Breaking Bitlocker - Bypassing the Windows Disk Encryption

Captions
This is me stealing the BitLocker disk encryption key from this laptop in just 43 seconds, simply by poking it with a $4 Raspberry Pi Pico. This allows me to access all BitLocker-protected data on this system and even lets me backdoor it. Let's see how it works.

Let's start by exploring what BitLocker is. BitLocker is the full disk encryption system built into Windows, and according to Microsoft's documentation, BitLocker addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned devices. In my interpretation, this should mean that if I steal or otherwise have temporary access to this device, I should not be able to decrypt its data, right? And further down on this page it's documented that BitLocker provides maximum protection when used with a Trusted Platform Module. Well, luckily this Lenovo laptop here contains a TPM, and so according to the Microsoft documentation, BitLocker should provide maximum protection of my data on this system. In the Windows settings it's clear that BitLocker is indeed turned on, and when we remove the SSD and try to read the Windows partition on another computer, it doesn't work: the entire Windows partition is encrypted and we can't access or modify any data on it.

But wait a minute: when I plug it back into the Lenovo computer, the computer starts up fine. But how does Windows load when the entire hard drive is encrypted? I didn't enter a password during boot, so how is the encryption key protected, if not by my password? Well, as mentioned, BitLocker uses the TPM, the Trusted Platform Module. A classical TPM is a dedicated chip on the motherboard of your computer, and when we open up this Lenovo laptop and remove the motherboard, we can find the TPM chip on the backside, hidden underneath this tape. A TPM is a special chip that provides cryptographic functionalities such as encryption key storage, generation of random numbers, signature creation and verification, attestation, and so on. In the case of BitLocker, the TPM basically stores and protects the key that we need to decrypt the Windows partition.

But how does Windows actually get this key out of the TPM? Well, simplified: during boot, the different components of this system, for example the BIOS or UEFI, hash their firmware and their configuration and send that hash to the TPM. This process is called a measurement; we basically measure the current configuration of the hardware or software on the TPM. This hash is used to update so-called PCRs, Platform Configuration Registers. Basically, the TPM takes the current value of the PCR and the new measurement, hashes them both together, and stores the result as the new value of the PCR. This process will then be repeated, for example for the bootloader and other components in the boot chain, and as the new PCR value is always a combination of the previous value and the new measurement, we can determine whether anything in the boot chain has been modified. There are multiple different PCRs, with each containing a measurement of a certain set of components. Some will change when you replace hardware, some will only change when you, for example, replace the bootloader, and you can even configure which PCRs BitLocker should use. The idea is that as long as your system can be considered trusted and unmodified, the TPM will unseal the key.

But there's one problem here: the communication between the processor and the TPM is unencrypted, and when the key is unsealed, the TPM will send it in clear text to the CPU. So if we manage to sniff the bus between the processor and the TPM, we will be able to steal the BitLocker key. So let's try to do just that.

We first have to understand how the processor communicates with the TPM. The physical protocol depends on the chosen TPM, but on my laptop the TPM is connected by LPC, the Low Pin Count bus. This bus is relatively simple: we have a simple clock signal and then four bidirectional data lines that are aligned to that clock. There's also a frame signal which indicates when a new transaction starts. There are more signals to LPC, but these are the ones we care about, and to sniff the BitLocker key we need to somehow get access to these signals. Now sure, I could just solder wires directly to the TPM, but I found that on a lot of laptops there are easier ways to access the TPM data lines. So I started probing around on the mainboard with my multimeter, and I found that most of the signals of the LPC bus are easily accessible on the back of the mainboard. Hidden underneath this black tape here is an unpopulated connector, and after measuring around a bit I found that most of the LPC signals are available on this connector: the four data lines and the frame signal, but no clock signal. After researching a bit, it looks like Lenovo disables the clock that should normally be on this pin on production devices by not placing a resistor. Now, I could still solder just the clock wire directly to the TPM, but I thought, let's try to sniff this without the clock signal.

So I hooked up a couple of needle probes to the connector and sniffed the boot-up process on the logic analyzer. As the system boots, we can nicely see all the activity on the TPM bus, but we can't decode the data yet because we are missing the clock signal. But let's look at this: we have five signals, the four data lines LAD0 to LAD3 and the LFRAME line, which indicates the start of a frame. Now, ideally we would have a clock line that tells us exactly when to read the state of those lines. The clock will be 25 MHz, and so every 40 ns we should read the data lines. Now what if we just do that, but with our own clock? We wait till LFRAME goes low, indicating the start of a new transaction, then we wait a couple of ns, and then we read whatever is on the data lines. Then we wait 40 ns again, read all the data, and we repeat all that for the entire frame. In theory we should get all data, and as the transmissions are relatively short, we don't even have to worry too much about our clock getting out of sync or anything like that.

To prototype this idea, I wrote a simple analyzer plugin, the code for which you can find linked in the description, that does exactly that. And it works: we can decode the TPM transmissions without the clock signal. Perfect. Now this setup is already enough to read out the BitLocker key, but it requires quite a bit of equipment, and it's not really something trivial or fast to do, and so I wanted to make it easier and faster. I ordered a couple of spring-loaded contacts online and designed a small PCB with, you guessed it, a Raspberry Pi Pico, and with pads onto which I can solder these spring-loaded contacts in just the right distance so they fit onto the mainboard connector pads. After a couple of days the PCBs arrived, and the finished TPM sniffer looks like this. I soldered on the Raspberry Pi Pico and the pogo pins, and now I have a small tool that I can just push onto the connector in the laptop that establishes a decent connection. The total cost of parts for this is less than $10, and after hacking together a bit of firmware, which basically just does what I just described and which you can, as always, find linked in the description, I was ready to give it a go.

I turn on the computer, I push my adapter down, and as the system boots, the VMK, the Volume Master Key, appears on the computer. If we take the SSD now and connect it to a Linux machine, we can use the VMK that we just collected with an open source tool called dislocker to decrypt the drive. As you can see, I can browse through all files on the encrypted machine and can also modify or backdoor the system. We just successfully attacked the BitLocker full disk encryption with less than $10 of equipment, and didn't really need any super advanced skills or tools.

Now, this is not a new type of attack. I've linked some papers and other blog posts about similar attacks in the description. In fact, you can even find some documentation on the bottom of the BitLocker countermeasures page. According to it, an attacker needs skill, lengthy physical access, plenty of time, must be able to open the case, must be able to solder, and requires sophisticated hardware and software. Now watch how long it takes when you're prepared to conduct this attack on this laptop: I open the case using a regular screwdriver, then I turn on the laptop, I push the $10 pogo pin setup against it, and I have the key, all in less than 50 seconds. I'm not sure that this counts as plenty of time.

Microsoft also suggests mitigations, and the main recommendation here is setting the pre-boot authentication to TPM with a PIN protector. This will protect the TPM with a PIN. Unfortunately, it seems like there's no easy way in the BitLocker settings to enable this; instead, it seems to only be possible via Group Policy. Now obviously the adapter, which by the way is fully open source and so you can build your own, only works with certain Lenovo laptops, but a lot of other laptops have similar access to the TPM pins. For example, Pascal, a friend of mine who also gave me a lot of information about TPMs and their usage, provided me with a picture of a Microsoft Surface Pro. Again, the LPC bus is easily accessible on the back of the device; in this case he even just cut a hole in the case instead of removing the backside. Now some CPUs have so-called fTPMs, firmware TPMs, that are integrated into the CPU. We can't easily sniff the bus here, and so this attack won't work there. However, most business laptops seem to still have dedicated TPMs, and there have also been successful attacks against fTPMs. I've also linked instructions on how to enable a PIN on your BitLocker-enabled system to help you make sure your systems are more secure.

Now if you've watched this far, I also want to tell you about something that I've been working on together with LiveOverflow: hextree.io, our online security learning platform. On hextree.io you will be able to learn reverse engineering, hardware hacking, web security, and more in well-produced micro courses. You can sign up to our waiting list using the link below. I hope you enjoyed this video, and to see you on this channel again soon.
Info
Channel: stacksmashing
Views: 763,542
Keywords: Bitlocker, encryption, windows, microsoft, security, hacking, hardware hacking
Id: wTl4vEednkQ
Length: 9min 11sec (551 seconds)
Published: Sat Feb 03 2024