…is as easy as 1, 2, 3!
What a stupid thing: the BitLocker bootloader doesn’t do an integrity check on itself, can you believe that!?
So an attacker with access to the target computer just boots from a USB flash drive and replaces the BitLocker bootloader with a substitute bootloader, which mimics the BitLocker PIN query process and saves the PIN entered by the user to disk in unencrypted form.
After that you just need to pass by and get the USB key with the PIN, job done!
The Fraunhofer Institute in Germany just published a document, “Attacking the BitLocker Boot Process”.
We discuss five attack strategies against BitLocker, which target the way BitLocker is using the TPM sealing mechanism. BitLocker is a disk encryption feature included in some versions of Microsoft Windows. It represents a state-of-the-art design, enhanced with TPM support for improved security. We show that, under certain assumptions, a dedicated attacker can circumvent the protection and break confidentiality with limited effort. Our attacks neither exploit vulnerabilities in the encryption itself nor do they directly attack the TPM. They rather exploit sequences of actions that Trusted Computing fails to prevent, demonstrating limitations of the technology.
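A simplified model of the TPM sealing mentioned in the abstract, added here as an example and not taken from the post or the Fraunhofer paper: a changed boot component alters the measured PCR value and the TPM withholds the key, but that check runs only at unseal time, after the PIN has been typed. `ToyTPM`, `measure`, `boot` and the sample chains are hypothetical names and constructed data; the SHA-1 extend follows TPM 1.2, and the PIN handling is an assumption that stands in for how BitLocker binds the PIN to the sealed key.

```python
import hashlib
import hmac
from typing import Optional

PCR_RESET = b"\x00" * 20  # PCR value at power-on


def extend(pcr: bytes, component: bytes) -> bytes:
    """TPM 1.2-style extend: new PCR = SHA1(old PCR || SHA1(component))."""
    return hashlib.sha1(pcr + hashlib.sha1(component).digest()).digest()


def measure(chain: list) -> bytes:
    """Fold every boot component, in load order, into one PCR value."""
    pcr = PCR_RESET
    for component in chain:
        pcr = extend(pcr, component)
    return pcr


class ToyTPM:
    """Simplified model: releases a sealed key only for matching PCR and PIN."""

    def seal(self, key: bytes, pcr: bytes, pin: str) -> None:
        self._blob = (pcr, hashlib.sha256(pin.encode()).digest(), key)

    def unseal(self, pcr: bytes, pin: str) -> Optional[bytes]:
        sealed_pcr, pin_hash, key = self._blob
        pin_ok = hmac.compare_digest(pin_hash, hashlib.sha256(pin.encode()).digest())
        pcr_ok = hmac.compare_digest(sealed_pcr, pcr)
        return key if (pin_ok and pcr_ok) else None


def boot(tpm: ToyTPM, chain: list, typed_pin: str) -> Optional[bytes]:
    """The PIN is collected first; the TPM's PCR check only runs afterwards."""
    return tpm.unseal(measure(chain), typed_pin)


# Constructed sample data, not real boot code or keys.
GENUINE = [b"firmware", b"mbr", b"bootmgr v1"]
MODIFIED = [b"firmware", b"mbr", b"something else"]
tpm = ToyTPM()
tpm.seal(b"volume-key", measure(GENUINE), "1234")

if __name__ == "__main__":
    print("genuine chain :", boot(tpm, GENUINE, "1234"))   # key released
    print("modified chain:", boot(tpm, MODIFIED, "1234"))  # None: PCR mismatch
```

The sealing protects the key, not the prompt: nothing in this flow lets the user confirm which code is asking for the PIN before they type it.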