I read a little about BitLocker. It seems to store the encryption key in the TPM and acquire it automatically after boot. I wonder, can the encryption key be extracted by inserting a rogue PCIe card and reading it from memory, or by inserting a rogue DDR memory card with a backdoor to read the key from it, or by sniffing the CPU-TPM bus?
Yes, sniffing is possible. For now I'm waiting for some Pluton variant to start making its way into the chip and die stream.
The concept is to shield the TPM, its bus, and any keys with the CPU chip.
Sniffing the TPM's been available for quite some time, actually - and quite cheap!
https://pulsesecurity.co.nz/articles/TPM-sniffing
The best way would be to arguably keep the key completely off the TPM and use remote attestation. There are some preboot products out there like WinMagic SecureDoc* that use a little Linux partition, spin up just enough to get a network connection up to a remote server, provide authentication services, and then send the BitLocker key down, unlock the partition, and chainload onwards to Windows.
* I acquired an enterprise device on eBay and was VERY surprised to find this product on it as the preboot protector. Zero way to crack in from my end, so I applaud it. There are even some MFA solutions they offer around this! https://winmagic.com/en/solutions/mfa-windows-login/
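An added example, not part of any post in this thread: a PowerShell check for volumes whose key the TPM releases on its own at boot, which is the configuration the bus-sniffing discussion above applies to. The function name `Test-TpmOnlyUnlock` and the sample volumes are constructed for illustration; `Get-BitLockerVolume` and its `KeyProtector` / `KeyProtectorType` properties come from the Windows BitLocker module.

```powershell
# Added example: flag BitLocker volumes that carry a plain 'Tpm' key protector,
# meaning the TPM hands the key to the boot loader with no further input.
function Test-TpmOnlyUnlock {
    param([Parameter(Mandatory, ValueFromPipeline)] $Volume)
    process {
        # Compare protector types as strings so the same code handles the
        # module's enum values and the constructed sample objects below.
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        [pscustomobject]@{
            MountPoint       = $Volume.MountPoint
            ProtectionStatus = "$($Volume.ProtectionStatus)"
            Protectors       = $types -join ', '
            TpmOnlyUnlock    = $types -contains 'Tpm'
        }
    }
}

# Constructed sample data shaped like Get-BitLockerVolume output (runs anywhere).
$sampleVolumes = @(
    [pscustomobject]@{
        MountPoint = 'C:'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'Tpm' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    },
    [pscustomobject]@{
        MountPoint = 'D:'; ProtectionStatus = 'On'
        KeyProtector = @(
            [pscustomobject]@{ KeyProtectorType = 'TpmPin' },
            [pscustomobject]@{ KeyProtectorType = 'RecoveryPassword' }
        )
    }
)

$sampleVolumes | Test-TpmOnlyUnlock | Format-Table -AutoSize

# On a real machine, from an elevated session:
#   Get-BitLockerVolume | Test-TpmOnlyUnlock | Format-Table -AutoSize
```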