Safety researcher Thomas “Stacksmashing” Roth has launched a instrument which turns the $4 Raspberry Pi Pico right into a gadget able to capturing the keys for Microsoft BitLocker-encrypted volumes from chosen laptops in underneath a minute — by sniffing visitors on the Low Pin Rely (LPC) bus.
“That is me stealing the BitLocker disk encryption key from this laptop computer — in simply 43 seconds,” Roth says within the introduction to his newest challenge, “just by poking it with a $4 Raspberry Pi Pico. This enables me to entry all BitLocker protected information on this technique, and even lets me backdoor it.”
First launched in Home windows Vista, BitLocker is Microsoft’s whole-disk encryption system designed to guard information at relaxation on Home windows methods. To strengthen the safety, the keys for the assault will be saved in a system’s Trusted Platform Module (TPM) — however, by sniffing visitors to and from the TPM and the CPU, utilizing the Low Pin Rely (LPC) bus, it is doable to seize these keys and achieve unauthorized entry to the goal quantity.
“I might simply solder wires to the TPM,” Roth explains, “[but] hidden beneath this black tape is an unpopulated connector, and after measuring round a bit I discovered that many of the LPC alerts can be found on this connector. I ordered a few […] spring-loaded [pogo-pin] contacts on-line and designed a small PCB with — you guessed it — a Raspberry Pi Pico. Now I’ve a small instrument that I can simply push onto the connector within the laptop computer and that establishes an honest connection.”
This is not the primary time BitLocker has fallen to a sniffing assault on the LPC bus. Again in March 2020 SySS Analysis turned a Lattice Semi iCEstick FPGA board right into a sniffer for the Trusted Platform Module — which constructed, in flip, on Alexander Couzens’ LPC Sniffer challenge, with modifications by Denis Andzakovic particularly concentrating on the TPM. Roth’s twist on this dramatically reduces the price of entry, right down to a $4 growth board and a easy service board — a complete, he estimates, of $10 in elements.
The dongle connects to a debug port utilizing pogo pins, permitting for a fast assault with no soldering required. (📷: Thomas Roth)
There’s a few catches in Roth’s strategy, although. The primary is that the hidden connector is a Lenovo invention for debugging in the course of the manufacturing course of, and cannot be discovered on each Lenovo mannequin not to mention laptops from third-party producers. The opposite is that not all Trusted Platform Modules join over the LPC bus, with SPI-connected TPMs commonplace — and invisible to an LPC sniffer.
Regardless, in the event you’ve bought an acceptable Lenovo laptop computer and have to get into its BitLocker-encrypted storage in a rush, Roth has launched the supply code and {hardware} design information on GitHub underneath the GNU Basic Public License 3.
