As an extension of the SEC4YOU PenTest portfolio, we offer a standardized audit of Microsoft BitLocker encrypted systems (servers, workstations, notebooks, tablets) with the aim of bypassing the BitLocker encryption and extracting all data.

The method used is the TPM sniffing attack on the TPM chip described in March 2019; here is the link to the exploit.

The attack requires physical access to the PC, with a specially prepared FPGA (Field Programmable Gate Array) being attached to the TPM 1.2 or TPM 2.0 as part of the intrusion attempt. During Windows boot with Microsoft encryption enabled, the Volume Master Key (VMK) is transmitted from the TPM to the Windows system, where it is intercepted and logged by the FPGA. This key is used to decrypt the Full Volume Encryption Key (FVEK) of the system drive.

The following systems are vulnerable:

  • All BitLocker versions of the operating systems: Windows 7, Windows 8, Windows 10 incl. version 1903.
  • Any TPM-only protected hardware: servers, workstations, notebooks, tablets.
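
To check hosts for the TPM-only condition listed above, the following added example (not SEC4YOU's code) classifies each BitLocker volume by its key protector types. It assumes the Windows BitLocker PowerShell module and an elevated session; the helper name `Get-BootUnlockMode` and the fallback sample rows are constructed for illustration.

```powershell
# Added example: report which BitLocker volumes are unlocked by the TPM alone.
# Get-BootUnlockMode is a hypothetical helper name, not part of the BitLocker module.
function Get-BootUnlockMode {
    param([string[]] $ProtectorTypes)

    # 'Tpm' means the TPM releases the VMK at boot with no user-supplied secret.
    if ($ProtectorTypes -contains 'Tpm') { return 'TPM-only' }

    # These protector types combine the TPM with a PIN and/or a startup key.
    $tpmPlus = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    if ($ProtectorTypes | Where-Object { $_ -in $tpmPlus }) { return 'TPM + pre-boot factor' }

    return 'no TPM protector'
}

if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    # Live data: requires an elevated session on a host with BitLocker.
    $volumes = Get-BitLockerVolume | ForEach-Object {
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = [string]$_.ProtectionStatus
            ProtectorTypes   = @($_.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
        }
    }
} else {
    # Constructed sample rows so the script also runs where the module is absent.
    $volumes = @(
        [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On';  ProtectorTypes = @('Tpm', 'RecoveryPassword') }
        [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'On';  ProtectorTypes = @('TpmPin', 'RecoveryPassword') }
        [pscustomobject]@{ MountPoint = 'E:'; ProtectionStatus = 'Off'; ProtectorTypes = @() }
    )
}

$report = $volumes | ForEach-Object {
    [pscustomobject]@{
        MountPoint       = $_.MountPoint
        ProtectionStatus = $_.ProtectionStatus
        BootUnlockMode   = Get-BootUnlockMode -ProtectorTypes $_.ProtectorTypes
        Protectors       = ($_.ProtectorTypes -join ', ')
    }
}

$report | Format-Table -AutoSize

# Volumes in the TPM-only category named in the list above.
$report | Where-Object { $_.BootUnlockMode -eq 'TPM-only' } |
    ForEach-Object { Write-Warning "$($_.MountPoint) is unlocked by the TPM alone" }
```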

After the attack, the FPGA is removed from the TPM chip and the system can be rebooted. Recovery through the recovery key is not provided for this hack.

Data recovery or simulation of a cyber attack.

The PenTest is useful for two customer requirements:

  1. Verification of the operational effectiveness of deployed BitLocker encryption.
  2. Data recovery from BitLocker encrypted end devices
    • that no longer boot correctly, e.g. blue screen, bad sectors, update problems, driver problems
    • whose recovery key and user password have been lost

We will be happy to clarify the procedure and technical requirements in a personal meeting.

As a result of the PenTest, the decrypted data of all users will be made available on an external storage medium.
