Microsoft's BitLocker encryption technology is one of the more accessible encryption solutions, allowing users to securely encrypt and protect data from threats. However, BitLocker doesn't seem to be as secure as people think. Earlier this week, YouTube user stacksmashing posted a video showing how he intercepted BitLocker data and stole encryption keys, thereby decrypting the data stored on the system. Not only that, but he did it in 43 seconds using a Raspberry Pi Pico that probably costs less than $10.

To carry out the attack, he leveraged the Trusted Platform Module (TPM). In most computers and laptops, the TPM is external and uses the LPC bus to send and receive data from the CPU. Microsoft's BitLocker relies on the TPM to store critical data such as platform configuration registers and volume master keys.

During testing, stacksmashing discovered that the TPM and the CPU talk to each other over the LPC bus's communication lines. These lines are not encrypted at startup, so critical data crossing them can be captured. Stacksmashing connected a Raspberry Pi Pico to metal pins on an unused connector to capture encryption keys on boot. The Raspberry Pi was set up to capture the TPM's binary 0s and 1s at system boot so he could piece together the volume master key. Once that was done, he removed the encrypted drive and decrypted it using an unlocker with the volume master key.

Microsoft notes that these attacks are possible, but says it would require sophisticated tools and prolonged physical access to the device. However, as the video shows, someone ready to carry out the attack can complete it in under a minute.

However, there are some caveats to keep in mind. This attack only works on external TPM modules, where the CPU needs to get data from the module on the motherboard. Many new laptop and desktop CPUs are now equipped with fTPM, where critical data is stored and managed inside the CPU itself. Microsoft recommends setting up a BitLocker PIN to block these attacks, but doing so is not easy, as a group policy needs to be set to configure the PIN.
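
To check whether a machine depends on the TPM alone, and whether the group policy needed for the PIN mitigation above is in place, the following PowerShell audit can be used. It is an added example, not part of the original article or of Microsoft's guidance; the function names are hypothetical, and it assumes an elevated session on a Windows system with the BitLocker module available.

```powershell
#Requires -RunAsAdministrator
# Added example: audit BitLocker volumes for TPM-only unlock and check the
# startup-PIN policy. Function names are hypothetical.

function Get-TpmOnlyVolume {
    # A bare 'Tpm' protector means the key is released at boot with no user
    # input, which is the configuration the bus-sniffing attack relies on.
    Get-BitLockerVolume | ForEach-Object {
        $types = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        [pscustomobject]@{
            MountPoint = $_.MountPoint
            VolumeType = $_.VolumeType
            Protection = $_.ProtectionStatus
            Protectors = $types -join ','
            TpmOnly    = ($types -contains 'Tpm') -and
                         -not (($types -contains 'TpmPin') -or
                               ($types -contains 'TpmPinStartupKey'))
        }
    }
}

function Get-StartupPinPolicy {
    # Registry view of the "Require additional authentication at startup"
    # policy. UseTPMPIN: 0 = do not allow, 1 = require, 2 = allow.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseAdvancedStartup = $p.UseAdvancedStartup
        UseTPMPIN          = $p.UseTPMPIN
        PinPermitted       = ($p.UseAdvancedStartup -eq 1) -and ($p.UseTPMPIN -in 1, 2)
    }
}

$policy  = Get-StartupPinPolicy
$exposed = @(Get-TpmOnlyVolume | Where-Object { $_.TpmOnly })

$policy  | Format-List
$exposed | Format-Table MountPoint, VolumeType, Protection, Protectors

if ($exposed.Count -gt 0 -and -not $policy.PinPermitted) {
    Write-Warning 'TPM-only volumes found and policy does not permit a startup PIN.'
}

# Once policy permits it, a PIN protector can be added to the OS volume:
#   $pin = Read-Host -AsSecureString 'New BitLocker startup PIN'
#   Add-BitLockerKeyProtector -MountPoint $env:SystemDrive -TpmAndPinProtector -Pin $pin
```

Keep a recovery password protector on the volume and back it up before changing protectors, since a forgotten PIN otherwise locks the drive.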