Bypass Record

Pre-OS Boot × Microsoft BitLocker

A publicly-reported instance of Pre-OS Boot bypassing Microsoft BitLocker, recorded with its original source. Factual record; no assessment of any specific deployment.

Product
Microsoft BitLocker
Technique
Pre-OS Boot
MITRE ATT&CK
T1542
Confidence
High
Severity
High
Status
poc
Disclosed
2024-02-01
Config / version noted
Yes

Provenance

Reported as

bypass Microsoft BitLocker's default TPM-only encryption

Mechanism

The attack exploits the fact that in TPM-only mode (no PIN or startup key) the TPM releases the plaintext Volume Master Key (VMK) to the CPU over a physical bus during boot. An attacker with physical access removes the laptop's back cover, attaches a logic analyzer or similar low-cost hardware to the TPM bus (e.g., SPI), and captures the VMK as it is sent. With the VMK, the attacker can decrypt the Full Volume Encryption Key (FVEK) from the volume's on-disk metadata and read the encrypted data, or recover the BitLocker recovery passphrase.

Detection & mitigation

Monitor for physical-tampering indicators such as chassis-intrusion events in endpoint management logs, or TPM attestation failures in remote attestation reports. Mitigate by configuring BitLocker with TPM+PIN or TPM+USB startup key so that the VMK is not exposed even if the bus is sniffed, and enforce physical security controls to limit unauthorized access to devices.
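As an added example (not from the cited source), the following PowerShell audit uses the built-in BitLocker module to list OS volumes whose only TPM-based protector is the bare TPM protector, i.e. the TPM-only configuration this record describes; the function name and output fields are this example's own.

```powershell
# Added example: find BitLocker volumes protected by the TPM alone, without a
# PIN or startup key. Requires the BitLocker module and an elevated prompt.
function Get-TpmOnlyBitLockerVolumes {
    [CmdletBinding()]
    param()

    # Protector types that require a second factor before the TPM unseals the VMK.
    $secondFactorTypes = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasTpm          = $types -contains 'Tpm'
        $hasSecondFactor = @($types | Where-Object { $secondFactorTypes -contains $_ }).Count -gt 0

        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            ProtectorTypes   = ($types -join ', ')
            # TPM-only: the VMK is released at boot with no user-held secret involved.
            TpmOnly          = ($hasTpm -and -not $hasSecondFactor)
        }
    }
}

# Report operating-system volumes that rely on TPM-only protection.
Get-TpmOnlyBitLockerVolumes |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.TpmOnly } |
    Format-Table -AutoSize

# Remediation sketch (run deliberately, not as part of the audit): enable the
# "Require additional authentication at startup" policy under
# Computer Configuration > Administrative Templates > Windows Components >
# BitLocker Drive Encryption > Operating System Drives, then replace the bare
# TPM protector with TPM+PIN:
#   $tpmId = (Get-BitLockerVolume -MountPoint 'C:').KeyProtector |
#            Where-Object KeyProtectorType -eq 'Tpm' | Select-Object -ExpandProperty KeyProtectorId
#   Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $tpmId
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
```

Back up the recovery password before changing protectors, since a mistyped PIN policy can leave the OS volume requiring recovery at the next boot.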


This is a record of a publicly-reported event, not an assessment of any specific organization's deployment. Detection and mitigation notes are drawn from the cited source. Where the source is silent, fields are omitted.