
Thanks everybody for joining. My name is Miguel Martinez. I am the CTO of Tech Refresh, and I also help run the DerbyCon community chapter out of the Inland Empire, which is in Southern California. This talk is on BitLocker. It's based around a real-life scenario we went through when one of our customers reached out to us, and we'll go through the two attack methods we tried, what we learned, and what transpired.

So what is BitLocker? Everybody knows BitLocker is essentially the encryption solution available in the Windows operating system; it can do disk-level or volume-level encryption. There are multiple encryption methods. There's TPM, which is the chip on the motherboard that helps store encryption keys; essentially it's like an escrow for those keys. In this talk we're focusing on TPM only, because that's what the laptop we were tasked to gain access to was running. As mentioned, you also have TPM plus PIN, where the user has to enter their PIN when the system boots up, and there's also PIN plus USB, where there's a physical aspect. Like I mentioned, TPM only is transparent: the key is stored in the TPM, and when the system boots up the TPM sends over the key and the drive is decrypted.

If I haven't mentioned it before, I asked my daughter for suggestions on themes for this talk, and her suggestion was to use one of our favorite anime series, so hopefully you guys can check out Attack on Titan if you're an anime fan.

Our subject was an HP EliteBook 1040 G2. It's a fairly older system, Windows 10 Enterprise, with BitLocker enabled with TPM only, which was a huge plus in our search for this scenario. Windows Firewall was enabled with zero ports inbound.

So what we have here is: you can boot the system up and you're sitting at a login screen, but nobody had credentials. The system had been removed from the domain, nobody had local credentials, and there was no network access to it. It was essentially hardened; the only thing to do was try to log in. And whoever encrypted the drive originally no longer worked at the organization, so when they encrypted it, it wasn't tied to Active Directory. Somebody saved the recovery file onto a USB, and nobody knew where that was located. The goal was to retrieve the data. This laptop was owned by a pretty high-up executive who reported directly to the owners of this big organization, I think a multi-million dollar organization. They spent a few weeks trying to get access to the box, then reached out to us, which gave us a few days to think about our attack path and what we could do to recover the data.

This was our first attempt. Since we had BitLocker, we weren't able to just remove the drive, stick it into another system and decrypt it. We had to deal with BitLocker, which was enabled. You couldn't boot into a Linux OS either, because TPM BitLocker essentially prevented you from gaining access to that drive.

So our first attack path, our first rabbit hole I should say, was the cold boot attack. This is nothing new; it was published in a paper from Princeton back in 2008. Boiled down, the research found that RAM retains data for a few seconds to a few minutes after you power down the device, and it becomes even more apparent when the RAM chips are cooled: the cooler you can get it, the longer the data stays. Again, this attack was from back in 2008. Back in those times it was really easy: you take your compressed air can, flip it upside down, point it at the memory chip, cool it down, power off the device, boot into something else like a bootable Linux OS, and you can read the data directly off the memory chip, in the hope that the decryption keys were still resident in the RAM. If you guys have any questions, just pause me, or we can open it up to a discussion.

So again, this is our HP EliteBook. As you can see, the RAM chip is right over here, or sorry, the BIOS chip is right up here, which I circled. It was easy to locate; it wasn't hidden behind a thousand peripherals or anything like that. As soon as we popped the bottom cover off, we were able to locate it and gain access to it.

So what countermeasures are there now against this attack from 2008? It's an older attack, and manufacturers have actually implemented countermeasures since that paper was published. One of them, and it's not really a big countermeasure, is tamper switches. Some laptop motherboards, or even desktop motherboards, have switches: if the case is opened, the system won't boot, or essentially, if they're left open, it will clear memory during the BIOS POST. The other big countermeasure is an implementation in the BIOS that clears memory and, let me step back, works with the OS. When the system boots there's a bit in the BIOS, and during the shutdown process that bit is changed, during a clean shutdown. So when the BIOS boots up again it can read that bit, and whether or not it was a clean shutdown determines whether it needs to clear the memory. This next slide helps show that.

On the top we have a clean shutdown. Let me grab my little pen here. So again, we have that memory overwrite request bit. During the BIOS POST it is read; as you can see by the arrow up by BIOS, it's a zero. Then it checks whether it needs to clear the memory; if not, it goes straight into the OS. This is the OS running in this section here. Once it gets to a clean shutdown, the OS changes it back to zero. Remember, the BIOS checks that it's zero, then after it does its check it sets it to one, and then it's up to the OS to set it back to zero during a clean shutdown. On the subsequent boot, if there's a clean shutdown again, the BIOS reads it, it's a zero, so it's not going to clear memory.

Down at the bottom we see what would happen if we try to launch a cold boot attack and physically power off the system without doing a clean shutdown. First, this is a clean first boot: the memory overwrite request bit is set to zero, so memory is not cleared, the BIOS sets the bit back to one, and the OS is running in this section here. If we were to pull power in this section here, that bit is still set to one, so the next time the BIOS boots, it's going to read that there's a one in that bit now. So the BIOS says, well, I'm not going to boot the OS before I clear the memory. So what happens is the BIOS clears the memory, and by the time you boot into either your OS or, let's say, a Linux OS you were trying to launch, that memory is already clear; there's nothing there. So this is one of the attack countermeasures we had to get around for this attack.

Our setup for the attack was essentially leveraging a bootable USB. We leveraged Arch Linux; for memory acquisition we used LiME; and for key recovery we used the AES key finder that was provided with the 2008 research paper from Princeton, as part of the files for that research. The interesting thing is we went with a nice, pretty fast USB stick, since the purpose was to boot as fast as we could so we could get as much RAM out as possible.

So again, one of the things we needed to do for the attack was to get around this memory overwrite request bit, in order to prevent the BIOS from clearing memory. There was no point in us rebooting the box, trying to boot into Linux and then pulling memory, since there wasn't going to be any data there, because the BIOS was going to prevent us from getting there. So what we tried first was actually changing the MOR bit. We dumped the memory using a BIOS reader: we connected to the pins with another system, read it, found where the bit was, and then pushed a change to just that section. We weren't trying to rewrite the entire BIOS; that would have taken too much time. We needed to just reset that bit. But after several tests we noticed that the MOR bit was placed in different sections of the memory, so we weren't able to create a script that focused on one specific memory address; we had to find a way to change the bit within a range, because it could be found anywhere in that particular range of memory.

Again, as mentioned, flashing the entire BIOS was not an option. It was like 16 meg, which took two, three, four minutes; by that time the RAM chip would have warmed up and most of the resident memory would have been gone. So our approach was to flash a subsection of the BIOS that covered the MOR bit. What we did is we reset the system a couple of times, read the BIOS information multiple times, and identified where the MOR bit fell within a particular range of the memory in the BIOS chip. Overwriting the memory range we found took about 10 seconds.

This is myself using UEFITool to identify the MOR bit. As you can see, this is essentially a BIOS dump. At this moment the bit is set to 0 1, which is essentially set to on, meaning clear the memory on next boot. This would have been easy enough if this bit was always in the same section, because we could have just looked at the memory address, said I want to rewrite that address, set it to 0 0, and been done within a few milliseconds, then gone on to booting the OS. But that wasn't available, since the MOR bit fell into different sections of a subcategory after every reboot, so we had to take the approach of flashing a subsection of the memory, not one specific memory address, because it moved.

Actually, I can share a quick video. This was one of my first attempts; this was me getting a little carried away. I don't know if you guys can see the video, but this is me getting a little carried away with the compressed air. The OS on there is actually not Arch Linux; this was my first attempt, and it was a full GUI. That is the Corsair GTX on that memory while I was doing the acquisition. The acquisition only took about ten to twenty seconds once we got it down to leveraging a stripped-down Arch Linux.

Here's what the ultimate attack looked like. Here's our Arch Linux at boot. There's a service that runs which launches LiME, acquires the memory and dumps it straight into a section inside the Corsair GTX, which is also the same USB we used to boot Arch Linux. So again, these are the test probes, kind of a clamp, clamping onto the BIOS chip. Here's the BIOS reader and writer, and my laptop, which was used to run pre-programmed commands for the programming software to write the specific bit.

And again, what we found by looking at other laptops: this HP EliteBook was the target, however I did look at a couple of other manufacturers and BIOSes, and what we found is that not all of them are the same. In fact, some of them save that MOR bit to the same location, which would have made it a hell of a lot easier for us to launch this attack.

But ultimately, was it a success? Unfortunately not. We did find multiple AES keys, however none of them were able to decrypt the drive. There are a number of reasons this could have been. The most obvious one is that they probably didn't stay resident very long in memory, or the TPM module cleared that section of memory. So it could have been a number of things that prevented us from getting those keys.

So we regrouped, stepped back and thought about our next approach and what we should do. Again, this is BitLocker TPM only, so when you boot the box you can boot into the OS, but you can't touch anything; you're essentially just staring at a login screen. There's no network access; you can get it on the network, but you can't talk to it, and it wasn't talking to anything. We tried looking at DNS requests or any calls going out; there was very little, as nobody is logged in and very few applications are running prior to login.

So the approach after the regroup was: why don't we take a different approach and maybe look at exploiting other things? That second approach was the DMA attack, direct memory access, essentially manipulating memory while the system is on and booted, to take control or make read/write changes on the OS. This is again not a new attack; this goes back to 2012. If you guys remember, there was a tool that was released, and I actually didn't write the gentleman's name here, but Inception was the name of the tool. It mainly focused on FireWire: you leveraged FireWire to talk directly into memory using DMA and read/write memory bits. What that means is you can plug in a device that interacts with that FireWire port, look for specific strings or information in memory, and then change that section to whatever. So if you can locate the section that stores the password, or the hash, in memory, you can change the hash to something you know, or just clear it altogether, and then simply log into the system.

But that attack has been mitigated, actually pretty shortly after that, I think within a year. It was mitigated by most OSes, which prevented FireWire access to DMA without actual approval: when you plug it in you get a little pop-up that asks whether you want to give permissions, and you hit OK. So that's been mitigated for FireWire. But what about this other tool from, and I'm probably butchering his name, Ulf Frisk, which is PCILeech? This actually leverages PCIe to interact with memory, the same approach, using DMA. The neat thing about this is it uses common PCI interfaces like Thunderbolt, M.2 slots, ExpressCard, or even mini PCIe.

Since we were dealing with a laptop, one of the two things we could have used was ExpressCard, which unfortunately, if I remember correctly, the 1040 did not have an ExpressCard slot. However, it did have an M.2 slot; actually it had a few. One was for the drive, which unfortunately we couldn't use, because we needed the drive in the system to be able to launch the attack. The other one was for another peripheral, the wireless card or the wireless M.2 adapter, which we could borrow to tie into and get access to memory.

So what kind of countermeasures are there for DMA, or for this attack? Well, actually Microsoft has the ability to do this. I believe it was introduced in Windows 10 1809, but it's still not enabled by default. You can enable this through policy; I believe it's the V... I should have provided more information on it, but it's VSS, I don't remember what the acronym actually stands for, but essentially you can block or disable hot-pluggable PCI downstream ports when the computer is locked. Again, this is available through Group Policy, so if your organization or industry is concerned with this kind of attack, I definitely recommend looking into that. The other thing is having virtualization enabled, which could prevent access to certain sections of the RAM. But again, this is configurable through the BIOS, and as we all know, you can get into the BIOS pretty much if you have physical access to the box. If the BIOS has a password, most manufacturers either have a hard-coded password or there's a method to clear the BIOS password through a simple key combination or shorting a couple of pins on the motherboard. So that can easily be disabled, which we did; for this device, actually, the HP EliteBook did not have a BIOS password, so we were able to simply disable the virtualization. We didn't have to worry about the OS countermeasure being enabled, as we had verified with the organization that they did not have that enabled.

In this picture I actually show the empty slot that was leveraged to launch the attack. So again, this is the wireless card; as you can see, it's still got the antennas attached to it. One important thing is that it has to be an M.2 slot that supports PCIe. In this example we had an A/E keyed M.2 slot that we were able to leverage.

Here's again our attack setup. Actually, let me step back, sorry: this is our setup for PCILeech. In order to interact with the PCIe there needs to be hardware, and the hardware in this situation was a USB development board: a mini PCIe USB development board, the USB3380. It's actually fairly inexpensive, I believe we paid about a hundred and fifty dollars shipped, and we actually got it next day, locally. And we had an M.2 to mini PCIe adapter here. So again, this is M.2, and the board is PCIe, or mini PCIe to be exact, so this whole ribbon is essentially a mini PCIe to M.2 adapter, to make sure we got the right form factor.

One drawback to leveraging the USB3380 is that it is limited to four gigs of memory acquisition. Luckily this laptop only had four gigs of memory. If you have a laptop that has more than that, there are various things you can do. One thing is there are other devices available that you can acquire; they are a little bit more expensive, however there are benefits to them. You can purchase an FPGA. I'll share the link here, but on the GitHub page for PCILeech there's a whole list of hardware that's supported. Some of them are a little bit pricey, but they do give you faster reads and writes, and they give you unlimited access to the memory. One other thing you can do, if your device has more than four gigs and it has multiple memory cards, is just remove cards or replace cards until you get down to four gigs of memory, and then you're certain that you can read all sectors of memory. But for our example here we actually didn't need to read the entire memory; normally when a system boots it starts writing to the first couple of sections of the memory, so as long as we can read the section that has what we need, we should be golden. We don't need the entire 16 gigs. But again, we were fortunate enough that this laptop had four gigs of memory.

Here's the next picture, a close-up on the USB3380. Again, this side is mini PCIe, and this other connector here is USB 3.0, which plugs into the attack system, and that is where you launch the PCILeech software to interact with the memory. Unfortunately, I had a video of this and I misplaced it, or I must have deleted it, but it's nothing more than the following screenshots, which help show the actual command I ran.

As you can see, this is Kali, this is PCILeech, essentially just running the patch command. What I did is I switched one of the signatures to look for Sticky Keys, and switched Sticky Keys from presenting that Sticky Keys message to actually prompting an administrative command prompt. After running the command, it goes and looks through memory; as you can see, it got through about 10 percent of the memory before it found it and successfully patched the location. After that I was able to just go over to the laptop, which was still sitting on that login screen, and hold the shift key until I got a command prompt. At that point I had an administrative shell, or command prompt, which allowed me to create a user. This is not the actual screen, as I can't show the users, but this is essentially what we did: we ran the net user command to create a new user, and then we added the user to the local admins. After that we were able to use that local admin to log in to the laptop and gain access to the data. After which, as we do during any acquisition, we made a copy of the data onto another external drive, just in case anything weird happened, and then provided the laptop and the external drive to the customer.

Again, was this a success? Yes. It's actually a lot easier. We ordered the USB3380 on, I think, a Tuesday; we got it by Wednesday; I didn't start working on this until 5:00 p.m. when I got back home, and by like 6:30, 7 o'clock I had access to the laptop and was already copying data. In comparison, my first attempt, the cold boot attack, took me several days: doing the research, acquiring the hardware (I had to order the BIOS programmer, I had to order the Corsair USB drive), and building, not from scratch, but essentially building a bootable Arch Linux USB and creating a script to automatically dump memory. That took me a few evenings, I should say, not entire days, but a few evenings of building this whole toolkit just to dump memory, pull keys from memory, analyze and look for the keys, and then test whether those keys actually worked. I actually spent a few weeks on this. The DMA attack was kind of our last resort and was actually very successful; I kind of wish we would have gone that route first. My initial thought was that this was going to be a bit more expensive, but the price was actually on par, after factoring in the programmer and the Corsair USB, and not even factoring in time spent. I think going down the DMA path would have been, I mean, it was a lot faster.

Maybe just to recap what the attack was: we took that USB3380 development board and flashed it with the PCILeech firmware. That firmware and the instructions are available through Ulf Frisk's PCILeech GitHub page; he provides the firmware for this board. So you plug it into your attack system, flash it with the PCILeech firmware, unplug it, power it back in, plug it into the target system, open up PCILeech on the attack system plugged in through USB 3.0, and then boot the target system up. At that point you can just launch the PCILeech software on the attack system to either patch memory, dump memory, or whatever you need to do. In our situation we looked for the Sticky Keys command and replaced it with a command prompt, and after that we were able to get an administrative command prompt where we created a user and added that user to the local admins.

Again, giving credit where credit's due: a lot of the path I took for the cold boot attack was based heavily on the research done by F-Secure. Here's a quick link; there's an article that talks about their research and some other presentations they did around the cold boot attack. Unfortunately, they didn't share the bootable OS they created to dump the memory; however, based on the notes I saw in the research and some of the presentations, it didn't look too much different from what I was doing with Arch Linux and LiME for the memory acquisition. And again, thanks to Ulf Frisk for PCILeech, which is available on GitHub with a list of supported hardware. I'd definitely recommend picking up one of these devices, and would probably recommend going for one that doesn't have a four gig limitation. We went with the four gig one just because it was our first time trying it and it was fairly inexpensive comparatively. But again, I'd recommend that any security organization, or even any organization, have one of these as a means to get back into systems.

Thank you for your time. Again, my name is Miguel Martinez; at DEF CON, also, my call sign is W6BIT, or EIT. Again, I'm the CTO of Tech Refresh; you can find us at tech hard at i/o. Also, if you guys are in, or know anybody in, the Southern California area that's interested in joining or is in the InfoSec community, we'd love to have people join us. Unfortunately, due to current circumstances we're not hosting on-site meetings, but you can find our DerbyCon community Inland Empire chapter at Derby com IE com. I'll pause there and see if anybody has any questions or comments.
Miguel: And people can't take themselves off mute to ask a question? Awesome. Okay, no questions, great. Yeah, I appreciate everybody's time and hope everybody has a good afternoon. Sorry, was there a question there?

Audience: How long did you say it took you, after flashing and getting the drivers?

Miguel: I would say between an hour, from when I had the card, an hour and a half to two hours by the time I had the card. I mean, you would probably have to understand a little bit of hardware, definitely some Linux background and understanding, and, I would say at a very high level, know enough to understand how memory works and stuff. I think what I showed here, that command, is pretty much how you run it; Ulf Frisk makes it really easy to run this. I think the hardest part was flashing the card, because the instructions were a little bit weak on flashing the USB3380, or maybe I just wasn't reading the right instructions. From my experience, I thought the card was going to pull power from the USB 3 port, but in fact it actually pulls power from the PCIe side, so in order to flash it you need to have it in a PCIe system that you can access; you flash it first, then you can use it to attack. But once you flash it, you can use it anytime.

Audience: Have you tried it with the TPM?

Miguel: I have not, but it will probably... yeah, I have not; most likely it won't work. Again, there are a few other attack methods that I didn't go into that I probably would have gotten into, which was actually soldering onto the leads on the TPM chip and seeing if I could read it using a logic analyzer as it's talking to the board and stuff. Thanks.

Audience: Hello, will your slides be made available?

Miguel: I could definitely share the slides. I can send you a copy of the slides, Mike, if you have a method of sharing them. Sorry, Mike, were you there?

Mike: Yes. Well, if you send the slides, we'll make them available.

Miguel: Awesome, thank you, sir.

Mike: Thank you, great presentation.

Miguel: Thank you. And you're welcome to reach out to me; you can also send me an email if you guys have any questions, Miguel de Martinez at tech refresh dot com, or you can probably find me through our support portal at tech RI oh. I'm always happy to help anybody who's looking, if they're trying to do this and they're stuck somewhere. Happy to help.
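The key-recovery step of the cold boot attempt above (searching a RAM dump for BitLocker's AES keys with the Princeton key finder) rests on one property of AES: the round keys are a deterministic expansion of the 16-byte key, so a region of memory that matches its own expansion almost certainly holds a live key, even after a few bits have decayed. The Python below is an added example, written for this page; it is not the speaker's tooling and not the Princeton aeskeyfind code, only a re-implementation of that idea. The 4 KiB "dump", the planted sample key 000102...0f, the offset 1234 and the single flipped bit in round key 7 are all constructed here for illustration.

```python
"""Cold-boot style AES-128 key-schedule scan over a raw memory image.

Added example: re-implements the key-schedule matching idea behind the
Princeton aeskeyfind tool. The memory image is constructed inline below
(random filler plus one planted key schedule); no real dump is read.
"""
import random
from typing import List

SCHEDULE_LEN = 176  # AES-128: 11 round keys x 16 bytes


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox() -> List[int]:
    """Generate the AES S-box (GF(2^8) inverse followed by the affine map)
    instead of hard-coding 256 constants. p walks the powers of 3, q the
    powers of 1/3, so q is always the inverse of p."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p *= 3
        q ^= (q << 1) & 0xFF                                    # q /= 3
        q ^= (q << 2) & 0xFF
        q ^= (q << 4) & 0xFF
        if q & 0x80:
            q ^= 0x09
        affine = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4)
        sbox[p] = affine ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _build_sbox()


def _xtime(b: int) -> int:
    return ((b << 1) ^ (0x1B if b & 0x80 else 0)) & 0xFF


def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte round key schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = list(key)
    rcon = 0x01
    for i in range(4, 44):
        t = w[(i - 1) * 4:i * 4]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]  # RotWord then SubWord
            t[0] ^= rcon
            rcon = _xtime(rcon)
        prev = w[(i - 4) * 4:(i - 3) * 4]
        w.extend(a ^ b for a, b in zip(prev, t))
    return bytes(w)


def _bit_errors(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(image: bytes, max_bit_errors: int = 0) -> List[dict]:
    """Slide a 16-byte window over the image and report every offset whose
    following 176 bytes equal the window's own key expansion, allowing up to
    max_bit_errors decayed bits. Simplification versus the real tool: the 16
    key bytes themselves are assumed intact; only the derived round keys may
    have decayed."""
    hits = []
    for off in range(0, len(image) - SCHEDULE_LEN + 1):
        cand = image[off:off + 16]
        # Cheap pre-filter: first word of round key 1 is
        # w0 ^ SubWord(RotWord(w3)) ^ rcon1, so check those 4 bytes first.
        t = [SBOX[b] for b in cand[13:16] + cand[12:13]]
        t[0] ^= 0x01
        w4 = bytes(a ^ b for a, b in zip(cand[0:4], t))
        if _bit_errors(w4, image[off + 16:off + 20]) > max_bit_errors:
            continue
        errs = _bit_errors(expand_key_128(cand), image[off:off + SCHEDULE_LEN])
        if errs <= max_bit_errors:
            hits.append({"offset": off, "key": cand.hex(), "bit_errors": errs})
    return hits


def build_sample_image() -> bytes:
    """Constructed 4 KiB 'dump': seeded random filler with the schedule of a
    sample key planted at offset 1234, plus one bit flipped in round key 7
    to mimic a decayed cell (all values are assumptions for the example)."""
    rng = random.Random(1337)
    filler = bytes(rng.getrandbits(8) for _ in range(4096))
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
    sched = bytearray(expand_key_128(key))
    sched[7 * 16 + 3] ^= 0x10
    off = 1234
    return filler[:off] + bytes(sched) + filler[off + SCHEDULE_LEN:]


if __name__ == "__main__":
    img = build_sample_image()
    print("exact match only:", find_aes128_keys(img))
    print("tolerating 4 bit errors:", find_aes128_keys(img, max_bit_errors=4))
```

The exact-match scan reports nothing because of the flipped bit, while the tolerant scan recovers the planted key at offset 1234 with one bit error; that is the behaviour a cold boot tool needs, since the dump is taken from RAM that has already started to decay. The pre-filter is what keeps a pure-Python scan usable on images of a few megabytes; for a full multi-gigabyte dump the compiled tool from the original research is the practical choice.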