by iLoveOncall 860 days ago
I'm not familiar at all with this kind of low-level knowledge so probably a stupid question but: does that require the device to be connected when the user types their password to actually retrieve the key, or is it an actual "crack" as in it can unlock BitLocker without key nor password ever being inputted on the device?

It only works with BitLocker which relies only on external/discrete (dTPM) key material and no configured PIN or password, so there is nothing to input. It’s just sniffing key material off of the external TPM bus after the bootloader asks for it. This is an ancient attack and not very technically interesting, but it comes up every few years because Microsoft still don’t switch to using TPM encrypted sessions.
This is for non-password BitLocker with discrete TPMs that aren't configured to encrypt their exchange.

There's a mode of BitLocker where it boots into a basic boot environment, asks the TPM for the key, the TPM validates the environment, and then gives the decryption key. For some discrete TPMs, this last step of the TPM giving the key to the boot environment is done in the clear and can be sniffed.
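The exposed configuration the replies describe is a TPM-only protector with no PIN: the TPM releases the volume key to the boot environment with nothing typed. As an added defensive example (not from the thread or from Microsoft), the PowerShell below audits operating-system volumes for that exact protector layout, reads the BitLocker policy registry values that govern whether a startup PIN is required, and wraps the documented remediation of adding a TPM+PIN protector. It uses the stock BitLocker module cmdlets (`Get-BitLockerVolume`, `Add-BitLockerKeyProtector`) and the `HKLM:\SOFTWARE\Policies\Microsoft\FVE` policy key; the function names and the `TpmOnlyUnlock` field are my own. It does not detect whether the TPM is discrete or firmware, nor whether the TPM bus traffic is parameter-encrypted; it only flags the protector configuration.

```powershell
#Requires -RunAsAdministrator
# Added audit example: flag OS volumes whose only pre-boot protector is a bare
# TPM, i.e. the configuration the comments above describe as sniffable.
# Requires the BitLocker PowerShell module (built into Windows) and admin rights.

function Get-TpmOnlyBitLockerVolumes {
    [CmdletBinding()]
    param()

    # Protector types that need the user (or a USB startup key) before the TPM
    # will unseal the volume master key; a bare 'Tpm' protector needs nothing.
    $interactive = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password')

    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
            $hasTpmOnly     = $types -contains 'Tpm'
            $hasInteractive = @($types | Where-Object { $interactive -contains $_ }).Count -gt 0
            [pscustomobject]@{
                MountPoint       = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus
                Protectors       = ($types -join ', ')
                # Risk flag (own naming): protection is on and the TPM alone
                # releases the key at boot with no PIN or startup key.
                TpmOnlyUnlock    = ($_.ProtectionStatus -eq 'On' -and $hasTpmOnly -and -not $hasInteractive)
            }
        }
}

# Policy check: "Require additional authentication at startup" lands in this
# key when set by GPO or Intune. UseTPMPIN: 0 = do not allow, 1 = require,
# 2 = allow a startup PIN with the TPM. Absent values mean the policy is unset.
function Get-BitLockerPinPolicy {
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseAdvancedStartup = $p.UseAdvancedStartup   # 1 = policy enabled
        UseTPMPIN          = $p.UseTPMPIN
    }
}

# Remediation: add a TPM+PIN protector so the TPM will not unseal the key until
# a PIN is entered in the pre-boot environment. Policy must allow a TPM PIN
# (UseAdvancedStartup=1 with UseTPMPIN 1 or 2) or the cmdlet refuses.
# The PIN is read as a SecureString and never echoed or logged.
function Add-TpmPinProtector {
    param([Parameter(Mandatory)][string]$MountPoint)
    $pin = Read-Host -Prompt 'Startup PIN' -AsSecureString
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin
}

# Usage: audit first, then remediate any volume reported with TpmOnlyUnlock = True,
# e.g. Add-TpmPinProtector -MountPoint 'C:'
Get-TpmOnlyBitLockerVolumes | Format-Table -AutoSize
Get-BitLockerPinPolicy
```

Treat `TpmOnlyUnlock = True` on a machine with a discrete TPM as the condition the thread is about; a firmware TPM is not reachable over an external bus, but the audit cannot tell the two apart, so confirm the TPM type separately before deciding the exposure.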