Microsoft’s Bitlocker & TPM encryption combo defeated with a $10 Raspberry Pi::The point of Microsoft’s Bitlocker security feature is to protect personal data stored locally on devices and particularly when those devices are lost or otherwise physically compromised. With Bi

  • @[email protected]
    link
    fedilink
    English
    16611 months ago

    It should be noted that this attack was demonstrated on a nearly 10 year old laptop that has the TPM traces exposed on the motherboard.

    Most TPMs nowadays are built into the CPU which does not leave them vulnerable to this type of attack.

      • @surewhynotlem
        link
        English
        6411 months ago

        I don’t get the downvoting. This is solid commentary on the Flipper Zero idiocy.

    • @cheese_greater
      link
      English
      28
      edit-2
      11 months ago

      Its definitely sort or misleading but MS needs to really have its feet held to the fire when it comes to these things. It sort of pushes the narrative in the correct direction which is towards privacy AND security, not a half-ass balance where one or the other or both is compromised or is an illusion altogether

      The Outlook stuff has demonstrated how fundamentally irresponsible and unserious they are about their obligation to secure and regulate their own systems, they need all the bad press they can get so they are compelled to do betwr

      • Shadow
        link
        fedilink
        English
        18
        edit-2
        11 months ago

        Because MS designed Lenovo motherboard for them and told them where to put the tpm debug pins? I think you’re casting blame at the wrong vendor here.

        Doesn’t matter how good the software is if the hardware vendor fucks up like that.

        • Natanael
          link
          fedilink
          English
          110 months ago

          They’re heavily involved with the development of the spec and guidance to OEMs on how to implement it

  • @TORFdot0
    link
    English
    9111 months ago

    Fake news. Nobody is getting a raspberry pi for $10 lol

    • @f4f4f4f4f4f4f4f4
      link
      English
      3511 months ago

      I get your joke, but it’s even cheaper than a “Raspberry Pi”. Pi Pico, one RP2040 chip, that’s basically RPi’s new version of a Teensy. I just installed one in my GameCube to defeat its “BIOS” and boot from micro SD card :P

      • @andrewth09
        link
        English
        1711 months ago

        I just installed one in my GameCube to defeat its “BIOS” and boot from micro SD card :P

        Coolest thing I heard all day. Didn’t know that was a thing.

    • @Hiro8811
      link
      English
      411 months ago

      With shipping it’s more than ten but on it’s own it’s 6,10 for the H model

    • @PeterPoopshit
      link
      English
      27
      edit-2
      10 months ago

      There probably will someday be a push to prevent common normal people from having access to computer systems that offer the user root or superuser access. “ThE aVeRaGe PeRsOn DoEsNt NeEd AdMiN pErMiSsIoNs” or “think of the children”. Ipads and surface pros will be allowed but something like a socket 1155 motherboard won’t.

      • @[email protected]
        link
        fedilink
        English
        1210 months ago

        Someday? Canada is already trying to ban the Flipper Zero, we’re living in your nightmare.

      • @[email protected]
        link
        fedilink
        English
        1110 months ago

        We’re gonna have problems getting enough software engineers in the future. How is anyone supposed to learn when everything is locked away. It’s already happening in the repair industry and the trades.

        • @PeterPoopshit
          link
          English
          3
          edit-2
          10 months ago

          When the government starts taking away unlocked bootloader phones, I will be switching to ham radio instead of getting a locked down phone. Fuck the system.

          • Virtual Insanity
            link
            English
            110 months ago

            Sad thing is there is no way to securely communicate via ham radio.

            But I’d be fully open to going pirate!

            And with regard to unlocked bootloaders, I think it’s the manufactures wanting to lock away choice and options that is the issue more than the government.

      • @Specal
        link
        English
        -110 months ago

        No one wants LGA1155 anymore anyway so it’s Gucci, my i7-2600 was far past it’s life span 5 years ago

          • @Specal
            link
            English
            010 months ago

            The IPC just isn’t good enough of those chips anymore, making them really inefficient. You’d be better off buying a modern celeron

            • @[email protected]
              link
              fedilink
              English
              2
              edit-2
              10 months ago

              A modern celeron costs like 150 bucks after a motherboard and ram, you can buy an old pc that’s bound for a landfill for like 20 bucks, and they are perfectly usable for something like a nas, a tor node, or a minecraft server

              Edit: 150’s a bit high prolly like 90 is possible

              • @Specal
                link
                English
                210 months ago

                The old wholesale of PCs for 20 buckeroos doesn’t really exist here in the UK so I never considered that

  • bruhduh
    link
    English
    3411 months ago

    Yet another example of “hardware access is root access”

  • circuscritic
    link
    fedilink
    English
    3211 months ago

    $10… not really in video. He had a custom PCB made so the pogo pins were on the board, all in one.

    Honestly, pretty awesome. Although as noted, this is for older boards without TPM integration in CPU.

    It can also be done with a logic analyzer.

    • LazaroFilm
      link
      English
      1011 months ago

      The pi is $10. The rest is much more.

      • @Treczoks
        link
        English
        511 months ago

        That is a PI Nano. They gave them away for free at a trade fair. I’ve got a bag of them laying around for my next project.

    • circuscritic
      link
      fedilink
      English
      19
      edit-2
      11 months ago

      It’s a Pi Pico (RP2040), which is an MCU, not CPU. Similar to an Arduino UNO (ATmega328p).

    • bruhduh
      link
      English
      111 months ago

      deleted by creator

  • @[email protected]
    link
    fedilink
    English
    16
    edit-2
    10 months ago

    The concept and implementation of TPM use has been a joke since inception.

    veracrypt or luks; bitlocker is a total joke.

  • @kadu
    link
    English
    1611 months ago

    deleted by creator

    • @[email protected]
      link
      fedilink
      English
      2411 months ago

      Isn’t the whole point of BitLocker protection from direct access? When a computer is turned off, encryption should keep the data safe. Also when a computer is turned off, basically no remote vector is going to work. AFAIK, when the computer is on, the drive is mounted and BitLocker provides no additional protection over an unencrypted drive.

      • @kadu
        link
        English
        611 months ago

        deleted by creator

        • @[email protected]
          link
          fedilink
          English
          211 months ago

          Veracrypt drive encryption does not have the same problem, it would be secure even with physical access

          • @kadu
            link
            English
            211 months ago

            deleted by creator

            • @[email protected]
              link
              fedilink
              English
              111 months ago

              Yeah, it’s safe because of no TPM usage. You can boot from an encrypted drive, it’ll prompt for the key instead of auto loading from vulnerable hardware

              • Natanael
                link
                fedilink
                English
                310 months ago

                Bitlocker supports the same usecase, but everybody wants that automatic boot feature so…

                It also lets you store a secondary key on a server and require the computer to be on trusted networks to be able to retrieve it to boot, but I’ve never ever heard of anybody using that

    • @[email protected]
      link
      fedilink
      English
      1111 months ago

      Correct. However, if you have a way to run a PowerShell command as an administrator, you can run a single cmdlet to get access to the bitlocker recovery key.

  • @[email protected]
    link
    fedilink
    English
    1211 months ago

    Unsurprised. Physical security seems to be a lot tougher for the industry to “nail”

    Just look at this UEFI boot fail vuln/exploit. Crazy.

  • Optional
    link
    English
    311 months ago

    Hey - hey member that time when Truecrypt was like, “Peace, we out. Use bitlocker. lol”

    When’s the new Truecrypt coming out? Yeah yeah Veracrypt, I know. It’s cool, its just not. I dunno.

    • Natanael
      link
      fedilink
      English
      1910 months ago

      Bitlocker’s threat model is physical access, though. And it’s 50% of TPM’s threat model too.

      • @[email protected]
        link
        fedilink
        English
        0
        edit-2
        10 months ago

        Yeah which is why no one cares about either. The threat vector is usually not discussed and mostly ignored by non state-level actors in practice.

        I do agree that it’s fascinating. My master’s degree thesis was on sourcing trust and eliminating various evil maid type attacks, including supply side targeted poisoned hardware aimed at state level.