Cyber Security News

Windows 11 BitLocker Encryption Bypassed to Extract Full Volume Encryption Keys

A cybersecurity researcher has demonstrated a method to bypass BitLocker encryption on Windows 11 (version 24H2) by extracting full volume encryption keys (FVEK) from memory.

Using a custom-built tool named Memory-Dump-UEFI, the researcher was able to retrieve sensitive cryptographic keys to decrypt a BitLocker-protected partition.

BitLocker, Microsoft’s full-disk encryption system, is designed to protect data by encrypting the entire volume of a device.

It is especially crucial for safeguarding sensitive information in enterprise environments. However, its security relies heavily on preventing unauthorized access to the encryption keys.

The method used in the demonstration exploits a common weakness: the residual data stored in RAM.

When a device is abruptly restarted, its RAM contents may remain intact for a short period. By leveraging this time window, an attacker can extract sensitive data stored in memory, including encryption keys.

The demonstration highlights several advanced methods to mitigate memory degradation, including techniques like physically cooling RAM modules or maintaining power to prevent data decay.

Bypassing BitLocker: Demonstration of the Attack

The researcher carefully outlined the steps to bypass BitLocker encryption. Here’s the summarized process:

  1. Preparing a Bootable USB Tool
    A USB storage device larger than the system’s RAM was prepared using a script provided by the research tool.
  2. Restarting the Target System
    By shorting the reset pins on the motherboard, the researcher forced an abrupt restart of the system while preserving power to the RAM. This ensured minimal data degradation.
  3. Dumping Memory Data
    The system was booted using the USB device, launching the Memory-Dump-UEFI tool. This program dumped the contents of the RAM into files for further analysis.
  4. Analyzing Memory Dumps
    Using tools such as concatDumps and xxd, the researcher analyzed the memory dumps. Key cryptographic data, including FVEK, was located by identifying specific memory pool tags such as dFVE (allocated by dumpfve.sys).
Boot from the USB Device

The FVEK keys were traced to specific memory pools, with one consistent recovery location marked by the dFVE pool tag.

Key Recovery

The keys were extracted in hexadecimal format and prepped for decryption by appending metadata about the encryption algorithm, such as XTS-AES-128. Using tools like Dislocker, the researcher successfully unlocked the encrypted volume.

According to the NoInitRD, this research underscores a critical vulnerability in systems where attackers can gain physical access.

While Microsoft has incorporated measures to overwrite sensitive data, some keys persist in memory and can be extracted under the right circumstances.

  1. Enable Device Lockdown: Ensure devices are secured in tamper-proof environments to prevent unauthorized physical access.
  2. Configure BitLocker with TPM: A Trusted Platform Module (TPM) adds a layer of hardware-based security, reducing the risk of key theft.
  3. Rapid Shutdown Protocols: Emphasize complete power-off mechanisms to clear RAM.
  4. Educate Users: Organizations should train employees on best security practices, especially regarding physical device security.

This revelation serves as a reminder that even sophisticated encryption systems like BitLocker can be vulnerable under specific attack conditions. Microsoft is expected to investigate these findings and improve BitLocker’s resilience.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.

Recent Posts

NSO Group Ordered to Pay $168 Million to WhatsApp in US Spyware Verdict

A federal jury in California has ordered Israeli spyware maker NSO Group to pay approximately…

37 minutes ago

BFDOOR Malware Targets Organizations to Establish Long-Term Persistence

The BPFDoor malware has emerged as a significant threat targeting domestic and international organizations, particularly…

15 hours ago

Uncovering the Security Risks of Data Exposure in AI-Powered Tools like Snowflake’s CORTEX

As artificial intelligence continues to reshape the technological landscape, tools like Snowflake’s CORTEX Search Service…

15 hours ago

UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has…

15 hours ago

Over 2,800 Hacked Websites Targeting MacOS Users with AMOS Stealer Malware

Cybersecurity researcher has uncovered a massive malware campaign targeting MacOS users through approximately 2,800 compromised…

15 hours ago

Hackers Bypass AI Filters from Microsoft, Nvidia, and Meta Using a Simple Emoji

Cybersecurity researchers have uncovered a critical flaw in the content moderation systems of AI models…

16 hours ago