|
|
|
|
|
|
by ranger_danger
32 days ago
|
|
|
> you can just get an LPE to access the running Windows environment after it boots Or if you have physical access, you can probe the TPM chip with a SPI decoder to get the key directly: https://post-cyberlabs.github.io/Offensive-security-publicat... Another method is via PXE (still not patched on most systems apparently): https://github.com/andigandhi/bitpixie > TPM+PIN should actually mean the TPM itself cannot release the keys It does release the (wrapped) key actually (the above cyberlabs link explains it), it's just that the KP data this time has additional layers of encryption that are based on the PIN, which is decrypted in software after the fact. This means you can crack it offline. With the default minimum of 6 digits you can probably bruteforce it within a day. If you're paranoid I might suggest switching to a full password-based pre-boot auth option instead of the PIN. |
|
|
> BitLocker hashes the user-specified personal identification number (PIN) by using SHA-256, and the first 160 bits of the hash are used as authorization data sent to the TPM to seal the volume master key.
So what's actually happening is that the PIN is used to derive an authValue passed to the TPM, which compares it to the expected value, and can trigger lockout on too many mismatches.
I can't find specifics to how Windows configures the TPM wrt. lockout, but the mechanism described in the article appeared fishy to me, and contradicts official docs. It also would not make sense that TPM+PIN was known to be safe against bus sniffing attacks if it would still reveal all data required to brute-force the PIN.
[1] https://learn.microsoft.com/en-us/windows/security/operating...