What you need to know
- Windows 11's TPM requirements have been a point of confusion and contention.
- Researchers have just illustrated why these requirements matter.
- They utilized TPM's plaintext data to exploit security vulnerabilities in a Windows laptop.
If you were confused by Windows 11's Trusted Platform Module (TPM) requirements and their connotations, you're not alone. Many people didn't and still don't understand what TPM technology is all about.
Before we dive into the news of what researchers have achieved via TPM exploits in Windows laptops, here's Microsoft's official definition of TPM (opens in new tab):
"Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that is designed to carry out cryptographic operations. The chip includes multiple physical security mechanisms to make it tamper-resistant, and malicious software is unable to tamper with the security functions of the TPM."
Sounds intense, right? Well, here's the issue, as told by Dolos Group in its attempt to exploit vulnerabilities found in a Windows laptop: "At the time of this writing BitLocker does not utilize any encrypted communication features of the TPM 2.0 standard, which means any data coming out of the TPM is coming out in plaintext, including the decryption key for Windows. If we can grab that key, we should be able to decrypt the drive, get access to the VPN client config, and maybe get access to the internal network."
Dolos Group likens this to targeting a car coming out of Fort Knox rather than the fort itself. By utilizing this exploit in conjunction with other exploits, researchers were able to take a "stolen" corporate laptop and effectively sneak inside its associated corporate network, leaving data exposed and vulnerable.
The research is an intensely technical read, good for if you want to stretch your mental muscles and learn a bit about Windows exploits. With that in mind, Windows' heightened TPM requirements could forecast a more secure future for BitLocker where compromisation methods such as the one Dolos Group employed are no longer possible.
Windows Central Newsletter
Get the best of Windows Central in in your inbox, every day!
Robert Carnevale is the News Editor for Windows Central. He's a big fan of Kinect (it lives on in his heart), Sonic the Hedgehog, and the legendary intersection of those two titans, Sonic Free Riders. He is the author of Cold War 2395. Have a useful tip? Send it to email@example.com.
Well, until we get to homogenic encryption (where the data is NEVER decrypted, even when used) there will always be someplace in the system that either the decryption keys or the data itself is present in non-hashed format SOMEWHERE, either in a register in the CPU or in working memory someplace.
That kind of encryption is several years away, at best, and will require new hardware to handle it.
When Bitlocker came out, most systems could not support TPM anyway, so they had to make it work somehow. You CAN require that Bitlocker use TPM 2.0 to store the keys, but only in the Enterprise version of W10.
Now, whether W11 will actually USE TPM 2.x to store the keys by default, that's another matter. If they do, it will break some Win32 software, but in my opinion, it would be worth it. It STILL won't get around the issue of the keys/data existing in a CPU register someplace in unencrypted format. That will require new CPU architectures and software stacks, or at the very least new Hashing layers in the OS along with "protected" memory.
Interesting insights. Thanks for the thoughts on this topic.
An interesting attack. The weakness here was the laptop using an external TPM IC. I'd like for them to do it with a laptop with PTT (I.e. TPM in the processor). Should be a lot harder to attack.
Thank you for signing up to Windows Central. You will receive a verification email shortly.
There was a problem. Please refresh the page and try again.