Comment on Raspberry Pi Pico cracks BitLocker in under a minute
themeatbridge@lemmy.world 8 months agoIt’s a security vulnerability none the less. If there is an external TPM, then you could use a Pico to make a device that intercepts the unencrypted key. Microsoft has downplayed this vulnerability because it requires physical access to the hardware (true) and it requires significant time (false as demonstrated).
“Cracking” is a nebulous term, but generally includes any methods or tools used to steal encryption keys, which this does in under a minute IF you have physical access to the hardware AND it connects to an external TPM.
thantik@lemmy.world 8 months ago
If you have physical access to the hardware, have spent weeks researching it and produced a custom solution specific to that board and revision, etc.
This is kind of a moot point now because most TPM nowadays are not external modules and nobody focused on security is keeping this kind of hardware around.
halm@leminal.space 8 months ago
Fair point, let’s acknowledge the preparation and research that goes into something like this. While the Pico may have performed the decryption in less than a minute, there were days and weeks of labour leading up to that.
A stage magician will pull a rabbit out of a hat in less than a minute, but the audience must never see the effort of the performance. Too often, for the sake of brevity and a catchy headline, journalists tend to make every slightly technological performance sound like a magic trick.
DoomBot5@lemmy.world 8 months ago
That’s not what anyone means when they say quick. They’re talking from the moment the attempt is initiated until the time data is extracted. In this case countdown starts the moment you get access to the hardware.
thantik@lemmy.world 8 months ago
And the moment he got access to the hardware was weeks ago when he opened it up and started probing around for the right points to access.
DoomBot5@lemmy.world 8 months ago
That’s great and all, but he owned that hardware. You’re not developing hardware exploits on a target’s hardware, you do it on a copy of the target’s hardware.
That’s like claiming the NSA spent months breaking into your phone. In reality, they spent months developing exploits on the iPhones they bought and minutes breaking into your phone once they have it.