The article describes the “bitpixie” attack (CVE-2023-21563), which lets an attacker read files from a BitLocker-encrypted Windows device without disassembling it. The attack exploits a bug in the Windows Boot Manager: after a PXE soft reboot the BitLocker volume master key is left in memory, where a network-booted system can read it. Because current boot managers are patched, the attacker first downgrades the device to an older, still Secure Boot-signed Windows Boot Manager. The only requirements are physical access to the device, a keyboard, and a network connection for PXE booting. The article covers the technical details of the exploit, the motivation behind the research, and the mitigations available to affected users. Affected: Windows 11, BitLocker (TPM-only key protector, the default Device Encryption configuration)
Keypoints :
- The bitpixie exploit gives access to encrypted files on Windows devices without disassembling the device.
- The vulnerability is a bug in the Windows Boot Manager (CVE-2023-21563) that leaves the BitLocker key in memory across a PXE soft reboot.
- Attackers need physical access, a keyboard, and a network connection (for PXE/network boot) to exploit the vulnerability.
- At the time of writing there is no widely available tool that automates the exploit.
- Mitigations include requiring a pre-boot PIN (TPM+PIN key protector) and applying the Microsoft security updates that fix the boot manager and revoke vulnerable older versions.
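The following PowerShell script is an added example, not part of the Neodyme research or of this summary. It audits a Windows 11 host for the two mitigations listed above and can switch the OS volume from a TPM-only protector to TPM+PIN. Function names are my own; it assumes an elevated session with the built-in BitLocker and SecureBoot modules. The Secure Boot checks mirror the verification commands Microsoft publishes with KB5025885 (the update that adds the "Windows UEFI CA 2023" certificate to DB and revokes "Microsoft Windows Production PCA 2011" via DBX, so that a downgraded boot manager no longer boots).

```powershell
#Requires -RunAsAdministrator
# Added audit/remediation script for the bitpixie mitigations (pre-boot PIN,
# boot manager revocation). Not Neodyme's code; function names are assumptions.

function Test-BitLockerPreBootPin {
    param([string]$MountPoint = $env:SystemDrive)
    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { [string]$_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        KeyProtectors    = ($types -join ',')
        # TpmPin and TpmPinStartupKey both demand a PIN before the TPM unseals the VMK.
        HasPreBootPin    = (@($types -like 'TpmPin*').Count -gt 0)
        # A bare Tpm protector (auto-unlock without user input) is what bitpixie targets.
        TpmOnly          = ($types -contains 'Tpm') -and (@($types -like 'TpmPin*').Count -eq 0)
    }
}

function Test-PreBootPinPolicy {
    # "Require additional authentication at startup" policy; UseTPMPIN: 0 = disallow, 1 = allow, 2 = require.
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    $p   = Get-ItemProperty -Path $fve -ErrorAction SilentlyContinue
    [pscustomobject]@{
        UseAdvancedStartup = [int]$p.UseAdvancedStartup
        UseTPMPIN          = [int]$p.UseTPMPIN
        PinRequired        = ([int]$p.UseAdvancedStartup -eq 1) -and ([int]$p.UseTPMPIN -eq 2)
    }
}

function Test-BootManagerRevocation {
    # Secure Boot variables are only meaningful (and readable) when Secure Boot is on.
    try { $sb = Confirm-SecureBootUEFI } catch { $sb = $false }
    if (-not $sb) {
        return [pscustomobject]@{ SecureBoot = $false; Ca2023InDb = $false; Pca2011InDbx = $false }
    }
    $db  = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
    $dbx = [System.Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
    [pscustomobject]@{
        SecureBoot   = $true
        # New signing CA trusted: updated boot managers signed by it will boot.
        Ca2023InDb   = ($db -match 'Windows UEFI CA 2023')
        # Old CA revoked: an older PCA-2011-signed bootmgr (the downgrade target) is refused.
        Pca2011InDbx = ($dbx -match 'Microsoft Windows Production PCA 2011')
    }
}

function Enable-BitLockerPreBootPin {
    param(
        [string]$MountPoint = $env:SystemDrive,
        [Parameter(Mandatory)][securestring]$Pin
    )
    # Require TPM+PIN by local policy (a domain GPO for the same keys takes precedence).
    $fve = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    New-Item -Path $fve -Force | Out-Null
    Set-ItemProperty -Path $fve -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $fve -Name UseTPMPIN -Value 2 -Type DWord

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    # Never leave the volume without a protector: make sure a recovery password exists (escrow it!).
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    }
    # Only one TPM-based protector may exist, so drop the TPM-only one before adding TPM+PIN.
    $vol.KeyProtector | Where-Object KeyProtectorType -eq 'Tpm' | ForEach-Object {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
    }
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    Test-BitLockerPreBootPin -MountPoint $MountPoint
}

# Audit; a TpmOnly=True volume on a host where Pca2011InDbx=False is the exploitable combination.
Test-BitLockerPreBootPin
Test-PreBootPinPolicy
Test-BootManagerRevocation
# Remediate (interactive): Enable-BitLockerPreBootPin -Pin (Read-Host -AsSecureString 'New pre-boot PIN')
```

The audit treats the two mitigations as independent because they are: a pre-boot PIN stops the TPM from unsealing the key without user input even on an unpatched boot chain, while the DBX revocation stops the downgrade regardless of the protector type. Back up the recovery password before running the remediation, since changing the TPM protector can trigger recovery on the next boot.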
MITRE Techniques :
- T1552.001 – Unsecured Credentials: Credentials In Files: read data, including any credentials stored on disk, from the BitLocker volume once its key has been recovered.
- T1203 – Exploitation for Client Execution: downgrade the Windows Boot Manager to a version vulnerable to bitpixie and trigger the PXE soft reboot that leaks the volume key.
- T1069 – Permission Groups Discovery: inspect the BitLocker configuration (TPM-only protector, no pre-boot PIN) to confirm the device is exploitable.
Indicator of Compromise :
- [file hash] 4a503947d70daaea2344d1d4fcaa9ca4e410aee7 (SHA-1 length)
- [vulnerability] CVE-2023-21563 (the Windows Boot Manager bug that bitpixie exploits)
- Check the article for all found IoCs.
Full Research: https://neodyme.io/en/blog/bitlocker_screwed_without_a_screwdriver/#38c3-talk—windows-bitlocker–screwed-without-a-screwdriver