
Youtuber cracks BitLocker encryption in minutes with Raspberry Pi Pico

Joined
Apr 12, 2013
Messages
6,769 (1.67/day)
Hey just because you're paranoid doesn't mean there's no one out there (looking?) for you!
 

bug

Joined
May 22, 2015
Messages
13,265 (4.04/day)
Let's be honest here, once wrong-doers gain physical access, your data is screwed anyway. These things aren't meant to be a one-stop-shop solution, proper defenses are always layered.
 

Lauri

New Member
Joined
Jun 16, 2023
Messages
5 (0.01/day)
> Let's be honest here, once wrong-doers gain physical access, your data is screwed anyway. These things aren't meant to be a one-stop-shop solution, proper defenses are always layered.
The whole point of Bitlocker is to protect your data if your computer is stolen. It's a big issue for large corporations, journalists and security professionals. This might not matter to normal people, but that executive traveling by airplane to do business on another continent might have data worth millions on his laptop. The amount of computers that get lost or stolen at airports alone is staggering.
 

bug

Joined
May 22, 2015
Messages
13,265 (4.04/day)
> The whole point of Bitlocker is to protect your data if your computer is stolen. It's a big issue for large corporations, journalists and security professionals. This might not matter to normal people, but that executive traveling by airplane to do business on another continent might have data worth millions on his laptop. The amount of computers that get lost or stolen at airports alone is staggering.
That's what Microsoft says, yes. But any security engineer will tell you if your laptop is stolen, your data is compromised. Maybe not right away; maybe you have a chance to erase it remotely and change your passwords (no brainer, this one doesn't take long). But give it a few months, someone will get to it. Idk how OPAL encryption works, that may provide better security...
 
Joined
Feb 1, 2019
Messages
2,678 (1.39/day)
> So I knew this would make it here
>
> Only works because:
>
> - physical access
> - TPM is a separate chip
> - board literally had contact pads for the traces
>
> Newer CPUs by AMD and Intel (read: the past few years) have on-die TPM so this won't work.
>
> No, it's not a flaw. Communication between the CPU and other ICs is not encrypted on pretty much all things. That's why you could lift the encryption keys from the Xbox using a Bus Pirate.
>
> This isn't a BitLocker crack. He literally lifted the keys, he did not break the encryption.
Yep, anything that needs an already compromised state I just ignore nowadays, it's overhyping silly things.
 

bug

Joined
May 22, 2015
Messages
13,265 (4.04/day)
> Yep, anything that needs an already compromised state I just ignore nowadays, it's overhyping silly things.
To you maybe. But think just how many conspiracy theories you can build on top of that ;)
 
Joined
Feb 3, 2023
Messages
173 (0.37/day)
Bitlocker is a solution to protect against a casual thief who steals your laptop on the street, if you have something you really want to protect - and important enough for anyone to seriously want it or you seriously not wanting anyone to have it - you look elsewhere.
Tinfoil or not, Bitlocker is allowed, even encouraged, in countries which vilify or actively want to ban encryption, like the UK. This alone puts it on the "absolutely not trustworthy" list as far as I'm concerned.
 
Joined
Jul 25, 2006
Messages
12,225 (1.88/day)
> Does anyone want to argue that microsoft is not incompetent and incapable of providing true security? The microsoft method is NOT TRUSTWORTHY people! Stop trusting them and start doing your own thing!

> Bitlocker is allowed, even encouraged, in countries which vilify or actively want to ban encryption, like the UK. This alone puts it on the "absolutely not trustworthy"

> look elsewhere

This is little more than pure, biased, anti-Microsoft, "The sky is falling! The sky is falling!" FUD! And yes, it is time to invest in tin futures again.

There is NO SUCH THING as "true security". Yet people demand it from Microsoft and then when they can't deliver, they are vehemently chastised for failing to do the impossible. :kookoo:

To suggest something is "incompetent", "incapable" and "absolutely not trustworthy" implies and insinuates it is useless, perhaps even harmful and to be avoided - therefore, users should "look elsewhere" and "do your own thing". NONSENSE!!!! Worse is when such suggestions are accompanied with ignorance about the facts. :(

Do locks on your front door ensure your door is impenetrable? Do you "trust" those locks will stop a "determined" bad guy from breaking in? No and no! So do you avoid locking them? Of course not.

Is Wells Fargo competent and capable of protecting my money? Yes. Do I "trust" them? Absolutely not!!!!! There are ~2000 bank robberies every year - not to mention there are greedy bank leaders constantly plotting on ways to cheat us out of our money.

Is the data of users of BitLocker being compromised right and left as these biased MS bashers want everyone to believe? NO!!!! How do we know? Easy. CNET, ZDNet, AnandTech, Bleeping Computer would be all over it, constantly reporting real examples of "real world" (not contrived, simulations) compromises if BitLocker was "incompetent", "incapable" and "absolutely not trustworthy" as some here want everyone to believe. Where are those reports? There should be millions of compromises if this were true.

What is the purpose of BitLocker? BitLocker is a security feature that encrypts "drives" (as in our "LOCAL" storage media) to "help" mitigate threats of data theft due to lost, stolen, or incorrectly secured (wiped/destroyed), no longer used/discarded storage devices.

Where is the corroborating evidence BitLocker is not doing this? Claiming that vast experience is all anyone needs as substantiating evidence is NOT proof of anything (except, perhaps, see post #23).

Notice I said "LOCAL". Why does that matter? Because the UK does NOT want to ban encryption as being claimed above. That too is total tin-foil hat wearing nonsense! What's been proposed in the UK is a ban on the use of "end to end" encryption in point-to-point online messaging apps. The proposal is to deny terrorists, human traffickers, and other criminal elements a safe and secure communications network. That is TOTALLY DIFFERENT from local drive data encryption.

BitLocker is just another layer of protection, along with strong passwords, keeping our computers and anti-malware solutions current, avoid being "click-happy" on unsolicited links, firewall, router, etc., and of course, good physical security as well. NO ONE, and especially NOT MICROSOFT, is suggesting BitLocker is the panacea for data protection. So it is just pure, tin-foil hat wearing FUD to suggest or imply Microsoft's intent for BitLocker is to be that.

Now before the personal attacks begin, have I said anywhere to trust Microsoft? Nope. I trust them as much as I trust my bank will work with MY best interests in mind. I trust Microsoft as much as I trust our elected "representatives" (cough cough choke choke) to put my country over their own self-interests. I trust Microsoft to protect me as much as I trust The Louvre to protect The Mona Lisa from all possible attacks.

> Physical access isn't a limitation, it's the entire scope here.
Huh? Of course it's a limitation - it's a HUGE limitation! Do you not see the difference between a computer sitting out-of-sight in a locked room versus a computer sitting, unattended, in-plain-sight, on a table in Starbucks?

Of course you can. So clearly, physical access is a limitation. And yet, a bad guy could still break into that locked room and steal the computer. So the vulnerability ("entire scope") is still there, as you noted, regardless. However, it is a matter of exposure - that is, how likely is it the computer locked up, out-of-sight will be stolen compared to the one left unattended, out in-the-open, in a public place?

So again, clearly, physical access, or rather, the lack of it, is a HUGE limitation.

MAKE NO MISTAKE - the "user" is, always has been, and always will be the weakest link in security. And who is in charge of physical security? The user.
 
Joined
Jul 21, 2008
Messages
5,177 (0.90/day)
Physical security is half the reason a SCIF is a thing.

And yes, we run Microsoft on our secure networked computers.
 
Joined
Jan 10, 2011
Messages
1,334 (0.27/day)
> Huh? Of course it's a limitation - it's a HUGE limitation! Do you not see the difference between a computer sitting out-of-sight in a locked room versus a computer sitting, unattended, in-plain-sight, on a table in Starbucks?
>
> Of course you can. So clearly, physical access is a limitation. And yet, a bad guy could still break into that locked room and steal the computer. So the vulnerability ("entire scope") is still there, as you noted, regardless. However, it is a matter of exposure - that is, how likely is it the computer locked up, out-of-sight will be stolen compared to the one left unattended, out in-the-open, in a public place?
>
> So again, clearly, physical access, or rather, the lack of it, is a HUGE limitation.
>
> MAKE NO MISTAKE - the "user" is, always has been, and always will be the weakest link in security. And who is in charge of physical security? The user.
The operative word is "here."

If the topic at hand was information security in general, then sure, physical access is one giant wall to get past. The topic, however, is about a specific tool that addresses a specific scenario. Discussion about the effectiveness (and failings) of said tool is only applicable with said scenario as a given. We wouldn't call the rarity of fires a limiting factor when our sprinklers fail with the first spark now, would we?

Humans are idiots, no objection there. But this is no excuse for flawed tools.
 
Joined
Jul 25, 2006
Messages
12,225 (1.88/day)
> The operative word is "here."
Huh? And nowhere in my comment that you quoted did I use the word "here".

I feel like you are arguing just to argue.

> If the topic at hand was information security in general, then sure, physical access is one giant wall to get past.
Yes. A giant wall! A wall that, just before, was said to be NOT a limitation.

The operative word that IS in your comment is "IF" - but that's not even relevant. Physical security is ALWAYS a part of "information security in general." There is no if this or if that. It is always there. If you don't believe and accept that "availability", which includes, but is not limited to, physical access, is an integral part of "information security", then you have failed to understand "security in general."
> The topic, however, is about a specific tool that addresses a specific scenario.
Yeah! The protection of data on a "physical" device being accessed by "physically" having access to that device.
 
Joined
Jan 2, 2024
Messages
207 (1.54/day)
Can't wait for Cybermedicine Security to go kerchunk because everything gets bitlock'd over some nonchalant driveby update and someone watching this thinks that cracking bitlocker is as easy as having physical access to the original machine.

.....

I always say the snifferer is smart but in this case it appears to be genuinely smarter than the people writing these dumb articles.

Keep your keys safe.

Keep your snifferers safe.

Try not to get wrapped up in some one-way feature disaster that nobody actually seems to understand.

 
Joined
Jul 5, 2013
Messages
25,604 (6.45/day)
> It's primarily driven by personality defects, namely the narcissistic belief that they're somehow important enough for Microsoft to want to spy on them.
As opposed to some who are clearly compensating for blatantly obvious shortcomings...

> Through the network - then you can do it from the other side of the world. Piece of cake, right?
Right?
> I mean corporate networks seem to be breached every day.
Exactly.
> Now before the personal attacks begin
Not going to get personal. You have your perspectives and they are based on your experiences.
> have I said anywhere to trust Microsoft? Nope.
Well that's good.
> I trust them as much as I trust my bank will work with MY best interests in mind.
That seems a bit much. A financial institution has legal and ethical obligations to protect your money and interests. No such obligations exist for microsoft. They KNOW this as is clearly demonstrated by the wording of their pathetically one-sided EULA documents.
> I trust Microsoft as much as I trust our elected "representatives" (cough cough choke choke) to put my country over their own self-interests.
Couldn't agree more on this point. Common translation is: Very little trust given.
> I trust Microsoft to protect me as much as I trust The Louvre to protect The Mona Lisa from all possible attacks.
May we presume you have little faith in the Louvre?

I trust microsoft to watch out for their own interests, which sometimes overlap ours, but most of the time do not. Like law enforcement (as ANY well qualified attorney will tell you), microsoft is not our friend. They can only be trusted in ways and areas where they show, through action, that they can be trusted. Beyond that, they are worthy of none!
 
Joined
Jul 25, 2006
Messages
12,225 (1.88/day)
> That seems a bit much. A financial institution has legal and ethical obligations to protect your money and interests. No such obligations exist for microsoft.
That's not entirely true. While not as tightly regulated as financial institutions, Microsoft is a publicly owned and traded corporation and therefore, is indeed heavily regulated. They are not necessarily required to work in the best interests of their customers, but they are with their shareholders and are held accountable to the SEC and other state and federal statutes.

All that is beside the point.

The problem is some people so often on this site, and as illustrated in this thread, are incapable of separating their biases and hate for Microsoft from the products they provide.

Just to illustrate: your first post in this thread, and each one since, is riddled with Microsoft bashing and little if any technical commentary about BitLocker itself. Others joined in with absolute nonsensical misinformation. :(

"Physical access" IS a HUGE limitation. BitLocker is NOT an "end-to-end" messaging encryption tool! :(

BitLocker is not 100% perfect 100% of the time, therefore Microsoft is "incompetent", "incapable" and "absolutely not trustworthy". :kookoo: Name 1 company that does provide "true security". Name a security company that provides "true security". Where are attacks on them?

Come on!!!

BitLocker is designed (with TPM) to protect the data on LOCAL storage devices. So I ask again - where's the evidence "BitLocker" is failing to protect the data on the LOCAL storage devices of its users?

I despise my cable company. They are just as monopolistic, if not more so than Microsoft. They charge me more for my cable TV and Internet service each month than my power, water, sewer, trash and gas companies combined! If I want to watch BBC America, I must pay for some extra package that contains 25 channels I never watch. HOWEVER, I get great Internet speeds and my TV service is incredibly stable with HD and full range surround sound. I still hate the company.

See the difference?

> May we presume you have little faith in the Louvre?
I have more than a little - but not a whole lot more considering it has been attacked at least 6 times in my lifetime (that we know of), including less than 2 years ago and again as recently as 2 weeks ago. Yes, this last time it remained unharmed behind bullet proof glass but the offenders were still able to get close enough to climb under the barriers, yell and scream and dance around in front of the painting, then throw pumpkin soup on the glass before security finally decided to step in. :(
 
Joined
Aug 20, 2007
Messages
20,819 (3.41/day)
> The whole point of Bitlocker is to protect your data if your computer is stolen. It's a big issue for large corporations, journalists and security professionals. This might not matter to normal people, but that executive traveling by airplane to do business on another continent might have data worth millions on his laptop. The amount of computers that get lost or stolen at airports alone is staggering.
If this is a serious concern I'd advise using a disk encryption solution that does not involve the TPM. I can vouch for VeraCrypt.
 
Joined
Jul 5, 2013
Messages
25,604 (6.45/day)
> That's not entirely true. While not as tightly regulated as financial institutions, Microsoft is a publicly owned and traded corporation and therefore, is indeed heavily regulated. They are not necessarily required to work in the best interests of their customers, but they are with their shareholders and are held accountable to the SEC and other state and federal statutes.
>
> All that is beside the point.
>
> The problem is some people so often on this site, and as illustrated in this thread, are incapable of separating their biases and hate for Microsoft from the products they provide.
>
> Just to illustrate, starting with your first post in this thread, and each one since is riddled with Microsoft bashings and little if any technical commentary about BitLocker itself. Others joined in with absolute nonsensical misinformation. :(
>
> "Physical access" IS a HUGE limitation. BitLocker is NOT an "end-to-end" messaging encryption tool! :(
>
> BitLocker is not 100% perfect 100% of the time, therefore Microsoft is "incompetent", "incapable" and "absolutely not trustworthy". :kookoo: Name 1 company that does provide "true security". Name a security company that provides "true security". Where are attacks on them?
>
> Come on!!!
>
> BitLocker is designed (with TPM) to protect the data on LOCAL storage devices. So I ask again - where's the evidence "BitLocker" is failing to protect the data on the LOCAL storage devices of its users?
>
> I despise my cable company. They are just as monopolistic, if not more so than Microsoft. They charge me more for my cable TV and Internet service each month than my power, water, sewer, trash and gas companies combined! If I want to watch BBC America, I must pay for some extra package that contains 25 channels I never watch. HOWEVER, I get great Internet speeds and my TV service is incredibly stable with HD and full range surround sound. I still hate the company.
>
> See the difference?

> I have more than a little - but not a whole lot more considering it has been attacked at least 6 times in my lifetime (that we know of), including less than 2 years ago and again as recently as 2 weeks ago. Yes, this last time it remained unharmed behind bullet proof glass but the offenders were still able to get close enough to climb under the barriers, yell and scream and dance around in front of the painting, then throw pumpkin soup on the glass before security finally decided to step in. :(
To be fair, you've made some good points. However, I'm not willing to offer counter-points on this one, for a very good reason. So I'll take this opportunity to gracefully bow out.

> The whole point of Bitlocker is to protect your data if your computer is stolen. It's a big issue for large corporations, journalists and security professionals. This might not matter to normal people, but that executive traveling by airplane to do business on another continent might have data worth millions on his laptop. The amount of computers that get lost or stolen at airports alone is staggering.
> If this is a serious concern I'd advise using a disk encryption solution that does not involve the TPM. I can vouch for VeraCrypt.
Veracrypt is a very good disk encryption solution. It has yet to be cracked when set up properly. There is only one better and it's anything but free! I will completely agree with @R-T-B 's statement.
 
Joined
Jul 25, 2006
Messages
12,225 (1.88/day)
> If this is a serious concern I'd advise using a disk encryption solution that does not involve the TPM. I can vouch for VeraCrypt.
For sure, one (one and a half?) issue with BitLocker is it is not available with Windows 10 "Home" and only partially functional with Windows 11 "Home". I don't understand Microsoft's decision for this. But I can guess/assume.

I have heard some argue that, because Home users tend to be less technically savvy (by choice or not) than Pro users (NOT a criticism, just an observation), Microsoft does not want to deal with warranty support (with "Retail" licenses) for those less savvy people - either due to the added expense, or the hassles involved in trying to talk the less savvy through complex technical procedures.

Similar to that, I have heard the big computer makers (Dell, HP, Acer, Lenovo, etc.), those who install "OEM/System Builder" licenses and who, therefore, are responsible for Windows tech support for the 1 year warranty period, didn't want to deal with the expense and hassle dealing with less savvy users. And so they pressured Microsoft to leave it out of Home.

Others argue it is simply because Microsoft wants users to spend more money on the higher priced and more profitable "Pro" version.

Any way you look at it, it boils down to $$$ and profits (yes, corporate greed) and so I have no doubt and will assume that is a large part, if not the whole reason the Home versions don't support it fully.

I personally have never tried VeraCrypt with the Home versions of W10/11, but I know others who have and say it works perfectly. I have used it with W10 Pro and yes, it works great there too.

DISCLAIMER: I say it works great but I have NOT done a side-by-side, blind test comparison to see if encryption affects performance. All I can say is I've only used VeraCrypt (or BitLocker) with SSDs and have not noticed any performance issues - or problems with corruption.
 
Joined
Nov 27, 2023
Messages
1,146 (6.74/day)
> Any way you look at it, it boils down to $$$ and profits (yes, corporate greed) and so I have no doubt and will assume that is a large part, if not the whole reason the Home versions don't support it fully.
I would just like to note that, while by and large agreeing with you, this point being brought up (not only by you) is always amusing to me. Corporate greed. Yes. Aren't publicly traded corporations literally obligated to maximize profits for their shareholders if they are able? And failure to do so, if proven, can lead to litigation? Like, that's Capitalism 101 here; whether we like it or not, said corporate greed is a cornerstone of society as it exists in the modern world. Complaints that corporations are greedy are akin to complaining that mosquitoes bite or raccoons dig through trash. Like… yeah, that's their whole raison d'être. For better or worse.
 
Joined
Jul 25, 2006
Messages
12,225 (1.88/day)
> Aren't publicly traded corporations literally obligated to maximize profits for their shareholders if they are able? And failure to do so, if proven, can lead to litigation?
Yes and no.

Yes, they are (more or less) obligated to maximize profits. But no, they are not subject to litigation (assuming no actual crimes have been committed). But for sure, if shareholders are not making money on their investments, those C-Level executives will be voted out and looking for new jobs real soon.

What I don't like about how this works is "The City" in the UK or Wall Street in the US expect company profits to increase year after year, or else they deem the company is failing. Forget the fact they are still profitable - they must "grow" year after year.

And I believe that frequently leads companies to cut corners in the production of their products by using cheaper parts and less robust and reliable production techniques. Consequently, the life expectancy of many products has gone down in recent years compared to those made 20 years ago. :(

But all this is for a different discussion/thread.
 
Joined
Mar 18, 2023
Messages
610 (1.44/day)
System Name Never trust a socket with less than 2000 pins
Now hold on a second. Does the Raspberry Pi have to be sniffing at any time, or does it have to be sniffing when the user enters their keyphrase?

Why would the TPM send the key to the CPU at a point in time when the legitimate user didn't enter their part of the key?
 
Joined
Aug 20, 2007
Messages
20,819 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11
I say it works great but I have NOT done a side-by-side, blind test comparison to see if encryption affects performance.
One of the great things about Veracrypt is it's undergone a formal security audit, so really, there isn't much need for us to endorse it anymore. Pros already did it for us.

That being said most don't need security at its level (it uses three layers of software encryption by default, which is quite the performance penalty on something like an nvme drive). Bitlocker is fine for protecting against 99% of use cases. Bitlocker uses bog standard AES encryption IIRC, which is fine for most US government things, so it's probably fine for you.

Why would the TPM send the key to the CPU at a point in time when the legitimate user didn't enter their part of the key?
One of the ways bitlocker can be set up is to not proceed with decryption if the hardware does not significantly change.

I would guess this case would be vulnerable.
 
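Added check for the question above about when the TPM hands the key over (this is editor-added example code, not something anyone in the thread posted). With a TPM-only protector the TPM unseals the volume master key during boot once the measured boot state matches, with no user secret involved; with a TPM+PIN protector it does not unseal until the PIN is entered. The script lists the protector types on every BitLocker volume and flags TPM-only ones. It assumes the BitLocker PowerShell module (Windows Pro/Enterprise) and an elevated prompt; the mount point and PIN in the commented remediation are placeholders.

```powershell
# List BitLocker volumes and flag any whose only TPM-based protector is
# plain 'Tpm' (no PIN or startup key): the VMK is unsealed at boot with
# no user input. Editor-added example; requires an elevated prompt.
function Get-TpmOnlyBitLockerStatus {
    foreach ($v in Get-BitLockerVolume) {
        $types = @($v.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $userBound = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey')
        $tpmOnly = ($types -contains 'Tpm') -and
                   -not ($userBound | Where-Object { $types -contains $_ })
        [pscustomobject]@{
            MountPoint       = $v.MountPoint
            ProtectionStatus = $v.ProtectionStatus
            EncryptionMethod = $v.EncryptionMethod
            Protectors       = ($types -join ', ')
            TpmOnly          = $tpmOnly
            HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        }
    }
}

Get-TpmOnlyBitLockerStatus | Format-Table -AutoSize

# Remediation for a TPM-only OS volume (placeholder mount point 'C:').
# Only run this after confirming HasRecoveryPwd is True above and the
# recovery password is backed up, and after Group Policy permits a PIN
# ("Require additional authentication at startup"). Steps are commented
# out so the check above can be run on its own without changing anything.
#
# $pin = Read-Host -AsSecureString 'New BitLocker pre-boot PIN'
# $tpm = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#        Where-Object { $_.KeyProtectorType -eq 'Tpm' }
# Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $tpm.KeyProtectorId
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

`manage-bde -status` gives the same protector list without PowerShell. The thing to read off is the protector type, not the cipher: a TPM-only volume with AES-256 is still unsealed by the TPM before anyone touches the keyboard, which is the window a bus sniffer uses.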
Joined
Jul 5, 2013
Messages
25,604 (6.45/day)
(it uses three layers of software encryption by default, which is quite the performance penalty on something like an nvme drive)
I'm guessing you haven't used it then? Because what you just stated is not at all correct. The default is 256bit AES, the user has to actively select anything else when setting up an encrypted volume, whether a file, partition or full disk. Nearly every CPU from 2014 forward generally has AES hardware instructions built into the CPU, so any software using AES is very snappy and buttery smooth. Additionally, the penalty to SSDs of any kind is so minimal that it's margin-of-error kinds of small. The penalty to HDDs is also very small, too small to make a difference.
 
Joined
Jan 5, 2006
Messages
17,966 (2.68/day)
System Name AlderLake / Laptop
Processor Intel i7 12700K P-Cores @ 5Ghz / Intel i3 7100U
Motherboard Gigabyte Z690 Aorus Master / HP 83A3 (U3E1)
Cooling Noctua NH-U12A 2 fans + Thermal Grizzly Kryonaut Extreme + 5 case fans / Fan
Memory 32GB DDR5 Corsair Dominator Platinum RGB 6000MT/s CL36 / 8GB DDR4 HyperX CL13
Video Card(s) MSI RTX 2070 Super Gaming X Trio / Intel HD620
Storage Samsung 980 Pro 1TB + 970 Evo 500GB + 850 Pro 512GB + 860 Evo 1TB x2 / Samsung 256GB M.2 SSD
Display(s) 23.8" Dell S2417DG 165Hz G-Sync 1440p / 14" 1080p IPS Glossy
Case Be quiet! Silent Base 600 - Window / HP Pavilion
Audio Device(s) Panasonic SA-PMX94 / Realtek onboard + B&O speaker system / Harman Kardon Go + Play / Logitech G533
Power Supply Seasonic Focus Plus Gold 750W / Powerbrick
Mouse Logitech MX Anywhere 2 Laser wireless / Logitech M330 wireless
Keyboard RAPOO E9270P Black 5GHz wireless / HP backlit
Software Windows 11 / Windows 10
Benchmark Scores Cinebench R23 (Single Core) 1936 @ stock Cinebench R23 (Multi Core) 23006 @ stock
Personally I keep my most important files on multiple external storage.
 
Joined
Aug 20, 2007
Messages
20,819 (3.41/day)
System Name Pioneer
Processor Ryzen R9 7950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage 2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11
I'm guessing you haven't used it then? Because what you just stated is not at all correct. The default is 256bit AES, the user has to actively select anything else when setting up an encrypted volume, whether a file, partition or full disk. Nearly every CPU from 2014 forward generally has AES hardware instructions built into the CPU, so any software using AES is very snappy and buttery smooth. Additionally, the penalty to SSDs of any kind is so minimal that it's margin-of-error kinds of small. The penalty to HDDs is also very small, too small to make a difference.
Have not used it in years, no, so perhaps things have changed or I just misremembered. We generally use Opal solutions for no performance penalty at all here... AES256 as well but that's fine for our requirements.

Additionally, the penalty to SSDs of any kind is so minimal that it's margin of error kinds of small.
CPU overhead. But if you are indeed just using AES even on nvme peaks its not going to be too bad.
 