So I’ve just had a quick play with this and yes, it works.
-
@GossiTheDog not a Windows guy so forgive me but I don’t get it. Copy the Fstx folder from where? The target system itself?
@mkoek @GossiTheDog the repo.
-
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
@GossiTheDog could this be used to unlock a drive taken from a dead laptop/pc, when the user doesn't have the bitlocker key saved?
-
@mkoek @GossiTheDog the repo.
@gsuberland @GossiTheDog oh right, sorry didn’t notice it there
and how do you click restart without being already in? Not a Windows user, I’m sure you can tell -
@gsuberland @GossiTheDog oh right, sorry didn’t notice it there
and how do you click restart without being already in? Not a Windows user, I’m sure you can tell@mkoek @GossiTheDog I'm pretty sure this only bypasses the bitlocker config where there's no password, just a key held by the TPM, which is supposed to protect against offline attacks (e.g. unplug your disk and plug it into another machine). so what you do is boot the victim system up to the login screen, follow the procedure here, and it drops you into cmd after bitlocker unlocks. so it really functions more like a login bypass than what most people would think when you say "bitlocker bypass".
-
@mkoek @GossiTheDog I'm pretty sure this only bypasses the bitlocker config where there's no password, just a key held by the TPM, which is supposed to protect against offline attacks (e.g. unplug your disk and plug it into another machine). so what you do is boot the victim system up to the login screen, follow the procedure here, and it drops you into cmd after bitlocker unlocks. so it really functions more like a login bypass than what most people would think when you say "bitlocker bypass".
@mkoek @GossiTheDog you can also usually get the same general result in this config by poking the motherboard with a logic analyser and dumping the TPM data off the bus.
-
@GossiTheDog could this be used to unlock a drive taken from a dead laptop/pc, when the user doesn't have the bitlocker key saved?
-
@GossiTheDog could this be used to unlock a drive taken from a dead laptop/pc, when the user doesn't have the bitlocker key saved?
@kirenida @GossiTheDog if the drive is still in the dead system you'd be better off trying to get it to a point where it'll boot to the point of the TPM being read.
-
I think my prior toot on NightmareEclipse auto deleted so to make a perm one - it isn’t me. I suspect it’s somebody who used to work at MSFT, who departed after my era.
@GossiTheDog It did cross my mind that this could perhaps be the person who used to drop 0-days on Twitter a few years ago when they were having a bad day.
-
@gsuberland @kirenida @GossiTheDog It could maybe restore my windows where bitlocker prompts me for the key which I have forgotten. Or I get that prompt because my TPM forgot the key, and that's then not possible.
Anyway, running linux now. -
@barubary @GossiTheDog It might be a "We've to deliver this and test this quicker" and someone forgot to remove.
A backdoor implies planning and we're talking about Microsoft.
I'd bet for bad QA and controls and lazy development with a pinch of "hurry, deliver now"
Which is ... Worse?
@prsfalken
This probably would be the only option that this is not a back door.Otherwise I'd say this is the reason the backdoor was found
-
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
@GossiTheDog I never trusted #BitLocker with it's #Govware - #Backdoor anyway!
- Cuz now people put that trust into some #BackBox IC (#TPM) that is usually soldered down on the board that may or may not be #exploitable from the factory (whether due to #bugs, #incompetence or "Export Restrictions #Compliance" is irrelevant for the affected End-Users!)…
- If (for some horrible reason that I refuse to acknowledge as legitimate!) someone needs a #Windows machine BUT with #FullDiskEncryption, they should use the only REAL #FDE: #VeraCrypt!
#CensorBoot never was about #Security…
- Calling it "#SecureBoot" is adopting the enemy's #Propaganda-Speak!
-
@gsuberland @kirenida @GossiTheDog It could maybe restore my windows where bitlocker prompts me for the key which I have forgotten. Or I get that prompt because my TPM forgot the key, and that's then not possible.
Anyway, running linux now.@gunstick @kirenida @GossiTheDog nope. it needs a functioning TPM with the right key, and BitLocker in no password mode. this is only functionally a login bypass.
-
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
@GossiTheDog
Oh wow, a backdoor in a Microsoft product, much wow \s -
M mrmasterkeyboard@mastodon.social shared this topic
-
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
@GossiTheDog I am shocked. Shocked I say!
-
@GossiTheDog I am shocked. Shocked I say!
Rememeber: never ask “is this Microsoft security product backdoored?”
Instead ask: “how exactly is it backdoored? How many back doors are there?”
-
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
@GossiTheDog i wouldn't be surprised if this was supposed to only be built in certain branches via velocity configuration, and someone fucked up when merging some other changes in -
Rememeber: never ask “is this Microsoft security product backdoored?”
Instead ask: “how exactly is it backdoored? How many back doors are there?”
@GossiTheDog Also: that’s worse?
- Microsoft and intentionally backdooring BitLocker
- Microsoft unintentionally backdooring bitlocker -
So I’ve just had a quick play with this and yes, it works. Essentially BitLocker has a backdoor. https://github.com/Nightmare-Eclipse/YellowKey
Mitigation = BitLocker PIN and BIOS password lock.
-
I think my prior toot on NightmareEclipse auto deleted so to make a perm one - it isn’t me. I suspect it’s somebody who used to work at MSFT, who departed after my era.
For anybody looking at this, testing showed two things:
- TPM unlocked the storage
- it provides a login bypass, as you’re dumped as SYSTEM prior to Windows Hello or password loginBitLocker operates without a PIN by default so it’s basically a big gap, it’s unclear how this code made it into the production version of Windows.
-
For anybody looking at this, testing showed two things:
- TPM unlocked the storage
- it provides a login bypass, as you’re dumped as SYSTEM prior to Windows Hello or password loginBitLocker operates without a PIN by default so it’s basically a big gap, it’s unclear how this code made it into the production version of Windows.
I should point out I’ve only tested with one version of Windows 11 - maybe the scope is smaller.
