A recent revelation by a YouTuber known as stacksmashing has uncovered a significant security vulnerability affecting devices running Windows 10 Pro or Windows 11 Pro with an external Trusted Platform Module (TPM). By utilizing a mere $10 Raspberry Pi Pico and a bit of technical know-how, stacksmashing demonstrated how one could decrypt and access encrypted data by exploiting unencrypted communication between the CPU and the external TPM during boot-up.
The process, showcased on an older laptop equipped with Bitlocker encryption, is alarmingly simple and quick, taking less than a minute to complete. The attacker only needs physical access to the device, to open it up, and to connect the Raspberry Pi Pico to an unpopulated connector on the motherboard capable of reading LPC bus data. This connection allows the Raspberry Pi Pico to intercept the raw data transmitted to the TPM, including the Volume Master Key stored within, effectively bypassing the encryption.
This exploit is particularly concerning for devices with external TPMs, as it lays bare a “colossal security flaw” in the encryption process. However, devices with TPMs integrated directly into the CPU—common in most modern Intel and AMD processors—are not affected by this vulnerability.
The demonstration and its implications have sparked a mix of reactions online. Some viewers appreciate the potential utility of this method for recovering lost encryption keys, while others criticize the glaring security oversight this exploit represents. The discovery calls attention to the need for heightened security measures, particularly in the encryption communication protocols between CPUs and external TPMs, to safeguard sensitive data effectively.