BitLocker is one of the most accessible and popular data encryption solutions today. This is a built-in feature in Windows 10 Pro and 11 Pro, but its weak point is the dedicated TPM (Trusted Platform Module) chip on the motherboard, the data from which can be quickly captured using a Raspberry Pi Pico single board computer with a price tag of less than $5.
Image source: youtube.com/@stacksmashing
On some systems, the processor exchanges the disk encryption key with the TPM chip over the LPC bus, and this key is transmitted without encryption, allowing an attacker to intercept critical data between the two components. They decided to confirm the hypothesis using a Lenovo laptop from ten years ago – something similar could be implemented on some more modern machines, but intercepting LPC bus traffic might have required more effort.
In this case, information from the LPC bus was available through a free connector. The author of the experiment built an inexpensive device based on Raspberry Pi Pico, which was able to connect to this connector by touching its contacts. An inexpensive single-board computer was programmed to read a sequence of ones and zeros at a frequency of 25 MHz, that is, every 40 ns.
The result met expectations: Raspberry Pi Pico successfully read the disk encryption key from the TPM. A drive with an encrypted Windows system drive was connected to a Linux machine, the resulting encryption key was entered, and access to all files and folders on the drive was granted.. The author of the project measured the time on a stopwatch and repeated his experiment – he opened the computer and counted the key in less than 43 seconds.
It should be noted that this hack only works on motherboards with a dedicated TPM chip. The functions of this chip are built into modern Intel and AMD processors and are implemented in software via fTPM (Firmware TPM) – in this case, hacking using Raspberry Pi Pico will not work.