This week at the Chaos Computer Club (CCC) annual Chaos Communications conference, hacker Thomas Lambertz proposed:Windows BitLocker: No need for a screwdriver to tighten“, details how users can break BitLocker encryption and gain access to protected data. Bugs that have been fixed from old reports, CVE-2023-21563still available on current versions of Windows, requires only one-time physical device access and network connection. However, like other drive decryption vulnerabilities, the attack does not require the computer to be turned on or accessed for several hours [h/t Heise].
This attack belongs to the “bitpixie” attack category and has been well documented since mid-2022. Although this specific error is Technically Fixed via the November 2022 update, which unfortunately indicates that this fix is only superficial. Update the version by booting the outdated Windows bootloader using Secure Boot, extracting the encryption key to memory, then using Linux to retrieve the memory contents and find the BitLocker key Windows 11 It can still be effectively exploited as if it was never updated to address bitpixie attacks.
MicrosoftDue to UEFI firmware storage space limitations, attempts to fix this issue are not sufficient. The release of new secure boot credentials is currently not expected until 2026 at the earliest. Thomas Lambertz warns that even a simple USB network adapter is enough to perform this attack.
This is unlikely to be a major issue for everyday users, as they are unlikely to have someone on site trying to decrypt their BitLocker-protected drives. However, for corporate, enterprise and government environments where network security is critical and complete BitLocker decryption can be achieved with just a single PC access instance, USB network adapters are certainly a concern.
The CCC is the largest association of hackers and cyber security mediators in the European Union. For those hungry for more peripheral information and with at least 56 minutes to spare, we recommend the complete Windows BitLocker: No need for a screwdriver to tighten The briefing was uploaded to the CCC Media Center this morning. The entire speech was in English, unlike previous reports. It provides detailed technical information on how current vulnerabilities operate and why they are so difficult to fix.