BitLocker Defeated Using Logic Analyser
Written by Harry Fairhead
Wednesday, 30 August 2023
Security is hard, very hard, in fact so hard that I really don't think a device can be secure if you have physical access to it. To prove the point, news has just emerged that BitLocker can be bypassed if you have a cheap logic analyzer.
One of the problems with hardware is that it is accessible to examination. You can connect a logic analyzer and see everything that is happening on any external bus. Even internal bus connections can be read with some effort. What all this means is that if any cryptographic information is stored "in the clear" it can generally be read. You can try to hide it by obfuscation, but by following the dynamic access of even obfuscated data, it can eventually be put back together. This is a particular problem for small single-board devices as typically found in the IoT. As I explain in Master the Raspberry Pi Pico in C, a great many of the security mechanisms used by servers, say, are not secure on a device that is physically accessible. This means, for example, there is no point in storing a certificate on an IoT device in the belief that it can secure a communications channel. Given physical access to the device, the certificate can be read.
Now we have a real-world example involving Microsoft's BitLocker disk encryption. This uses a two-level key system to encrypt data on a disk. To make sure that the disk cannot be read if removed and installed in another machine, the master key, the Volume Master Key (VMK), is stored in secure hardware, the TPM, a piece of hardware that is required if you want to run Windows 11. If the disk is connected to a different motherboard then the TPM has a different key and the disk cannot be accessed.
The VMK is used to decrypt a Full Volume Encryption Key (FVEK), which is stored on the disk. To encrypt or decrypt data on the disk, the TPM has to give the system the VMK, which is then used to decrypt the FVEK read from disk, which in turn is used to work with the data on the disk.
The need to transport the key from the TPM to the system is where the insecurity lies. The key is transferred in the clear (how could it be anything but in the clear?) over the system SPI bus. So all that is needed is to connect a logic analyzer to the SPI bus (as it's a bus, any easily reached point will do) and examine the data during a boot.
This is exactly what Guillaume Quéré decided to do, using a very cheap logic analyzer that barely had enough bandwidth to capture the 33MHz SPI bus signals. Spend a few dollars more and the SPI decoding is trivial and routine. The data is coded on top of the basic SPI commands using TIS, the TPM Interface Specification. There isn't an off-the-shelf decoder for this, but one would be easy to write. The key is sent as part of the TPM 2.0 protocol and again detecting it could be automated.
Quéré did the job manually and, while difficult, it wasn't a superhuman effort. The result was that he could mount the disk and decrypt it. Read more about the fine detail in Quéré's blog post.
The point is that at some stage the key has to be in plain text so that it can be used and, when it is moving around, the system makes it possible to snoop on it and read it out. This is a fundamental flaw. The only way to protect against such an attack is to set a PIN or password that remains secret even if the key is obtained. Of course, this makes the disk slightly less easy to use.
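A check for the mitigation just described, as an added example that is not part of the original article: it reports operating-system volumes whose BitLocker protector is the TPM alone, the configuration in which the key is released at boot without a PIN. It uses the standard `Get-BitLockerVolume` cmdlet from an elevated prompt; the finding labels are this example's own.

```powershell
# Added example: audit BitLocker OS volumes for TPM-only unlock.
# Run from an elevated PowerShell prompt on the machine being audited.

# Protector types that demand something from the user before the volume unlocks.
$preBootAuth = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'

$report = foreach ($vol in Get-BitLockerVolume) {
    # Only the boot volume is unlocked automatically by the TPM at start-up.
    if ($vol.VolumeType -ne 'OperatingSystem') { continue }

    # Collect the protector type names attached to this volume.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasPreBoot = @($types | Where-Object { $preBootAuth -contains $_ }).Count -gt 0

    # Finding labels below are hypothetical names chosen for this example.
    $finding = if ($vol.ProtectionStatus -ne 'On') {
        'NOT-PROTECTED'        # encryption suspended or never enabled
    } elseif ($types -contains 'Tpm') {
        'TPM-ONLY'             # TPM hands over the key with no user secret
    } elseif ($hasPreBoot) {
        'PREBOOT-AUTH'         # PIN, startup key or password required
    } else {
        'REVIEW'               # no TPM-based or password protector found
    }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        Protection = $vol.ProtectionStatus
        Protectors = ($types -join ', ')
        Finding    = $finding
    }
}

$report | Format-Table -AutoSize

# Non-zero exit code lets a fleet-management job flag the machine.
if ($report | Where-Object { $_.Finding -in 'TPM-ONLY', 'NOT-PROTECTED' }) { exit 1 }
```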
This is not just a one-off exploit. If you can get to the hardware then similar techniques can be used. Security is complicated and hardware is comparatively simple.
Last Updated ( Wednesday, 30 August 2023 )