Researcher finds new way to sniff Windows BitLocker encryption keys

A researcher has published a new and relatively simple way that Windows BitLocker encryption keys can be sniffed in less secure configurations as they travel from Trusted Platform Modules (TPMs) during boot.

BitLocker is the full volume encryption system that has been shipped with higher-end versions of Windows since Vista, which in the case of Windows 10 requires running or upgrading to Pro, Enterprise or Education versions on a computer with a TPM 1.2 or 2.0 chip.

Inevitably, being the Windows encryption platform has made it a target for researchers looking for weaknesses in something many people use, of which the method published by Denis Andzakovic of Pulse Security last week is only the latest example.

The weakness he exploits is that in its most basic and insecure configuration, BitLocker boots encrypted drives without the user needing to enter a password or PIN other than their normal Windows login. Writes Andzakovic:

The idea behind this is that if the laptop is stolen, and the attacker does not know your login password, they cannot pull the drive and read the contents.

No login, no access to the computer’s encrypted drive. Simply removing the drive and putting it in another computer won’t work either because the encryption key is secured inside the old machine’s TPM.

However, there is one theoretical line of attack – boot the target computer and figure out how to discover the encryption key (or Volume Master Key) as it travels from the TPM across something called the Low Pin Count (LPC) bus.

Microsoft already warns BitLocker users about the risk of using the technology without additional security such as a PIN:

This option is more convenient for sign-in but less secure than the other options, which require an additional authentication factor.

The innovation of the latest attack is, therefore, less to do with the fact it was able to retrieve the keys than the cheap setup and relative simplicity with which this was achieved.

Andzakovic’s attack involved wiring an Infineon TPM 2.0 from a Microsoft Surface Pro 3 to a drive through a $30 Field-Programmable Gate Array (FPGA). To simplify a bit, after using a sniffer tool, he was able to discover the Volume Master Key (VMK) from the LPC bus by executing a boot.

To demonstrate this wasn’t a one-off, he repeated the technique against an older TPM 1.2 chip from an HP laptop.

What to do

As Andzakovic acknowledges, the simplest defence is to follow Microsoft’s advice and not use BitLocker with TPMs in this default state where security is important.

A more secure alternative is either to configure a USB flash drive containing a startup key, set up PIN access or, ideally, add multifactor authentication by using both at the same time.

BitLocker has become an ultimate test of hacking nous for some researchers, which is why they’ll keep picking away at it. Known weaknesses included possible bypasses involving the design of Solid State Drives (SSDs), as well as during upgrade reboots.