If you have a Windows 10 Pro, or Windows 11 Pro device, with a dedicated external Trusted Platform Module (TPM), all of your encrypted data could easily be decrypted and read – all that’s needed is a little brainpower, a $10 Raspberry Pi Pico, and physical access to the target endpoint.
A YouTuber with the alias stacksmashing has demonstrated what they call a “colossal security flaw” which allowed him to bypass Windows Bitlocker in less than a minute and gain access to the encryption keys, all with the help of the off-the-shelf cheap device.
You can read up on the technicalities of the flaw and its exploit here, but the short story is that the communication lanes between the CPU and the external TPM are completely unencrypted on boot-up. So, if an attacker were to have an unpopulated connector on the motherboard that can read LPC bus data, they would be able to connect the Pico to it and have the device read the raw ones and zeros from the TPM. That would grant them access to the Volume Master Key that’s stored on the module.
Major oversight
During their demonstration, stacksmashing used a ten-year-old laptop with Bitlocker encryption, but explained that the same method works on newer motherboards with an external TPM.
The devices with a TPM built into the CPU should be safe (which includes most Intel and AMD CPUs for sale today). In the video, the YouTuber is seen first removing the back cover of a laptop with a screwdriver, before touching the connectors with their Pico device. At the same time, a stopwatch running on a smartphone showed the entire process lasting less than a minute.
While some viewers praised stacksmashing’s findings, saying the tool could be really helpful for people who lost their encryption keys, others suggested that the flaw was a “major oversight”.
Via The Register