Bad news for BitLocker users — its encryption can be cracked remarkably easily


If you have a Windows 10 Pro or Windows 11 Pro device with a dedicated external Trusted Platform Module (TPM), all of your encrypted data could easily be decrypted and read. All that’s needed is a little brainpower, a $10 Raspberry Pi Pico, and physical access to the target endpoint.

A YouTuber with the alias stacksmashing has demonstrated what they call a “colossal security flaw” which allowed them to bypass Windows BitLocker in less than a minute and gain access to the encryption keys, all with the help of a cheap off-the-shelf device.

You can read up on the technicalities of the flaw and its exploit here, but the short story is that the communication lanes between the CPU and the external TPM are completely unencrypted on boot-up. So, if the motherboard has an unpopulated connector that exposes the LPC bus, an attacker could connect the Pico to it and have the device read the raw ones and zeros from the TPM. That would grant them access to the Volume Master Key that’s stored on the module.

Major oversight

During their demonstration, stacksmashing used a ten-year-old laptop with BitLocker encryption, but explained that the same method works on newer motherboards with an external TPM.

Devices with a TPM built into the CPU (which includes most Intel and AMD CPUs for sale today) should be safe. In the video, the YouTuber is seen first removing the back cover of a laptop with a screwdriver, before touching the connectors with their Pico device. At the same time, a stopwatch running on a smartphone showed the entire process lasting less than a minute.

While some viewers praised stacksmashing’s findings, saying the tool could be really helpful for people who lost their encryption keys, others suggested that the flaw was a “major oversight”.
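For administrators who want to know which machines match the scenario described above (BitLocker enabled, a TPM that is not part of the CPU, and a key that is released automatically at boot), the following audit script is an added example, not code from the article or from stacksmashing. The function name `Test-TpmBusExposure`, the vendor ID list, and the sample values are assumptions made for illustration; the vendor list in particular is a heuristic that should be checked against your own hardware.

```powershell
# Added example (not from the article). Run in an elevated PowerShell session on Windows.
# ASSUMPTION: these TPM vendor IDs indicate a TPM integrated into the CPU/SoC or a
# virtual TPM; any other ID is treated as a discrete (external) chip.
$IntegratedTpmVendors = @('INTC', 'AMD', 'QCOM', 'MSFT')

function Test-TpmBusExposure {
    param(
        [Parameter(Mandatory)][string]$ManufacturerIdTxt,   # as reported by Get-Tpm
        [Parameter(Mandatory)][string]$ProtectionStatus,    # 'On' or 'Off'
        [string[]]$KeyProtectorTypes = @()                  # e.g. 'Tpm', 'TpmPin'
    )
    # Vendor IDs can carry padding characters; keep letters and digits only.
    $vendor    = $ManufacturerIdTxt -replace '[^A-Za-z0-9]', ''
    $discrete  = $IntegratedTpmVendors -notcontains $vendor
    $protected = $ProtectionStatus -eq 'On'
    # A 'Tpm' protector means the TPM hands the key to the CPU at boot with no user input.
    $tpmOnly   = $KeyProtectorTypes -contains 'Tpm'
    [pscustomobject]@{
        Vendor         = $vendor
        DiscreteTpm    = $discrete
        TpmOnlyBoot    = $tpmOnly
        MatchesScenario = ($discrete -and $protected -and $tpmOnly)
    }
}

# Constructed sample input: discrete TPM, BitLocker on, TPM-only protector.
Test-TpmBusExposure -ManufacturerIdTxt 'IFX ' -ProtectionStatus 'On' `
    -KeyProtectorTypes 'Tpm', 'RecoveryPassword'

# Live check of the local machine, one result per BitLocker volume.
$tpm = Get-Tpm
if ($tpm.TpmPresent) {
    foreach ($vol in Get-BitLockerVolume) {
        [string[]]$types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        Test-TpmBusExposure -ManufacturerIdTxt $tpm.ManufacturerIdTxt `
            -ProtectionStatus "$($vol.ProtectionStatus)" -KeyProtectorTypes $types |
            Add-Member -NotePropertyName MountPoint -NotePropertyValue $vol.MountPoint -PassThru
    }
}
```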

Via The Register


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
