“Extracting BitLocker keys from a TPM”

(Pre-Boot Authentication: Wisdom in Security – Part 3)

In my September 2018 blog “Pre-Boot Authentication. Wisdom in Security Part 2”  I concluded that:

“Bottom Line: ‘No PBA’ is not a wise choice for enterprises

Microsoft’s reasoning that you don’t need PBA because the known memory attacks are difficult to pull off on most modern hardware is simply wrong because the threat is much more than just those attacks”. Just last week, one such attack made headlines.  Our customers asked us about the recent report titled “Extracting BitLocker keys from a TPM by Denis Andzakovic from Pulse Security.  In that report the author concluded “Don’t want to be vulnerable to this? Enable additional pre-boot authentication.” (my bolding)

Let me explain.  In my blog from July 2018 “Pre-Boot Authentication. Wisdom in Security” I wrote “Without PBA, the machine boots to the OS, unencrypting the data on the disk in the background.  Even though the Windows login screen is effective protection against attacks via the user interface, many other types of attacks can now be applied to the computer.  With physical access to the machine, the attacker can prepare, measure, and attack using the boot process of the computer, applying a logic analyzer to monitor the flow of data between the disk, CPU, and memory during the boot process to capture the disk’s encryption key –… “

The term “logic analyzer” caught my attention when the Pulse Security report stated:  “This project kicked off for me when Hector Martin (@marcan) mentioned they were able to sniff the BitLocker VMK straight off the LPC bus.  Hector used an FPGA to sniff the bus for a TPM1.2 chip; I wanted to see if I could achieve the same thing with a cheapie off-the-shelf logic analyzer and attempt the attack against a TPM2.0 chip.”

I don’t think my blog gave ideas to the researchers, e.g. to use a logic analyzer; I am pretty sure the researchers knew this long before I’d written it, but great minds think alike!  Or rather, this is just obvious to anyone who pays attention to security.

So, in my blogs about “No PBA – Wisdom in Security” I stated: Memory attack is possible – even in modern PCs.  There are many more attacks for “no PBA” beyond memory attacks and a few months later an attack for 1) was published, and now an attack for 2) has been published.  I imagine there are many more attacks which are not published!

Note that the newly published attack is “using a dirt cheap FPGA (~$40NZD)“.  Yes, some knowledge is required. But …. YouTube can be used mostly free of charge.

The definition of wisdom is “the soundness of an action or decision with regard to the application of experience, knowledge, and good judgment”.  When experience, knowledge, and good judgment are applied to Full Disk Encryption, wisdom dictates using Pre-Boot Authentication, else, while one cannot predict the exact future, these kinds of attacks are foreseeable.

Previous Post
Five Observations from RSAC 2019
Next Post
Great Product Development Begins with a Solid Foundation of Corporate Excellence