38C3: BitLocker encryption of Windows 11 bypassed without opening the PC
Two years after a loophole was supposedly fixed, it can still be used to decrypt BitLocker-protected hard disks in Windows 11
(Image: heise online)
At the Chaos Communication Congress, security researcher and hardware hacker Thomas Lambertz (th0mas) showed in his presentation "Windows BitLocker: Screwed without a Screwdriver" how Microsoft's BitLocker drive encryption can be circumvented to decrypt protected Windows 11 systems over the network. This requires one-time physical access to put the device into recovery mode and connect a network cable. It is not necessary to open the device.
The exploited flaw CVE-2023-21563 belongs to the category of "bitpixie" attacks and has been documented since summer 2022. Microsoft has not yet closed it properly, although the bug has been considered fixed since November 2022. th0mas demonstrated that the vulnerability can still be exploited with a downgrade attack.
BitLocker is enabled by default on newer Windows 11 installations under "Device Encryption". In this mode, the hard disk is encrypted at rest but is automatically decrypted when a legitimate Windows is booted. During his talk, Lambertz demonstrated live how a fully updated Windows 11 can be attacked. To do this, he used Secure Boot to first start an outdated Windows boot loader. Unfortunately, when this loader drops into recovery mode it "forgets" the encryption key, leaving it behind in working memory.
In order to get hold of it, the hacker booted a customized Linux system with Secure Boot, which granted him access to the RAM. He then used a vulnerability in the Linux kernel to read the memory contents and extract the "forgotten" volume master key from BitLocker. This procedure allows him to access the encrypted data without physical access to the storage medium.
(Image: Thomas Lambertz / Screenshot 38C3)
Limited UEFI memory delays protection against BitLocker gap
Lambertz emphasized that Microsoft has been aware of the problem for a long time. A permanent solution would be to revoke the certificates for vulnerable bootloaders, but the memory space reserved for this in the UEFI firmware is limited. From 2026, Microsoft plans to distribute new secure boot certificates, which would force motherboard manufacturers to update the UEFI.
Complete protection against the bitpixie gap is currently only possible by securing BitLocker with a user PIN, which may be limited depending on the Windows version. Thomas Lambertz also advises deactivating the network options in the BIOS setup, as attackers could also exploit the bitpixie bug via USB network adapters.
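To see whether a machine relies on the TPM-only unlock mode described above (where the key is released on boot without user input) or already has the pre-boot PIN the talk recommends, an administrator can inspect the configured key protectors. The script below is an added example, not part of the article or the talk; it assumes an elevated PowerShell session on Windows with the BitLocker module (`Get-BitLockerVolume`) available.

```powershell
# Added example (not from the article): report which BitLocker volumes are
# unlocked by the TPM alone and therefore lack a pre-boot PIN.
# Assumes: elevated PowerShell on Windows, BitLocker module present.
function Get-BitLockerPinStatus {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType is an enum; compare by name for readability.
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # TpmPin / TpmPinStartupKey require user input before the volume
        # master key is released; a bare 'Tpm' protector does not.
        $hasPin  = [bool]($types | Where-Object { $_ -in @('TpmPin', 'TpmPinStartupKey') })
        $tpmOnly = ($types -contains 'Tpm') -and -not $hasPin

        if ($tpmOnly) {
            # Add-BitLockerKeyProtector -TpmAndPinProtector prompts for a PIN;
            # the "Require additional authentication at startup" policy can
            # enforce it. Availability depends on the Windows edition.
            $advice = 'TPM-only unlock: add a TPM+PIN protector (Add-BitLockerKeyProtector -TpmAndPinProtector)'
        } elseif ($hasPin) {
            $advice = 'Pre-boot PIN configured'
        } else {
            $advice = 'No TPM protector found: review configuration'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnlyUnlock    = $tpmOnly
            Recommendation   = $advice
        }
    }
}

Get-BitLockerPinStatus | Format-Table -AutoSize
```

Volumes reported with `TpmOnlyUnlock = True` are the ones whose key would be available to a boot loader without any user interaction; adding a PIN changes that, while disabling network boot options in the firmware setup addresses the delivery path the talk used.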
The faulTPM attack on weaknesses in AMD CPUs, presented last year, also made it possible to access encrypted secrets such as those needed to decrypt BitLocker, but it requires several hours of physical access. This new variant greatly reduces the physical access time required for unauthorized opening of BitLocker drives.
(vza)