Bitlocker hacked?!
The good, the bad, the ugly
Recently a YouTube video was released under the title "Breaking Bitlocker - Bypassing the Windows Disk Encryption (youtube.com)".
There are a couple of fundamental issues I would like to comment on, to document what is really going on and to call on other experts to chime in.
First off the title:
It is NOT Bitlocker that got broken, but anything that relies on the trusted communication between the CPU and the TPM. So the title should actually read: "Breaking the security of discrete, external TPMs." Obviously that would not generate as many clicks, so it is more efficient to claim that Bitlocker (per se) has been proven insecure, which in the end it has not.
Second:
Following on from the above: Microsoft already communicated during the launch of Windows 11 22H2 that hardware can be compromised. The communication between a CPU and an external TPM may be sniffed if people are careless with their PC and do not upgrade software and hardware at meaningful intervals.
It was only a matter of time until someone found an inexpensive way to do so. It is a surprise to me that it took a year, though.
Third:
The exposed design flaw is NOT in Bitlocker (as I already pointed out above) but in what I would refer to as an old PC design: a PC design in which security is compromised in favour of profitability, a design in which the TPM is a discrete chip outside the CPU. Obviously that means that any communication between the two can be sniffed, any key can be derived, and any solution that puts its trust in the TPM can be exploited.
Microsoft and its hardware partners have long pointed out that a better implementation is to keep the TPM inside the core CPU die or, even better, to put it in the CPU itself. At Microsoft we have created the concept of a TPM that runs as software (Microsoft Pluton security processor - Windows Security | Microsoft Learn).
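As an added example (not part of the original post and not Microsoft code), here is a PowerShell inventory script a defender can run on a Windows 10/11 machine to see whether it has the exposed combination described above: a Bitlocker volume whose only key protector is the TPM, on a discrete TPM chip. It uses the built-in Get-Tpm and Get-BitLockerVolume cmdlets; the list of manufacturer IDs treated as firmware TPMs is an assumption used as a heuristic, not an authoritative mapping.

```powershell
# Added example: inventory Bitlocker volumes that depend solely on the CPU-to-TPM
# channel, and report what kind of TPM the machine has.
# Run in an elevated PowerShell session (both cmdlets require administrator rights).

# Assumption / heuristic: manufacturer IDs reported by firmware TPMs that live inside
# the CPU package, as opposed to discrete TPM chips soldered onto the mainboard.
$FirmwareTpmVendors = @('INTC', 'AMD')

function Get-TpmExposure {
    $tpm    = Get-Tpm
    $vendor = ([string]$tpm.ManufacturerIdTxt).Trim()
    [pscustomobject]@{
        TpmPresent        = $tpm.TpmPresent
        TpmReady          = $tpm.TpmReady
        ManufacturerId    = $vendor
        LikelyFirmwareTpm = ($FirmwareTpmVendors -contains $vendor)
    }
}

function Get-BitLockerProtectorExposure {
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        # A plain 'Tpm' protector releases the volume key on TPM measurements alone,
        # so everything rides on the CPU-TPM communication. Protectors that combine
        # the TPM with a second factor (PIN and/or startup key) do not.
        $multiFactor = @($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
        $tpmOnly = ($types -contains 'Tpm') -and ($multiFactor.Count -eq 0)
        [pscustomobject]@{
            MountPoint       = $_.MountPoint
            ProtectionStatus = $_.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnlyProtector = $tpmOnly
        }
    }
}

$tpmInfo = Get-TpmExposure
$tpmInfo | Format-List

$volumes = Get-BitLockerProtectorExposure
$volumes | Format-Table -AutoSize

# Flag the combination the video demonstrates: TPM-only protector on a discrete TPM.
$exposed = @($volumes | Where-Object { $_.TpmOnlyProtector -and -not $tpmInfo.LikelyFirmwareTpm })
if ($exposed.Count -gt 0) {
    Write-Warning ("Volumes relying on TPM-only protection with a discrete TPM: " + ($exposed.MountPoint -join ', '))
} else {
    Write-Host "No TPM-only protected volumes on a discrete TPM were found."
}
```

The output is an inventory, not a verdict: a machine flagged here is the case the post describes (trust placed entirely in an external TPM), and the remedies the post points to are hardware with an in-CPU TPM (Pluton or a firmware TPM) and Personal Data Encryption on top of Bitlocker.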
People who complain about security being weak and at the same time complain about the Windows 11 requirement for a TPM 2.0 are not doing customers or our industry a favour.
Fourth:
In the aforementioned announcement of Windows 11 22H2 Microsoft also released Personal Data Encryption. PDE keeps users' data safe even if Bitlocker has been compromised. Read about PDE: Personal Data Encryption (PDE) - Windows Security | Microsoft Learn
Fifth: The wrong mole to whack.
Instead of taking a hammer to the security concepts, people should go after those who remain on a "never change a running system" philosophy rather than adopting a "manage the change" paradigm. Keeping old devices, old operating systems and old applications is the biggest threat to IT security (next to careless, uneducated users with high system privileges). People delaying an upgrade to Windows 11 and raising concerns about high device acquisition costs should consider a change of mind and choose a device-as-a-service strategy so that innovations can be adopted swiftly.
My last point: the social media bubble
People who refer to the video above without providing context do not show a carefully crafted growth mindset. Putting things in context and starting a meaningful discussion on how things could be better would suit everybody a great deal.
If you have enough time to repost the YouTube video, think again about HOW you do it. Do you provide a state-of-the-art solution, or do you just want to impress someone with less knowledge of the true issue underneath?
Dominique (Dom) Côté ... feel free to add your 2 cents
Entra ID | M365 | PowerShell | Only Stephen King makes horror out of IT
1 year · I find it odd to complain about spin and messaging on social media and then ignore the most important points of the video. In my view it does not attack BitLocker directly; the most important message was that with Bitlocker you cannot rely on the TPM if you have an old notebook or are not entirely sure that all systems have a CPU-integrated TPM. Obviously many were not aware that BitLocker can be bypassed (through their own fault or not); accordingly I think it is good that there has now been a wake-up call to increase security. As has already been correctly described, these days headlines are sensational out of necessity, because otherwise nobody finds the corresponding content. But anyone who draws conclusions purely from the headline has, in my opinion, only themselves to blame; whatever the topic in life, one has to pay attention to the content and not just the appearance!
AI with and without Copilot, Microsoft 365 and automation
1 year · Thank you! One really has to reconsider how shared information comes across to other people.
Sven T. Eidenhardt what is your opinion? As a LinkedIn Top Voice it would be welcome here...
SoloPro: Business Class IT at an Economy price - especially for founders and SMEs. #MSFTFanBoi
1 year · Thank you for the context.