New York, U.S. – A critical vulnerability in Microsoft’s BitLocker encryption, identified as CVE-2023-21563, has been demonstrated to allow hackers to bypass its security with minimal effort and brief physical access to a device.
Security researcher Thomas Lambertz, known as “th0mas,” revealed this flaw during a keynote at the Chaos Communication Conference titled “Windows BitLocker: Screwed without a Screwdriver.” He showcased how attackers could exploit the vulnerability without turning on the device.
The attack requires physical access to the system. By forcing the target device into recovery mode and connecting it to a network, hackers can effectively decrypt a Windows 11 system protected by BitLocker encryption.
This discovery highlights significant risks for systems relying on BitLocker to protect sensitive data, particularly in environments where physical access to devices is not strictly controlled. Microsoft has not yet announced a specific fix for this vulnerability.
Security experts urge users and organisations to enhance physical security measures for devices and monitor Microsoft’s updates for potential patches to address this critical issue.
Microsoft fixed the CVE-2023-21563 vulnerability in 2022, but this demonstration shows that it has not been completely fixed. BitLocker enables the “Device Encryption” feature by default in newer Windows 11 systems. The hard disk is encrypted at rest, but it is automatically decrypted when the legitimate Windows system is started.
Lambertz used an attack method called “bitpixie” to run an old version of the Windows boot loader through Secure Boot, extract the encryption key into memory, and then use the Linux system to read the memory contents and finally obtain the BitLocker key.
Microsoft has long been aware of the problem, and the permanent solution is to revoke the certificate of the vulnerable boot loader, but the memory space used to store certificates in UEFI firmware is limited, so it is difficult to fully defend against it in the short term. Microsoft plans to distribute new secure boot certificates starting in 2026, which will force motherboard manufacturers to update UEFI.
Previously, users could only protect themselves by setting a personal PIN to back up BitLocker or disabling network access in the BIOS.
Lambertz warned that even a simple USB network adapter is enough to perform this attack. For ordinary users, the risk of this attack is relatively low. But for enterprises, governments and other institutions that attach great importance to network security, only physical access and a USB network adapter are needed to decrypt BitLocker, which is undoubtedly a major security risk.
