Businesses warned over a new breed of BitLocker attacks

Malicious actors can physically breach target devices by hardwiring equipment into the motherboard

Motherboard

Devices protected using Microsoft BitLocker can be physically breached in a new form of attack that involves extracting the encryption keys from a computer's Trusted Platform Module (TPM) chip.

By hardwiring equipment into a computer's motherboard, namely the TPM chip, attackers would be primed to access any sensitive corporate information stored on encrypted hard drives. This breed of attack requires an attacker to be in close physical proximity to the target and leads to the device in question being destroyed.

A security researcher from Pulse Security Denis Andzakovic outlined the method in a post published yesterday, including how he would wire up equipment to a target device, and interpret the information he intercepts.

TPM chips are a form of crypto-processor designed to carry out cryptographic operations. It's a form of secure encryption deployed to protect highly sensitive information. The most common functions are used for system integrity, and for key creation and usage.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

But Andzakovic's work has demonstrated how BitLocker encryption keys can be extracted from both 1.2 and 2.0 TPM chips can be using source code and a field-programmable gate array (FPGA) board.

"Enabling BitLocker with a TPM+PIN protector should mitigate this vulnerability, however, users will be required to enter a PIN at boot," he wrote.

"Smart cards or USB keys used as an additional pre-boot authentication in addition to the TPM should mitigate this issue as well. I'd need to take a closer look at the different protector modes to be able to say for certain, maybe some future work."

The researcher first demonstrated the attack on a 1.2 TPM chip, beginning with soldering on seven wires to the chip, with the aim of intercepting its low pin count (LPC) bus. He then used a logic analyser to pick up on the LP messages and decoded them to extract the volume master key (VMK). This key encrypts the full volume encryption key (FVEK), which itself encrypts the data locked away on BitLocker drives.

He then demonstrated the attack on 2.0 TPM chip embedded in his own Surface Pro 3.

After passing the details of the attack to Microsoft's security response centre, Andzakovic said he was advised to apply an additional form of pre-boot authentication to mitigate the potential for this attack.

Featured Resources

Report: The State of Software Security

This annual report explores important trends in software security

Download now

A fast guide to finding your cloud solution

One size doesn't fit all in the cloud, so how do you find the best option for your business?

Download now

Digitally perfecting the supply chain

How new technologies are being leveraged to transform the manufacturing supply chain

Download now

Small & Medium Business Trends Report

Insights from 2,000+ business owners and leaders worldwide

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/mobile/28299/how-to-use-chromecast-without-wi-fi
Mobile

How to use Chromecast without Wi-Fi

5 Feb 2020
Visit/hardware/354723/coronavirus-starts-to-take-its-toll-on-the-tech-industry
Hardware

Coronavirus starts to take its toll on the tech industry

6 Feb 2020
Visit/operating-systems/microsoft-windows/354739/windows-7-bug-blocks-users-from-shutting-down-their-pcs
Microsoft Windows

Windows 7 bug blocks users from shutting down their PCs

10 Feb 2020
Visit/in-depth/354726/sonos-speakers-are-environmentally-unsound
In-depth

Sonos speakers are environmentally unsound

9 Feb 2020