BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets

Presented at DEF CON 33 (2025), Aug. 8, 2025, 10 a.m. (45 minutes).

In Windows, the cornerstone of data protection is BitLocker, a Full Volume Encryption technology designed to secure sensitive data on disk. This ensures that even if an adversary gains physical access to the device, the data remains secure and inaccessible. One of the critical aspects of any data protection feature is its ability to support recovery operations in failure cases. To support BitLocker recovery, design changes were applied in the Windows Recovery Environment (WinRE). This led us to a pivotal question: did these changes introduce new attack surfaces impacting BitLocker? In this talk, we will share our journey of researching a fascinating and mysterious component: WinRE. Our exploration begins with an overview of the WinRE architecture, followed by a retrospective analysis of the attack surfaces exposed with the introduction of BitLocker. We will then discuss our methodology for effectively researching and exploiting these exposed attack surfaces. Our presentation will reveal how we identified multiple 0-day vulnerabilities and developed fully functional exploits, enabling us to bypass BitLocker and extract all protected data in several different ways. Finally, we will share the insights Microsoft gained from this research and explain our approach to hardening WinRE, which in turn strengthens BitLocker.

Presenters:

  • Alon "alon_leviev" Leviev
    Alon Leviev (@alon_leviev) is a self-taught security researcher working with the Microsoft Offensive Research & Security Engineering (MORSE) team. Alon specializes in low-level vulnerability research targeting hardware, firmware, and Windows boot components. He has presented his findings at internationally-recognized security conferences such as DEF CON 32 (2024), Black Hat USA 2024, Black Hat EU 2023, CanSecWest 2024, and CONFidence 2024. Prior to his career in cybersecurity, Alon was a professional Brazilian jiu-jitsu athlete, winning several world and European titles.
  • Netanel Ben Simon
    Netanel Ben-Simon has been a security researcher for over eight years, and is currently working with the Microsoft Offensive Research & Security Engineering (MORSE) team. He specializes in low-level vulnerability research, fuzzing, and exploitation on various platform types such as Windows, Linux, and embedded devices. Over the past year, he has conducted in-depth vulnerability research on different UEFI components with a focus on Windows security posture around the boot environment, bug hunting, and mitigations.
