New Hacking Method Extracts BitLocker Encryption Keys

A researcher has found a new attack method that can extract BitLocker encryption keys, putting the data stored on targeted laptops at risk. The attack requires physical access to the target device.

Extracting BitLocker Encryption Keys

According to a report by Denis Andzakovic of Pulse Security, the attack method can compromise BitLocker encryption keys. It requires the attacker to have physical access to the device. With the extracted key, the attacker can decrypt the drive and access the stored data.

As stated in his report about the findings,

“You can sniff BitLocker keys in the default config, from either a TPM1.2 or TPM2.0 device, using a dirt cheap FPGA and now publicly available code, or with a sufficiently fancy logic analyzer. After sniffing, you can decrypt the drive”

Reportedly, he could extract encryption keys from the Trusted Platform Module (TPM) chip of the target computer by hard-wiring a field-programmable gate array (FPGA) to the motherboard. He tested his findings against two different devices: an HP laptop featuring a TPM1.2 chip, and a Surface Pro 3 with a TPM2.0 chip.

“When you enable BitLocker in its default configuration, no additional user interaction is required at boot. This is due to the TPM only being used to decrypt the VMK… As the decryption happens automatically, if we can sniff the VMK as it's being returned by the TPM then we can enter that information into any number of BitLocker libraries and decrypt the drive.”

Possible Mitigation

As a possible mitigation, the researcher suggested requiring a PIN at the boot stage.

“Enabling BitLocker with a TPM+PIN protector should mitigate this vulnerability, however, users will be required to enter a PIN at boot.”

In addition, he mentioned using smart cards or USB security keys as pre-boot authentication methods.

In response to his report, Microsoft stated that the phenomenon is common to dTPMs (discrete TPMs), both 1.2 and 2.0. They also recommended using pre-boot authentication.
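
To check whether a machine is still in the default TPM-only configuration described above, the key protectors on the operating system volume can be audited. The script below is an added example, not code from the researcher's report; it assumes an elevated PowerShell session on Windows with the built-in BitLocker module, and the function name `Get-UnlockMode` is a hypothetical helper.

```powershell
# Added example (not from the original report): classify how the OS volume unlocks.
# Run from an elevated PowerShell session; uses the built-in BitLocker module.

# Protector types that require user input or a token before the TPM releases the VMK.
$PreBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

# Hypothetical helper: map a volume's protector type names to an unlock mode.
function Get-UnlockMode {
    param(
        # Protector type names for one volume, e.g. 'Tpm', 'RecoveryPassword'
        [string[]]$ProtectorTypes
    )

    # A plain 'Tpm' protector means the volume unlocks at boot with no interaction,
    # which is the default configuration the report describes.
    if ($ProtectorTypes -contains 'Tpm') {
        return 'TpmOnly'
    }

    # TPM combined with a PIN and/or startup key is pre-boot authentication.
    if ($ProtectorTypes | Where-Object { $PreBootTypes -contains $_ }) {
        return 'TpmWithPreBootAuth'
    }

    # No TPM-based protector at all (e.g. password or external key only).
    return 'NoTpmProtector'
}

# Only the operating system volume is unlocked automatically during boot.
Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
    ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = $types -join ', '
            UnlockMode       = Get-UnlockMode -ProtectorTypes $types
        }
    }
```

A volume reported as `TpmOnly` has no pre-boot authentication; adding a TPM+PIN protector (for example with `Add-BitLockerKeyProtector -TpmAndPinProtector`) moves it to `TpmWithPreBootAuth`.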

Abeerah Hashim

Abeerah has been a passionate blogger for several years with a particular interest towards science and technology. She is crazy to know everything about the latest tech developments. Knowing and writing about cybersecurity, hacking, and spying has always enchanted her. When she is not writing, what else can be a better pastime than web surfing and staying updated about the tech world! Reach out to me at: [email protected]