by gtsteve 2661 days ago
Given Microsoft's response, it seems this isn't new. I'm in charge of my company's security so now I'm a bit concerned. I mandated the use of Bitlocker with TPM across the business but no pre-authentication measures.

How accessible is this attack to the common person? Note that I am concerned about curious thieves as opposed to three letter agencies. I believe I would still be correct in saying that it's still really hard for your average person to extract data from a plain-TPM encrypted Bitlocker.

Are there commercially available TPM adapters that make the attachment easier for example? It looks like their attachment technique could be refined with custom hardware.

It is troubling to see that Bitlocker+TPM is essentially just obfuscation though.

Common person? No. If you are a common EE grad student, no problem. However, could someone take it to a nefarious local PC repair shop with better than average skills and pay someone? Yes.

So there is a vast middle ground between naive miscreants on one end and three letter agencies on the other.

But if you are asking whether a casual thief who steals a company laptop out of a car cares about your data? Probably no. They will wipe the drive and sell it on Craigslist. However if someone might actually target you specifically, bitlocker+tpm is not a high hurdle. But then again nor are the weak passwords your users are using, or the phishing emails they will open, or the malware apps they will install...

All security is obfuscation really. Just moves the bar higher to deter those who don’t care or don’t value your data enough. The author hinted at some techniques you can use on boards to thwart (but not prevent) a determined hacker (still not three letter agency level). Chip cos have access to all sorts of equipment to probe and access chips themselves, so even inside the chip is not safe without specific countermeasures. Three letter agencies do chemistry at government lab facilities. That’s way beyond what most people care about.

The Bitlocker + TPM without PIN model is primarily aimed at preventing the contents of a drive from being accessed from a different system - you can send your old drive to the recycler without worrying about someone hooking it up to a different computer to scan for financial information or passwords.

For businesses that need to protect internal or customer data, the correct answer is requiring a PIN on boot, as this prevents the TPM from sending the key without receiving the PIN.

And it really shouldn't be surprising that if a computer doesn't require any user interaction before decrypting a drive, retrieving the encryption key is going to be relatively trivial if you're willing to put in some time and money.

I suppose in retrospect it shouldn't be surprising. I just thought it would be a lot harder than this. I imagined that the communication between the TPM chip and the CPU would be encrypted somehow; I should have verified that.

Does the TPM have a mechanism to lock out if the PIN is entered incorrectly? That sounds like a good move to me.

Yes. By default you get 3 or 5 chances and then you have to use the recovery key. In corporate environments the recovery key is often stored in AD or another location by default so it's retrievable by IT (whether because the user entered the wrong PIN or because they quit/were fired and you still need to be able to get data off the computer).

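The two points made above (a TPM-only protector releases the key with no user interaction, so a TPM+PIN protector is the fix; and the recovery password should be escrowed in AD so a PIN lockout does not strand the machine) can be turned into an audit script. The following is an added example written for this discussion, not code from any commenter or from Microsoft. It uses the real BitLocker PowerShell cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Backup-BitLockerKeyProtector) and assumes an elevated session on a domain-joined Windows 10/11 machine; the function names and the $Remediate switch are this example's own choices.

```powershell
<#
Added example (not from the thread): report whether a BitLocker volume unlocks
with the TPM alone (no PIN), and escrow its recovery password in AD DS.
Assumes: elevated PowerShell, BitLocker module present, domain-joined host.
#>

function Get-BitLockerPinPosture {
    [CmdletBinding()]
    param(
        # Volume to inspect; defaults to the Windows system drive
        [string]$MountPoint = $env:SystemDrive
    )
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # "Tpm" unseals the volume key with no user interaction at boot;
    # "TpmPin" / "TpmPinStartupKey" make the TPM require the PIN first.
    $hasTpmOnly  = $types -contains 'Tpm'
    $hasTpmPin   = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
    $hasRecovery = $types -contains 'RecoveryPassword'

    [pscustomobject]@{
        MountPoint              = $vol.MountPoint
        ProtectionStatus        = $vol.ProtectionStatus
        Protectors              = ($types -join ',')
        TpmOnly                 = ($hasTpmOnly -and -not $hasTpmPin)
        PinRequired             = $hasTpmPin
        RecoveryPasswordPresent = $hasRecovery
    }
}

function Backup-RecoveryPasswordToAd {
    param([string]$MountPoint = $env:SystemDrive)
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    if ($rp.Count -eq 0) {
        # No recovery password yet: create one so there is something to escrow
        $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
        $rp  = @($vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
    }
    foreach ($p in $rp) {
        # Writes the recovery password to the computer object in AD DS
        Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId
    }
}

# Usage (run elevated). With -Remediate the script adds a TPM+PIN protector;
# without it, the script only reports.
param([switch]$Remediate)

$posture = Get-BitLockerPinPosture
$posture | Format-List

if ($posture.TpmOnly) {
    Write-Warning "$($posture.MountPoint) unlocks with the TPM alone; no PIN is required at boot."
    if ($Remediate) {
        # The startup PIN is only accepted when the policy
        # "Require additional authentication at startup" allows it.
        $pin = Read-Host -AsSecureString -Prompt 'Enter the new startup PIN'
        Add-BitLockerKeyProtector -MountPoint $posture.MountPoint -TpmAndPinProtector -Pin $pin
    }
}

# Escrow the recovery password so a PIN lockout can be recovered by IT
Backup-RecoveryPasswordToAd -MountPoint $posture.MountPoint
```

Run it first without -Remediate to see which machines report TpmOnly = True; rolling out the PIN protector also requires the "Require additional authentication at startup" Group Policy setting to permit a startup PIN, otherwise Add-BitLockerKeyProtector refuses the change.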
You're probably fine. Adapters do exist which make this a bit easier, but it's still going to be at least $100 in custom hardware. A curious thief is not going to bother with this and will just wipe the disk when they notice it's encrypted.

About difficulty: Given this article, I'd expect that most serious electronics hobbyists can currently do this. It's certainly not easy, but not that hard either. It wouldn't be too hard to turn this into a tool which can be used by anyone with a screwdriver, like what happened with the iPhone [0]. But again, why would a common thief bother to do this?

[0]: http://www.iphonehacks.com/2015/03/this-tiny-box-uses-brute-...