Discovering the BitLocker drive encryption PIN under Windows

Fraunhofer SIT has posted a method for discovering the BitLocker drive encryption PIN under Windows. The method works even where a Trusted Platform Module (TPM) is used to protect the boot process. “An attacker with access to the target computer simply boots from a USB flash drive and replaces the BitLocker bootloader with a substitute bootloader which mimics the BitLocker PIN query process but saves the PINs entered by the user to disk in unencrypted form. Although the BitLocker boot process carries out an integrity check on the system, and thereby the Windows installation, it doesn’t check the bootloader itself – not that the actual attack described even gets as far as the Windows boot process. Once the substitute bootloader has saved the victim's PIN to the hard drive, it rewrites the original bootloader to the MBR and restarts the system. The victim may indeed wonder why their computer’s restarting, but then we've all seen computers suddenly decide to abort a boot and restart. To get hold of the saved PIN, the attacker needs to gain access to the target computer for a second time, to once more boot up from a USB flash drive and then access the hard drive. The computer can then be rebooted and the PIN thus obtained used to open up BitLocker, allowing access to the protected Windows system.”
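As an added example (not code from the original post or from Fraunhofer SIT), the PowerShell audit below reports which key protectors the operating-system volume uses and whether a pre-boot PIN prompt is among them, so an administrator can see which machines depend on the PIN query the substitute bootloader imitates. It assumes the BitLocker module's Get-BitLockerVolume cmdlet and the $env:firmware_type variable are available (Windows 8 / Server 2012 and later) and that the OS volume is the one Get-BitLockerVolume reports as VolumeType 'OperatingSystem'; the function name is the author's own.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: inventory BitLocker key protectors on the
# OS volume and flag a pre-boot PIN prompt, which is what the described attack records.

function Get-OsVolumeProtectorReport {
    # Assumption: the OS volume is reported with VolumeType 'OperatingSystem'.
    $osVolume = Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        Select-Object -First 1
    if (-not $osVolume) {
        throw 'Get-BitLockerVolume reported no operating system volume.'
    }

    # Collect the protector type names, e.g. Tpm, TpmPin, RecoveryPassword.
    $types = @($osVolume.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # Protector types that show a PIN prompt before Windows starts. The PIN is typed
    # at that prompt before any TPM check runs, which is the gap the text describes.
    $pinTypes = @('TpmPin', 'TpmPinStartupKey')
    $usesPin  = [bool]($types | Where-Object { $pinTypes -contains $_ })

    # Firmware mode: on legacy BIOS systems the bootloader lives in the MBR, the
    # location the substitute bootloader overwrites and later restores.
    $firmware = if ($env:firmware_type) { $env:firmware_type } else { 'Unknown' }

    [pscustomobject]@{
        MountPoint       = $osVolume.MountPoint
        ProtectionStatus = $osVolume.ProtectionStatus.ToString()
        Protectors       = ($types -join ', ')
        PreBootPin       = $usesPin
        FirmwareType     = $firmware
        Note             = if ($usesPin) {
            'Pre-boot PIN prompt present; physical access to the machine exposes the PIN to a substituted bootloader.'
        } else {
            'No pre-boot PIN prompt; the PIN-capture attack described does not apply to this volume.'
        }
    }
}

Get-OsVolumeProtectorReport | Format-List
```

Run it from an elevated prompt. A machine listed with PreBootPin = True and FirmwareType = Legacy follows exactly the boot path the text describes (MBR bootloader, PIN entered before any integrity check), so its physical-access exposure should be weighed accordingly; collecting the report across a fleet makes it easy to see how many systems rely on that prompt.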

More info: Demo and PDF