How long does it take to steal your Bitlocker keys? Try 43 seconds, using less than $10 in hardware. Encrypting your hard drive is good security. If you’re running Windows, the most popular system is BitLocker, which has come with Windows since Vista. We’ve known for some time that Bitlocker could be defeated with direct access to the hardware. Microsoft claims that the process requires an attacker with skill and lengthy access to the hardware. [Stacksmashing] wanted to define lengthy, so he gave it a try. The result is a shockingly fast attack.
Anyone who uses Windows has probably run into Bitlocker. Your hard drive is encrypted, and Bitlocker runs silently in the background, decrypting data on demand. The problem is key storage. In a simplified sense, encryption keys are stored in the Trusted Platform Module (TPM). When your computer boots, it reads the key from the TPM over the LPC (low pin count) bus, which is one of the last remnants of the original ISA bus.
The problem is that the key can be sniffed as it passes on the LPC bus. Some laptops even have connectors and test points directly on the LPC. [Stacksmashing] takes advantage of the simple layout used on an older Lenovo Thinkpad (X1 Carbon 1st or 2nd Generation). Once the back cover is removed, Lenovo was nice enough to leave an unpopulated connector footprint on the motherboard. This was the key to stealing the key.
[Stacksmashing] used a Raspberry Pi Pico on a carrier board of his design. Pogo pins mounted on the end of the carrier board make it easy to probe the LPC bus.
To be fair, stealing the keys doesn’t give one the data on the drive. An attacker would have to take the drive itself or spend extra time transferring the data over USB. The X1 Carbon is a 10-year-old laptop, but at least it does have USB 3.0.
All is not lost though – more modern computers include the TPM inside the CPU itself. Sniffing that will take a bit more hardware than a Pi Pico. However, if anyone pulls it off, tell us in the tip line!
Thanks for the tip [YesterGearPc]