Attacking BitLocker disk encryption: external Direct Memory Access (DMA) attack

in STEMGeeks, 2 months ago (edited)

I created a video in which I perform a DMA attack with a PCMCIA-to-FireWire adapter on a Windows 7 machine that uses BitLocker full-volume encryption with Trusted Platform Module (TPM)-only authentication. After the Inception software has found and patched the Windows authentication signature, it is possible to log in to Windows without entering the correct password. Once logged in, the files have been decrypted and can be viewed.

Although Windows 7 is used in this video, the attack is still relevant for any operating system.

All computers with DMA ports are vulnerable: PCMCIA, Thunderbolt, FireWire, PCI, PCI Express. To secure a computer, add a second authentication method, such as a BitLocker pre-boot PIN or USB key.

The video doesn't have any sound!

If the Windows login screen can be reached, the computer is vulnerable to a physical attack. Several ports use DMA, which makes high-speed data transfer possible but also exposes the computer to attack. When the computer is connected through the PCMCIA-to-FireWire adapter, malicious code can be run (Inception tool: https://github.com/carmaa/inception) that patches the Windows authentication signature. Once the signature has been found and patched, any password can be used to log in, whether or not it is correct.

Later this week I will post a video where a DMA attack is performed while all the external ports are closed for interactions (the PCMCIA port can't be used). In other words, the attack will be performed through an internal port.
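One way to check a machine for the TPM-only configuration described above, as an added example that is not part of the original post: it parses the text output of `manage-bde -protectors -get C:` and reports whether the volume unlocks without a pre-boot PIN or USB key. The protector heading strings (English-locale output) and both sample outputs are assumptions constructed for illustration.

```python
import re

# Protector headings as printed by English-locale `manage-bde -protectors -get`
# (assumed). Both samples below are constructed, not captured from a machine.
UNATTENDED = {"TPM"}  # disk unlocks at boot with no user input
PREBOOT = {"TPM And PIN", "TPM And Startup Key", "TPM And PIN And Startup Key"}
KNOWN = UNATTENDED | PREBOOT | {"Numerical Password", "External Key"}
VOLUME_RE = re.compile(r"^Volume\s+([A-Z]:)")

def parse_protectors(text):
    """Return {volume: [protector heading, ...]} from manage-bde output."""
    volumes, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        match = VOLUME_RE.match(line)
        if match:
            current = match.group(1)
            volumes.setdefault(current, [])
        elif current and line.endswith(":") and line[:-1] in KNOWN:
            volumes[current].append(line[:-1])
    return volumes

def verdict(protectors):
    """Classify a volume by whether it boots to the login screen unattended."""
    found = set(protectors)
    if not found:
        return "no-protectors"
    if found & UNATTENDED:  # one TPM-only protector is enough to skip the PIN
        return "tpm-only"
    if found & PREBOOT:
        return "preboot-auth"
    return "other"  # e.g. recovery password or external key without a TPM

def audit(text):
    return {vol: verdict(p) for vol, p in parse_protectors(text).items()}

TPM_ONLY = """Volume C: [OS]
All Key Protectors
    TPM:
      ID: {00000000-0000-0000-0000-000000000001}
    Numerical Password:
      ID: {00000000-0000-0000-0000-000000000002}
      Password:
        000000-000000-000000-000000-000000-000000-000000-000000
"""
TPM_PIN = TPM_ONLY.replace("    TPM:", "    TPM And PIN:")
if __name__ == "__main__":
    for name, sample in (("TPM_ONLY", TPM_ONLY), ("TPM_PIN", TPM_PIN)):
        print(name, audit(sample))
```

A `tpm-only` verdict means the machine reaches the Windows login screen with the volume already unlocked, which is the precondition for the attack in the video.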


hmm, isn't the IOMMU there to prevent DMA access to random/unregistered memory regions - why is the full lower 4G region opened at all?

Windows 10 IOMMU VT-d can mitigate this attack! But VT-d has to be manually configured; it's turned off by default and only available on Windows 10.

thanks! kind of scary that it's still comparably easy to access system memory from the outside...


It's good to see. Do you have methods to unlock the BitLocker key which is added to the drives of a laptop running Windows 10? The company claims it to be available in the Microsoft account, but when you enter those keys it shows wrong key and denies recovery.

Could you explain your question a little bit?