Extracting BitLocker Keys From a TPM

Windows uses BitLocker to encrypt drives with two protectors, the Trusted Platform Module (TPM) and the Recovery Key. A researcher from Pulse Security recently discovered that the encryption keys can be extracted by hard-wiring into the TPM chip and sniffing communications on the LPC bus, using either a logic analyzer or a cheap FPGA board. The new extraction method requires physical access to the device and will destroy the device because of the hard-wiring. The NJCCIC recommends users review the research article and Microsoft’s BitLocker Countermeasures for more technical details. We highly encourage users to ensure pre-boot authentication is enabled and to restrict physical access to devices, especially those with highly sensitive or valuable information.
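One way to check the pre-boot authentication recommendation above, as an added example that is not from the NJCCIC alert or the Pulse Security research: it lists operating system volumes and flags any that still carry a TPM-only protector. It assumes an elevated PowerShell session with the built-in BitLocker module; the function name `Get-PreBootAuthStatus` and the status labels are illustrative.

```powershell
# Added example: audit OS volumes for TPM-only BitLocker protection.
# Run from an elevated PowerShell session on a system with the BitLocker module.

# Protector types that need a PIN and/or startup key in addition to the TPM.
$PreBootTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'

function Get-PreBootAuthStatus {
    # Illustrative helper: classify one object returned by Get-BitLockerVolume.
    param([Parameter(Mandatory)] $Volume)

    $types = @($Volume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    if ($Volume.ProtectionStatus -eq 'Off') {
        $status = 'NotProtected'      # BitLocker off or suspended
    }
    elseif ($types -contains 'Tpm') {
        $status = 'TpmOnly'           # TPM releases the key with no user input at boot
    }
    elseif (@($types | Where-Object { $PreBootTypes -contains $_ }).Count -gt 0) {
        $status = 'PreBootAuth'       # PIN and/or startup key required before unlock
    }
    else {
        $status = 'NoTpmProtector'    # e.g. password or external key only
    }

    [pscustomobject]@{
        MountPoint = $Volume.MountPoint
        Protection = $Volume.ProtectionStatus
        Protectors = $types -join ', '
        Status     = $status
    }
}

# The TPM protects the OS volume; data volumes are unlocked after the OS boots.
$report = Get-BitLockerVolume |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
    ForEach-Object { Get-PreBootAuthStatus -Volume $_ }

$report | Format-Table -AutoSize

# A non-zero exit code lets a management tool flag the machine for follow-up.
if ($report | Where-Object { $_.Status -in 'TpmOnly', 'NotProtected' }) {
    Write-Warning 'At least one OS volume has no pre-boot authentication.'
    exit 1
}
```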
