The BitLocker partition is encrypted using the Full Volume Encryption Key (FVEK). The FVEK itself is encrypted using the Volume Master Key (VMK) and stored on the disk, next to the encrypted data. This permits key rotations without re-encrypting the whole disk.
The VMK is stored in the TPM. Thus the disk can only be decrypted when booted from this computer (there is a recovery mechanism in Active Directory though).
In order to decrypt the disk, the CPU will ask that the TPM sends the VMK over the SPI bus.
The vulnerability should be obvious: at some point in the boot process, the VMK transits unencrypted between the TPM and the CPU. This means that it can be captured and used to decrypt the disk.
This seems like such an obvious design flaw, and yet, that’s exactly how it works – and yes, as this article notes, you can indeed capture the VMK in-transit and decrypt the disk.
I hadn’t realized it was unencrypted in transit. I guess that’s what the “more difficult for attackers to access” part of Microsoft getting Pluton onto the same die as the CPU is about.
Yes, and no.
In the original design, TPM was an add-on chip on the motherboard. There are even 3rd party ones for specific manufacturers / models: https://www.amazon.com/NewHail-infineon-Motherboard-Compatible-MS-4462/dp/B09PBMQ8YY
That makes it really open to external attacks.
On the other hand, there are better implementations. The one in the Xbox consoles for example.
And that is the one being moved back into the PC space as Pluton:
https://www.windowscentral.com/microsoft-will-protect-pcs-pluton-technology-pioneered-xbox
Yes, external, physical attacks are definitely an issue, but i think they’re often too exaggerated. Performing a physical attack has high risk: you have to gain access/infiltrate an organisation, stand in front of the machine to be exploited, open it, add some snooper device, and leave. The chances of getting caught, or leaving evidence, is high.
Of course, if the risk balances reward (say, you steal millions of dollars), then it might be worth it. But for most organisations and corporations, the main vector for attack will always be from a remote setting.
Things like phishing attacks, viruses etc are all quite low risk, and often can provide as good, if not better, access than physically accessing said organisation could.
It isn’t only corporate saboteurs that are an issue. Governments can just seize your computer equipment openly and take their sweet time.
While I doubt the cops in the story I linked to bothered to put that much effort in breaking encryiption, journalists have a legitimate interest in protecting their sources
I don’t think its that surprising that its possible, given the design, that’s why pin and password versions of bitlocker exist. Without those, this is the possible attack. Some companies look at it and say its worth the risk of having a determined cracker doing this with the whole computer. Its either this design or you do Pluton as others mentioned or really make the TPU a very different animal.
Bill Shooter of Bul,
Most people don’t have to worry about sophisticated adversaries, but realistically if they were targeted by experts or even governments, it’d would be hard to detect and stop evil maid attacks and interdiction where a device is modified while its owner isn’t tending to it.
Even something as basic as a hardware keylogger would have a high change of working regardless of security features such as TPM. The hardware’s protection features don’t necessarily have to be broken, a resourceful adversary could swap in completely new compromised internals that they have unlocked and they control while giving owners the impression it’s the original unaltered hardware.
It’s unlikely such attacks are being used against average users – too much work for too little payout – but the threat is real for high level targets.
https://www.kaspersky.com/blog/evil-maid-attack/37901/