BitLocker key sniffing is still possible on modern Windows 11 laptops with discrete TPM modules

BitLocker hardware encryption tested
(Image credit: Microsoft)

We recently reported on a BitLocker security flaw that enables attackers to steal BitLocker encryption keys with a cheap sub-$10 Pico. However, some of our commenters mentioned that the laptop used to demo this flaw was 10 years old, supposing that modern laptops no longer have this vulnerability. Unfortunately, stacksmash on X / Twitter) reports that modern 2023 laptops running Windows 11 still have this vulnerability.

The process to grab the encryption key is a little bit harder now, but nevertheless, the encryption key is still accessible through the same means. As a reminder, this specific BitLocker security flaw takes advantage of the unencrypted communication lanes between the CPU and a laptop's discrete TPM, by tapping into those lanes with an external sniffing device.

Stacksmash forwarded a post by Stu Kennedy on X (Twitter) unveiling the same vulnerability on a Lenovo X1 Carbon Gen 11 — a modern 2023 Lenovo laptop running Windows 11. The security specialist showed where the vulnerability points were on the TPM, and showed the exact soldering points to hook a sniffing tool to the system.

See more

Lenovo's X1 Carbon isn't the only modern laptop with this vulnerability; theoretically, all modern laptops with a discrete TPM module are at risk. Stu Kennedy has a GitHub page dedicated to TPM sniffing, educating people on the different methods users can employ to grab the BitLocker encryption key from the TPM. Kennedy's page alone has cracking tutorials for seven modern laptops (including the X1 Carbon).

There are various methods for cracking a TPM, including attacking the SPI, I2C, or LPC buses, but they all rely on the same general attack: Hijacking the communication lanes between the CPU and the TPM.

The good news is that this attack method is only exploitable if the attacker has physical access to the laptop, making it impossible for someone to do it remotely.

But, there are ways you can defend yourself from this security flaw if you are worried someone might steal your laptop. One way is to not use the TPM module at all to secure BitLocker. You can use either are secondary password at startup or an external security key such as a USB thumb drive. TPM is the default method BitLocker will use to secure a system with a TPM. But you can override this by going into the Group Policy Editor and choosing a different security method.

One interesting tidbit about this TPM hack is that it has only been done on laptops featuring discrete TPMs. Logically, it should be impossible for hackers to use this attack on systems that utilize the CPU's TPM to secure the system. Sensitive information that is being passed from a built-in TPM to the CPU and vice versa should all be done through the CPU, making it impossible to physically access. So if you still want to use a TPM, the built-in TPM module found in modern Intel and AMD CPUs should be a more secure option.

Aaron Klotz
Freelance News Writer

Aaron Klotz is a freelance writer for Tom’s Hardware US, covering news topics related to computer hardware such as CPUs, and graphics cards.

  • Sleepy_Hollowed
    I've only read a hand of these, and they seem to focus on the LPC data bus, which is fine but it is also not quite what's out there on newer systems.

    That being said, this is good to know since it's often overlooked and the set of standards for the TPM external devices have not been updated in a while as far as communication goes, due to cost.

    I know it might be super expensive, but having something similar to pcie x1 to connect these would be much better, since it's been done before but now that NICs and Audio is mostly integrated on the board, why not?
    Reply
  • Dylan Shekter
    Sleepy_Hollowed said:
    I've only read a hand of these, and they seem to focus on the LPC data bus, which is fine but it is also not quite what's out there on newer systems.

    That being said, this is good to know since it's often overlooked and the set of standards for the TPM external devices have not been updated in a while as far as communication goes, due to cost.

    I know it might be super expensive, but having something similar to pcie x1 to connect these would be much better, since it's been done before but now that NICs and Audio is mostly integrated on the board, why not?
    Pcie can still be sniffed. It seems that the real solution is secure board design. Running the traces on the innermost layers to mitigate emission is step 1. ICs are harder to probe than test pads, but still probable, so using a fine pitch bga with a glob top to prevent snaking mag wires would go a long way.
    Reply
  • TJ Hooker
    You don't need to change the CPU-TPM communication channel to address this issue. The mitigation is already known and documented: configure bitlocker to require a pre-boot PIN.

    https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/countermeasures#attacker-countermeasures
    Another option would be for Bitlocker to be updated to use TPM "parameter encryption", which results in the disk encryption key being sent from the TPM to the CPU in encrypted form, rather than clear text.

    And of course, if you're not using a discrete TPM, you don't need ro worry about bus sniffing in the first place.
    Reply