Bypassing BitLocker Encryption Via Physical Technique

By Tyler Okinishi on November 7, 2025

Executive Summary

A new vulnerability has been identified in Windows’s BitLocker security feature that can bypass PIN authentication. With physical access to the device, an attacker can steal data from a BitLocker-encrypted hard drive. Any organization that relies on this feature to protect its hard drives should apply physical security controls to prevent this type of attack. Since the attack requires the device to be disassembled, safeguarding the device itself is the best way to prevent data theft.

Background

BitLocker is a Windows security feature that encrypts device drives to prevent unauthorized access and data theft. Because the data on the drive is encrypted, it remains protected even if the device or the drive itself is physically stolen. BitLocker can additionally use a Trusted Platform Module (TPM) for stronger protection. A TPM is a physical chip on the device’s motherboard that stores encrypted Personal Identification Numbers (PINs) that must be verified before the device boots and the drive is decrypted [3].

A hardware vulnerability identified by researcher Guillaume Quéré can bypass BitLocker drive encryption even when PIN protection is enabled. Quéré’s research builds on earlier work that bypassed BitLocker without PIN protection by using a logic analyzer to capture the electrical signals sent from the TPM to the hard drive. In that experiment, Quéré was able to capture the Volume Master Key (VMK) in transit along the motherboard’s traces during the boot sequence. Since the VMK is used to encrypt and decrypt the drive, an attacker holding it can bypass BitLocker and access the drive [5]. The experiment shows that a TPM does not provide the level of protection one would expect: BitLocker can still be bypassed by physically monitoring electrical signals.

Impact

Quéré’s latest research found that certain commands sent to the TPM cause keys to be returned that an attacker can read with a logic analyzer [4]. By listening to traffic from the TPM, an attacker could retrieve an encrypted Intermediate Key (IK) that is used to encrypt the Volume Master Key (VMK). Since the VMK is stored on the drive rather than in the TPM, an attacker who steals the IK and reverse engineers the encryption on the VMK could decrypt the drive. With the appropriate equipment and access to the device, an attacker could decrypt a BitLocker-protected drive [1]. This gives adversaries a new attack vector for stealing sensitive data.

Mitigation

There is currently no mitigation from Windows that prevents this attack. Organizations should instead physically secure their devices using best practices to reduce the risk of exploitation. Devices should not be left unattended, especially in public areas, and should be stored in secure locations whenever possible. This prevents physical theft of the device, which could otherwise lead to data theft as well. Securely destroying the data on a device is also recommended once the device will no longer be used. Since encrypted data can still be retrieved from a drive, wiping the hard drive or physically destroying it will prevent data theft [2].
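As an added example that is not part of the original advisory or the cited research, the following PowerShell function (the names `Get-BitLockerTpmExposure` and `$TpmBoundTypes` are assumed) inventories which local volumes depend on a TPM-bound key protector, the configuration the research above targets, so those devices can be prioritized for the physical controls described here. It uses only the built-in BitLocker and TrustedPlatformModule cmdlets and needs an elevated session.

```powershell
# Added example (not from the original post): list BitLocker volumes and flag
# those whose key release depends on the TPM at boot, with or without a PIN.
# Requires the BitLocker PowerShell module and an elevated session.

# Protector types whose VMK release goes through the TPM during boot.
$TpmBoundTypes = @('Tpm', 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-BitLockerTpmExposure {
    $tpm = Get-Tpm   # TpmPresent / ManufacturerIdTxt come from this object
    foreach ($vol in Get-BitLockerVolume) {
        # Collect the protector type names attached to this volume.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $tpmBound = @($types | Where-Object { $TpmBoundTypes -contains $_ })

        [pscustomobject]@{
            MountPoint         = $vol.MountPoint
            ProtectionStatus   = $vol.ProtectionStatus
            Protectors         = ($types -join ', ')
            TpmPresent         = $tpm.TpmPresent
            TpmManufacturer    = $tpm.ManufacturerIdTxt
            # The advisory's point: a PIN does not close this exposure, so
            # TpmPin volumes are reported as TPM-reliant, not as safe.
            ReliesOnTpmRelease = ($tpmBound.Count -gt 0)
            UsesPin            = ($types -contains 'TpmPin' -or
                                  $types -contains 'TpmPinStartupKey')
        }
    }
}

# Run locally; wrap in Invoke-Command to collect the same table fleet-wide.
Get-BitLockerTpmExposure | Format-Table -AutoSize
```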

Relevance

Windows BitLocker is a widely used security feature across all sectors. Anyone relying on this technology to keep their data secure should be aware of this vulnerability. It is not enough for businesses and government organizations to rely on BitLocker alone to protect their data at rest. Following best practices for physically securing devices is the most effective way to prevent this type of vulnerability from being exploited. This recent research shows that physical vulnerabilities still exist and continue to affect our overall security posture.

References

[1] Baran, G. (2025, October 25). Decoding PIN-Protected BitLocker Through TPM SPI Analysis To Decrypt And Mount The Disks. Cyber Security News. https://cybersecuritynews.com/decoding-pin-protected-bitlocker/

[2] CISA. (n.d.). Protect the Physical Security of Your Digital Devices. Cybersecurity & Infrastructure Security Agency. Retrieved November 4, 2025, from https://www.cisa.gov/resources-tools/training/protect-physical-security-your-digital-devices

[3] Microsoft. (2025, July 28). BitLocker overview. Microsoft Ignite. https://learn.microsoft.com/en-us/windows/security/operating-system-security/data-protection/bitlocker/

[4] Priya, A. (2025, October 27). New Technique Bypasses BitLocker PIN Protection Through TPM SPI Data. Cyber Press. https://cyberpress.org/new-technique-bypasses-bitlocker-pin-protection-through-tpm-spi-data/

[5] Quéré, G. (n.d.). Bypassing Bitlocker using a cheap logic analyzer on a Lenovo laptop. Errno. Retrieved November 4, 2025, from https://www.errno.fr/BypassingBitlocker#architecture-of-a-passwordless-bitlocker-with-a-discrete-tpm