Decoding PIN-Protected BitLocker: Unveiling Vulnerabilities Through TPM SPI Analysis

BitLocker, Microsoft’s full-disk encryption feature, is widely employed to safeguard sensitive data on Windows devices. While configurations without a Personal Identification Number (PIN) have been scrutinized for potential vulnerabilities, recent research has shifted focus to setups fortified with PIN protection. It shows that even PIN-protected BitLocker configurations can be susceptible to physical attacks, particularly when the attacker already knows the PIN.

Understanding PIN-Protected BitLocker Architecture

In standard Trusted Platform Module (TPM)-only configurations, BitLocker automatically unseals encryption keys during the boot process. However, when a PIN is introduced, additional security layers are implemented:

– Full Volume Encryption Key (FVEK): This key encrypts the data on the disk and remains stored on the disk itself.

– Volume Master Key (VMK): The FVEK is encrypted by the VMK, which, in PIN-protected setups, is stored on the disk and safeguarded by an Intermediate Key (IK).

– Intermediate Key (IK): The IK is encrypted using a Stretched Key (SK) derived from the user’s PIN.

This multi-layered approach ensures dual authentication: the TPM unseals the IK, and the PIN-derived SK decrypts it. This design aims to thwart both online brute-force attacks through TPM lockouts and offline attacks via randomized intermediates, operating under the assumption of secure hardware isolation.

Exploiting TPM Communications via SPI Bus Analysis

Researcher Guillaume Quéré conducted experiments on an HP ProBook 440 G1, which features a discrete Nuvoton NPCT760HABYX TPM communicating over the Serial Peripheral Interface (SPI) bus. The SPI bus, a shared communication channel, can be accessed through test points on nearby components, such as the MX25U memory chip. Notably, this method requires no soldering; connecting to the clock, Master Out Slave In (MOSI), and Master In Slave Out (MISO) lines is sufficient, with the Chip Select (CS) line being optional for modern analyzers.

Using a DSLogic Plus analyzer, signal capture commenced before PIN entry. However, the clock line idled at intermediate voltages, which distorted the readings. Adding a 4.7 kΩ pull-down resistor held the idle clock at ground and stabilized capture of the 33 MHz SPI bus. Even so, anomalies in the TPM Interface Specification (TIS) traffic persisted, such as double bytes per packet, likely resulting from slow acknowledgments, and these hindered automated decoding.

Manual Decoding and Key Extraction

Given the limitations of automated tools, manual decoding became essential. By filtering raw MOSI/MISO data with regular expressions, researchers stripped TIS wrappers (e.g., identifying master requests with patterns like 00 D4 00 18 XX) and isolated TPM 2.0 commands through headers such as 80 01 (plain) or 80 02 (authenticated).

Focusing on key exchanges, the analysis identified commands like ReadPublic for TPM keys, Load for objects, GetRandom for nonces, StartAuthSession, PolicyAuthValue/PCR for policies, and, crucially, Unseal for the IK blob. Interestingly, the PIN itself is never transmitted to the TPM; instead, it influences the Unseal Hash-based Message Authentication Code (HMAC), a nuance confirmed through trials with both correct and incorrect PINs.

The Unseal response contains the encrypted IK, which differs from non-PIN blobs due to the PIN-derived SK. Deriving the SK involves converting the PIN to UTF-16LE encoding, applying a double SHA-256 hash, and performing 1,048,576 iterations with a disk salt—a process that is computationally intensive but feasible.

Decrypting the IK using AES-CCM with the SK allows access to the VMK from disk metadata. Tools like dislocker can then utilize the VMK to mount the encrypted volume.

Practical Application and Implications

In the case of the HP ProBook, Python scripts were employed to stretch the PIN 67851922 against the salt c36496f98842c6fd9841de2ea743d5cf, successfully decrypting the 44-byte IK payload. Subsequently, dislocker mounted the volume with read-write access, enabling potential backdoor installations, such as replacing sethc.exe with cmd.exe to facilitate privilege escalation via the Shift+5 shortcut.

Automated scripts like SPITkey.py or tpm_sniffing_pin.py can streamline this process by parsing volumes directly or leveraging dislocker outputs.

This research underscores the vulnerabilities inherent in discrete TPMs, challenging the perception of their security. While firmware TPMs (fTPMs) or configurations combining PINs with startup keys can mitigate the risk of SPI bus sniffing, insider threats remain a concern. Therefore, enterprises are advised to audit their encryption configurations beyond default settings to enhance security.
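
For the configuration audit recommended above, the following PowerShell sketch reports which TPM-based key protector each operating-system volume uses. It is an added example, not code from the research or the tools named in the article; it relies on the built-in Get-BitLockerVolume and Get-Tpm cmdlets, and the finding texts are this example's own reading of the article.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): report which TPM-based key protector
# each OS volume uses, so TPM-only and TPM+PIN setups can be reviewed.
# Assumption: the finding texts are this example's reading of the article.

# Weakest first: any protector present can unlock the volume, so the weakest
# TPM-based protector decides the finding.
$findings = [ordered]@{
    'Tpm'              = 'HIGH   - TPM only: key is unsealed automatically at boot'
    'TpmStartupKey'    = 'REVIEW - TPM + startup key, no PIN'
    'TpmPin'           = 'REVIEW - TPM + PIN: confirm whether the TPM is discrete or firmware'
    'TpmPinStartupKey' = 'OK     - TPM + PIN + startup key'
}

# Vendor string only; whether the part is discrete (bus-attached) or a firmware
# TPM has to be confirmed against the platform documentation.
$tpm = Get-Tpm
$tpmInfo = if ($tpm.TpmPresent) { $tpm.ManufacturerIdTxt } else { 'no TPM' }

$report = foreach ($vol in Get-BitLockerVolume) {
    if ($vol.VolumeType -ne 'OperatingSystem') { continue }

    # Protector types on this volume, as strings (e.g. TpmPin, RecoveryPassword)
    $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
    $weakest = $findings.Keys | Where-Object { $types -contains $_ } |
        Select-Object -First 1

    $finding = if ($vol.ProtectionStatus -ne 'On') {
        'HIGH   - protection is off or suspended'
    } elseif ($weakest) {
        $findings[$weakest]
    } else {
        'REVIEW - no TPM-based protector found'
    }

    [pscustomobject]@{
        MountPoint = $vol.MountPoint
        Protectors = $types -join ', '
        TpmVendor  = $tpmInfo
        Finding    = $finding
    }
}

$report | Format-Table -AutoSize -Wrap
```

Run it from an elevated session on each endpoint, or through your management tooling, and follow up on every volume that is not reported as OK.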