The BitLocker key can be easily extracted from SPI traffic

A recent report mentions that it is possible to extract the key from BitLocker, an encryption tool on Windows systems, by simply using SPI traffic. Although this attack would require physical access to the target system, experts mention that it is relatively easy to complete.

The report, prepared by security firm F-Secure, mentions that this attack is to trace the TRUSTED Platform Module (TPM) SPI interface using tools available to any user. Experts developed a complementary tool to extract the BitLocker key from compromised SPI traffic.

TPM is a cryptographic coprocessor that implements a predefined set of encryption operations, a secure key storage tool, and a platform configuration record (PCR). This is one of the most commonly used protectors for BitLocker as it allows the ability to reveal some of the secret after verifying the integrity of the platform.

This verification is achieved by measuring each step during upload and saving the results to the PCR. The secret can be linked to specific PCR values and can only be disclosed if the current PCR state matches these original values.

Usually the TPM chip is a separate module on the motherboard, while the CPU communicates with this chip through the platform hub (PCH). The TPM specification describes three different interfaces: LPC, I2C, and SPI. Serial Peripheral Interface (SPI) is a synchronous serial communications protocol that supports full duplex communications at a high-speed clock frequency.

Accessing the TPM chip usually requires disassembling the target device, which is not very practical. However, UEFI firmware is often stored on an SPI-based flash chip that has a SOIC-8 package. This type of packaging is very easy to connect to conventional probes, and since multiple devices can be connected to the same SPI bus, the flash chip and TPM chip are likely to use the same bus.

In addition, the flash chip can usually only be accessed by removing the back cover or keyboard and therefore the flash chip is an ideal target for listening to messages on the SPI bus. This tactic eliminates the need to re-weld the equipment and the attack can be performed at a convenient time.

In their demo, experts used a Dell Latitude E5470 laptop with BitLocker-compatible Windows 10; in this particular model, the TPM can be accessed by removing the back cover of the device. The Nuvoton NPCT650JAOYX TPM 2.0 chip comes with the QFN-32 package and it is not possible to test the chip directly. The timing pins of both chips are joined, confirming that they are using the same SPI bus.

Each SPI device has its own dedicated SS line, but the scanned laptop has only two devices connected to the bus. Therefore, the SS line of the TPM can be built by taking the denial of the SS line from the flash memory chip. The SS line can also simply be ignored. However, in this situation, it is possible to decode the flash memory exchange as TPM data exchange. SPI signals were recorded using a Saleae Logic Pro 8 logic analyzer. The ample plug space of the SOIC-8 package makes it easy to assemble the sensors, and the entire acquisition process can take less than a minute.