Windows BitLocker: Screwed without a Screwdriver

Ever wondered how Cellebrite and law enforcement gain access to encrypted devices without knowing the password? In this talk, we'll demonstrate how to bypass BitLocker encryption on a fully up-to-date Windows 11 system that relies on Secure Boot for unlocking. We'll leverage a little-known software vulnerability that Microsoft has been unable to fully patch since 2022: bitpixie (CVE-2023-21563). We'll live-demo the exploit and walk through the entire process, from the prerequisites and inner workings of the exploit to why Microsoft has struggled to address this flaw. We'll also discuss how to protect yourself from this and similar vulnerabilities.

BitLocker is Microsoft's implementation of full-volume encryption. It offers several modes of operation, but the most widely used is Secure Boot-based encryption. Many consumer and corporate clients use it, and it is starting to be enabled by default as "Device Encryption" on newer Windows 11 installations. In this mode, the hard drive is encrypted at rest but is automatically unsealed when a legitimate Windows boots, so users don't need a separate decryption password; they just sign in with their usual user account. Unfortunately, this configuration has been broken for quite a while. Hardware attacks against a discrete TPM (dTPM) are widely known, but software attacks are possible as well, at least since 2022, when Rairii discovered the bitpixie bug (CVE-2023-21563). While this bug has been 'fixed' since November 2022 and publicly known since 2023, we can still use it today with a downgrade attack to decrypt BitLocker.

In this talk, we'll dive into:
- How does Secure Boot work, and what role does the TPM play?
- How can BitLocker leverage the TPM?
- How does the bitpixie exploit work? What are PXE boot and BCD?
- What are the prerequisites for running this exploit?
- How can you protect yourself against it?
- Why is it so challenging for Microsoft to fully fix this?
- How does this affect Linux Secure Boot?
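The auto-unlock mode described above is visible from inside Windows: the OS volume carries a TPM key protector with no PIN, and that protector is sealed to the Secure Boot measurement in PCR 7. The following PowerShell is an added example, not code from the talk or from Microsoft, that audits a volume for exactly that configuration and, if wanted, replaces the TPM-only protector with TPM+PIN, which is the user-side protection the abstract points at. It assumes an elevated PowerShell on a Windows machine with the BitLocker, SecureBoot and TrustedPlatformModule modules present; the cmdlets, the policy registry values under HKLM\SOFTWARE\Policies\Microsoft\FVE and the manage-bde output layout are the documented ones, while the "AutoUnlockExposed" heuristic (TPM-only protector plus a PCR 7 profile) is this example's own.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the talk, not Microsoft's code): audit a BitLocker OS
# volume for the TPM-only, Secure-Boot-sealed auto-unlock configuration and
# optionally move it to TPM+PIN. Run in an elevated PowerShell on Windows.

function Get-BitLockerExposure {
    param([string]$MountPoint = $env:SystemDrive)

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Secure Boot state as reported by the OS (Confirm-SecureBootUEFI throws on
    # legacy-BIOS machines, which we treat as "not enabled").
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }

    # manage-bde prints the PCR profile the TPM protector is sealed to on the
    # line after "PCR Validation Profile:", e.g. "7, 11" (Secure Boot based)
    # or "0, 2, 4, 11" (legacy firmware-measurement profile).
    $pcrProfile = $null
    $raw = @(& manage-bde -protectors -get $MountPoint 2>$null)
    for ($i = 0; $i -lt $raw.Count - 1; $i++) {
        if ($raw[$i] -match 'PCR Validation Profile:') {
            $pcrProfile = $raw[$i + 1].Trim()
            break
        }
    }

    # "TPM-only" = a plain Tpm protector with no PIN or startup-key variant.
    $variants = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    $tpmOnly  = ($types -contains 'Tpm') -and -not ($types | Where-Object { $_ -in $variants })

    [pscustomobject]@{
        MountPoint        = $MountPoint
        ProtectionStatus  = $vol.ProtectionStatus
        Protectors        = ($types -join ', ')
        PcrProfile        = $pcrProfile
        SecureBoot        = $secureBoot
        # Heuristic (this example's own): with a TPM-only protector sealed to
        # PCR 7, any boot manager that Secure Boot still accepts can obtain the
        # volume key with no user input, which is the state a downgrade attack
        # needs. A pre-boot PIN removes the "no user input" part.
        AutoUnlockExposed = $tpmOnly -and ($pcrProfile -match '^7\b')
    }
}

function Set-BitLockerTpmPin {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )

    # A TPM+PIN protector is only accepted when the "Require additional
    # authentication at startup" policy allows it. These are that policy's
    # registry values (0 = not allowed, 1 = required, 2 = allowed).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    $policy = @{
        UseAdvancedStartup = 1; EnableBDEWithNoTPM = 0
        UseTPM = 2; UseTPMPIN = 2; UseTPMKey = 2; UseTPMKeyPIN = 2
    }
    foreach ($name in $policy.Keys) {
        Set-ItemProperty -Path $fve -Name $name -Value $policy[$name] -Type DWord
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Never drop the only automatic protector without a recovery password in place.
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        Write-Warning 'Recovery password added; record it (manage-bde -protectors -get) before rebooting.'
    }

    # A volume holds one TPM-class protector, so remove the TPM-only one, then
    # add TPM+PIN. If the add fails, the volume still unlocks with the recovery password.
    $vol.KeyProtector |
        Where-Object KeyProtectorType -eq 'Tpm' |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    Get-BitLockerExposure -MountPoint $MountPoint
}

# Usage (elevated PowerShell):
Get-BitLockerExposure | Format-List
# Set-BitLockerTpmPin -Pin (Read-Host -AsSecureString 'New pre-boot PIN')
```

Two caveats a practitioner should keep in mind: the PIN stops the volume key from being released without user interaction, but it does not make the firmware stop trusting older boot managers, so it closes the auto-unlock path rather than the downgrade itself; and switching to TPM+PIN changes the sign-in flow for every user of the machine, so the recovery password must be escrowed (Active Directory, Entra ID or a key management system) before the change is rolled out.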

Additional information

Live stream: https://streaming.media.ccc.de/38c3/huff
Type: Talk, 60 min (45 min talk + 15 min Q&A)
Language: English

More sessions on stage HUFF

12/27/24, Adam Joseph: This talk announces the first public release of sixos, a two-year project to create a nixpkgs-based operating system using skarnet's s6 supervisor instead of systemd.

12/27/24, hubertf: Capture The Flag (CTF) for beginners: how to practise "hacking" legally, why you should do it, and where to start.

12/27/24, Elektra (Entertainment): The duo 'read & delete' presents radical philosophical texts with musical accompaniment.

12/27/24, zeno: A field guide to dumping and reverse engineering a bare-metal U-Boot binary, including all the good stuff like funky hardware setups, UART logs, a locked bootloader and unknown base addresses.

12/27/24, Jaša: The Polylux network was founded five years ago to push back against the shift to the right in East Germany. Polylux funds what the AfD hates: in solidarity, without bureaucracy, and anti-fascist. For a critical and strong civil society where it is needed most: in rural East Germany.

12/27/24: At a time when privacy is being eroded more and more, why not take control of your data and build your own cloud for file hosting? This talk is a practical guide to self-hosting Nextcloud at home, aimed at beginners with basic Linux and Bash knowledge. From choosing the right hardware to a secure internet connection, we build a self-hosted file hosting app step by step in our own ...

12/28/24, deanna (CCC): An introduction to the hackspaces.