An attacker with physical access can abruptly restart the device and dump RAM, as analysis of this memory may reveal FVEK keys from recently running Windows instances, compromising data encryption.
The effectiveness of this attack is, however, limited because the data stored in RAM degrades rapidly after the power is cut off.
You’re misreading that, I’m afraid. Direct from the researcher:
“While Windows is loading” … You must restart after the BitLocker password has been entered and the key is stored in RAM, that’s how this exploit works. He had the best luck at that point durong boot, but it could be attempted at any time when RAM is powered and BitLocker is already unlocked. A shutdown or hibernated system is not vulnerable.
A lot of BitLocker setups unlock using just TPM though, which was my point. No password/PIN needs to be entered at boot time to unlock it, it uses the TPM to unlock. This is the default setup that many companies use. Password/PIN unlock is completely optional.
I’m not misreading that.
Not the default at any company I’ve been at. What’s the point of encryption if it’s unlocked right away? Whoever’s doing that deserves this exploit. However, since that’s factually correct I’ll edit my original comment to add in:
Exactly.
I don’t use BitLocker, but I do use FDE on Linux, and I use a password at the bootloader level. Why would I bother with all the downsides of FDE if it isn’t actually secured by a password?
If the computer doesn’t password protection and the attacker has physical access… They can just copy the data, why care about the keys?
I think that’s already a worst case scenario.
The user still has to login to their user account. The assumption is that the Windows login is secure so BitLocker can decrypt using TPM and an attacker still won’t have access to the data without being able to log in.
This article obviously shows a method how an attacker can potentially still get access to the data without logging in.