Microsoft BitLocker encryption cracked in just 43 seconds with a $4 Raspberry Pi Pico https://www.techspot.com/news/101792-microsoft-bitlocker-encryption-can-cracked-43-seconds-4.html "In a YouTube video, security researcher Stacksmashing demonstrated that hackers can extract the BitLocker encryption key from Windows PCs in just 43 seconds using a $4 Raspberry Pi Pico. According to the researcher, targeted attacks can bypass BitLocker's encryption by directly accessing the hardware and extracting the encryption keys stored in the computer's Trusted Platform Module (TPM) via the LPC bus."
I've never used BitLocker as I don't trust that it is effective or reliable. How many times have they broken it with a Windows update and left PCs that were unbootable? If you want encryption, find a 3rd-party alternative.
The real issue is the usage of TPM technology. Who thinks it's wise to store encryption keys inside a "chip" (trusted platform module) on the motherboard and then assume they are safe?? I know Windows 11 Pro is requiring TPM, but someone needs to rethink that. Even Fedora (RHEL) offers TPM, but I for one have no issues with always keying in my really long encryption passwords. I don't mind UEFI with Secure Boot, but I vote a hard NO for TPM on my end. I can sign my own kernels with RHEL, so Secure Boot is fine. My .02. If someone has a really solid reason why I should trust TPM, believe me, I want to learn security. I could care less about convenience. In my world I always gladly give up convenience for security ------ > every time!!
Neither the Home nor the Pro version of Windows 11 actually requires TPM, but Microsoft has limited what hardware you can install it on. But they also let you use a workaround to install it on unsupported hardware. So you don't actually need TPM 2.0, a 6th-gen CPU, etc. I've even installed Windows 11 on an 18-year-old laptop with 2GB of RAM.
I assume that when accessing the device locally, you can do anything; you are not limited by time nor by local security, since you can boot anything else, and most users do not update the BIOS, which could fix local vulnerabilities. Still, it proves that blind faith in BitLocker is misguided. I always prefer separate encryption for critical files; BitLocker can be a nice addition. Then again, it is a problem in targeted attacks; a random thief wants a laptop, not your data.
The main reason to use BitLocker or any other FDE is preventing theft of data by a criminal acquiring physical access to a hibernated/shut-down computer. We can debate whether or not TPM is a Windows requirement or just a strongly suggested way, but that is only a debate over a definition. Nevertheless, the security issue exploited in this attack is found in TPM. While this TPM thing may be a good idea in a corporate environment (some employees will cut corners and choose predictable passwords), for personal usage by security-aware people TPM isn't a good idea.
As I understand it, BitLocker's default method uses only the TPM. When you use something like TrueCrypt/VeraCrypt, the encryption key is only unlocked by your boot password. With BitLocker's default, it checks if the system is modified, and if not, the TPM sends the encryption key to the CPU so the system can be decrypted and booted. (Which you can also see in the video.) So an attacker only needs to bypass your Windows user password, as it already automatically decrypts on turning on the computer. If you set a boot PIN/password for BitLocker, the TPM will only send the key after entering the correct PIN/password and the attack is foiled. MS should have made a boot PIN the default method for BitLocker.
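The TPM-only default versus TPM+PIN distinction described in the post above, as an added administrative check (not from the article, the video, or any commenter): this PowerShell script lists BitLocker volumes that unlock with a bare TPM protector and, when run with -Remediate, adds a TPM+PIN protector. It assumes an elevated session with the BitLocker module (Windows Pro/Enterprise); the FVE policy registry names and the value 2 = Allow are taken from the BitLocker group policy reference and should be confirmed against your own baseline.

```powershell
# Audit BitLocker volumes for TPM-only protectors and optionally require a
# startup PIN so the TPM releases the volume key only after the PIN is entered.
# Assumes an elevated session and the BitLocker module (Windows Pro/Enterprise).
param(
    [switch]$Remediate
)

function Get-TpmOnlyVolumes {
    # A volume is "TPM-only" when it has a bare Tpm protector and no TPM-based
    # protector that adds a secret (TPM+PIN, TPM+startup key, ...).
    Get-BitLockerVolume | Where-Object {
        $types = @($_.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
        $_.ProtectionStatus -eq 'On' -and
        ($types -contains 'Tpm') -and
        -not ($types | Where-Object { $_ -match '^Tpm.+' })
    }
}

$tpmOnly = @(Get-TpmOnlyVolumes)
if ($tpmOnly.Count -eq 0) {
    Write-Host 'No protected volume relies on a TPM-only protector.'
    return
}

foreach ($vol in $tpmOnly) {
    Write-Warning ('{0} unlocks with TPM only; protectors: {1}' -f $vol.MountPoint,
        (($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" }) -join ', '))
}

if (-not $Remediate) { return }

# "Require additional authentication at startup" must permit a TPM+PIN protector.
# Assumption: these FVE policy names and the value 2 (= Allow) follow the BitLocker
# group policy reference; verify against your own policy baseline before deploying.
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
Set-ItemProperty -Path $fve -Name 'UseTPMPIN' -Value 2 -Type DWord

$pin = Read-Host -AsSecureString 'New BitLocker startup PIN (digits only)'
foreach ($vol in $tpmOnly) {
    # BitLocker keeps one TPM-based protector per volume, so TPM+PIN supersedes the
    # bare TPM protector; the recovery password protector remains as the fallback.
    Add-BitLockerKeyProtector -MountPoint $vol.MountPoint -TpmAndPinProtector -Pin $pin
    Write-Host ('TPM+PIN protector added to {0}; reboot to confirm the PIN prompt.' -f $vol.MountPoint)
}
```

Run it without -Remediate first to see which volumes would be changed, and make sure a recovery password is backed up before adding the PIN, since a forgotten PIN otherwise locks you out.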
Yeah, but then you would have a bunch of people each year complaining: I fOrGoT eNcRyPtIoN pAsSwOrD, MIcRoSoFt ReFuSeD tO hElP
Yeah true. But they could at least require a 6 digit PIN like most phones do, afaik those manufacturers can't help you either if you forgot the PIN.
True but that's the price you pay for using it. If someone can help then it wasn't any good to start with.
Almost all phone apps are pushing users to be synced with the cloud, so a damaged or lost phone or a forgotten PIN is not such a problem from a data-loss perspective. For better or worse, desktop apps don't push for that level of cloud synchronization. Microsoft has made a trade-off between data loss (lost password/PIN) and not protecting data at all. It isn't that bad, because a regular thief won't know how to decrypt it. And security-aware people will know about the weaknesses in the default, so they either change them or use other FDE software. I use LUKS https://en.wikipedia.org/w/index.php?title=LUKS