Dumping Memory to Bypass BitLocker on Windows 11
BitLocker configuration & real-world behavior
- Several commenters suspect many “bypasses” are actually cases where BitLocker was not enabled or was misconfigured.
- Default setups often use TPM-only “transparent” unlock; stronger options add a PIN/password at boot.
- Secure Boot and TPM measurements (PCRs) can force BitLocker recovery if firmware or boot order truly changes, but behavior differs between TPM 1.2 and 2.0 and between platforms.
Nature of the demonstrated attack
- The attack is a warm reboot into a custom UEFI binary that dumps RAM and searches for BitLocker volume keys (FVEKs) that Windows left in memory.
- It does not rely on classic cold-boot decay; DDR4/DDR5 type is largely irrelevant in this scenario.
- Discussion notes that TCG’s “Reset Attack Mitigation” (MOR bit) should cause firmware to wipe RAM after an unclean reset, so the attack implies broken or incomplete platform/OS handling.
Limitations, scope, and threat model
- Requires physical access and a machine that auto-unlocks BitLocker without user input.
- Typically needs one precisely timed reset while Windows is booting but before the login screen.
- Some argue it’s “narrow” or “theoretical”; others counter that most real-world laptops use TPM-only auto-unlock, making it practically relevant.
- Consensus that BitLocker’s main value is protecting data on lost/stolen drives from simple offline access, not from sophisticated physical attacks on a powered-on system.
TPM, Secure Boot, and MOR discussion
- TPM bus traffic is not encrypted by BitLocker; sniffing attacks and logic analyzers remain possible.
- Debate over TPM’s trustworthiness and possible backdoors vs its role as a practical, smartcard-like key store.
- Conflicting views on how persistently TPM state reflects boot changes and when BitLocker demands recovery.
Mitigations and alternatives
- Stronger setup: BitLocker with TPM+PIN, or password-only, prevents this warm-boot attack on a powered-off device.
- Additional hardening: BIOS/UEFI password, locked boot order, disabling USB boot, custom Secure Boot keys.
- Modern CPU features like AMD SME and Intel TME(-MK) encrypt RAM contents and would block such RAM-dump attacks, but are usually disabled and mainly targeted at servers.
- Self-encrypting drives (OPAL/eDrive) are discussed; Microsoft de-emphasized them after serious firmware flaws, though some still use them for performance.
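A defender-side check for the TPM-only configuration the thread keeps returning to, written here as an added example (not code from the discussion): it lists each OS volume's key protectors, flags the auto-unlock case, and can move a volume to TPM+PIN, the first mitigation listed above. It assumes Windows 10/11 with the BitLocker PowerShell module in an elevated shell; the FVE registry values are the standard ones behind the "Require additional authentication at startup" policy.

```powershell
# Added example, not code from the discussion. Audits BitLocker OS volumes for
# TPM-only (auto-unlock) protectors and, on request, moves a volume to TPM+PIN.
# Assumes Windows 10/11 with the BitLocker module, run from an elevated shell.

$AutoUnlockTypes = @('Tpm', 'TpmStartupKey')                  # unlock with no user input
$UserInputTypes  = @('TpmPin', 'TpmPinStartupKey', 'Password') # require something at boot

function Get-BitLockerStartupAudit {
    # One row per OS volume: protector types present and whether it auto-unlocks.
    foreach ($vol in Get-BitLockerVolume | Where-Object VolumeType -eq 'OperatingSystem') {
        $types    = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $needsPin = @($types | Where-Object { $_ -in $UserInputTypes }).Count -gt 0
        $autoOnly = (-not $needsPin) -and (@($types | Where-Object { $_ -in $AutoUnlockTypes }).Count -gt 0)
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus   # 'Off' means the volume is exposed regardless
            Protectors       = ($types -join ', ')
            Finding          = if ($autoOnly) { 'TPM-only auto-unlock: FVEK is loaded into RAM with no user input' }
                               elseif ($types.Count -eq 0) { 'No key protectors configured' }
                               else { 'OK: pre-boot authentication present' }
        }
    }
}

function Enable-TpmPinProtector {
    param([Parameter(Mandatory)][string]$MountPoint,
          [Parameter(Mandatory)][securestring]$Pin)
    # Policy must allow a startup PIN, otherwise Add-BitLockerKeyProtector refuses to create one.
    # Values: 0 = do not allow, 1 = require, 2 = allow.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $fve)) { New-Item -Path $fve -Force | Out-Null }
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Type DWord -Value 1
    Set-ItemProperty -Path $fve -Name UseTPM             -Type DWord -Value 2
    Set-ItemProperty -Path $fve -Name UseTPMPIN          -Type DWord -Value 1

    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    # A volume keeps a single TPM-based protector; remove a bare TPM one if it is still listed,
    # only after the TPM+PIN protector exists so the volume never lacks a boot protector.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object { Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null }
    Get-BitLockerStartupAudit | Where-Object MountPoint -eq $MountPoint
}

Get-BitLockerStartupAudit | Format-Table -AutoSize
# To remediate a flagged volume:
# Enable-TpmPinProtector -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New startup PIN')
```

Keep the recovery password backed up before changing protectors; a wrong PIN policy or a TPM measurement change after the switch lands the machine in recovery.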