Les Bell
Blog entry by Les Bell
Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.
News Stories
BitLocker Broken Using Cheap Logic Analyzer
One of the most common - and, generally, most effective - safeguards for mobile devices such as laptop computers is the use of encrypted filesystems such as BitLocker, Veracrypt and others. And, of course, to protect the encryption key used for an encrypted volume, the best option would be to store it, not on the disk itself, but in the Trusted Platform Module.
This is the way that BitLocker works; the BitLocker partition on a laptop is encrypted using a Full Volume Encryption Key, which is itself encrypted using the Volume Master Key and then stored on the disk, next to the encrypted data. The Volume Master Key is sealed in the TPM chip, and only unsealed when the system is booted.
Now, pen tester and security engineer Guilaume Quéré has demonstrated a fairly simple and inexpensive attack which extracts the Volume Master Key as it is transferred over the laptop SPI (Serial Peripheral interface) bus from the TPM to the CPU. Quéré accomplished this attack on a Lenovo L13 laptop, using a sub-$US100 logic analyzer, admittedly pushing it to its limits. The SPI bus has several lines, but the best the DSLogic analyzer can do is to sample three of them without exceeding its limits - but fortunately only the clock (CLK) and the two data lines (MOSI and MISO) are required. And rather than trying to connect to the tiny pins of the TPM chip, he was able to pick these signal lines of a larger nearby flash memory chip which is also on the SPI bus.
Once the logic analyzer was successfully capturing the signal, the next step was to decode the protocol used to transfer the VMK. In fact, there are three layers involved:
- SPI (the physical layer)
- TIS (TPM Interface Specification)
- TPM 2.0 (which carries the TPM commands and the VMK itself)
According to Quéré, it was the TIS layer that proved most challenging, perhaps because his captures did not include the SPI bus's CS (Chip Select) signal. In the end, Quéré resorted to manually decoding these frames. From there, he was able to identify the TPM_Unseal command in the TPM 2.0 frames, and then find the response, which comes around 10 ms later and carries the 256-bit Volume Master Key. From there, it was a simple matter of a few commands to mount the disk and bypass the BitLocker protection.
According to Quéré, the use of the TPM does not increase the security of the system as expected, especially since a more expensive, professional-grade logic analyzer - well within the budget of even moderately serious threat actors - would have saved a lot of time and simplified the attack. Currently, the best safeguard will be to set a passphrase or PIN on BitLocker; in the longer term, integration of the TPM onto the CPU die will mean that the communication between them is not externally exposed.
Quéré, Guillaume, Bypassing Bitlocker using a cheap logic analyzer on a Lenovo laptop, blog post, undated. Available online at https://www.errno.fr/BypassingBitlocker.html.
Rowntree, Dave, Bypassing Bitlocker With A Logic Analzyer, Hackaday, 25 August 2023. Available online at https://hackaday.com/2023/08/25/bypassing-bitlocker-with-a-logic-analzyer/.
These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.
Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.