YouTuber hacks BitLocker in under a minute

Reading time icon 2 min. read


Readers help support MSpoweruser. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help MSPoweruser sustain the editorial team Read more

Key notes

  • The researcher intercepts BitLocker keys in under a minute, but only on older devices with specific access.
  • Exploit targets unencrypted communication during boot, not the encryption itself.

Security researchers have identified a potential vulnerability in Microsoft’s BitLocker Drive Encryption, a popular tool for protecting sensitive data on Windows devices. 

The vulnerability, demonstrated by YouTuber stack smashing in a recent video, involves intercepting communication between the Trusted Platform Module (TPM) and the CPU during boot-up, potentially allowing attackers to steal encryption keys and decrypt stored data.

The exploit hinges on that some older devices with external TPM modules rely on an unencrypted communication channel (LPC bus) to exchange critical data with the CPU during boot. 

Stack smashing was able to leverage this vulnerability by connecting a readily available Raspberry Pi Pico to an unused LPC connector on the motherboard, capturing the data stream, and extracting the Volume Master Key used for decryption. This process reportedly took less than a minute to complete.

It’s crucial to note that this attack has limitations. It primarily affects older devices with external TPM modules, while newer systems with fTPM (firmware TPM) where data resides within the CPU are not vulnerable. Additionally, physical access to the device and specific technical knowledge is required to execute the attack successfully.

Last month, another vulnerability in BitLocker was discovered, allowing attackers to bypass encryption through the Windows Recovery Environment (WinRE). Microsoft addressed this issue with security patch KB5034441, emphasizing the importance of updating systems.

User forum

1 messages