I’ve been doing a bit of work recently, attacking laptops that are protected by Microsoft Bitlocker drive encryption.
Join me on a journey where we break into this CEO’s laptop to steal company secrets and plant malware.
Join me on a journey where we break into this CEO’s laptop to steal company secrets and plant malware.
The background for this came from the recent blog post dolosgroup.io/blog/2021/7/9/… and from the earlier labs.f-secure.com/blog/sniff-the… post, they’re well worth a read.
This is your threat scenario.
Your CEO has gone to a high risk country for a well publicised business trip. They’ve been targeted by a criminal gang that wants to steal the laptop data and implant malware but without raising any suspicions.
Your CEO has gone to a high risk country for a well publicised business trip. They’ve been targeted by a criminal gang that wants to steal the laptop data and implant malware but without raising any suspicions.
The gang has bribed a hotel employee to let them into the room one night while the CEO has gone out for drinks. They have only a few hours to pull off this attack, which is plenty of time.
If you’re playing along at home, this is how the laptop is set up.
It’s a Dell E7450 with Windows 10 Professional and BitLocker full drive encryption enabled. Keys are stored in the onboard TPM 1.2 module
It’s a Dell E7450 with Windows 10 Professional and BitLocker full drive encryption enabled. Keys are stored in the onboard TPM 1.2 module
Back to our attack.
We have physical access to a turned off laptop in a hotel room. When I do this I first like to do a full tear down of the machine. Googling for ‘motherboard replacement’ is usually a good start and for me, up pops this video.
We have physical access to a turned off laptop in a hotel room. When I do this I first like to do a full tear down of the machine. Googling for ‘motherboard replacement’ is usually a good start and for me, up pops this video.
This is what we’re left with.
We need to get access to the TPM module for this attack, but we have no idea what it looks like!
To fix this we’re going to start picking chips at random and Googling the writing on top of them. You end up with diagrams that look a bit like this
To fix this we’re going to start picking chips at random and Googling the writing on top of them. You end up with diagrams that look a bit like this
Bingo! We’re found the TPM module.
A google for the data sheet turns up ww1.microchip.com/downloads/en/d… which tells us it communicates over the SPI protocol and is in a TSSOP28 chip, which is not exactly easy to connect to. As seen in the Dolos attack there might be another way though
A google for the data sheet turns up ww1.microchip.com/downloads/en/d… which tells us it communicates over the SPI protocol and is in a TSSOP28 chip, which is not exactly easy to connect to. As seen in the Dolos attack there might be another way though
For cost and simplicity, manufacturers often bundle several chips onto the same SPI ‘bus’. If we can find another chip that’s easy to connect to on the same bus, we can sniff the key off the wire.
What I’m doing here is ‘walking’ my multimeter over the TPM pins while connected to various different chips to see if any of them ‘beep’ to tell us there is a connection.
Unfortunately, no dice. Either that means there isn’t anything else on that SPI bus, or, as @Iskuri1 pointed out to me a while ago, it might mean there is a resistor in the way.
A google for ‘e7450 schematic’ turns up this diagram though which looks promising.
A google for ‘e7450 schematic’ turns up this diagram though which looks promising.
Look back earlier where I labelled the chips. There are two Winbond flash modules that look like they might be the ones on the diagram, so this attack might not be dead in the water yet. Trouble is, our laptop won’t do anything when it’s in bits…
Reassembling the laptop again and we can see those little flash chips just poking out. All we had to do to access them in this case was remove the back covers, which is 8 screws.
To determine whether is an attack vector or not, we’re going to have to hook up a logic analyser. We’re using a Salae here because there is a nice extension for it that’ll pull out any bitlocker keys it sees. We just connect up and boot the laptop.
Success! With the laptop booting come booting into Windows, the analyser has sniffed all of the SPI communications and the script has found a bitlocker key hiding in there. Remember to invert the ‘enable’ line if you’re doing this yourself and capture at a good speed.
Now you’ve got a key, we need a way to decrypt the hard drive. Here, I’ve pulled the drive out but you could do it in the machine if it boots from USB. As you can see, Kali sees an encrypted drive.
As we have the BitLocker VMK key, we can now use the Dislocker toolkit in Kali to decrypt it.
But stealing data is one thing, all we have access to is what’s contained on the laptops drive. What makes this attack so insidious is that we can also plant malware on the drive to execute on next boot, giving us access to all of the CEOs data and a foot inside the organisation
With a little prior knowledge, this entire attack can be pulled off in as little as 10 mins, it’s certainly a viable attack method.
• • •
Missing some Tweet in this thread? You can try to
force a refresh
