this post was submitted on 11 Feb 2024
385 points (93.5% liked)

Technology

58303 readers
12 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

Microsoft's Bitlocker & TPM encryption combo defeated with a $10 Raspberry Pi::The point of Microsoft's Bitlocker security feature is to protect personal data stored locally on devices and particularly when those devices are lost or otherwise physically compromised. With Bi

top 50 comments
sorted by: hot top controversial new old
[–] [email protected] 166 points 9 months ago (2 children)

It should be noted that this attack was demonstrated on a nearly 10 year old laptop that has the TPM traces exposed on the motherboard.

Most TPMs nowadays are built into the CPU which does not leave them vulnerable to this type of attack.

[–] [email protected] 104 points 9 months ago (1 children)

Too late, Canada's banned Raspberry Pi's already. :(

[–] [email protected] 64 points 9 months ago (1 children)

I don't get the downvoting. This is solid commentary on the Flipper Zero idiocy.

[–] [email protected] 22 points 9 months ago

Prolly from people who don’t yet know about the Flipper Canada bullshit hahaha

[–] [email protected] 28 points 9 months ago* (last edited 9 months ago) (1 children)

Its definitely sort or misleading but MS needs to really have its feet held to the fire when it comes to these things. It sort of pushes the narrative in the correct direction which is towards privacy AND security, not a half-ass balance where one or the other or both is compromised or is an illusion altogether

The Outlook stuff has demonstrated how fundamentally irresponsible and unserious they are about their obligation to secure and regulate their own systems, they need all the bad press they can get so they are compelled to do betwr

[–] [email protected] 18 points 9 months ago* (last edited 9 months ago) (1 children)

Because MS designed Lenovo motherboard for them and told them where to put the tpm debug pins? I think you're casting blame at the wrong vendor here.

Doesn't matter how good the software is if the hardware vendor fucks up like that.

load more comments (1 replies)
[–] [email protected] 91 points 9 months ago (3 children)

Fake news. Nobody is getting a raspberry pi for $10 lol

[–] [email protected] 35 points 9 months ago (1 children)

I get your joke, but it's even cheaper than a "Raspberry Pi". Pi Pico, one RP2040 chip, that's basically RPi's new version of a Teensy. I just installed one in my GameCube to defeat its "BIOS" and boot from micro SD card :P

[–] [email protected] 17 points 9 months ago

I just installed one in my GameCube to defeat its "BIOS" and boot from micro SD card :P

Coolest thing I heard all day. Didn't know that was a thing.

[–] [email protected] 4 points 9 months ago

With shipping it's more than ten but on it's own it's 6,10 for the H model

[–] [email protected] 34 points 9 months ago (1 children)

Yet another example of "hardware access is root access"

[–] [email protected] 4 points 9 months ago (1 children)

As it should be really so you can repair things.

load more comments (1 replies)
[–] [email protected] 32 points 9 months ago (1 children)

$10.. not really in video. He had a custom PCB made so the pogo pins were on the board, all in one.

Honestly, pretty awesome. Although as noted, this is for older boards without TPM integration in CPU.

It can also be done with a logic analyzer.

[–] [email protected] 10 points 9 months ago (1 children)

The pi is $10. The rest is much more.

[–] [email protected] 5 points 9 months ago (1 children)

That is a PI Nano. They gave them away for free at a trade fair. I've got a bag of them laying around for my next project.

[–] [email protected] 9 points 9 months ago (1 children)

Pi Pico. With a RP2040 MCU. Which retails for [$9.91 on Amazon](Seeed Studio Raspberry Pi Pico Flexible Microcontroller Board Based on The Raspberry Pi RP2040 Dual-core ARM Cortex M0+ Processor for Gamecube, 1pc. https://a.co/d/0A0hAXX).

I’m sure they were giving away at some events because we’re trying to popularize the new chip to get more devs to jump on board. I use a RP2040 on my current project and it’s a great chip.

[–] [email protected] 2 points 9 months ago (2 children)

What does that have to do with the GameCube?

[–] [email protected] 4 points 9 months ago* (last edited 9 months ago)

I’m not quite sure what you’re asking but I believe you are talking about PicoBoot, which is a way to hack your GameCube using a Raspberry Pi Pico RP2040.

https://hackaday.com/2022/07/05/raspberry-pi-pico-modchip-unlocks-the-gamecube/

And

https://github.com/webhdx/PicoBoot

Edit: I just realized the Amazon sale says GameCube. Makes sense now.

[–] [email protected] 2 points 9 months ago

Just your standard Amazon SEO product name.

[–] [email protected] 25 points 9 months ago (2 children)

Pis are 10$ again? That's the real story.

[–] [email protected] 19 points 9 months ago* (last edited 9 months ago)

It's a Pi Pico (RP2040), which is an MCU, not CPU. Similar to an Arduino UNO (ATmega328p).

load more comments (1 replies)
[–] [email protected] 16 points 9 months ago (2 children)

With hardware access, yes. Not remotely.

[–] [email protected] 24 points 9 months ago (1 children)

Isn't the whole point of BitLocker protection from direct access? When a computer is turned off, encryption should keep the data safe. Also when a computer is turned off, basically no remote vector is going to work. AFAIK, when the computer is on, the drive is mounted and BitLocker provides no additional protection over an unencrypted drive.

[–] [email protected] 6 points 9 months ago (1 children)

Yes, you're correct. It's just that if somebody is got full access to your hardware, with no time limits and can just poke around your pcb, BitLocker is the least of your concerns. It should still not be flawed - but at that point, even Samsung's Knox, Qualcomm's memory protection and Apple's Secure Enclave have failed in the past, allowing the tinkerer to extract decryption keys.

It's more realistic to expect BitLocker to protect your external hard drive in case I grab it and run away, rather than expecting your computer to be bullet proof in case I aprehend the entire device.

But again, I do agree, this is a vulnerability and it's an issue, though limited to people using an actual TPM module rather than the built in one in the CPU.

[–] [email protected] 2 points 9 months ago (1 children)

Veracrypt drive encryption does not have the same problem, it would be secure even with physical access

[–] [email protected] 2 points 9 months ago (4 children)

I don't think a Veracrypt setup could use a hardware pairing for the decryption key, and also boot from an encrypted drive, though.

load more comments (4 replies)
[–] [email protected] 11 points 9 months ago

Correct. However, if you have a way to run a PowerShell command as an administrator, you can run a single cmdlet to get access to the bitlocker recovery key.

[–] [email protected] 16 points 9 months ago* (last edited 9 months ago)

The concept and implementation of TPM use has been a joke since inception.

veracrypt or luks; bitlocker is a total joke.

[–] [email protected] 12 points 9 months ago

Unsurprised. Physical security seems to be a lot tougher for the industry to “nail”

Just look at this UEFI boot fail vuln/exploit. Crazy.

[–] [email protected] 9 points 9 months ago

Yet we still can't crack Denuvo...

[–] [email protected] 3 points 9 months ago (1 children)

Hey - hey member that time when Truecrypt was like, “Peace, we out. Use bitlocker. lol”

When’s the new Truecrypt coming out? Yeah yeah Veracrypt, I know. It’s cool, its just not. I dunno.

[–] [email protected] 8 points 9 months ago (1 children)
load more comments (1 replies)
load more comments
view more: next ›