Recently, I read an excellent blog post about how a security firm outlined how they could extract the Bitlocker keys from a TPM 1.2 or TPM 2.0 device. This brute force penetration attack (test) was possible because the Bitlocker OS drive did not have a startup PIN enabled but simply a Bitlocker encrypted volume. Denis Andzakovic with Pulse Security (based in New Zealand) detailed how he was able to use open source and logic analyzer tools to extract the VMK (Volume Master Key) to ultimately decrypt the drive.
In my observations over the years when working with various customers, I’ve noticed some are hesitant to require their client user community use a Bitlocker startup PIN. The fear is the client users may reject the adoption of a process that requires them to enter a 4-6 digit PIN once they turn on their devices. In addition, decision-makers such as CIOs, VPs of IT and IT managers often compromise security in favor of the client user experience.
In contrast, most client users use something every day or every few minutes that require them to enter a PIN or fingerprint – their mobile phones. Requiring a startup PIN for Bitlocker is like a multi-factor authentication challenge with something the client user would know much like an ATM PIN that they are required to use with their debit card.
These additional security measures (startup PIN) provide multi-factor authentication and assurance that the computer will not boot or resume from hibernation until the correct PIN or USB flash drive are presented. Although it’s possible to use a USB as a startup device for Bitlocker I would not recommended its use but a PIN instead.
As you can see in the NIST document table listed below, TPM and PIN have the ability to achieve a higher level of security, unlike the default Bitlocker encryption without a PIN. You can read the full details from the NIST BitLocker™ Drive Encryption Security Policy here.
Volume Master Key Scenario
Default (TPM Only): SRK (VMK)
TPM and PIN: (SRK+SHA256 (PIN) (VMK)
EXTRACTING BITLOCKER KEYS FROM A TPM
In his article post, Dennis outlined the basics of Bitlocker and what he did to reproduce the issue and how he performed the hardware hack on the TPM chip of a Surface Pro 3 and HP laptop.
“When you enable BitLocker in its default configuration, no additional user interaction is required at boot. This is due to the TPM only being used to decrypt the VMK. The idea behind this is that if the laptop is stolen, and the attacker does not know your login password, they can not pull the drive and read the contents. Any modifications to the bios or boot loader code should change the PCR values, and the TPM will not unseal the VMK.
As the decryption happens automatically, if we can sniff the VMK as its being returned by the TPM then we can enter that information into any number of BitLocker libraries and decrypt the drive.”
So to recap, using the default Bitlocker without a startup PIN means it’s possible to sniff or brute force attack the TPM chip VMK secrets and
Solution / Mitigation
Simply put the mitigation would be to require/enable TPM+PIN pre-boot protectors using the MBAM or standard Bitlocker group policy settings. Microsoft outlines the countermeasures for this kind of attack here. Decision makers such as CIO’s and VPs of IT should discuss the risk to reward of requiring their users use a Windows 10 startup pre-boot PIN regardless if the Bitlocker keys are stored in Azure or MBAM on-premise.
While an inconvenience to the client users enforcing a Bitlocker startup PIN is a best practice and achieves a higher level of security. As with anything security measures are applied in layers and no one security setting or tool can stop everything but making attacks difficult by using such features as TPM+PIN can help mitigate the risk.
EXTRACTING BITLOCKER KEYS FROM A TPM – A detailed blog post from Denis Andzakovic with Pulse Security demonstrating how he was able to sniff TPM VMK secrets from a Surface Pro 3 and HP laptop. Linked here.
NIST BitLocker™ Drive Encryption Security Policy – A detailed document outlining the Bitlocker Drive Encryption standards. Linked here.
Why TPM 2.0? Reasons for Upgrade: Use Cases for the Latest Release of the TPM Specification. Linked here.
Enable Pre-boot authentication – Microsoft article outlining how to enable TPM+PIN as pre-boot startup requirement each time a PC reboots. Linked here.
Filed Under: Bitlocker, MBAM, MBAM 2.5 SP1, Security, TPM 2.0 // /