SySS Research Releases iCEstick FPGA Tool to Capture and Decrypt BitLocker Volume Keys

With some careful wiring into the LPC bus, traffic to and from the Trusted Platform Module can be captured to reveal a BitLocker volume key.

Gareth Halfacree
4 years ago • Security / FPGAs

Open source security specialist SySS Research has released code for the Lattice iCEstick FPGA development board that sniffs traffic to and from the Trusted Platform Module (TPM) in order to disclose secrets up to and including the cryptographic key for BitLocker-encrypted drives.

Shipping as a feature of the Microsoft Windows operating system since Vista, at least for selected variants, BitLocker is designed to protect data at rest: Drives are protected such that any data written to the drive is invisibly encrypted and decrypted again as it is read. For further security, BitLocker can store its cryptographic keys in a system's Trusted Platform Module (TPM) — a chip which is, in theory at least, protected from attack.

Early last year, security researcher Hector Martin disclosed a means of retrieving the BitLocker key from the TPM by sniffing the Low Pin Count (LPC) bus — and SySS Research has now released the code required to turn a Lattice iCEstick into a tool for doing exactly that.

"The iCEstick LPC TPM Sniffer is a modified version of Alexander Couzens' LPC Sniffer including the TPM-specific modifications by Denis Andzakovic (LPC Sniffer TPM) for sniffing specific LPC messages of trusted platform modules (TPMs)," the organization explains. "In order to extract the current BitLocker Volume Master Key (VMK) of a BitLocker-encrypted partition, the following steps are required: Turn off the target system; Connect the iCEstick with the TPM of the target system; Start the Python command tool iCEstick LPC TPM Sniffer on the attacker system; Turn on the target system."

Once captured, the keys are encrypted — but can be quickly decrypted using a secondary tool, then the decrypted key used to mount the BitLocker volume in either read-only or read-write modes.

The tool is available to download now under the GNU General Public Licence v3, from the SySS Research GitHub repository.

Gareth Halfacree
Freelance journalist, technical author, hacker, tinkerer, erstwhile sysadmin. For hire: freelance@halfacree.co.uk.