BitLocker bypassed: a simple key extraction is enough to break the encryption

Bitlocker Recovery Hacked

A critical vulnerability tracked as CVE-2023-21563 allows Microsoft’s BitLocker encryption to be bypassed in under five minutes through a purely software-based attack called “Bitpixie.” The flaw lies in the Windows bootloader, which does not properly clear the Volume Master Key (VMK) from memory after a PXE reboot. Two methods have been publicly demonstrated. The first uses a signed Linux environment to extract the VMK from memory; the second relies exclusively on Microsoft-signed components in a modified Windows PE environment. Both approaches decrypt a BitLocker-protected drive without prior authentication, and a proof of concept is already available online. The only effective mitigation is to enable pre-boot authentication using a PIN, USB key, or key file.

Our experts’ analysis:
Microsoft has been praising the security of its encryption for years while promoting a default usage mode, with no PIN or password, that is vulnerable. The result: an actor with physical access can extract the encryption key with little effort, even on modern machines. The real risk here is not the use of an advanced technique but the illusion of protection.
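As an added example (not code from the original article), the PowerShell script below audits which BitLocker operating-system volumes still rely on a bare TPM protector, the no-PIN default described above, and moves a volume to TPM+PIN, the pre-boot authentication the article names as the mitigation. The function names are hypothetical; the cmdlets are those of the built-in Windows BitLocker module, and the session must be elevated.

```powershell
# Added audit helper, not part of the original article.
# Assumes the built-in BitLocker module (Get-BitLockerVolume,
# Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector) on Windows 10/11
# and an elevated session.

function Get-BitLockerPreBootAuditResult {
    [CmdletBinding()]
    param()

    $osVolumes = Get-BitLockerVolume | Where-Object { $_.VolumeType -eq 'OperatingSystem' }
    foreach ($vol in $osVolumes) {
        $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })

        # A bare 'Tpm' protector lets the TPM release the VMK to the boot
        # manager with no user interaction, which is what Bitpixie relies on.
        # TpmPin / TpmStartupKey / TpmPinStartupKey require pre-boot input.
        $tpmOnly = $types -contains 'Tpm'
        $finding = if ($tpmOnly) { 'TPM-only protector: VMK unsealed without pre-boot auth' }
                   else          { 'OK: pre-boot authentication required' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            TpmOnly          = $tpmOnly
            Finding          = $finding
        }
    }
}

function Enable-BitLockerTpmPin {
    # Adds a TPM+PIN protector, then removes the bare TPM protector so the
    # PIN is actually required at boot. Group policy must allow TPM+PIN
    # ("Require additional authentication at startup"), or the add fails.
    param(
        [Parameter(Mandatory)][string]$MountPoint,
        [Parameter(Mandatory)][securestring]$Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    foreach ($kp in $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId | Out-Null
    }
    Get-BitLockerPreBootAuditResult | Where-Object MountPoint -eq $MountPoint
}

# Usage (elevated):
#   Get-BitLockerPreBootAuditResult | Format-Table -AutoSize
#   Enable-BitLockerTpmPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New BitLocker PIN')
```

Keep a recovery password protector in place before removing the TPM protector, and back it up, since a changed PIN or TPM state will otherwise lock the volume.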

