Hector Martin

Anyway, if you rely on BitLocker in TPM mode (boot without PIN), you should know that anyone can steal your computer, sniff 32 bytes off of the LPC bus, stick them into libbde, and decrypt your disk. Yes, it's that easy. Solder 7 wires to $favorite_fpga_board, decrypt drive.

We all knew it was going to be this dumb, but today I'm here to tell you it *is* this dumb and I just implemented it.

Great work! Do you think a similar attack could be made against Android "DE" storage on a Pixel phone?

ARM devices are usually a few orders of magnitude closer to being potentially secure than x86 systems. The "TPM" on those is integrated into the SoC. I'm sure you could still find a way in though, like a glitching attack. This is why I refuse to use Android FBE.

You prefer FDE to FBE? Because all storage is CE, none is DE? Would be interested to know more about the kind is attack you have in mind...

Yes, except I use a different (much longer) FDE passphrase that is not my normal unlock code (this is possible on rooted devices). Also FDE encrypts *everything*, including all metadata, so I'm immune from "someone used the wrong data class" bugs.

The problem with FBE and all the DE stuff (and what iPhone does too) is that it's quite secure if nobody made any mistakes all the way through the stack; everything has to work together perfectly. A security flaw could make the whole thing moot, as we've seen many times.

With FDE I know that the storage is cryptographically bound to the long and not crackable passphrase, period. As long as the much simpler code from that to the storage crypto is secure, if my phone is off, you aren't getting any data out of it.