AMD Ryzen Pluton PC can save you as BitLocker breaks on modern Windows 11 Intel with TPM 2.0

Back when Microsoft announced the system requirements for Windows 11, one of the key criteria was the need for relatively modern CPUs. Users have continued to run it on very old hardware, though probably not for long.

The tech giant reasoned that the need for the higher requirements was mainly due to improved security on Windows 11. Alongside new CPUs, Trusted Platform Module (TPM) 2.0 became mandatory. Later on, the company explained why things like TPM 2.0 and VBS (Virtualization-based Security) were so important to have, and also published a video demo to show hacking attempts on a PC with no TPM and VBS.

However, TPM is not flawless, and TPM sniffing attacks are possible. Last year, we covered such a case on Ryzen, where the vulnerability dubbed "faulTPM" affected Ryzen 3000 (Zen 2) and Ryzen 5000 (Zen 3). That case affected firmware TPM (fTPM), but such sniffing attacks are possible on discrete TPM as well.

As demonstrated by a security researcher recently, the LPC (Low Pin Count) bus was tapped using a cheap Raspberry Pi Pico to extract critical data like the Volume Master Key (VMK), bypassing BitLocker encryption. This is not the first time that such attacks have been brought to light by security experts. Here is another instance (YouTube link) of a proof of concept (PoC) of LPC bus sniffing.

While the Raspberry Pi Pico trick was done on a somewhat older PC, such BitLocker encryption breaks via sniffing are possible on modern PCs as well. This was demonstrated by Twitter (now X) user Stu Kennedy, who sniffed a Lenovo ThinkPad X1 Carbon Gen 11, which uses an Intel 13th Gen chip with discrete TPM 2.0. This time the attack was executed using SPI (Serial Peripheral Interface) sniffing.

BitLocker Key retrieval on a Windows 11, Lenovo X1 Carbon Gen 11 via SPI Sniffing.

The TPM on the backside of the Motherboard, there are various test pads. pic.twitter.com/JGu0riEr1c

— Stu Kennedy (@NoobieDog) February 7, 2024

In case you are wondering, TPM sniffing works by intercepting traffic on communication buses such as LPC, SPI, or I2C (Inter-Integrated Circuit).

One way to prevent this is by using the Microsoft Pluton security chip, which is currently on AMD Ryzen 6000 (Zen 3+) / Rembrandt and newer processors. Unfortunately, it has not quite become the standard yet, with Intel seemingly not quite ready for it and vendors like Lenovo disabling it by default even when it is available.
