Microsoft says Windows BitLocker is safe, and it only takes 43 seconds for third party security expe

Mondo Technology Updated on 2024-02-10

When it comes to Windows BitLocker, I believe that the majority of digital enthusiasts should be familiar with it.

To put it simply, Windows BitLocker is a disk encryption technology developed by Microsoft. Using various encryption algorithms, it converts the data stored on a hard drive into a form that cannot be accessed by unauthorized users.

With Windows BitLocker, the data on the disk can only be unlocked and accessed by providing the correct key; otherwise the data on the hard disk remains encrypted and cannot be read or modified.

Judging from Microsoft's marketing, Windows BitLocker looks very impressive and seems very secure, but something very embarrassing happened recently: a third-party security researcher showed a way to easily crack Microsoft Windows BitLocker.

When it comes to cracking Windows BitLocker, some friends may think it takes a very complicated and lengthy process. No, that is not the case: according to the ** published by the security researcher, the whole cracking process takes less than a minute, only forty-three seconds, which is hardly difficult.

So, how did the security researcher crack Windows BitLocker? What are the specific principles and ideas? The idea is to exploit a weakness on the TPM side: on some PCs, the BitLocker feature relies on an external TPM to store critical information such as the platform configuration registers and the volume master key.

One type of TPM communicates with the CPU over the LPC bus, and unlocking requires the TPM to send the key to the CPU, that is, the encryption key for the disk encrypted with Windows BitLocker.

At startup, the communication between the CPU and the external TPM is unencrypted; it is carried in clear text, so the encryption key can be stolen by intercepting and sniffing the data passed between the two.

This is the main principle behind attacking and cracking Microsoft's Windows BitLocker encryption scheme. The key question is whether the data passed between the CPU and the TPM can be captured, and to achieve this some external tools are needed.

The security researcher used an inexpensive Raspberry Pi Pico device (Figure 4) that cost less than $10 in total. Its metal contacts are connected to specific contacts on the computer's motherboard; the computer used for the test was an old laptop that has been in service for more than 10 years.

A special ** is then run on the Raspberry Pi Pico to read the raw data from the TPM and obtain the volume master key stored on the TPM module, which easily yields the key needed to access the disk encrypted by Windows BitLocker; see the following three **.

It needs to be added and emphasized that:

The whole cracking process "took 43 seconds", and the timing did not start after the laptop's back cover had been removed, the wires connected and all the other preparations made. Instead, the timing starts from unscrewing and removing the notebook's back cover, and removing the back cover alone takes nearly 30 seconds, so the actual cracking process takes less than 20 seconds.

There are a few points that need to be added and explained about this cracking case:

First, this cracking scheme is not a universal one; whether it succeeds depends on many factors.

For example, on some platforms the platform configuration registers and volume master key are not stored in an external TPM module but inside the CPU, and then this idea will not work.

In addition, there are many kinds of TPM, and this idea only applies to certain external, discrete TPM modules; the newer processor models of recent years have a built-in firmware TPM, to which it also does not apply and which cannot be cracked this way.

This attack requires the attacker to have physical access to the target computer and cannot be carried out remotely. For the majority of ordinary users the chance of this happening is extremely small, and the academic and research value is greater than the practical value, so there is no need to worry too much. However, business users who store large amounts of important and sensitive data should be cautious.
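The two conditions the article describes (the volume master key is released by the TPM automatically at boot, and the TPM is a discrete chip reachable over an external bus) can be audited from inside Windows. The following PowerShell script is an added example written for this page; it is not the researcher's tooling or anything from the original article. It uses only the standard BitLocker and TrustedPlatformModule cmdlets (Get-BitLockerVolume, Get-Tpm, Add-BitLockerKeyProtector). The manufacturer-ID heuristic for telling a firmware TPM from a discrete one is an assumption and should be checked against the vendor's documentation for the specific machine.

```powershell
# Added example, not from the original article.
# Audits each BitLocker volume for the configuration discussed above: a volume
# unlocked by the TPM alone (no PIN or startup key), so the volume master key is
# released at boot with no user interaction, on a machine whose TPM is likely a
# discrete chip. Run in an elevated PowerShell session on Windows 10/11.

function Test-BitLockerTpmOnlyExposure {
    # Protector types that add a user-supplied secret on top of the TPM.
    $multiFactorTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    $tpm = Get-Tpm
    # Heuristic (assumption): an Intel or AMD manufacturer ID usually means a
    # firmware TPM inside the CPU package; anything else is likely a discrete chip
    # on a bus that can be probed. Confirm against the hardware documentation.
    $manufacturer = ('' + $tpm.ManufacturerIdTxt).Trim()
    $likelyDiscrete = [bool]$tpm.TpmPresent -and ($manufacturer -notin @('INTC', 'AMD'))

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm = $types -contains 'Tpm'
        $hasMultiFactor = @($types | Where-Object { $_ -in $multiFactorTypes }).Count -gt 0
        $tpmOnly = $hasTpm -and -not $hasMultiFactor

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            ProtectionStatus  = $vol.ProtectionStatus
            Protectors        = ($types -join ', ')
            TpmOnlyUnlock     = $tpmOnly
            TpmLikelyDiscrete = $likelyDiscrete
            # Exposed: protection is on, unlock needs nothing but the TPM, and the
            # TPM is probably a separate chip whose bus traffic could be sniffed.
            Exposed           = ($vol.ProtectionStatus -eq 'On') -and $tpmOnly -and $likelyDiscrete
        }
    }
}

# Usage: list all volumes and highlight the exposed ones.
Test-BitLockerTpmOnlyExposure | Format-Table -AutoSize

# Mitigation for an exposed OS volume: add a TPM+PIN protector so the TPM will not
# release the volume master key until the PIN has been entered at boot. The policy
# "Require additional authentication at startup" (HKLM\SOFTWARE\Policies\Microsoft\FVE,
# UseAdvancedStartup=1 and UseTPMPIN set to 1 or 2) must permit PINs, or the cmdlet
# refuses to add the protector.
#   $pin = Read-Host -AsSecureString 'Startup PIN'
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

A volume reported with TpmOnlyUnlock true is the case the article is about: the TPM hands over the key to the boot loader without anyone proving their identity first, which is exactly what makes a bus-sniffing attack worthwhile. Requiring a PIN (or a startup key) means the key is never released until the secret is supplied, so physical access to the board alone no longer yields the key.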

Still, this case shows that Microsoft's Windows BitLocker encryption scheme is not as secure as advertised, and plaintext communication between the TPM and the CPU is a serious security vulnerability.

However, the blame cannot be placed entirely on Microsoft; that would be unfair. TPM manufacturers, processor manufacturers and operating system vendors all share responsibility and need to cooperate closely to plug this hole. I hope this vulnerability can be solved as soon as possible.
