So I’ve just had a quick play with this and yes, it works.
-
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
I was worried I'd run out of tools that do not require opening a computer/laptop case, now that Microsoft's planning to patch Bitpixie this year.
But Windows is a gift that just keeps on giving
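The mitigation named above (TPM+PIN instead of TPM-only unlock) can be audited and applied from the defender's side. The following is an added example, not code from any post in this thread or from the YellowKey project: it uses the real BitLocker PowerShell cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector); the function names Get-TpmOnlyVolumes and Enable-TpmPinProtector are mine. It assumes an elevated session on Windows and a Group Policy that allows a startup PIN. The firmware (BIOS) password half of the mitigation is set in the vendor's setup utility and is not scriptable here.

```powershell
# Added example (not from the thread): find OS volumes that unlock with the TPM
# alone and move them to TPM+PIN. Assumes an elevated PowerShell session with the
# BitLocker module, and that the policy "Require additional authentication at
# startup" allows or requires a TPM startup PIN; otherwise Add-BitLockerKeyProtector fails.

function Get-TpmOnlyVolumes {
    # Encrypted OS volumes whose only TPM-based protector is the bare TPM one.
    Get-BitLockerVolume | Where-Object {
        $_.VolumeType -eq 'OperatingSystem' -and
        $_.ProtectionStatus -eq 'On' -and
        ($_.KeyProtector.KeyProtectorType -contains 'Tpm') -and
        -not ($_.KeyProtector.KeyProtectorType -contains 'TpmPin') -and
        -not ($_.KeyProtector.KeyProtectorType -contains 'TpmPinStartupKey')
    }
}

function Enable-TpmPinProtector {
    param([Parameter(Mandatory)][string]$MountPoint)

    # PIN is read as a SecureString, which is what -Pin expects.
    $pin = Read-Host -Prompt "Enter new BitLocker startup PIN" -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    # Windows keeps a single TPM-type protector per volume, so adding TPM+PIN
    # replaces the TPM-only one. The loop below is defensive: it verifies that
    # no bare TPM protector is left behind, because a remaining one would still
    # unlock the volume without a PIN.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    foreach ($kp in ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm')) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }

    # Report the resulting protector set for the volume.
    Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, ProtectionStatus,
        @{ n = 'Protectors'; e = { $_.KeyProtector.KeyProtectorType -join ', ' } }
}

$tpmOnly = Get-TpmOnlyVolumes
if (-not $tpmOnly) { "No TPM-only OS volumes found." }
foreach ($v in $tpmOnly) {
    "Volume $($v.MountPoint) is protected by TPM only; adding TPM+PIN."
    Enable-TpmPinProtector -MountPoint $v.MountPoint
}
```

After the change, the volume's protector list should show TpmPin (plus RecoveryPassword) and no bare Tpm entry; keep the recovery password escrowed before removing anything, since a forgotten PIN otherwise locks the machine out.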
-
@GossiTheDog I always assumed anything that could unlock an encrypted drive with no password or other authentication from the user could be bypassed. I figured if you don't have to enter a password, you have to assume that neither does anybody else.
-
@GossiTheDog hi just out of curiosity why would a bios password help / be required? is that only for if pcr7 isn't bound?
-
@tanavit @GossiTheDog
Haha yes, I saw that go by, along with an RCE flaw in Word.
-
@GossiTheDog why is Microsoft so lazy when it comes to developing mission critical software
-
@mkoek @GossiTheDog you can also usually get the same general result in this config by poking the motherboard with a logic analyser and dumping the TPM data off the bus.
@gsuberland @mkoek @GossiTheDog Unless Microsoft made another mistake this shouldn't be possible. Accessing disk encryption keys should always use what is called a "salted session", where the communication between TPM and application is encrypted, precisely to prevent passive attacks on the bus.
-
@drm No more need to bother with TPM sniffing
-
@GossiTheDog thank God I can recover an old SSD whose BitLocker key is somewhere in the short-circuited mainboard's Something Something Secure Module, and I happen to not have a backup of that specific BitLocker key
-
@S1m @GossiTheDog tested yesterday by a colleague, it works well! But it's going to be patched quickly...
-
@drm @GossiTheDog Always at the cutting edge, those colleagues. Isn't that a patch that needs the Secure Boot certificates updated? The kind of update that's always delayed
-
@S1m @GossiTheDog I think you're confusing it with this vuln https://github.com/garatc/BitUnlocker
-
@GossiTheDog I suspect you have that NSA key set.

-
@drm @GossiTheDog Ah well, I always thought BitLocker was by design vulnerable to downgrade attacks
-
@barubary @GossiTheDog It might be a "We have to deliver this and test this quicker" and someone forgot to remove it.
A backdoor implies planning and we're talking about Microsoft.
I'd bet for bad QA and controls and lazy development with a pinch of "hurry, deliver now"
Which is ... Worse?
@prsfalken @barubary @GossiTheDog they’re excellent at planning Copilot and spyware integrations, though.
-
@splinux @GossiTheDog my mom sent me an old ssd in the same situation. Haven't been able to recover her data from it so far.

-
@gsuberland @mkoek @GossiTheDog not always - this wouldn't work with a "firmware TPM" implementation in Intel ME/AMD PSP or in Pluton for example
-
@Rairii @GossiTheDog @mkoek yeah, I was just thinking "hm I should edit that post from yesterday to mention fTPMs"
-
For anybody looking at this, testing showed two things:
- TPM unlocked the storage
- it provides a login bypass, as you’re dumped as SYSTEM prior to Windows Hello or password login
BitLocker operates without a PIN by default so it’s basically a big gap, it’s unclear how this code made it into the production version of Windows.
Technically you're running in WinPE with unlocked drive.
-
@berglerma @gsuberland @mkoek @GossiTheDog This is BitLocker we are talking about. There's about one yearly post somewhere online, from someone new who bypassed bitlocker with an arduino and two paperclips. It's always passive attacks on the bus.