Microsoft's Bitlocker & TPM encryption combo defeated with a $10 Raspberry Pi and a bit of braininess

The point of Microsoft's Bitlocker security feature is to protect personal data stored locally on devices and particularly when those devices are lost or otherwise physically compromised. With Bitlocker, it shouldn't matter if you lose your laptop or somebody pinches your SSD. Your data still can't be accessed.

Except it can and all that's needed is a $10 Raspberry Pi and a little (OK, a lot of) ingenuity, according to YouTube channel Stacksmashing(via Hardwareluxx). How so? Well, it involves the TPM or Trusted Platform Module chip.

The TPM is a secure crypto-processor designed to carry out cryptographic operations and installed in many Windows PCs. Microsoft says Bitlocker works best when used in combination with a TPM chip. Which is ironic, because Stacksmashing's hack is only possible thanks to the TPM chip.

Long story short, Stacksmashing physically intercepts signals from the TPM chip and isolates the master encryption key. It's then relatively straightforward to pull the SSD, plug it into a Linux machine and use open source tool to fully decrypt the drive.

To make the process of physically connecting to the laptop's TPM chip simpler, Stacksmashing cooked up a bespoke Raspberry Pi Pico PCB to which spring loaded contact pins were attached in an arrangement to perfectly align with the contact pads for the TPM in the Lenovo laptop that was subject to the attack. Apparently, the total cost of the parts were less than $10.

Your next upgrade

Nvidia RTX 4070 and RTX 3080 Founders Edition graphics cards

(Image credit: Future)

Best CPU for gaming: The top chips from Intel and AMD.
Best gaming motherboard: The right boards.
Best graphics card: Your perfect pixel-pusher awaits.
Best SSD for gaming: Get into the game ahead of the rest.

In the video, it all looks incredibly simple. Just pull the back cover of the laptop off, uncover the TPM contact points, physically apply the modded Pi's pins, boot the machine and—boom!—within a few seconds you have your enrcyption keys, allowing the SSD to be fully decrypted.

You can dive into the comments below the video for a discussion of the merits of the TPM module in this context, what Microsoft perhaps should or shouldn't have done to prevent all this, whether this applies to all versions of TPM and other measures you can take to ensure your drive is secure (or largely secure) even in the event of an attack like this.

Moreover, this doesn't necessarily make Bitlocker and TPM totally pointless. And given enough effort, most security measures are vulnerable. But if you thought your data was secure courtesy of those technologies to all but the most well-resourced attacks in the event you lost your laptop, well, you might want to think again.

Jeremy Laird
Hardware writer

Jeremy has been writing about technology and PCs since the 90nm Netburst era (Google it!) and enjoys nothing more than a serious dissertation on the finer points of monitor input lag and overshoot followed by a forensic examination of advanced lithography. Or maybe he just likes machines that go “ping!” He also has a thing for tennis and cars.

Read more
Retro 1990s style beige desktop PC computer and monitor screen and keyboard. 3D illustration.
Microsoft nixes details of its Windows 11 TPM 2.0 security bypass though there are still other ways of getting the latest OS on 'unsupported' hardware
Pipboy holds up an open padlock.
A BIOS update could be all that's stopping you or someone else from jailbreaking your old AMD CPU
The Buffalo RUF3-KEV USB drive on a red-orange gradient
This USB flash drive has a built-in anti-malware system, but I still wouldn't use one I found in a parking lot
Microsoft Majorana 1 quantum processor
Microsoft's wacky Majorana 1 chip, powered by an 'entirely new state of matter', could have industrial quantum computing here 'in years, not decades'
Microsoft Windows 11
If you installed Windows 11 with certain security updates and a USB stick, you may not get any more security updates warns Microsoft
Hacker
$1.5 billion crypto heist could be the biggest yet, more than doubling the previous record, but don't worry: The affected firm says it can take the hit
Latest in Hardware
A pink GameSir Nova Lite, and a purple 8BitDo Ultimate 2C float in a teal void.
Hall effect controllers are so cheap now I’ve got a deal for you AND your player two
Peely from Fortnite with banana-fied Wolverine claws.
Fortnite comes to Snapdragon: Epic Games announces upcoming Arm support for its Easy Anti-Cheat software
Texas Instruments MSPM0C1104 tiny chip
World's smallest microcontroller looks like I could easily accidentally inhale it but packs a genuine 32-bit Arm CPU
Varjo Aero
Varjo Aero VR headsets seem to be not working on RTX 5090s, and its community is opting for strange solutions while waiting for an Nvidia driver release to fix it
A pasta "display" on a table showing the word "keep" surrounded by fruit. Obviously.
Penne for your thoughts: This pasta display can show three individual frames and it's trying its best, okay
Intel engineers inspect a lithography machine
Finally some good vibes from Intel as stock jumps 15% on new CEO hire and Arizona fab celebrates 'Eagle has landed' moment for its 18A node
Latest in News
Man facing camera
The Day Before studio reportedly sues Russian website for calling infamous disaster-game a 'scam'
Will Poulter holding a CD ROM
'What are most games about? Killing': Black Mirror Season 7 includes a follow-up to 2018 interactive film Bandersnatch
Casper Van Dien in Starship Troopers
Sony, which is making a Helldivers 2 movie, is also making a new Starship Troopers movie, but it's not based on the Starship Troopers movie we already have
Assassin's Creed meets PUBG
Ubisoft is reportedly talking to Tencent about creating a new business entity to manage Assassin's Creed and other big games
Resident Evil Village - Lady Dimitrescu
'It really truly changed my life in every possible way': Lady Dimitrescu actor says her Resident Evil Village role was just as transformative for her as it was for roughly half the internet in 2021
Storm trooper hero
Another live service shooter is getting shut down, this time before it even launched on Steam