Wake up and Smell the BitLocker Keys
ID: 38be2d94-aebe-5f87-9633-d05f1f307c04
STIX ID: report--38be2d94-aebe-5f87-9633-d05f1f307c04
Feed Name: NVISO Labs
This report demonstrates a practical local hardware attack against TPM-backed BitLocker on enterprise laptops: by connecting a logic analyzer to the TPM/SPI bus, an attacker can capture the TPM response that contains the VMK, use the extracted VMK to decrypt the FVEK, and therefore mount the BitLocker volume. The write-up details the low-cost tooling required, the connection and capture procedures, how to identify the VMK in the traffic, a decryption example using dislocker, and the attack's feasibility and impact. It recommends enforcing pre-boot authentication (PIN or USB key) to mitigate the issue.
