BitLeaker: Subverting BitLocker with One Vulnerability

Presented at Black Hat Europe 2019, Dec. 5, 2019, 11:55 a.m. (50 minutes)

Trusted Platform Module (TPM) is a tamper-resistant security module. It has been widely deployed in commercial devices to protect secret data and ensure the trustworthiness of a system. There are two typical types of TPMs, hardware-based discrete TPM (dTPM) and firmware-based TPM (fTPM). Microsoft Windows has used both types of TPMs to protect the Volume Master Key (VMK) of their disk encryption software, BitLocker.

BitLocker's TPM feature has not been analyzed in detail. It has hidden behind the TPMs because the TPM protected the VMK of BitLocker with sealing and unsealing functions. Most security researchers concluded the VMK sealed by the TPM was safe. Recent works also showed the only way to extract the VMK from the TPM was physical access like probing the Low Pin Count (LPC) bus or TPM pins. However, we found a novel way that can subvert BitLocker with only the software. So, free lunch for BitLocker is over.

In this talk, we introduce a sleep mode vulnerability of the dTPM and fTPM that can subvert BitLocker. We also present our new tool, BitLeaker, that can extract the VMK from the TPMs and decrypt a BitLocker-locked partition without physical access. Last year, we already introduced a dTPM vulnerability, CVE-2018-6622. However, we found another new vulnerability related to the fTPM this year, especially Intel Platform Trust Technology (PTT). The sleep mode vulnerability can subvert not only the fTPM but also the dTPM with system sleep mode, and it can forge Platform Configuration Registers (PCRs). PCRs are core parts of the sealing and unsealing functions to protect the VMK of BitLocker. By exploiting the vulnerability, we extracted the VMK from TPMs and decrypted a BitLocker-locked partition with our custom tool, BitLeaker. Additionally, we present detailed information on BitLocker's VMK protection process related to the TPM and countermeasures.

Presenters:

• Jun-Hyeok Park - Senior Security Researcher, The Affiliated Institute of ETRI
  Jun-Hyeok Park is a senior security researcher at the Affiliated Institute of ETRI. He has more than 10 years experience in embedded system development. He also has a special interest in firmware & IoT security. He was a speaker and an author at Black Hat Asia.
• Seunghun Han - Senior Security Researcher, The Affiliated Institute of ETRI
  <p>Seunghun Han is a security researcher at the Affiliated Institute of ETRI. Seunghun focuses on the root of trust, firmware, hypervisor, and kernel security, so he has made his own hypervisor and contributed various patches to the Linux kernel and TPM-based security software.</p><p>Seunghun was a speaker and an author at USENIX Security, Black Hat Asia, HITBSecConf, BlueHat Shanghai, TyphoonCon, beVX, Becks Japan, and KimchiCon. He also authored two books about building 64bit OS from scratch, "64-bit multi-core OS principles and structure, volume 1 (ISBN-13: 978-8979148367) and volume 2 (ISBN-13: 978-8979148374)".</p><p>Seunghun is a member of the Black Hat Asia Review Board and KIMCHICON Review Board.</p><p>Twitter: @kkamagui1</p>

Links:

• https://www.blackhat.com/eu-19/briefings/schedule/#bitleaker-subverting-bitlocker-with-one-vulnerability-17245

Similar Presentations:

• Black Hat Europe 2015 / Bypassing Local Windows Authentication to Defeat Full Disk Encryption
• Black Hat Asia 2020 Virtual / BitLeaker: Subverting BitLocker with One Vulnerability
• Black Hat Asia 2019 / Finally, I Can Sleep Tonight: Catching Sleep Mode Vulnerabilities of the TPM with the Napper