by georgyo 1208 days ago
Bypassing Secure Boot is pretty bad, but the article doesn't mention anything about the TPM. Even if you trick UEFI into executing this exploit, surely the TPM will have different measurements and not release the encryption key.

The article says it can run on Windows 11, which does imply it also tricks the TPM, but I would love confirmation.


From the official analysis [0]:

> The next feature deactivated by the installer is BitLocker Drive Encryption. The reason for this is that BitLocker can be used in a combination with Trusted Platform Module (TPM) to ensure that various boot files and configurations, including Secure Boot, haven’t been tampered with since BitLocker drive encryption was configured on the system. Considering that the installer modifies the Windows boot chain on a compromised machine, keeping BitLocker on for systems with TPM support would lead to a BitLocker recovery screen at the next bootup and would tip the victim off that the system had been compromised.

[0]: https://www.welivesecurity.com/2023/03/01/blacklotus-uefi-bo...

Disable-Bitlocker should do the trick: https://learn.microsoft.com/en-us/powershell/module/bitlocke...

Obviously requires admin permissions on a running host, but if you're injecting into the bootloader you're already admin (or you can get it easily).

So don't things like Windows Defender offline scans and other offline scans, where the HD BitLocker code is typed in manually, detect the rootkit?

Half the problem I find with these security products is knowing what their actual abilities and inabilities are. I've assumed wrongly in the past that some security products are doing things when in fact they are not, and that's obviously an area for exploitation.

BitLocker? If you're Admin in Windows you can just decrypt your drive.

It doesn't trick the TPM, but as mentioned in the other comment, it does disable BitLocker before compromising the boot chain so that won't be obvious from an end-user perspective. Remote attestation would still demonstrate that the boot chain had changed, and something like https://www.osfc.io/2022/talks/user-friendly-lightweight-tpm... would let you use your phone to determine that before logging in.
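The mechanism the comments above are arguing about, as an added toy model (not code from the thread or from the ESET analysis): a PCR is extended with each measured boot component, a key is sealed to the resulting PCR value, and a modified boot chain produces a different PCR so the key cannot be unsealed (the "recovery screen" case). Switching BitLocker off first skips the sealed key entirely, which is why nothing trips. The component labels, the volume key and the XOR-based sealing are constructed stand-ins for a real TPM policy session.

```python
import hashlib

PCR_INIT = bytes(32)  # a PCR is all zeros at power-on

def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM extend: new_pcr = SHA-256(old_pcr || SHA-256(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def measure_boot_chain(components) -> bytes:
    """Extend one PCR with every boot component, in boot order."""
    pcr = PCR_INIT
    for c in components:
        pcr = pcr_extend(pcr, c)
    return pcr

def seal(secret: bytes, expected_pcr: bytes) -> dict:
    """Toy seal-to-PCR: keystream derived from the expected PCR, plus a tag
    so a wrong PCR is detected rather than yielding garbage."""
    assert len(secret) == 32
    ks = hashlib.sha256(b"seal|" + expected_pcr).digest()
    return {"blob": bytes(a ^ b for a, b in zip(secret, ks)),
            "tag": hashlib.sha256(b"tag|" + secret).digest()}

def unseal(sealed: dict, current_pcr: bytes):
    """Returns the secret if current_pcr matches the sealing PCR, else None."""
    ks = hashlib.sha256(b"seal|" + current_pcr).digest()
    candidate = bytes(a ^ b for a, b in zip(sealed["blob"], ks))
    if hashlib.sha256(b"tag|" + candidate).digest() != sealed["tag"]:
        return None  # measurements differ: TPM refuses, BitLocker asks for recovery key
    return candidate

def boot_outcome(chain, sealed: dict, bitlocker_on: bool = True) -> str:
    if not bitlocker_on:
        return "no-encryption"  # protector removed, so no PCR check ever happens
    return "unlocked" if unseal(sealed, measure_boot_chain(chain)) else "recovery"

# Constructed stand-ins for measured components (labels, not real firmware images)
GOOD_CHAIN = [b"secure-boot:enabled", b"bootmgfw.efi:vendor-signed", b"winload.efi:vendor-signed"]
TAMPERED_CHAIN = [b"secure-boot:enabled", b"bootmgfw.efi:replaced-by-bootkit", b"winload.efi:vendor-signed"]
VMK = hashlib.sha256(b"constructed volume master key").digest()  # constructed, not real

if __name__ == "__main__":
    sealed = seal(VMK, measure_boot_chain(GOOD_CHAIN))
    print(boot_outcome(GOOD_CHAIN, sealed))                        # unlocked
    print(boot_outcome(TAMPERED_CHAIN, sealed))                    # recovery
    print(boot_outcome(TAMPERED_CHAIN, sealed, bitlocker_on=False))  # no-encryption
```

The same PCR divergence is what remote attestation reports: a quote over the tampered chain's PCR value will not match the known-good value even though the local user sees nothing.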