Zero-day Exploit Bypasses Windows 11 BitLocker Protection

A zero-day exploit circulating online allows individuals with physical access to a Windows 11 system to bypass default BitLocker protections and gain complete access to an encrypted drive within seconds. The exploit, named YellowKey, was published earlier this week by a researcher known as Nightmare-Eclipse. This exploit reliably bypasses default Windows 11 deployments of BitLocker, which is designed to protect disk contents from unauthorized access.

How the Exploit Works 🔍

The core of the YellowKey exploit involves a custom-made FsTx folder. Here’s how it works:

  • Copy the custom FsTx folder from the Nightmare-Eclipse exploit page to an NTFS- or FAT-formatted USB drive.
  • Connect the USB drive to the BitLocker-protected device.
  • Boot up the device and immediately press and hold down the [Ctrl] key to enter Windows recovery.

A command prompt (CMD.EXE) appears, granting full access to the entire drive contents, allowing an attacker to copy, modify, or delete files. Normally, a BitLocker recovery key is required, but the YellowKey exploit bypasses this safeguard.

Technical Insights 💻

It remains unclear what specifically in the custom FsTx folder causes the bypass. Researchers have noted that it appears to be related to Transactional NTFS. The contents of the FsTx directory used in the YellowKey exploit do not reveal any strings related to RecoverySimulation.ini, but they do show paths that control the Windows Recovery environment.

Implications ⚠️

A Microsoft representative has stated that the company is investigating the reported vulnerability. It is crucial for users to understand that, at present, BitLocker on Windows 11 is not providing the protection it is supposed to: a stolen or lost device can still be accessed even when BitLocker is enabled. The exploit works only in the default mode of BitLocker, in which the decryption key is stored in the TPM (Trusted Platform Module) and no additional pre-boot secret is required.
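Because the post says the bypass applies only to the default TPM-only mode, a defender's first question is which volumes are in that configuration. The following PowerShell script is an added example (not code from the original post or from the researcher) that enumerates BitLocker volumes with the built-in BitLocker module and flags those whose only boot-time protector is the TPM; it assumes a Windows 10/11 host with the BitLocker module available and an elevated session.

```powershell
# Added example: list BitLocker volumes and flag TPM-only protection.
# Uses the built-in Get-BitLockerVolume cmdlet (BitLocker module, run elevated).

function Get-TpmOnlyBitLockerVolumes {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, ExternalKey, Password.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # "Tpm" alone means the volume key is released by the TPM at boot with
        # no user-held secret; the variants below require a PIN and/or startup key.
        $userSecretTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
        $hasUserSecret   = @($types | Where-Object { $_ -in $userSecretTypes }).Count -gt 0
        $tpmOnly         = ($types -contains 'Tpm') -and (-not $hasUserSecret)

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus      # FullyEncrypted, EncryptionInProgress, ...
            ProtectionStatus = $vol.ProtectionStatus  # On / Off
            Protectors       = ($types -join ', ')
            TpmOnly          = [bool]$tpmOnly
        }
    }
}

# Report every volume, then call out the ones matching the post's risk condition.
$volumes = Get-TpmOnlyBitLockerVolumes
$volumes | Format-Table -AutoSize

$exposed = $volumes | Where-Object { $_.TpmOnly -and $_.ProtectionStatus -eq 'On' }
if ($exposed) {
    Write-Warning ("TPM-only BitLocker volumes (default mode): " +
                   (($exposed | ForEach-Object { $_.MountPoint }) -join ', '))
} else {
    Write-Output "No protected volume relies on a TPM-only key protector."
}
```

Running this across a fleet (for example through a remote PowerShell session) gives an inventory of which machines are in the default mode the post describes, which is the population the investigation and any eventual fix should be prioritised for.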

Recommendations 🛡️

Security professionals recommend enabling a BIOS password lock to prevent YellowKey attacks. While this is a good practice, it is uncertain how effective it is against this specific exploit.

This post is licensed under CC BY 4.0 by the author.