Attacking Bitlocker disk encryption: internal Direct Memory Access (DMA) attack

in STEMGeeks, 2 months ago

In my last post I showed an external port DMA attack. In this post I will perform an internal port DMA attack. This attack can be used if the external ports are blocked (filled with epoxy) or are disabled in the BIOS. The attack is still possible to perform successfully on newer laptop and OS versions, as long as the platform does not enforce an IOMMU (Intel VT-d / AMD-Vi) against the internal slot from boot onward and the BitLocker volume is unlocked by the TPM alone, without a pre-boot PIN or startup key.

I will be performing a DMA attack with the USB3380EVB, a mini-PCIe board carrying the PLX USB3380 USB 3.0 to PCIe bridge, against a Windows 7 machine using BitLocker full volume encryption with TPM-only authentication. The board goes into the mini-PCIe slot normally occupied by the wifi card; that slot is a PCIe endpoint and can issue DMA reads and writes to system memory. PCILeech searches physical memory for the signature of the Windows password-validation routine and patches it so that any password is accepted at the logon screen. Once logged in, the BitLocker volume, which the TPM already unlocked during boot, is readable and the files can be viewed.

The video doesn't have any sound.

1: Check that the Windows logon screen is reached without a pre-boot prompt. If a BitLocker PIN or startup key is required, the TPM does not release the volume key until it is entered, and this attack does not apply.
2: Turn off the laptop.
3: Unscrew the lid and locate the wifi card.
4: Remove any modules that block access to the wifi card, then remove the wifi card.
5: Insert the USB3380 board into the freed mini-PCIe slot of the victim machine and connect it over USB 3.0 to the attacker's PC.
6: Turn on the victim machine and let it boot to the logon screen.
7: Run the PCILeech software on the attacker's PC to locate and patch the password check.
8: Log in to Windows without knowing the password.
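Step 1 is the defender's side of the same question: is the OS volume protected by the TPM alone, so that the key is already in memory when the logon screen appears? The following PowerShell script is an added example, not part of the original post or of PCILeech, that enumerates the BitLocker key protectors of every volume and flags TPM-only ones. It uses the BitLocker PowerShell module (Get-BitLockerVolume, Windows 8 / Server 2012 and later); on Windows 7 only manage-bde.exe exists, so the manage-bde commands in the trailing comments are the way to inspect and change the protectors there. The function name and the output layout are this example's own choices.

```powershell
# Added example (not from the original post): list BitLocker key protectors per
# volume and flag volumes that the TPM unlocks at boot without any user secret.
# Those are exactly the volumes this DMA attack reaches at the logon screen.
# Requires the BitLocker module (Windows 8 / Server 2012 or later), run as admin.
function Test-TpmOnlyBitLocker {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # Protectors that demand a user secret before the TPM unseals the volume
        # master key. 'RecoveryPassword' is for recovery only and 'ExternalKey'
        # is a startup key or clear key; neither counts as pre-boot authentication.
        $preBoot = $types | Where-Object {
            $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'
        }
        $tpmOnly = ($types -contains 'Tpm') -and (-not $preBoot)

        $verdict = if ($vol.ProtectionStatus -ne 'On') {
            'protection off: data readable without any attack'
        } elseif ($tpmOnly) {
            'TPM-only: key released at boot, exposed to DMA at the logon screen'
        } else {
            'pre-boot secret required: volume stays locked until it is entered'
        }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            TpmOnly          = $tpmOnly
            Verdict          = $verdict
        }
    }
}

Test-TpmOnlyBitLocker | Format-Table -AutoSize

# Inspecting and fixing the OS drive with manage-bde (also available on Windows 7).
# Adding a TPM+PIN protector needs the group policy "Require additional
# authentication at startup" to allow a startup PIN with the TPM.
#   manage-bde -status C:
#   manage-bde -protectors -get C:
#   manage-bde -protectors -add C: -TPMAndPIN
# Afterwards re-run 'manage-bde -protectors -get C:' and make sure no bare TPM
# protector is left; if one is, remove it with:
#   manage-bde -protectors -delete C: -type TPM
```

The distinction the script draws is the one that matters for this attack: a recovery password or an external key does not stop the TPM from unsealing the volume during boot, so only a TPM+PIN, TPM+startup key or password protector keeps the key out of memory until the user has authenticated.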

PCILeech tool:

