from Hacker News

Dumping Memory to Bypass BitLocker on Windows 11

by supermatou on 12/30/24, 6:43 PM with 176 comments

  • by jansommer on 12/30/24, 8:42 PM

    I think you get the biggest advantage from BitLocker when you use TPM (PCR 7+11) with a PIN. That should mitigate the exploit because the FVEK should never be read without the PIN, and if BitLocker does it right (which I think it does) too many wrong PIN's results in the TPM going into dictionary attack lockout mode.

    Now I've been trying for months to do the same for Linux. There's systemd-cryptsetup/cryptenroll, but it's only for LUKS and I'm trying to encrypt a few sensitive directories on a super slow internal eMMC with fscrypt (keys for secure boot and /home). The TPM is _EXTREMELY_ hard to code for when things go beyond the basics:

    1. Bind to PCR 7

    2. Bind to changing PCR 11 (changes whenever the kernel, init, cmdline etc. is updated)

    3. Use a PIN - but not the AuthValue, because I want to use the same authorization policy for resetting the DA lockout counter on login, and also have a long password/AuthValue for resetting the counter manually.

    4. Make it all work with PCR 11 signatures and public keys provided by systemd-stub.

    Maybe this isn't the right place to ask, but there's almost nothing but basic TPM guides out there, so if you're an expert I could really use your help. It's just for a personal project, but I'll write about it once I'm done - if I ever figure it out!

  • by jandrese on 12/30/24, 8:07 PM

    Fundamentally I don't understand BitLocker's security model. In most installs it seems like you power on the machine by pressing the power button and it boots into Windows.

    So if someone steals you machine with an encrypted hard drive they need to...just turn it on? That can't be right, but at the same time I have no idea how this particular attack is defeated. I have to assume the traffic over the SPI bus is encrypted so the key can't just be dumped like that, but it seems like the machine is going to give up the key pretty easily regardless.

    With LUKS it at least has a password prompt to unlock the drive.

  • by mjg59 on 12/30/24, 7:44 PM

    This is entirely defeated by https://trustedcomputinggroup.org/resource/pc-client-work-gr... - if enabled, if the OS isn't cleanly shut down (giving it an opportunity to wipe encryption keys) the firmware will pause to wipe RAM before booting anything else on next boot. Does Windows not make use of this, or did the tested system not implement it?

  • by NoInitRD on 12/30/24, 11:24 PM

    Hello everybody, I'm the author of the article. If you have any questions, please feel free to message me on this account. I had a lot of fun working on this and I really appreciate all of the engagement.

  • by PhilippGille on 12/30/24, 8:55 PM

    Related 38C3 talk about Windows 11 BitLocker bypass: https://media.ccc.de/v/38c3-windows-bitlocker-screwed-withou...

  • by layer8 on 12/30/24, 10:11 PM

    It’s fairly well known that BitLocker only really protects a computer that is turned off, and also only if you configure BitLocker to require a boot password [0].

    [0] https://en.wikipedia.org/wiki/BitLocker#TPM_alone_is_not_eno...

  • by RachelF on 12/30/24, 10:35 PM

    Windows has a proposed memory encryption option along with memory compression.

    Both Intel and AMD are working on embedding this into their CPUs.

    However, the target use appears to be servers with multiple VMs, not laptops.

  • by 0xml on 12/31/24, 3:18 AM

    Related: Bypassing Bitlocker using a cheap logic analyzer on a Lenovo laptop https://news.ycombinator.com/item?id=37249623

  • by ivraatiems on 12/31/24, 6:52 AM

    For any exploit which relies on reading a dump of the target machine's memory, if you have physical access to said machine: How feasible is an "interposer" device that copies off or modifies data as it goes in and out of RAM?

    I'm thinking of something like the old "Action Replay" devices for Gameboys, which modified memory from the game cartridge as it went into the system to be loaded (or executed in the case of code) in order to cheat in games. You slotted the cartridge into the Action Replay, then slotted the Action Replay into the Gameboy.

    Could you do something similar between the RAM and the motherboard? Slot your ram into the device, slot the device into the motherboard, and capture the state of memory at any moment by simply watching how memory is read/written? That way, you'd save yourself the hassle of manually powering off the machine and hoping the data you need is available?

    I'm not an electrical engineer so maybe what I am proposing is completely infeasible - physical space and bandwidth limitations certainly seem likely. But is it possible?

  • by dist-epoch on 12/31/24, 10:25 AM

    Few know this, but Intel/AMD CPUs released in the last few years support transparent full memory encryption, where the RAM content is encrypted with a random key kept in the CPU memory controller and generated at reset.

    It's typically disabled in BIOS, since it has a small memory performance penalty (0.1%->1%)

    But it would completely prevent this attack.

  • by ibbtown on 12/31/24, 8:00 AM

    Having a surface 5 pro laying around here, with a bitlocker encrypted disk, which turns quickly into a BSOD during boot. Do you think it could work in auch situation? I'm still waiting for an exploit to the tom to extract some pictures from the disk

  • by shortsunblack on 12/31/24, 1:07 AM

    See the talk "Recent TPM Security Enhancements to the Linux Kernel" by a Microsoft engineer (I find this ironic) for recent Linux TPM security enhancements. New features add some transport security.

    https://youtu.be/WK7NERQXh4I

  • by medlazik on 12/30/24, 10:29 PM

    Step 3: Boot from the USB Device

    Game over, any laptop with data worth stealing will have this disabled in bios

  • by jpalomaki on 12/31/24, 8:55 AM

    You can make things a bit harder by locking the boot order in bios and password protecting the bios settings.

    Not sure how much this helps against a determined attacker, but it's easy and inconvenience is minimal in most cases.

  • by slicktux on 12/30/24, 8:46 PM

    Why are more people not using self encrypting drives?

  • by 3eb7988a1663 on 12/30/24, 7:29 PM

    What was the hardware on which this was running? I thought DDR5 would be more resistant to this type of RAM attack.

  • by wh_123 on 12/31/24, 6:58 AM

    Reminds me the cold boot attack....

  • by EVa5I7bHFq9mnYK on 12/31/24, 8:19 AM

    Why bitlocker specifically? Will GPG encryption survive if an attacker can dump the RAM at any moment while it encrypts a file?

  • by devops99 on 12/31/24, 9:05 PM

    This is exactly why there are some more "enterprise" machines out there that an arbitrary adversary with physical access can not "abruptly restart" from the outside.

    It's a shame that popularly used OEMs still allow "abrupt restart" to be so easy.

  • by maxo133 on 12/30/24, 8:13 PM

    Too bad the author did not provide hardware specs. Such attack is even harder on DDR4 and DDR5 memory and most publications refer to legacy ram such as DDR3

    > In my experience I have had the most success restarting the system while Windows is loading but before the login screen has appeared, at least in the case of finding FVEK keys.

    So what is this? It was supposed to be memory attack and he's dumping the keys after someone unlocked it and it's booting?

    So this is just another theoretical attack where perfect conditions must be met.

  • by tnetenbaa on 12/30/24, 7:18 PM

    BitLocker is crazy easy to bypass if you have physical access to the device. I work IT, and had to demonstrate to our head of security, that if you just pop in a Linux USB and boot from it, the drive is completely open.