Last week, a video by security researcher StackSmashing demonstrated an exploit that could break Microsoft’s BitLocker drive encryption in “less than 50 seconds” using a custom PCB and a Raspberry Pi Pico.
The exploit works by using the Pi to monitor communication between an external TPM chip and the rest of the laptop, a second-generation ThinkPad X1 Carbon from roughly 2014. The TPM stores the encryption key that unlocks your encrypted disk and makes it readable, and the TPM sends that key to unlock the disk once it has verified that the rest of the PC’s hardware hasn’t changed since the drive was encrypted. The issue is that the encryption key is sent in plaintext, allowing a sniffer like the one that StackSmashing developed to read the key and then use it to unlock the drive in another system, gaining access to all the data on it.
This is not a new exploit, and StackSmashing has repeatedly said as much. We reported on a similar TPM sniffing exploit in 2021, and there’s another from 2019 that similarly used low-cost commodity hardware to pick up a plaintext encryption key over the same low-pin count (LPC) communication bus StackSmashing used. This type of exploit is well-known enough that Microsoft even includes some extra mitigation steps in its own BitLocker documentation; the main new innovation in StackSmashing’s demo is the Raspberry Pi component, which is likely part of the reason why outlets like Hackaday and Tom’s Hardware picked it up in the first place.
This post has been read 37 times!