version kind of encrypts by default(but not well enough) without providing full access to the encryption parameters.
I actually don't know the limitations of the home version because I haven't considered it acceptable for my requirements for years.

How?
Through software? Requires Administrator privileges, and is thwarted by the hypervisor-assisted memory protection features introduced in Windows 10, and that are on by default in Windows 11.
Cold-boot attack or FPGA-based DIMM interposer? These are why so many computer have soldered RAM now.
Through a compromised DMA-capable device? Windows can be configured to disallow hotplugging of DMA-capable devices (e.g. USB 3.x). Adding a card would cause a Secure Boot failure, as the hardware configuration had changed.

This also means that LUKS2 on Linux wont save me from this attack either

Laptop in question doesn't have TPM 2.0 so this is a valid question (it's designed for Windows 8 as per the sticker visible on the chassis).

You mean 4 games after another?🤔

@@stacksmashing Yes. The hardware is great. Still working well to this day. :)

See the faulTPM paper: arXiv.2304.14717
Remains unpatched to this day.

It may function the same but one would have to sniff 1,311 or 1,781 pins ;)

@@Wahinies And the risk of destroying the processor and in the process taking the keys with it. I think AMD is on the right track!