Out of curiousity, I started reading about Microsoft’s BitLocker technology. This is a way of encrypting a whole hard drive that stores keys in the machine’s trusted platform module (TPM).

My conclusion (though I may be wrong) is that a laptop that uses BitLocker without either an external crypto token or a secure boot ROM is likely susceptible to some relatively easy hardware attacks. BitLocker may defend against casual snooping on random stolen laptops, but a determined attacker with a deliberate target probably won’t be thwarted unless the extra precautions mentioned above are taken.

While on the surface it appears to be a good idea, it seems to have a number of flaws that seem apparent at first glance.

Note that asking for a PIN would add some complexity to the attack, but would be vulnerable to poor PIN choices.

  1. The algorithm assumes that BIOS code is immutable. Since the OpenBIOS/LinuxBIOS people have been replacing BIOS chips for a while, this seems to be something that can be easily circumvented. The replacement BIOS need only extend the base PCR with the original BIOS image, effectively inserting itself into the chain of execution.

Note that Microsoft’s document here talks about BIOS upgrades and how they can destroy keys. See this BitLocker presentation for some more information.

The solution for this problem is getting laptop manufacturers to add a secure bootloader that checks the cryptographic signature of the BIOS and embeds a secret key in the TPM. This would be a tricky operation – requiring a hidden boot ROM like what is available on the XBOX.

Difficulty: best case: replacing socketed BIOS or backup BIOS. Worst case: desoldering/resoldering chips.

  1. The TPM can be transplanted. By running the TPM in a controlled environment, any software can extend the PCR registers as they would be extended on a real boot, which would then allow the TPM to unseal the keys. The solution, again, is to have a hidden boot ROM that embeds a secret key.

Diffculty: desoldering/resoldering chips.

  1. The whole authentication system can be emulated after boot in a non-secure OS. It might be possible to reset the TPM without resetting the system itself. I don’t have specific facts here, but I know that the TPM does have a way to reset the PCR registers, but this doesn’t reset an internal “resets after reboot” counter. An alternative might be to cut one of the Vcc leads of the TPM and allow it to be power-cycled externally.

Once the TPM has been reset, the user may then use an x86 emulator such as QEMU to run the BIOS and boot loader and recover the decryption keys from memory or a more sophisticated attack.

Difficulty: best case: software-only attack, worst case: hardware hack to reset TPM after boot.

Read full post