
Microsoft BitLocker encryption hacked by a cheap off-the-shelf Raspberry Pi Pico

A security researcher named Stacksmashing has revealed in a YouTube video how a $4 Raspberry Pi Pico can extract the BitLocker encryption key from Windows PCs within just 43 seconds. The researcher demonstrated that certain attacks could bypass BitLocker’s encryption by directly accessing the hardware and retrieving the encryption keys stored in the computer’s Trusted Platform Module (TPM) via the LPC bus.

Obtaining the encryption key requires physical access to the device and a certain level of technical expertise, which makes it less of an immediate threat than an attack delivered over the internet. However, the demonstration highlights BitLocker's reliance on a TPM for security as a potential weakness.

The researcher exploited a design flaw in the dedicated Trusted Platform Module (TPM). In specific configurations, BitLocker uses an external TPM to store essential data, such as the Volume Master Key and Platform Configuration Registers present in certain CPUs. When an external TPM is used, the CPU and TPM communicate over an LPC bus, which carries the encryption keys needed to unlock the disk data. Stacksmashing found that the communication lines (LPC bus) between the external TPM and the CPU are unencrypted during boot, which lets an attacker with access to the bus intercept critical data as it passes between the two components and ultimately obtain the encryption keys.

It should be noted that the researcher performed the demonstration on an older laptop with BitLocker encryption, but similar attack methods could be applied to newer motherboards utilizing an external TPM. However, newer motherboard setups would require more effort and technical skill to intercept bus traffic. Stacksmashing emphasized that the security of Windows BitLocker and external TPMs is not as robust as commonly believed.

If your CPU incorporates a built-in TPM, like those found in modern AMD and Intel processors, you are likely protected from this particular security vulnerability as all TPM communications are internal to the CPU.
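To check where a given machine falls in the distinction drawn above, the following PowerShell audit is an added example (not code from the article or from the researcher). The function names, the `MatchesArticleScenario` field and the vendor-ID list are assumptions made for illustration; the list is a heuristic, not an authoritative registry of firmware TPMs.

```powershell
# Added example. Run in an elevated Windows PowerShell session.
# Assumption: TPMs reporting these vendor IDs are usually implemented inside the
# CPU/SoC (firmware TPM); any other vendor ID is treated as a separate chip.
$FirmwareTpmVendors = @('INTC', 'AMD', 'QCOM', 'MSFT')

function Get-TpmPlacement {
    param([string]$ManufacturerIdTxt)
    # Vendor strings can carry padding characters; keep letters and digits only.
    $id = $ManufacturerIdTxt -replace '[^A-Za-z0-9]', ''
    if ([string]::IsNullOrEmpty($id)) { return 'Unknown' }
    if ($FirmwareTpmVendors -contains $id) { return 'Integrated' }
    return 'LikelyDiscrete'   # traffic to the TPM crosses a board-level bus
}

function Get-BitLockerBusExposure {
    $tpm = Get-Tpm
    if (-not $tpm.TpmPresent) {
        Write-Warning 'No TPM present on this machine.'
        return
    }
    $placement = Get-TpmPlacement -ManufacturerIdTxt $tpm.ManufacturerIdTxt

    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem') {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        # 'Tpm' means the TPM releases the key at boot with no user input;
        # 'TpmPin' and 'TpmStartupKey' require something from the user first.
        $tpmOnly = $types -contains 'Tpm'

        [pscustomobject]@{
            MountPoint             = $vol.MountPoint
            ProtectionStatus       = $vol.ProtectionStatus
            TpmVendor              = $tpm.ManufacturerIdTxt
            TpmPlacement           = $placement
            KeyProtectors          = $types -join ','
            # True when an external TPM unlocks the OS volume unattended at boot.
            MatchesArticleScenario = ($placement -eq 'LikelyDiscrete') -and
                                     $tpmOnly -and
                                     ($vol.ProtectionStatus -eq 'On')
        }
    }
}

Get-BitLockerBusExposure | Format-List
```

A result of `Unknown` or `LikelyDiscrete` should be confirmed against the vendor's hardware documentation before drawing conclusions from it.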

Featured Image Credit: Photo by George Becker; Pexels
