Windows BitLocker: Screwed without a Screwdriver

th0mas


Ever wondered how Cellebrite and law enforcement gain access to encrypted devices without knowing the password? In this talk, we'll demonstrate how to bypass BitLocker encryption on a fully up-to-date Windows 11 system with Secure Boot enabled and BitLocker in its default TPM-only configuration. We'll leverage a little-known software vulnerability that Microsoft has been unable to fully close since 2022: bitpixie (CVE-2023-21563).

We'll live-demo the exploit, and will walk through the entire process—from the prerequisites and inner workings of the exploit to why Microsoft has struggled to address this flaw. We'll also discuss how to protect yourself from this and similar vulnerabilities.

BitLocker is Microsoft's implementation of full-volume encryption. It offers several modes of operation, but the most widely used is the TPM-only key protector bound to the Secure Boot state (the default PCR 7 profile), with no pre-boot PIN or password.
Many consumer and corporate clients use it, and it is enabled by default under "Device Encryption" on newer Windows 11 installations.

In this mode, the drive is encrypted at rest, but the TPM automatically unseals the volume master key when a legitimate Windows boots, so users don't need a separate pre-boot password. They just sign in with their usual user account.

Unfortunately, this configuration has been broken for quite a while. Hardware attacks against a discrete TPM (sniffing the key off the bus) are widely known, but software attacks are possible as well, at least since 2022, when Rairii discovered the bitpixie bug (CVE-2023-21563).
Although this bug has been 'fixed' since November 2022 and publicly known since 2023, it can still be used today to decrypt BitLocker volumes via a downgrade attack: booting an older, still Secure Boot-signed boot manager that carries the flaw.

In this talk, we'll dive into:

- How does Secure Boot work, and what role does the TPM play?
- How can BitLocker leverage the TPM?
- How does the bitpixie exploit work? What are PXE boot and BCD?
- What are the prerequisites for running this exploit?
- How can you protect yourself against it?
- Why is it so challenging for Microsoft to fully fix this?
- How does this affect Linux secure boot?
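The protection question above has a concrete answer a Windows administrator can apply today: a TPM-only protector releases the volume master key to any boot manager Secure Boot trusts, including a downgraded one, whereas a TPM+PIN protector makes the TPM refuse to unseal until a user types the PIN. The following PowerShell script is an added example written for this page, not code from the talk or from Microsoft; it audits the OS volume for a TPM-only protector, checks the basics (Secure Boot state, PCR profile, presence of an escrowed recovery password), and, if needed, switches the machine to TPM+PIN. The registry values under `HKLM\SOFTWARE\Policies\Microsoft\FVE` are the local equivalents of the "Require additional authentication at startup" Group Policy; the PIN is chosen interactively and is hypothetical.

```powershell
# Added example (not from the talk or from Microsoft): audit BitLocker protectors on the
# OS volume and move a TPM-only configuration to TPM+PIN. Run from an elevated prompt.
#Requires -RunAsAdministrator

$osDrive = $env:SystemDrive                       # e.g. "C:"
$vol     = Get-BitLockerVolume -MountPoint $osDrive

Write-Host "Volume $osDrive : $($vol.VolumeStatus), protection $($vol.ProtectionStatus)"
$vol.KeyProtector | Format-Table KeyProtectorType, KeyProtectorId -AutoSize

# 1. Baseline: is Secure Boot on? Note that bitpixie's downgrade works *with* Secure Boot
#    enabled, so this is a sanity check, not a mitigation. (Throws on legacy BIOS systems.)
if (-not (Confirm-SecureBootUEFI)) { Write-Warning "Secure Boot is disabled" }

# 2. Which PCRs seal the VMK? The default is 7,11. Get-BitLockerVolume does not expose
#    the profile, so read it from manage-bde's text output.
$pcrLine = manage-bde -protectors -get $osDrive | Select-String 'PCR Validation Profile'
Write-Host ($pcrLine -join "`n")

# 3. Never remove the only automatic protector without a recovery path. Make sure a
#    recovery password exists (and is escrowed to AD/Entra/MBAM on a fleet) first.
if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
    Write-Warning "No recovery password protector; add one with Add-BitLockerKeyProtector -RecoveryPasswordProtector before continuing"
    return
}

# 4. A bare 'Tpm' protector means the VMK is unsealed without user input for any
#    trusted boot manager. Flag it and replace it with TPM+PIN.
$tpmOnly = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm'
if (-not $tpmOnly) {
    Write-Host "No TPM-only protector present; nothing to do."
    return
}
Write-Warning "TPM-only protector found; a downgraded bootmgr can have the VMK unsealed without a PIN."

# Add-BitLockerKeyProtector -TpmAndPinProtector fails unless policy allows a startup PIN.
# These are the local registry equivalents of "Require additional authentication at startup".
$fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
New-Item -Path $fve -Force | Out-Null
Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord   # enable the policy
Set-ItemProperty -Path $fve -Name UseTPMPIN          -Value 1 -Type DWord   # 1 = require TPM+PIN
Set-ItemProperty -Path $fve -Name UseTPM             -Value 0 -Type DWord   # 0 = do not allow TPM-only

# Hypothetical PIN entered by the operator; default policy requires at least 6 digits.
$pin = Read-Host -AsSecureString "Choose a pre-boot PIN (6+ digits)"
Add-BitLockerKeyProtector -MountPoint $osDrive -TpmAndPinProtector -Pin $pin | Out-Null

# Remove the TPM-only protector so it cannot remain as a silent fallback.
Remove-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $tpmOnly.KeyProtectorId | Out-Null

Get-BitLockerVolume -MountPoint $osDrive | Select-Object -ExpandProperty KeyProtector |
    Format-Table KeyProtectorType, KeyProtectorId -AutoSize
```

The PIN is what closes the hole: with TPM+PIN the TPM will not release the volume master key to a PXE-booted, downgraded boot manager, so there is nothing left in memory for bitpixie to recover. The two complementary hardening steps worth pairing with it are disabling network/PXE boot in firmware (and password-protecting firmware setup) and following Microsoft's guidance on revoking the old boot manager signatures, which is exactly the part the talk explains is hard to roll out without bricking existing boot media.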

Licensed to the public under http://creativecommons.org/licenses/by/4.0
