I've always been under the impression that once someone has physical access to your machine, you've already lost. And this video once again confirms that.

I love the clarity of your explanations. More folk in the industry need to speak and explain like you do. Great job.

I work in data recovery... this could be really helpful for those who can't get their keys for whatever reason. If people can't get their keys, we have other avenues at times, but largely its just not worth it

Really interesting video and great demonstration. Surprising how easy this is. Of note, TPM only BitLocker configuration is documented as being one of the less secure. Definitely not recommended for a production deployment. As you have shown, it really only offers robust protection against access when the drive is removed and separated from the original system and TPM. With TPM only there is only a single branch in the key chain. TPM Key Protector (KP) decrypts the Volume Master Key (VMK) decrypts the Full Volume Encryption Key (FVEK). TPM + PIN is a more secure method which requires the pre-boot PIN in addition to the TPM stored key. Actually the PIN doesn't protect the TPM as you suggested, it is really just another BitLocker KP needed to unlock decrypt the VMK. It is just designed to require both the TPM KP and the PIN KP to do so. There's a whole lot more behind BitLocker in terms of default vs best practice for security. Why MS don't just them as default it is beyond me.

don't forget - a TPM module was a requirement for Windows 11 installs for "security" 🙃

6:48 - "It did not need any super advanced skills or tools" Depends on who you ask. To me there is a lot of knowledge already needed to perform this kind of attack and (optionally) even build a custom PCB 👍 Well done Sir.

Congratulations! You found the FBI's backdoor. Expect an agent to arrive at your destination in a couple of minutes for your prize!

What you’ve pointed out is that providing *maximum* security is a moving point in time. What is maximum (and usually adequate) at one point in time becomes inadequate as attack techniques improve and shortcomings are identified. The protection is then improved to maximize it anew - again, for a time. To remediate the defect you demonstrated, laptops now use integrated TPM or firmware TPM so there’s no more transmission of keys over motherboard traces to be sniffed. Finally, your statement about preboot PIN is inaccurate. It does not require a Group Policy Object (GPO). This documented command for Windows Pro does it: Manage-BDE -Protectors -Add C: -TPMandPIN

Your explanation is great! I really like the animations and visuals you show

There was a similar attack published a few years ago for a TPM that communicated unencrypted over SPI. I had assumed that something like this would have been addressed by now by using some kind of encryption using pre-shared keys. 🙈 Great work, BTW 👏🏼

transmitting the key in *plaintext* is such a bafflingly obvious vulnerability I'm amazed it's in the bloody security chip. I understand the increased hardware and execution time costs that would come with doing otherwise but you'd think security would be prioritized

Oh, I love this. The combination of ingenuity, curiosity and a great amount of knowledge. Well done.

I saw your great presentation on the Iphone USB-C stuff from 37C3 and now this popped up in my feed. Really amazing work stacksmashing!

Prior to the video I was aware of this attack but I was shocked at how practical it actually is, it even looked like a magic stick. I thought it needed a somewhat sophisticated lab and days of work

well, you are the only one i found in two days that really understands the bitlocker, thanks for the video

Exploit, explanation, development, mitigations and considerations, all in under 10 minutes I'd subscribe twice if I could

sending the bitlocker key over unencrypted connections is ridiculous. thanks for sharing!

BRILLIANT. And a totally perfect advert for why you never rely on TPM for security. THANK YOU

Thanks for making this video. I thought bitlocker was enough to secure my computer. I still think it’s good enough to keep it safe from the majority of criminals but I’m going to look at editing the group policy to secure the TPM with a pin pre-boot for additional security. Thanks for making me aware of this issue

I used to encrypt hard drives all the time in the windows XP days. It would take days. I always wanted to know why bitlocker works so quickly. Great video. Thanks for sharing.

good video. i would point out that while fTPM attacks have been disclosed, they're nowhere near as simple and fast as a bus-sniffing attack like this.

This works if the user has a TPM chip but most people don't use a TPM chip. This is still a great find, nice work!

great. used this for a decade and now I finally know why pin is needed. Also respect for clearly speaking about fTPM and this hack

I always thought TPMs were of dubious security benefit while only furthering anti-consumer activities like 1) MS' hold on secure boot, making installing alternative OSes more difficult for less skilled users and 2) further integration with DRM, all the way to the browser.

Great Video! Explained well. Thank you.

I'd argue it'd depend on your threat model. If you're mostly concerned about someone stealing your laptop to sell at Cashies for money to buy ice than having the keys in the TPM is perfectly fine imo. 99% of criminals are just going to wipe the drive and sell the computer anyway. This fits the use-case for majority of people. Now if you're high value target for criminals (e.g you work in the finance industry or something) or the government then it's definitely not a great way to protect your data and you should use a GPO to force the use of a password, use an audited third-party FDE solution like VeraCrypt (formally TrueCrypt), or a Linux-based alternative with LUKS/dmcrypt. Great video btw!

Babe, wake up. Stacksmashing posted a new video.

This definitely prove that bitlocker is so safe in 99% of cases, you' like that germ detol can't kill lol Great video

Very insightful! Expected nothing less from a stacksmashing video. I just wanted to put in my 2 cents here - there's another, simpler attack you can employ against BitLocker: taking a snapshot of RAM. The BitLocker key is casually stored in RAM every time you boot, so taking a full snapshot and finding a key inside it is not a big deal at all. This subject really fascinates me; The key takeaway must be: BitLocker is secure, but nothing will save you if a bad actor gains physical access to your machine. Unless you use an external strong key, but even that falls flat against the silliest HNDL attack. TL;DR don't give your machine to strangers!

Your are an excellent speaker, and gave an excellent tutorial. No silly background music. Very nice! Thank you.

Great walkthrough. I feel like I would have already been wary of this type of auto-unlock encryption anyway though. If I'm not typing in a password to unlock at boot, it's quite obvious there would be some type of hardware hack possible. Kinda common sense, imo.

This will be very useful to get the Bitlocker key BEFORE the system fails, because the manufacturers do not inform users about the correspondent Bitlocker key.

This is cool, but to those suggesting this is a planned backdoor or design failure it depends on your threat model. Presumably CPU is handling disk encryption operations, then some key will end up in RAM anyway which isn’t much better than this. Until you can get a TPM with high enough throughput to handle all disk traffic it will be the reality. If you’re using the system state itself as authorisation, then I’d argue there is no security flaw with the hardware here, rather with policy (as explained in the video). An attacker such as this would be authorised to access the device simply because the hardware configuration is the same, they could turn on the device and access the operating system anyway. So it’s important to include an actual authentication factor in the decryption sequence (password, pin etc).

Just wanted to say this is a pretty incredible video and fascinating topic. I suppose it doesn't help people who are already locked out due to an unbootable system, which is when BitLocker is most often the issue... but it is certainly an interesting topic!

5:58 I want something easier and faster, so I directly designed my own PCB... sure, I see we don't have the same understanding of "easy and fast" xD

Amazing and so well explained. Have a dell micro 3080 that belonged to a company, recovered from an unpaid storage unit. Have bought several laptops the same way. This is first one, that had a bitlocker encrypted drive. I'm new to using kali, and have done an 8266 nodmcu deauth chip, but this is a little more involved. Don't have a raspberry pi yet. Thanks for the tutorial !

super informative as always, thx for the video

Very impressive attack, and a well made video! I do have to take issue with the idea that setting up the PIN in Group Policy is somehow some extraordinary technical challenge... It's far more simple than everything else you did in this video. I suck at GP, and I figured it out with a quick Google search. Guess I'm setting a PIN on all my bitlocker encrypted devices now! Damn...

Thank you for making this more known. This is just a nuisance for data recovery techs rather than actual security.

What i gained from this video is A) bitlocker and tpm can be more secure with further configuration. B) Microsoft knows their customers

Nice video and explanation. I haven't trusted those consumer products/architecture/key-management too much in the first place, so while having a normal vanilla bitlocker in the windows machines, I have all my important/secret data away from my desktop/laptop. My oldest desktops have manual Bitlocker passwowrd entry prompts, as there are no TPM chips, Ha! The secret stuff are behind my own VPNs, my own hardware, and NAS/DAS, and located in encrypted storage in my own systems. And the super secret stuff (for example those that cam compromise access to my customers secret data) is additionally protected in Veracrypt containers. And other security stuff too, but those are not to be spilled at youtube comments.

Hi, clever attack, which proves the reason why a part of the encryption process (usually the key) _must_ be separated from the hardware - nice decoding self-made dongle BTW :)

Hello! Fantastic video. I'm curious, is the chip featured TPM 1.2 or TPM 2.0?

Well explained, and very interesting to see how much protected hard drives aren't protected 😁

This is terrifying... Thanks for showing this

Nice work! I have a background in electronics and programming and was just thinking about how TPM actually works (while studying for Sec exam) since I wasn't really familiar with it, and thought, "hey, there's got to be a key sent in the clear on some bus somewhere", then you're vid popped up in my recommended videos. Thanks for sharing (I actually ran into this problem on one of my 5 y/o machines after the mobo's power module failed w/a popped cap - I caught it immediately, so the rest of the components should still work including the dedicated TPM chip, I'll give this a try so I can get my data back off my expensive SSD, easier than blowing it away, reinstalling OS and restoring backup).

Loved your cc presentation

You have to admit, it definitely adds a level security %99,99 of the people wouldn't want know how to pass. I'd rather try different ways of hacking a PC than getting these tools, hoping they're compatible for the laptop I'm hacking(possibly altering the tools), getting the laptop, opening the back of the laptop and getting the tpm data(~50 seconds if you're fast), getting the SSD out and connecting it to your pc (maybe another 5-10 seconds) and depending on what you're looking for in the ssd; you'll be spending a solid 2-3 minutes including putting the pc back together. I'd try to connect an usb to their laptop when it's active with a little bit of social engineering.

I'm so envious on you guys being capable doing stuff like this, so much knowledge, wished that I have the brain for this stuff.

Best explanation about clock signals yet! thank you it was a eye opener!

unbelievable. All the encryption, security and blahblah just to then send the key unencrypted. Nice video!

Really great video. That why we use pin for bitlocker.

Beautiful Beautiful Mind Opening!

This video shows the reason as to why I'm a great fan of VeraCrypt 🙂 (on laptops remember to disable the keys stored in ram via removing the battery or shutting down the laptop completely as well as disabling windows fast-boot feature!) Peace!

So just disable TPM and enter the key the old fashioned way on startup (on any device)?

I read an article about your device and this attack, and honestly I was surprised that nobody tried something like this years ago. I too had always wondered how an external tpm was supposed to keep data secure if at some point during boot it needs to send the raw encryption keys to the cpu. It's pretty big design flaw and it's pretty unbelievable to think that it was overlooked. In fact, I had assumed that the cpu and tpm did some sort of DH key exchange with possibly some sort of certificates to also avoid midm attacks. Guess that would have been too good to be true.

TPM is really just security through obscurity. I always wondered how it decrypts without a password or an external key device. This makes so much sense. I'm happy that I use LUKS on Linux with a manual password.

For the people wondering, this doesn't work on most on modern computers. They have the TPM chip embedded inside the processor

I'm not particularly concerned by this considering the primary purpose of encryption on my devices is to prevent casual thieves rifling through my data (and very few of them would understand or take measures like above), but it shows it's not enough for a lot of applications. My home can also be broken into if someone is willing to ram the door hard or pick the locks. Security isn't about perfection, it's about proportionality.

Great video, this makes me think about veracrypt or encrypted VMs again

Nice demo! It goes without saying that this is not just a bitlocker/Microsoft problem, but rather a (d-)TPM problem that is "by design". fTPM solves this.

Interesting information and nice skills. Note: Bitlocker can also be used without the TPM in which case, this video won't apply. I like to use Bitlocker on a Hyper-V Virtual Disk that contains my data needing to be secured. I mount the disk on demand with my Bitlocker unlock key/passphrase. I can move the data around to any computer like a single file. Makes backups simple too.

for the efforts you took to explain this whole concept so nicely - i subbed!!

You’ve gained a follower, thanks for your effort and video.

yeah I've been going through how TPM and etc works as I was moving from windows to linux, and I gotta say, I was astonished (an understatement) when I realized that most implementations just send the actual key in plain-text! Microsoft and other manufacturers had ONE job, and they couldn't get it right. fTPM is better in that it's integrated into the CPU and from my understanding, is practically impossible to sniff since it all happens inside, possibly in the secure enclave chip. Extensions to out-of-CPU TPM have been proposed, where the key is sent encrypted with a pre-shared-key when setting things up, which would theoretically fix this design flaw. I'm yet to understand how this works. Great video! I'm somewhat glad I understood things right as I researched around about this topic.

Very cool implementation, I love your pi zero stuff! Btw was very nice meeting you at the ccc, just finished populating the tamarin-c board I got from you 😊

this is so good to know, but the main thing is you must have the TPM linked to that ssd/hdd,

No way i was just worried by my bitlocker today and this is on my recommendation and its just uploaded today 😅😮😮

The bizarre thing about this is that TPM spec supports session-based parameter encryption (part 1 section 19). Firmware needs to explicitly set it though.

That was sick. Thanks for taking the time to share with us.

7:35 setup a PIN with GP policy is easy and I know many enterprises who has enabled it via GP Good mitigation- case closed.

I needed this like 6 months ago and would have totally purchased the TPM sniffer pico as I was attempting to get the recovery key for my dad's PC. I tried a lot of stuff, but this looks more promising.

Wouldn't this be a lot harder on a modern Windows 11 machine with TPM 2.0, instead of an ancient Lenovo running Windows 7 BitLocker?

This is why I use VeraCrypt system disk encryption.. Simple and effective.. and does NOT rely on TPM, etc.

“Plenty of time” refers to you having researched that particular laptop, developed a custom tool which took days for them to make and send to you, the custom code you had to write to run the exploit, etc. This is what we call in the security world as the “advanced persistent threat.” It took you 40 seconds after spending countless hours preparing to run your exploit.

You have to appreciate the effort that went into making the pins setup! However, this video makes me more likely to use BitLocker than not. My use case is leaving a PC unattended with a person who's highly unlikely to have the skills to do this attack. However, anyone can use a SATA to USB adaptor.

Solution: use TPM integrated in CPU.

Thank you, incredible work 👍 Very enjoyable watching this video. Aren't 90%+ of new systems in last 5 years using fTPM unless I am mistaken? Kindest regards, neighbours and friends.

Interesting, though I noticed this was on a really old version of the Carbon X1. My understanding was it used to be a problem but vendors have grown wise and patched it in newer designs. Do you have any examples of newer laptops this works on?

Well security is always layered, if all you trust is "what you have" and thats the same as "what you want to protect" in most cases (laptop and tmp module), it only makes it a bit harder to attack. Always mix your security trust anchors and dont keep 2 of the same type in 1 place. A simple password would make this infinetly harder and require much more attacks against the actual victim aswell.

Would a chassis intrustion switch (and a strong BIOS password to prevent reset) case a measured boot failure?

Interesting to see how relatively simple these are to exploit once the hardware has been investigated. I guess that removable storage would be a completely different matter. Time for me to subscribe

Still clinging to hopes that someone will help to upgrade your gameboy web interface to make four-round matches possible.

very impressive. Always thought bitocker was safe, but with only a 10$ device, it's no longer the case. You can always put a boot password in BIOS to prevent PC from booting, but even then, someone prepared with a default manufacturer BIOS password (easily found on the internet) could still managed to by-pass it. Physical TPM should/will disappear soon I hope

This isn't how mine is setup. I have to manually enter the key at the start of the booting process.

You never cease to amaze Thomas. Incredible work my friend!

Is this also possible if the TPM which is built in into the CPU is used, as then no signalling between the cpu and TPM can be seen?

"...and didn't really need any super advanced skills or tools" - Definitely not super advanced, but still advanced skills and tools. Not everyone can make that stuff you know. Microsoft's documentation around 7:00 is still mostly correct. You had to make your own both tool and software, which can only be used on small number of machines and probably exclusively for laptops. You simply can't pull this off in the real world if you don't have "lengthy physical access" on the device. Not all PC's are built in the same way and not all of them have probe points at the same spot if they have those in the first place. Still, this is good to know. A little too hard bashing on MS but good video.

It's Joever for Microsoft. Get ready for Bitlocker 2.

Such an interesting video, thanks! ❤ When I had my main hard drive Bitlocker encrypted, Windows would always ask for the password, before it was able to boot. This would seem safe to me as the key shouldn't be stored anywhere in that case. But did this change to auto-unlock on boot or is there a setting where you can change this behavior?

THE BREAKING BAD THUMBNAIL LOL

Most people who care about the data on their laptops, are businesses and they use group policy, and hence set that a PIN must be used. If you don't have Active Directory, then use the local group policy function.

Curious whether AMD's fTPM would be easier or harder to crack.. Seem it might just use a serial connection so that applications can use it as an RNG during runtime

This TPM vulnerability is not new, it has been known for a number of years, but stacksmashing has created an excellent demonstration that shows how quickly an automated attack can intercept the encryption key and use it to decrypt the drive of a vulnerable system. Keep in mind that this attack only works against computers that have an external TPM mounted on the motherboard, which is no longer a common practice. Nowadays most PCs and laptops have TPM functionality built into their CPU, which makes the encryption key MUCH harder to intercept. It might still be possible, but so far I have not heard of any successful attempts. The other thing to remember is that this attack would have failed instantly if the user had merely set their BitLocker startup PIN or one of the other types of BitLocker preboot authentication. If you use BitLocker and you truly care about your security then you should definitely do this. To summarize, if you have a newer computer with a CPU-based TPM and/or if you have set the BitLocker startup PIN then you should be quite safe from this type of attack. That should be your main takeaway from this video.

Interesting how one of the uses of bitlocker is to protect data on stolen devices, but if you steal the whole computer you just need to turn it on

Nice! I've seen this done with Ice spray and RAM, but this is much more convenient!

I had a strange feeling, that using that goofy ahh TPM module for the bitlocker is not the greatest idea, so I immediately searched the web for how to set the PIN instead of using TPM. Also, why the heck bitlocker doesn't let to use security keys to decrypt the drive?....

Honestly I have no idea why win11 removed the passphrase/pin at the beginning and as you mentioned the typical user won't use the group policies. This is like locking a door and leave the key inside but maybe it is as designed so some people with knowlegde can still access the data easily. Great video and good explaination, I just skipped through because of a well known background but this is a video from beginner to expert.

The real issue here is that the communication between the TPM and the CPU is in clear text. This is just stupid, I mean just a diffie-hellman exchange would have been better. Sure, you could then get in the middle of the communication, but that would have required desoldering the TPM chip and having an hardware to get in the middle, not something easy as sniffing some data lines!

Yeah TPM without a startup key on USB and/or PIN is a joke, as shown here. Microsoft kind of admits this somewhere in the middle of that article you showed. Anyways, love your video and easy explanations! Looks fun!