Microsoft's BitLocker is one of the most readily available encryption solutions, letting users encrypt their data and keep it out of third parties' hands. However, it seems that BitLocker is not as secure as you might think.
Earlier this week, YouTuber stacksmashing posted a video showing how he was able to intercept BitLocker data along with the encryption keys that allowed him to decrypt data stored on the system. Not only that, but he did it in 43 seconds using a Raspberry Pi Pico that probably costs less than $10.
To execute the attack, he exploited the Trusted Platform Module, or TPM. In most PCs and laptops, the TPM is a discrete chip separate from the CPU and uses the LPC bus to send and receive data from it. Microsoft's BitLocker relies on the TPM to store critical data such as platform configuration registers and the master key.
In his testing, stacksmashing found that the LPC bus carries its traffic to the CPU over lines that are not encrypted at boot, so the data on them can be captured and used to steal critical secrets. He ran the attack on an old Lenovo laptop that had an unused LPC slot on the motherboard next to the M.2 SSD slot.
stacksmashing plugged a Raspberry Pi Pico into the unused slot to capture the encryption keys at boot. The Raspberry Pi was configured to record the raw bits the TPM sent over the bus while the laptop booted. Once he was done, he took out the encrypted drive and used the captured master key to decrypt it.
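The attack works because a volume protected by the TPM alone is unlocked automatically at boot, with the key released over the bus and no secret required from the user. As an added example (not from the article or the video), the following PowerShell audit lists each BitLocker volume on a Windows machine and flags the ones whose only protector type is `Tpm`; it assumes the built-in BitLocker module is available and is run from an elevated prompt.

```powershell
# Added example, not part of the original article.
# Lists BitLocker volumes and flags those that auto-unlock with the TPM alone,
# i.e. the configuration in which the key is released at boot without any
# user-supplied secret. Requires the BitLocker PowerShell module (Windows)
# and an elevated prompt.
function Get-BitLockerProtectorAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # Each key protector object carries a KeyProtectorType such as
        # Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey, RecoveryPassword, ExternalKey.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # A bare 'Tpm' protector means the TPM unseals the key on its own at boot.
        $tpmOnly = $types -contains 'Tpm'

        [PSCustomObject]@{
            MountPoint        = $vol.MountPoint
            ProtectionStatus  = $vol.ProtectionStatus
            KeyProtectors     = ($types -join ', ')
            TpmOnlyAutoUnlock = $tpmOnly
        }
    }
}

# Show every volume; the TpmOnlyAutoUnlock column is the one to review.
Get-BitLockerProtectorAudit | Format-Table -AutoSize
```

Any volume reported with `TpmOnlyAutoUnlock` set to `True` is one whose key the TPM hands out during boot without user interaction, which is the situation the video demonstrates.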
Microsoft acknowledges that such attacks are possible, but says they would require sophisticated tools and lengthy physical access to the device. As the video shows, however, someone who comes prepared can carry out the attack in less than a minute.