{"id":10643,"date":"2024-03-11T08:28:19","date_gmt":"2024-03-11T15:28:19","guid":{"rendered":"https:\/\/mattfife.com\/?p=10643"},"modified":"2024-02-10T09:02:55","modified_gmt":"2024-02-10T16:02:55","slug":"extracting-bitlocker-keys-in-just-a-few-seconds","status":"publish","type":"post","link":"https:\/\/mattfife.com\/?p=10643","title":{"rendered":"Extracting BitLocker keys in just a few seconds"},"content":{"rendered":"\n<p><a href=\"https:\/\/www.youtube.com\/@stacksmashing\" data-type=\"link\" data-id=\"https:\/\/www.youtube.com\/@stacksmashing\">Stacksmashing<\/a> demonstrates that the communication between the CPU and TPM is unencrypted and can be snooped by attaching wires to the traces between them. The technique is not new, but all of the source and the board design are now available, which makes it easier to carry out on old systems with the long-known security flaw of exposed traces.<\/p>\n\n\n\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\"><div class=\"wp-block-embed__wrapper\">\n<span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe loading=\"lazy\" class=\"youtube-player\" width=\"640\" height=\"360\" src=\"https:\/\/www.youtube.com\/embed\/wTl4vEednkQ?version=3&#038;rel=1&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;fs=1&#038;hl=en-US&#038;autohide=2&#038;wmode=transparent\" allowfullscreen=\"true\" style=\"border:0;\" sandbox=\"allow-scripts allow-same-origin allow-popups allow-presentation allow-popups-to-escape-sandbox\"><\/iframe><\/span>\n<\/div><\/figure>\n\n\n\n<p>This isn&#8217;t really new information. The attack requires several things to line up: physical access to the device and a non-integrated TPM with a design flaw. Modern CPUs don&#8217;t have this easily exploitable design, since the TPM is now integrated into the die. Exposures like this were somewhat common in the early days. 
At one point <a href=\"https:\/\/www.cnet.com\/tech\/computing\/security-concerns-on-apples-filevault-decryption-via-firewire\/\" data-type=\"link\" data-id=\"https:\/\/www.cnet.com\/tech\/computing\/security-concerns-on-apples-filevault-decryption-via-firewire\/\">just connecting a FireWire cable to a Mac<\/a> let you read the encryption keys out of the memory of a sleeping or running machine.<\/p>\n\n\n\n<p>Additionally, BitLocker using a TPM without a PIN was <a href=\"https:\/\/www.sciencedirect.com\/science\/article\/pii\/S0898122112004634?via%3Dihub\" data-type=\"link\" data-id=\"https:\/\/www.sciencedirect.com\/science\/article\/pii\/S0898122112004634?via%3Dihub\">cracked years ago using fairly common electronic components<\/a>. Any secure BitLocker deployment has long been understood to use a TPM and a PIN.<\/p>\n\n\n\n<p>A reminder that security is only as good as its weakest link.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/xkcd.com\/538\/\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"448\" height=\"274\" data-attachment-id=\"10644\" data-permalink=\"https:\/\/mattfife.com\/?attachment_id=10644\" data-orig-file=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2024\/02\/image-13.png?fit=448%2C274&amp;ssl=1\" data-orig-size=\"448,274\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-13\" data-image-description=\"\" data-image-caption=\"\" 
data-large-file=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2024\/02\/image-13.png?fit=448%2C274&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2024\/02\/image-13.png?resize=448%2C274&#038;ssl=1\" alt=\"\" class=\"wp-image-10644\" srcset=\"https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2024\/02\/image-13.png?w=448&amp;ssl=1 448w, https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2024\/02\/image-13.png?resize=300%2C183&amp;ssl=1 300w, https:\/\/i0.wp.com\/mattfife.com\/wp-content\/themes\/mattTheme\/headerimgs\/2024\/02\/image-13.png?resize=441%2C270&amp;ssl=1 441w\" sizes=\"auto, (max-width: 448px) 100vw, 448px\" \/><\/a><\/figure>\n<\/div>\n\n\n<p>Links:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>https:\/\/www.tomshardware.com\/pc-components\/cpus\/youtuber-breaks-bitlocker-encryption-in-less-than-43-seconds-with-sub-dollar10-raspberry-pi-pico<\/li>\n\n\n\n<li>https:\/\/www.zdnet.com\/article\/new-bitlocker-attack-puts-laptops-storing-sensitive-data-at-risk\/<\/li>\n\n\n\n<li>https:\/\/github.com\/stacksmashing\/pico-tpmsniffer<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>Stacksmashing demonstrates that the communication between the CPU and TPM is unencrypted and can be snooped by attaching wires to the traces between them. The technique is not new, but all of the source and the board design are now available, which makes it easier to carry out on old systems with the long-known security flaw of exposed traces. This isn&#8217;t really new information. The attack requires several things to line up: physical access to the device and a non-integrated TPM with a design flaw. 
Modern CPUs don&#8217;t have&#8230;<\/p>\n<p class=\"read-more\"><a class=\"btn btn-default\" href=\"https:\/\/mattfife.com\/?p=10643\"> Read More<span class=\"screen-reader-text\">  Read More<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[9,5],"tags":[],"class_list":["post-10643","post","type-post","status-publish","format-standard","hentry","category-cool","category-technical"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p4WECr-2LF","jetpack-related-posts":[],"_links":{"self":[{"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/posts\/10643","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/mattfife.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=10643"}],"version-history":[{"count":4,"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/posts\/10643\/revisions"}],"predecessor-version":[{"id":10648,"href":"https:\/\/mattfife.com\/index.php?rest_route=\/wp\/v2\/posts\/10643\/revisions\/10648"}],"wp:a
ttachment":[{"href":"https:\/\/mattfife.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=10643"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mattfife.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=10643"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mattfife.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=10643"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}