Hacker demonstrates the supposedly patched Windows 11 BitLocker is still vulnerable to hackers — default encryption can be overcome with network access


This week at the Chaos Computer Club's (CCC) annual Chaos Communication Congress, hacker Thomas Lambertz presented 'Windows BitLocker: Screwed without a Screwdriver,' detailing how BitLocker encryption can be defeated to gain access to protected data. The bug, CVE-2023-21563, was reported as fixed but can still be exploited on current versions of Windows with only one-time physical access to the device and a network connection. Notably, the attack does not require opening up the PC or having hours of access, unlike other drive-decryption exploits [h/t Heise].

This attack falls into the category of "bitpixie" attacks, which have been well documented since mid-2022. Although this specific flaw was technically fixed by updates in November 2022, the demonstration shows that the fix is, unfortunately, only surface-level. Secure Boot is used to start an outdated Windows bootloader, which loads the encryption key into memory; Linux is then used to read the contents of memory and recover the BitLocker key. The result is that a fully updated Windows 11 system can still be attacked as if it had never been patched against bitpixie at all.

Christopher Harper
Contributing Writer

Christopher Harper has been a successful freelance tech writer specializing in PC hardware and gaming since 2015, and ghostwrote for various B2B clients in High School before that. Outside of work, Christopher is best known to friends and rivals as an active competitive player in various eSports (particularly fighting games and arena shooters) and a purveyor of music ranging from Jimi Hendrix to Killer Mike to the Sonic Adventure 2 soundtrack.

  • hotaru251
    "requires physical access"

    again if a bad actor has physical access you have larger issues.
  • toffty
    hotaru251 said:
    "requires physical access"

    again if a bad actor has physical access you have larger issues.
    Not quite in this case. The difference here is, if a bad actor steals a laptop, they could not copy the data off a drive due to the encryption. If this hack is real, a stolen laptop makes the data gettable.
  • magbarn
    So frustrating that 24H2 has BL turned on by default.
  • USAFRet
    magbarn said:
    So frustrating that 24H2 has BL turned on by default.
    1. No, it does not.

    2. BL enabled, slightly hackable. BL not enabled, more hackable.
  • jp7189
    hotaru251 said:
    "requires physical access"

    again if a bad actor has physical access you have larger issues.
    In most jurisdictions BitLocker changes a stolen laptop with PII from an obligatory, publicly reported data breach to a non-event, and frankly that's all most companies really care about. Sadly, real security takes a back seat to legal liability.
  • jp7189
    It should be noted that the TPM transmits data serially and the signal is possible to sniff if you have physical access. This attack is an easier way to achieve the same result. MS has been pretty open about this potential vulnerability and states it clearly on the main BitLocker page. Using PIN + TPM is effective in stopping all these types of attacks. Again this is stated on the BitLocker page. Recovering TPM and brute-forcing the PIN is still possible, but in my opinion puts this in the realm of a different class of adversary.
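    A practical follow-up to the TPM + PIN point above, as an added example that is not part of the article or of the comment: this PowerShell uses the BitLocker module that ships with Windows to report, per volume, whether protection rests on a bare TPM protector (the configuration in which the key is released on the boot path with no user secret) and, optionally, to add a TPM + PIN protector and retire the TPM-only one. The function names Get-BitLockerPosture and Add-PreBootPin are my own; Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector and Confirm-SecureBootUEFI are Microsoft's cmdlets. It assumes an elevated prompt on a UEFI machine and, for the PIN step, that policy permits a startup PIN.

```powershell
# Added example, not code from the article or the commenter. Audits local BitLocker
# key protectors and flags OS volumes that rely on a TPM-only protector (no pre-boot PIN).
# Run from an elevated PowerShell prompt on Windows.
#Requires -RunAsAdministrator

function Get-BitLockerPosture {
    # Confirm-SecureBootUEFI throws on legacy BIOS / non-UEFI firmware; treat that as "not enabled".
    $secureBoot = $false
    try { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) } catch { $secureBoot = $false }

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum: Tpm, TpmPin, TpmStartupKey, TpmPinStartupKey,
        # RecoveryPassword, ExternalKey, Password, ...
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        $hasTpmOnly  = $types -contains 'Tpm'
        $hasPin      = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $hasRecovery = $types -contains 'RecoveryPassword'

        # Only the OS volume is unsealed by the boot chain, so the posture label applies there.
        $posture = if ($vol.ProtectionStatus -ne 'On')          { 'ProtectionOff' }
                   elseif ($vol.VolumeType -ne 'OperatingSystem') { 'DataVolume' }
                   elseif ($hasPin)                               { 'TpmPlusPin' }
                   elseif ($hasTpmOnly)                           { 'TpmOnly' }
                   else                                           { 'Other' }

        [pscustomobject]@{
            MountPoint     = $vol.MountPoint
            VolumeType     = $vol.VolumeType
            Protection     = $vol.ProtectionStatus
            Protectors     = ($types -join ',')
            HasRecoveryKey = $hasRecovery
            SecureBoot     = $secureBoot
            Posture        = $posture
        }
    }
}

function Add-PreBootPin {
    # Adds a TPM+PIN protector to the OS volume and removes any bare TPM protector left behind.
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    # Refuse to touch protectors unless a recovery password exists; lock-out otherwise means data loss.
    if (-not ($types -contains 'RecoveryPassword')) {
        throw "Add and back up a recovery password for $MountPoint before changing protectors."
    }
    # Fails unless the 'Require additional authentication at startup' policy allows a PIN.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # If a bare TPM protector remains, remove it so the volume no longer unseals without the PIN.
    foreach ($kp in (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector) {
        if ($kp.KeyProtectorType.ToString() -eq 'Tpm') {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
        }
    }
    Get-BitLockerPosture | Where-Object MountPoint -eq $MountPoint
}

# Usage: report first, then (optionally) add the PIN to the system drive.
Get-BitLockerPosture | Format-Table -AutoSize
# Add-PreBootPin -Pin (Read-Host -AsSecureString 'Pre-boot PIN')
```

    A row whose Posture reads TpmOnly with Protection On is the configuration this class of attack targets; TpmPlusPin means the key is not released without the user secret. The script deliberately refuses the PIN change when no recovery password is present, since retiring the TPM protector on a volume with no other way in is a self-inflicted lockout.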
  • magbarn
    USAFRet said:
    1. No, it does not.

    2. BL enabled, slightly hackable. BL not enabled, more hackable.
    1. I've done several 24H2 clean installs from USB and they all defaulted to BL on.
  • USAFRet
    magbarn said:
    1. I've done several 24H2 clean installs from USB and they all defaulted to BL on.
    And my main Win 11 Pro system upgraded to 24H2 a few weeks ago, and remains BL free.
  • jp7189
    USAFRet said:
    And my main Win 11 Pro system upgraded to 24H2 a few weeks ago, and remains BL free.
    BL enabled is the default condition unless it's blocked. Upgrade to 24H2 when logged in with a MS online account (required for key backup), and it will be enabled. Upgrade with a local (offline) account from a computer with BL disabled and it won't be automatically enabled.

    A fresh install of 24H2 enables BitLocker by default at the OOBE stage. Also now for the first time with Home edition.

    I can't think of any OEM system (Dell, HP, etc.) in recent years that doesn't ship with BitLocker pre-enabled.
  • USAFRet
    jp7189 said:
    Upgrade to 24H2 when logged in with a MS online account (required for key backup), and it will be enabled. Upgrade with a local (offline) account from computer with BL disabled and it won't be automatically enabled.
    And therein is the difference.

    All local account, unless absolutely required to log in with the MS account.