Decrypting BitLocker – extracting the key from the TPM chip
Connecting the sniffer to the TPM module via the LPC bus
Full disk encryption BitLocker in Windows OS it is considered a fairly reliable way to save data. By default, it uses the Advanced Encryption Standard (AES) algorithm in block coupling mode (CBC) or in mode rigged codebook with ciphertext theft (XTS) based on xor-encrypt-xor (XEX) with a 128- or 256-bit key.
In theory, this is a pretty strong scheme. The only problem is that the BitLocker private key is stored in Trusted Platform Module (TPM), and in some cases (on some computers) it can be removed by gaining physical access to the device.
BitLocker
Full disk encryption in Windows 10 can be enabled in Control Panel → System and Security → BitLocker Drive Encryption.
TPM (Trusted Platform Module) is a specification that describes a cryptographic processor in which cryptographic keys are stored to protect information. As you can see in the screenshot, BitLocker has the ability to work without a compatible crypto processor. In this case, the keys are stored in a different location.
In short, BitLocker encrypts data using a Full Volume Encryption Key (FVEK). This key is in turn encrypted using the volume master key (VMK).
The VMK key is encrypted with several “protectors”. There are two of them in the default configuration. One is the TPM, the other is the recovery key:
All this is done so that an attacker, having physical access to the device, will not be able to load Linux on the laptop (or remove the disk) and gain access to the data.
Chaining Block Encryption (CBC)
BitLocker in its default configuration requires no additional user intervention. This is because TPM is only used to decrypt VMK. Any changes to the BIOS or bootloader code will change configuration registers (PCRs)and TPM will not open VMK.
Encryption in xor-encrypt-xor (XEX) mode
Since data decryption occurs automatically, it is enough to intercept the VMK from the TPM, enter it into any BitLocker library, and decrypt the drive.
Removing the key
Keys can be extracted from the TPM using an inexpensive FPGA module or logic analyzer. The first to use this method in 2019
hacker Denis Andzakovic from Pulse Security. He published a proof-of concept and
.
The sniffer connects to LPC bus, from where it receives the master key for encrypting the volume. With this key you can decrypt the disk. The 2019 demonstration used an HP laptop with a TPM 1.2 chip and a Surface Pro 3 tablet with a TPM 2.0 chip, indicating that both versions of TPM were vulnerable. For the attack, the author used the DSLogic Plus 16 logic analyzer (cost about $150).
The HP motherboard has an Infineon SLB96350 chip. It acts as a cryptoprocessor and is connected via the LPC bus:
The sniffer is connected to this bus:
Since the LPC operates at 33 MHz, the engineer set the data acquisition frequency to 100 MHz:
After decoding the packets over the LPC bus, all that remains is to find the VMK key in the dump of the recorded traffic. You can find it by title 0x2c 0x00 0x00 0x00
.
A few bytes after the header the key body begins.
To listen to the Surface Pro 3 key, the specialist used a devkit Lattice ICEStickwhich is sold at a price about $49.
In 2021, Denis’s experiment with Bitlocker key sniffing reproduced specialists from SCRT Information Security on a laptop Lenovo ThinkPad L440 with ST Microelectronics P24JPVSP cryptoprocessor (equivalent to ST33TPM12LPC).
In this case, a similar iCEstick40 FPGA device from Lattice Semiconductor was used and software sniffer With some modifications TPM is for listening.
Having found the aforementioned key header in the dump, it is then extracted in its entirety using the command grep
and recording the 32 subsequent hex values:
$ cut -f 2 -d\' log6 | grep '24..00$' | perl -pe 's/.{8}(..)..\n/$1/' | grep -Po "2c0000000100000003200000(..){32}"
2c00000001000000032000005af9490916013a0bc177b3301d41508c4af8abb8583de5e4c60bbbabafad8a3a
Disk decryption is performed by the program
dislocker
which in recent versions supports the option
--vmk
and accepts VMK keys directly without FVEK reconstruction:
$ hexdump -C vmk
00000000 5a f9 49 09 16 01 3a 0b c1 27 b3 30 1d 41 50 8c
00000010 4a f8 ab b8 58 3d e5 e4 c6 0b bb ab cf ad 8a 3a
$ sudo dislocker -v -V /dev/sdb3 --vmk vmk -- /media/bl
$ sudo mount -o ro,loop /media/bl/dislocker-file /media/blm
$ ls /media/blm
'$RECYCLE.BIN' ESD pagefile.sys 'Program Files (x86)' Users
'$SysReset' hiberfil.sys PerfLogs Recovery Windows
Chocolatey install ProgramData swapfile.sys
'Documents and Settings' Intel 'Program Files' 'System Volume Information'
Thus, in the event of a laptop being lost/stolen when using BitLocker, data safety cannot always be relied upon. It is important to understand which TPM module is used in the device. If it is not combined with the CPU and is located on a separate chip, then how vulnerable is the bus to sniffing. The TPM is usually connected over a low-speed LPC, I2C or SPI bus, which operates at 25-33 MHz and
easily accessible for listening on cheap equipment
.
A few weeks ago information has appearedthat even a $4 Raspberry Pi Pico can be used as a sniffer, and the whole process takes less than a minute.
But there is also a positive aspect: if the user has forgotten his password or BitLocker PIN, then on some computers the files can still be recovered.
Microsoft published recommendations for additional protection when using BitLocker. The company recommends add an additional authentication factor before downloading (for example, PIN code).