Ever wondered how long it would take to acquire your Bitlocker keys? It turns out, it can be done in just 43 seconds and with less than $10 worth of hardware. Encrypting your hard drive is a crucial security measure, especially for Windows users who often rely on BitLocker, the popular encryption system included in Windows since Vista. However, it has been known for some time that Bitlocker can be compromised with direct hardware access. Microsoft acknowledges this, stating that such an attack requires the perpetrator to have the necessary skills and access to the hardware. [Stacksmashing] recently took the time to explain how to carry out an incredibly fast attack against Bitlocker.
The issue lies in the storage of the encryption keys. The keys are stored in the Trusted Platform Module (TPM), and when the computer starts up, it retrieves the key from the TPM over the LPC (low pin) bus, which is one of the few remaining components of the original ISA bus.
The problem is that the key can be intercepted as it passes through the LPC bus. Some laptops have connectors for direct access to the LPC, and [Stacksmashing] took advantage of this by targeting the old Lenovo Thinkpad (X1 Carbon 1st or 2nd Generation) which has an unoccupied connector on the motherboard, making it possible to steal the keys.
[Stacksmashing] used a Raspberry Pi Pico on a breadboard for his design, with pogo pins placed at the end of the carrier board to trace the LPC bus. However, stealing the keys does not immediately provide access to the data on the drive. The attacker would still need to take over the drive or spend more time transferring data over USB. Though the X1 Carbon is an older laptop (10 years old) with USB 3.0, modern computers with a TPM inside the CPU itself are also vulnerable to such attacks, albeit requiring more sophisticated equipment than a Pi Pico. Regardless, if someone manages to bypass the TPM, it would be valuable to share the method in the thread. Thanks for the insights, [YesterGearPc].
