BitLocker key sniffing is still possible on modern Windows 11 laptops with discrete TPM modules

Source: Tom's Hardware added 13th Feb 2024

We recently reported on a BitLocker security flaw that enables attackers to steal BitLocker encryption keys with a cheap sub-$10 Pico. However, some of our commenters mentioned that the laptop used to demo this flaw was 10 years old, supposing that modern laptops no longer have this vulnerability. Unfortunately, stacksmash on X (Twitter) reports that modern 2023 laptops running Windows 11 still have this vulnerability.

The process to grab the encryption key is a little bit harder now, but nevertheless, the encryption key is still accessible through the same means. As a reminder, this specific BitLocker security flaw takes advantage of the unencrypted communication lanes between the CPU and a laptop’s discrete TPM, by tapping into those lanes with an external sniffing device.

Stacksmash forwarded a post by Stu Kennedy on X (Twitter) unveiling the same vulnerability on a Lenovo X1 Carbon Gen 11 — a modern 2023 Lenovo laptop running Windows 11. The security specialist showed where the vulnerability points were on the TPM, and showed the exact soldering points to hook a sniffing tool to the system.

Embedded post from Stu Kennedy on X: "BitLocker Key retrieval on a Windows 11, Lenovo X1 Carbon Gen 11 via SPI Sniffing. The TPM on the backside of the Motherboard, there are various test pads."

Lenovo’s X1 Carbon isn’t the only modern laptop with this vulnerability; theoretically, all modern laptops with a discrete TPM module are at risk. Stu Kennedy has a GitHub page dedicated to TPM sniffing, educating people on the different methods users can employ to grab the BitLocker encryption key from the TPM. Kennedy’s page alone has cracking tutorials for seven modern laptops (including the X1 Carbon).

There are various methods for cracking a TPM, including attacking the SPI, I2C, or LPC buses, but they all rely on the same general attack: hijacking the communication lanes between the CPU and the TPM.

The good news is that this attack method is only exploitable if the attacker has physical access to the laptop, making it impossible for someone to do it remotely.

But there are ways you can defend yourself from this security flaw if you are worried someone might steal your laptop. One way is to not rely on the TPM module alone to secure BitLocker. You can use either a secondary password at startup or an external security key such as a USB thumb drive. TPM-only is the default method BitLocker will use to secure a system with a TPM, but you can override this by going into the Group Policy Editor and choosing a different security method.
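As an added example (not from the article or from Tom's Hardware), the same change can be audited and applied from an elevated PowerShell session with Windows' built-in BitLocker module: it lists OS volumes whose only boot-time protector is the TPM and, for each, adds a TPM+PIN protector so that the volume key is no longer released on TPM bus traffic alone. The drive letter and the PIN are placeholders supplied at run time.

```powershell
# Added example: audit BitLocker OS volumes for TPM-only protection and
# move them to TPM+PIN. Uses the built-in BitLocker module cmdlets
# (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector).
# Run from an elevated session; the PIN value is a placeholder entered at the prompt.

function Get-TpmOnlyVolumes {
    # A volume counts as "TPM-only" when it carries a plain Tpm protector and
    # none of the variants that demand a second factor (PIN or startup key) at boot.
    Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        Where-Object {
            $types = @($_.KeyProtector.KeyProtectorType)
            ($types -contains 'Tpm') -and
            -not ($types -contains 'TpmPin' -or
                  $types -contains 'TpmStartupKey' -or
                  $types -contains 'TpmPinStartupKey')
        }
}

function Convert-ToTpmAndPin {
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Ensure a recovery password exists first, so the volume stays recoverable
    # if the PIN is forgotten.
    if (-not (@($vol.KeyProtector.KeyProtectorType) -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # Add TPM+PIN before removing the TPM-only protector, so the drive is
    # unlockable at every step. This cmdlet may fail until the Group Policy
    # "Require additional authentication at startup" permits a startup PIN.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    # Return the resulting protector types so the caller can confirm 'TpmPin' is present.
    @((Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType)
}

foreach ($v in Get-TpmOnlyVolumes) {
    Write-Host "TPM-only protector on $($v.MountPoint); adding TPM+PIN"
    $pin = Read-Host -AsSecureString "Startup PIN for $($v.MountPoint)"   # placeholder PIN
    Convert-ToTpmAndPin -MountPoint $v.MountPoint -Pin $pin
}
```

Volumes that already use a startup key (TpmStartupKey) are skipped by the audit, since they also require something the sniffed bus does not carry.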

One interesting tidbit about this TPM hack is that it has only been done on laptops featuring discrete TPMs. Logically, it should be impossible for hackers to use this attack on systems that utilize the CPU’s TPM to secure the system. Sensitive information that is being passed from a built-in TPM to the CPU and vice versa should all be done through the CPU, making it impossible to physically access. So if you still want to use a TPM, the built-in TPM module found in modern Intel and AMD CPUs should be a more secure option.

Aaron Klotz is a freelance writer for Tom’s Hardware US, covering news topics related to computer hardware such as CPUs, and graphics cards.
