New BitLocker attack puts laptops storing sensitive data at risk

New BitLocker attack on TPM LPC buses


Image: Denis Andzakovic

A security researcher has come up with a new method of extracting BitLocker encryption keys from a computer’s Trusted Platform Module (TPM) that only requires a $27 FPGA board and some open-sourced code.

To be clear, this new BitLocker attack require physical access to a device and will result in the device’s destruction as the attacker needs to hard-wire equipment into the computer’s motherboard.

Nonetheless, the attack yields the desired results and should be considered a threat vector for owners of devices storing highly-valuable information, such as classified materials, proprietary business documents, cryptocurrency wallet keys, or other similarly sensitive data.

Attack targets TPM LPC buses

The attack was detailed for the first time today in a report by Denis Andzakovic, a New Zealand-based security researcher at Pulse Security.

His method is different from past BitLocker attacks because it requires hard-wiring into a computer’s TPM chip and sniffing communications via the Low Pin Count (LPC) bus.

TPMs are dedicated microcontrollers (also known as chips, cryptoprocessors) that are usually deployed on high-valued computers, such as those used in enterprise or government networks, but also data centers and sometimes personal computers.

TPMs have different roles, and one of them is to support Microsoft’s BitLocker, a full volume disk encryption feature that has been added way back in Windows Vista.

In his research, Andzakovic detailed a new attack routine that extracts BitLocker encryption keys from the LPC bus on both TPM 1.2 and TPM 2.0 chips.

He tested his research on an HP laptop running a TPM 1.2 chip (attack carried out using an expensive Logic Analyzer) and against a Surface Pro 3 running a TPM 2.0 chip (attack carried out using a cheap FPGA board and open source code).

In both attacks, BitLocker was running in its standard configuration.

Researcher & Microsoft: Use pre-boot authentication

Andzakovic’s research showed once again why using standard BitLocker deployments is a very bad idea and the reason why even Microsoft is warning against it in the official BitLocker documentation.

Both the researcher and Microsoft recommend using a pre-boot authentication method by setting a TPM/BIOS password before the OS boots, password that should prevent the BitLocker keys from reaching the TPM and getting sniffed using this new attack.

Andzakovic’s finding joins the ranks of other BitLocker attacks that involved direct memory access (DMA) methods [1, 2, 3], brute-force attacks, but also vulnerabilities in self-encrypting SSDs and the Windows Update process.

More vulnerability reports:

Source Article from https://www.zdnet.com/article/new-bitlocker-attack-puts-laptops-storing-sensitive-data-at-risk/#ftag=RSSbaffb68
New BitLocker attack puts laptops storing sensitive data at risk
https://www.zdnet.com/article/new-bitlocker-attack-puts-laptops-storing-sensitive-data-at-risk/#ftag=RSSbaffb68
http://www.zdnet.com/blog/rss.xml
Latest blogs for ZDNet
Latest blogs for ZDNet
https://zdnet3.cbsistatic.com/fly/bundles/zdnetcore/images/logos/zdnet-144×144.png

Article written by

great guy, love the news

Please comment with your real name using good manners.

Leave a Reply

You must be logged in to post a comment.