The background for this came from the recent blog post https://dolosgroup.io/blog/2021/7/9/from-stolen-laptop-to-inside-the-company-network and from the earlier https://labs.f-secure.com/blog/sniff-there-leaks-my-bitlocker-key/ post, they’re well worth a read.
- It’s a Dell E7450 with Windows 10 Professional and BitLocker full drive encryption enabled. Keys are stored in the onboard TPM 1.2 module
We have physical access to a turned off laptop in a hotel room. When I do this I first like to do a full tear down of the machine. Googling for ‘motherboard replacement’ is usually a good start and for me, up pops this video.
To open the notebook, there is a video.
https://youtu.be/jfP7EamGw98This is what we’re left with.
We need to get access to the TPM module for this attack, but we have no idea what it looks like.
To fix this we’re going to start picking chips at random and Googling the writing on top of them. You end up with diagrams that look a bit like this
Bingo! We’re found the TPM module.
A google for the data sheet turns up http://ww1.microchip.com/downloads/en/devicedoc/Atmel-8884S-TPM-AT97SC3205-Datasheet-Summary.pdf which tells us it communicates over the SPI protocol and is in a TSSOP28 chip, which is not exactly easy to connect to. As seen in the Dolos attack there might be another way though
For cost and simplicity, manufacturers often bundle several chips onto the same SPI ‘bus’. If we can find another chip that’s easy to connect to on the same bus, we can sniff the key off the wire.
What I’m doing here is ‘walking’ my multimeter over the TPM pins while connected to various different chips to see if any of them ‘beep’ to tell us there is a connection.
Unfortunately, no dice. Either that means there isn’t anything else on that SPI bus, or it might mean there is a resistor in the way.
A google for ‘e7450 schematic’ turns up this diagram though which looks promising.
Look back earlier where I labelled the chips. There are two Winbond flash modules that look like they might be the ones on the diagram, so this attack might not be dead in the water yet. Trouble is, our laptop won’t do anything when it’s in bits…
Reassembling the laptop again and we can see those little flash chips just poking out. All we had to do to access them in this case was remove the back covers, which is 8 screws.
To determine whether is an attack vector or not, we’re going to have to hook up a logic analyser. We’re using a Salae here because there is a nice extension for it that’ll pull out any bitlocker keys it sees. We just connect up and boot the laptop.
Success! With the laptop booting come booting into Windows, the analyser has sniffed all of the SPI communications and the script has found a bitlocker key hiding in there. Remember to invert the ‘enable’ line if you’re doing this yourself and capture at a good speed.
Now you’ve got a key, we need a way to decrypt the hard drive. Here, I’ve pulled the drive out but you could do it in the machine if it boots from USB. As you can see, Kali sees an encrypted drive.
As we have the BitLocker VMK key, we can now use the Dislocker toolkit in Kali to decrypt it.
But stealing data is one thing, all we have access to is what’s contained on the laptops drive. What makes this attack so insidious is that we can also plant malware on the drive to execute on next boot, giving us access to all of the CEOs data and a foot inside the organisation
With a little prior knowledge, this entire attack can be pulled off in as little as 10 mins, it’s certainly a viable attack method.