Hacker demonstrates the supposedly-patched Windows 11 BitLocker is still vulnerable to hackers — default encryption can be overcome with network access

[Image: Windows 11 (Image credit: Microsoft)]

This week at the Chaos Computer Club's (CCC) annual Chaos Communication Congress, hacker Thomas Lambertz presented 'Windows BitLocker: Screwed without a Screwdriver,' detailing how an attacker can beat BitLocker encryption and gain access to protected data. The old, reportedly fixed bug, CVE-2023-21563, can still be exploited on current versions of Windows with just one-time physical access to the device and a network connection. Unlike other drive-decryption exploits, though, the attack doesn't require opening up the PC or having hours of access [h/t Heise].

This attack falls into the category of "bitpixie" attacks, which have been well documented since mid-2022. While this specific error was technically fixed via updates in November 2022, the demonstration shows that the fix is, unfortunately, only surface-level. Secure Boot is used to start an outdated Windows bootloader that it still accepts, which leaves the encryption key in memory; Linux is then used to retrieve the contents of memory and find that BitLocker key. The result is that an updated Windows 11 installation can still be attacked as if it had never been updated to address bitpixie attacks at all.

Microsoft's attempt to fix this issue was insufficient because of UEFI firmware storage space limitations, and current estimates put new Secure Boot certificates as far off as 2026. In the interim, users can only protect themselves by adding their own PIN to BitLocker or disabling network access in the BIOS. Thomas Lambertz warned that even a simple USB network adapter could be enough to execute this attack.
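One way for an administrator to find volumes that rely on a bare TPM protector (the configuration that unlocks the OS drive without any user interaction at boot) and to apply the pre-boot PIN mitigation the article names, as an added PowerShell example that is not part of the article or of Lambertz's talk. It assumes the built-in BitLocker module on Windows 11 Pro/Enterprise, local (non-domain) BitLocker policy, a recovery password already backed up, and a PIN supplied by the operator in place of the placeholder:

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article or the talk): audit BitLocker volumes for
# TPM-only protection and optionally move the OS drive to TPM+PIN.
# Assumes the built-in BitLocker module on Windows 11 Pro/Enterprise.

function Get-TpmOnlyVolumes {
    # Return protected volumes whose hardware-bound protector is bare TPM
    # (no PIN or startup key), i.e. drives that unlock with no pre-boot input.
    Get-BitLockerVolume | Where-Object { $_.ProtectionStatus -eq 'On' } | ForEach-Object {
        $types  = @($_.KeyProtector | Select-Object -ExpandProperty KeyProtectorType)
        $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        if (($types -contains 'Tpm') -and -not $hasPin) {
            [pscustomobject]@{
                MountPoint = $_.MountPoint
                Protectors = ($types -join ', ')
            }
        }
    }
}

function Enable-PreBootPin {
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    # Local BitLocker policy must allow a PIN with TPM before
    # Add-BitLockerKeyProtector accepts -TpmAndPinProtector.
    # UseTPMPIN: 2 = allow, 1 = require. Assumes no conflicting domain policy.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name 'UseAdvancedStartup' -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name 'UseTPMPIN'          -Value 2 -Type DWord

    # Refuse to proceed unless a recovery password exists, so the drive
    # cannot be locked out by a forgotten PIN.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if (-not ($vol.KeyProtector.KeyProtectorType -contains 'RecoveryPassword')) {
        throw "No recovery password on $MountPoint; add and back one up first."
    }

    # Add the TPM+PIN protector, then remove the bare TPM protector so the
    # volume no longer unlocks without the PIN.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    # Return the resulting protector types for confirmation.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector.KeyProtectorType
}

# Usage: list exposed volumes, then add a PIN to the OS drive.
Get-TpmOnlyVolumes | Format-Table -AutoSize
# $pin = Read-Host -AsSecureString 'Pre-boot PIN'   # operator supplies the real PIN
# Enable-PreBootPin -MountPoint 'C:' -Pin $pin
```

The audit lists every volume that would unlock unattended at boot; the second function is deliberately gated on the presence of a recovery password, because removing the TPM-only protector on a drive without one is an easy way to lock yourself out. Domain-joined machines should apply the equivalent settings through Group Policy rather than writing the registry values directly.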

This is unlikely to be a major issue for the everyday user, who is unlikely to have someone on-site attempting to decrypt their BitLocker-protected drives. However, for corporate, enterprise, and government environments where cybersecurity is of the utmost importance, the fact that full BitLocker decryption is still possible with just a single instance of PC access and a USB network adapter is undoubtedly a cause for concern.

The CCC is the EU's largest association of hackers and cybersecurity mediators. For those who want more background and have at least 56 minutes to spare, we recommend the full 'Windows BitLocker: Screwed without a Screwdriver' presentation, uploaded this morning to CCC's media hub. The whole talk is in English, unlike prior coverage, and gives detailed technical information on how the current exploits work and why they're so tricky to fix.

Christopher Harper
Contributing Writer

Christopher Harper has been a successful freelance tech writer specializing in PC hardware and gaming since 2015, and ghostwrote for various B2B clients in High School before that. Outside of work, Christopher is best known to friends and rivals as an active competitive player in various eSports (particularly fighting games and arena shooters) and a purveyor of music ranging from Jimi Hendrix to Killer Mike to the Sonic Adventure 2 soundtrack.

  • hotaru251
    "requires physical access"

    again if a bad actor has physical access you have larger issues.
  • toffty
    hotaru251 said:
    "requires physical access"

    again if a bad actor has physical access you have larger issues.
    Not quite in this case. The difference here is, if a bad actor steals a laptop, they could not copy the data off a drive due to the encryption. If this hack is real, a stolen laptop makes the data gettable.
  • magbarn
    So frustrating that 24H2 has BL turned on by default.
  • USAFRet
    magbarn said:
    So frustrating that 24H2 has BL turned on by default.
    1. No, it does not.

    2. BL enabled, slightly hackable. BL not enabled, more hackable.
  • jp7189
    hotaru251 said:
    "requires physical access"

    again if a bad actor has physical access you have larger issues.
    In most jurisdictions bitlocker changes a stolen laptop with PII from an obligatory, publicly reported data breach to a non-event, and frankly that's all most companies really care about. Sadly, real security takes a back seat to legal liability.
  • jp7189
    It should be noted that the TPM transmits data serially and the signal is possible to sniff if you have physical access. This attack is an easier way to achieve the same result. MS has been pretty open about this potential vulnerability and states it clearly on the main BitLocker page. Using PIN + TPM is effective in stopping all these types of attacks. Again, this is stated on the BitLocker page. Recovering TPM and brute-forcing the PIN is still possible, but in my opinion puts this in the realm of a different class of adversary.
  • magbarn
    USAFRet said:
    1. No, it does not.

    2. BL enabled, slightly hackable. BL not enabled, more hackable.
    1. I've done several 24H2 clean installs from USB and they all defaulted to BL on.
  • USAFRet
    magbarn said:
    1. I've done several 24H2 clean installs from USB and they all defaulted to BL on.
    And my main Win 11 Pro system upgraded to 24H2 a few weeks ago, and remains BL free.
  • jp7189
    USAFRet said:
    And my main Win 11 Pro system upgraded to 24H2 a few weeks ago, and remains BL free.
    BL enabled is the default condition unless it's blocked. Upgrade to 24H2 when logged in with an MS online account (required for key backup), and it will be enabled. Upgrade with a local (offline) account from a computer with BL disabled and it won't be automatically enabled.

    A fresh install of 24H2 enables BitLocker by default at the OOBE stage. Also now for the first time with Home edition.

    I can't think of any OEM system (Dell, HP, etc.) in recent years that doesn't ship with BitLocker pre-enabled.
  • USAFRet
    jp7189 said:
    Upgrade to 24H2 when logged in with a MS online account (required for key backup), and it will be enabled. Upgrade with a local (offline) account from computer with BL disabled and it won't be automatically enabled.
    And therein is the difference.

    All local account, unless absolutely required to log in with the MS account.