Trusted Platform Module (TPM) is a tamper-resistant security module. It has been widely deployed in commercial devices to protect secret data and ensure the trustworthiness of a system. There are two typical types of TPMs, hardware-based discrete TPM (dTPM) and firmware-based TPM (fTPM). Microsoft Windows has used both types of TPMs to protect the Volume Master Key (VMK) of their disk encryption software, BitLocker.
BitLocker's TPM feature has not been analyzed in detail. It has hidden behind the TPMs because the TPM protected the VMK of BitLocker with sealing and unsealing functions. Most security researchers concluded the VMK sealed by the TPM was safe. Recent works also showed the only way to extract the VMK from the TPM was physical access like probing the Low Pin Count (LPC) bus or TPM pins. However, we found a novel way that can subvert BitLocker with only the software. So, free lunch for BitLocker is over.
In this talk, we introduce a sleep mode vulnerability of the dTPM and fTPM that can subvert BitLocker. We also present our new tool, BitLeaker, that can extract the VMK from the TPMs and decrypt a BitLocker-locked partition without physical access. Last year, we already introduced a dTPM vulnerability, CVE-2018-6622. However, we found another new vulnerability related to the fTPM this year, especially Intel Platform Trust Technology (PTT). The sleep mode vulnerability can subvert not only the fTPM but also the dTPM with system sleep mode, and it can forge Platform Configuration Registers (PCRs). PCRs are core parts of the sealing and unsealing functions to protect the VMK of BitLocker. By exploiting the vulnerability, we extracted the VMK from TPMs and decrypted a BitLocker-locked partition with our custom tool, BitLeaker. Additionally, we present detailed information on BitLocker's VMK protection process related to the TPM and countermeasures.