BitLeaker: Subverting BitLocker with One Vulnerability

Conference: BlackHat EU 2019



The presentation describes how the VMK can be extracted from BitLocker-encrypted drives by combining TPM vulnerabilities with reverse engineering.
  • The speaker discovered sleep mode vulnerabilities (CVE-2018-6622 and CPE2020526) that can be exploited to reach the dTPM and fTPM by triggering the S3 sleep state.
  • The speaker used reverse engineering to extract the VMK from the TPMs and mount the encrypted partition.
  • The speaker built a custom bootloader with hooks into the UEFI TPM protocol to dump every TPM command and its parameters.
  • The speaker was able to extract the VMK from other PCs by locating the public and private data of the sealed VMK together with the PCR policy and PCR bitmap.
  • The speaker reset the dTPM and fTPM and replayed the recorded hashes to the TPM to extract the VMK.
  • The speaker successfully extracted the VMK from the exploited TPM.
The speaker overcame adversity and went back to their peaceful life after discovering the vulnerabilities and successfully extracting the VMK. They also became a speaker and a member of Blacklasia.


Trusted Platform Module (TPM) is a tamper-resistant security module. It has been widely deployed in commercial devices to protect secret data and ensure the trustworthiness of a system. There are two typical types of TPMs, hardware-based discrete TPM (dTPM) and firmware-based TPM (fTPM). Microsoft Windows has used both types of TPMs to protect the Volume Master Key (VMK) of their disk encryption software, BitLocker.

BitLocker's TPM feature has not been analyzed in detail. It has hidden behind the TPMs because the TPM protected the VMK of BitLocker with sealing and unsealing functions. Most security researchers concluded the VMK sealed by the TPM was safe. Recent works also showed the only way to extract the VMK from the TPM was physical access like probing the Low Pin Count (LPC) bus or TPM pins. However, we found a novel way that can subvert BitLocker with only the software. So, free lunch for BitLocker is over.

In this talk, we introduce a sleep mode vulnerability of the dTPM and fTPM that can subvert BitLocker. We also present our new tool, BitLeaker, that can extract the VMK from the TPMs and decrypt a BitLocker-locked partition without physical access. Last year, we already introduced a dTPM vulnerability, CVE-2018-6622. However, we found another new vulnerability related to the fTPM this year, especially Intel Platform Trust Technology (PTT). The sleep mode vulnerability can subvert not only the fTPM but also the dTPM with system sleep mode, and it can forge Platform Configuration Registers (PCRs). PCRs are core parts of the sealing and unsealing functions to protect the VMK of BitLocker. By exploiting the vulnerability, we extracted the VMK from TPMs and decrypted a BitLocker-locked partition with our custom tool, BitLeaker. Additionally, we present detailed information on BitLocker's VMK protection process related to the TPM and countermeasures.
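To make the PCR-binding point concrete, here is a small simulation, added for this summary and not part of the talk or the BitLeaker tool: it models the TPM 2.0 PCR extend operation, a simplified PCR policy digest (real TPM2 PolicyPCR also hashes a TPML_PCR_SELECTION structure, which is omitted here), and shows that a policy bound only to PCR values is satisfied by any TPM whose PCRs are rebuilt from the same measurement log, while a changed measurement is refused. The boot log entries are constructed sample data, not real firmware or bootloader hashes.

```python
import hashlib

# Constructed sample measurement log: (pcr_index, description, measured bytes).
BOOT_LOG = [
    (0, "firmware image", b"constructed-firmware-blob"),
    (7, "secure boot policy", b"constructed-sb-policy"),
    (11, "bootloader", b"constructed-bootmgr"),
]
SELECTION = (0, 7, 11)   # PCRs the key is sealed against (assumed for the demo)
RESET_PCR = b"\x00" * 32  # SHA-256 bank value after a TPM reset


def pcr_extend(current: bytes, digest: bytes) -> bytes:
    """TPM 2.0 extend: new PCR = H(current || digest), SHA-256 bank."""
    return hashlib.sha256(current + digest).digest()


def replay_log(log):
    """Rebuild PCR values from a measurement log, starting from reset state."""
    pcrs = {}
    for idx, _desc, data in log:
        pcrs[idx] = pcr_extend(pcrs.get(idx, RESET_PCR), hashlib.sha256(data).digest())
    return pcrs


def pcr_policy_digest(pcrs, selection):
    """Simplified PCR policy: hash of the selected PCR values, concatenated."""
    return hashlib.sha256(b"".join(pcrs[i] for i in sorted(selection))).digest()


def unseal_allowed(policy_at_seal: bytes, pcrs_now: dict, selection) -> bool:
    """Unseal succeeds only if the current PCRs reproduce the sealed policy."""
    return pcr_policy_digest(pcrs_now, selection) == policy_at_seal


def demo():
    # Policy recorded when the OS sealed the key during a genuine boot.
    policy = pcr_policy_digest(replay_log(BOOT_LOG), SELECTION)
    # A TPM reset to zero and fed the same log reproduces identical PCRs:
    # a PCR-only policy cannot tell this apart from the genuine boot.
    replayed = replay_log(BOOT_LOG)
    # A modified bootloader measurement changes PCR 11, so unseal is refused.
    tampered = replay_log([(i, d, b"modified-" + b if i == 11 else b)
                           for i, d, b in BOOT_LOG])
    return (unseal_allowed(policy, replayed, SELECTION),
            unseal_allowed(policy, tampered, SELECTION))
```

This is why the countermeasures the talk mentions matter: a PCR-only binding carries no secret that the measurement log lacks, so protection must come from patching the sleep-mode handling or adding a pre-boot authenticator (such as a PIN) to the unseal condition.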