New BitLocker attack puts laptops storing sensitive data at risk

New BitLocker attack on TPM LPC buses

Image: Denis Andzakovic

A security researcher has come up with a new method of extracting BitLocker encryption keys from a computer's Trusted Platform Module (TPM) that only requires a $27 FPGA board and some open-sourced code.

To be clear, this new BitLocker attack requires physical access to a device and will result in the device's destruction, as the attacker needs to hard-wire equipment into the computer's motherboard.

Nonetheless, the attack yields the desired results and should be considered a threat vector for owners of devices storing highly-valuable information, such as classified materials, proprietary business documents, cryptocurrency wallet keys, or other similarly sensitive data.

Attack targets TPM LPC buses

The attack was detailed for the first time today in a report by Denis Andzakovic, a New Zealand-based security researcher at Pulse Security.

His method is different from past BitLocker attacks because it requires hard-wiring into a computer's TPM chip and sniffing communications via the Low Pin Count (LPC) bus.

TPMs are dedicated microcontrollers (also known as chips or cryptoprocessors) that are usually deployed on high-value computers, such as those used in enterprise or government networks, but also in data centers and sometimes personal computers.

TPMs have different roles, and one of them is to support Microsoft's BitLocker, a full volume disk encryption feature that was added back in Windows Vista.

In his research, Andzakovic detailed a new attack routine that extracts BitLocker encryption keys from the LPC bus on both TPM 1.2 and TPM 2.0 chips.

He tested his research on an HP laptop running a TPM 1.2 chip (attack carried out using an expensive logic analyzer) and against a Surface Pro 3 running a TPM 2.0 chip (attack carried out using a cheap FPGA board and open source code).

In both attacks, BitLocker was running in its standard configuration.

Researcher & Microsoft: Use pre-boot authentication

Andzakovic's research showed once again why using standard BitLocker deployments is a very bad idea, and why even Microsoft warns against it in the official BitLocker documentation.

Both the researcher and Microsoft recommend using a pre-boot authentication method by setting a TPM/BIOS password before the OS boots, a password that should prevent the BitLocker keys from reaching the TPM and getting sniffed using this new attack.
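As an added example (not from the original article or the researcher's report), the PowerShell audit below flags volumes whose BitLocker key is protected by the TPM alone, the standard configuration described above, as opposed to a TPM protector combined with a PIN or startup key. The function name `Test-BitLockerPreBootAuth` and the sample volume objects are constructed for illustration; the protector type names are the ones `Get-BitLockerVolume` reports.

```powershell
# Added example: flag BitLocker volumes that unlock from the TPM with no pre-boot authentication.
# Protector type names match the KeyProtectorType values reported by Get-BitLockerVolume.
function Test-BitLockerPreBootAuth {
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        # TPM protectors that also need a PIN and/or startup key before boot
        $preBoot = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })

        $finding = if ("$($Volume.ProtectionStatus)" -ne 'On') {
            'NotProtected'      # protection suspended or off
        } elseif ($types -contains 'Tpm') {
            'TpmOnly'           # key released at boot with no user input
        } elseif ($preBoot.Count -gt 0) {
            'PreBootAuth'       # PIN and/or startup key required before unlock
        } else {
            'NoTpmProtector'    # e.g. password or external key only
        }

        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Protectors = ($types -join ',')
            Finding    = $finding
        }
    }
}

# Constructed sample objects shaped like Get-BitLockerVolume output (not real hosts).
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On'
        KeyProtector = @(@{ KeyProtectorType = 'Tpm' }, @{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'On'
        KeyProtector = @(@{ KeyProtectorType = 'TpmPin' }, @{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'E:'; ProtectionStatus = 'Off'
        KeyProtector = @() }
)
$sample | Test-BitLockerPreBootAuth | Format-Table -AutoSize

# On a real machine, from an elevated session:
# Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem' | Test-BitLockerPreBootAuth
```

Volumes reported as `TpmOnly` are the ones to move to a TPM+PIN or TPM+startup key protector.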

Andzakovic's finding joins the ranks of other BitLocker attacks that involved direct memory access (DMA) methods [1, 2, 3], brute-force attacks, but also vulnerabilities in self-encrypting SSDs and the Windows Update process.
