Has BitLocker Been Broken? What YellowKey Means to You

It’s complicated, but important to understand.

A security researcher just showed that bypassing BitLocker on Windows 11 takes little more than a USB stick and a reboot. I'll discuss what we know, who needs to worry, what the risks are for most people, and what you can do about it right now.
Applies to: Windows 11

News broke recently of an exploit called YellowKey that allows attackers to access BitLocker-encrypted hard drives without needing the usual credentials.

WHAT!?

It’s pretty simple, too: copy some files to a USB stick, reboot to a Windows Recovery Environment (WinRE), and the drive is available in unencrypted form.

While that’s bad — really bad — a few things make it slightly less of a total disaster than you might think.

TL;DR:


A new exploit called YellowKey lets attackers into your BitLocker-encrypted drive just by rebooting your laptop with a USB stick. The encryption itself isn’t broken, but if your computer gets lost or stolen, your data could be accessed. Switching to a different encryption technology or adding a boot password can help.

As they say in the news biz, this is a developing story. Hopefully, we’ll hear from Microsoft, which has so far remained silent, soon. What I discuss below may change or be contradicted as more information comes to light. Stay tuned.

The process

I’ll just quote the information provided by the discoverer of the exploit on GitHub.

  1. Copy the FsTx folder to “YourUSBStick:\System Volume Information\FsTx” as is and make sure to use a filesystem that’s compatible with Windows (NTFS is preferable but I think FAT32/exFAT should work as well). Funny thing is, the vulnerability is extremely convenient, you don’t even need to plug in an external storage device, you can just pull out the disk, copy the files in the EFI partition, put it back and it will still work. That’s how bad it is.
  2. Plug the USB stick into your target Windows computer with BitLocker protection turned on.
  3. Reboot to Windows Recovery Environment Agent (you can do that by holding SHIFT and clicking on the restart button using your mouse).
  4. Once you click on the restart button, lift your finger off the SHIFT key and hold CTRL and do NOT lift your finger off it.
  5. If you did everything properly, a shell will spawn with unrestricted access to the BitLocker-protected volume.

Note that nowhere did you have to sign in or provide a recovery key.

“Unrestricted access to the BitLocker-protected volume.” Yikes.


The conditions

Fortunately, there are some conditions that must be met for those instructions to work.

  • The computer must be running Windows 11 (or Windows Server 2022/2025); other versions are not affected.
  • The drive must be within the computer on which it was encrypted. This means you can’t remove the drive and gain entry elsewhere.
  • You must be able to reboot into the recovery environment already on your hard disk or on an external USB stick.

That this only works when the drive remains in the computer (with the associated TPM) mitigates the danger somewhat. To gain access, the attacker must have access to the computer.

The risks

Even with those conditions in play, the risks remain substantial.

  • Lost or stolen Windows 11 laptops with BitLocker enabled are at risk of exposure. This is perhaps the most ironic aspect of the situation, as these computers are most likely to have BitLocker enabled specifically because they could be lost or stolen.
  • Discarded or decommissioned machines that perhaps relied on BitLocker encryption to ensure data could not be stolen are at risk.
  • Devices handed over to authorities in various situations are at risk of exposing their contents.

There may be more scenarios, but the common thread is that someone who shouldn’t have access to your computer does, and they’re interested in examining what’s on your BitLocker-encrypted drive.

The mitigations

Mitigations to lessen your risk are tricky. Most commonly suggested is a boot-time (BIOS or UEFI) password, available on most systems, but possibly restricted on some.

Also suggested, but less helpful, is changing the boot order options so the computer won’t boot from USB drives. However, there’s a technique that allows the attacker to modify the WinRE on the hard disk (remove it, make the changes to the recovery partition, and reinstall it) so that no boot order modifications would be needed.

You can also require a PIN in addition to the TPM (a TPM+PIN protector) so the drive doesn’t unlock at boot without user input, but the exploit discoverer claims to have a working proof of concept that would bypass even that.
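Since the bypass only works while the drive is still in the machine whose TPM unseals it without user interaction, the first thing worth knowing is which of your volumes rely on the TPM alone. The following audit script is an added example, not part of the article or of the researcher’s materials; it uses the standard BitLocker PowerShell module and `reagentc`, and the function name `Get-BitLockerProtectorReport` is my own.

```powershell
# Added example (not from the article): list the key protectors on every
# BitLocker volume and flag volumes that unlock with the TPM alone, i.e. with
# no pre-boot PIN or startup key. Run from an elevated PowerShell prompt.
function Get-BitLockerProtectorReport {
    [CmdletBinding()]
    param()

    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
        # TpmPinStartupKey, RecoveryPassword, ExternalKey and Password.
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

        # Any TPM protector that also needs a PIN or startup key requires
        # something the attacker must supply at boot.
        $tpmWithSecret = $types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
        $tpmOnly = ($types -contains 'Tpm') -and (-not $tpmWithSecret)

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeStatus     = $vol.VolumeStatus
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            TpmOnly          = [bool]$tpmOnly
        }
    }
}

Get-BitLockerProtectorReport | Format-Table -AutoSize

# The article notes the problem lives in the recovery environment; this shows
# whether WinRE is enabled on this machine and where its image is located.
reagentc /info

# If the report shows TpmOnly = True for the OS drive, a TPM+PIN protector can
# be added like this (assumes Group Policy permits a startup PIN; the PIN is
# read interactively so it never appears in the script).
# $pin = Read-Host -AsSecureString 'Pre-boot PIN'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

Adding a TPM+PIN protector needs the “Require additional authentication at startup” policy to allow a PIN, and, as the text above says, the researcher claims a PIN alone may not be a complete fix.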

However, there’s one action I haven’t seen discussed that is pretty much guaranteed to make this exploit harmless.

  1. Turn off BitLocker.
  2. Use a different encryption technology: VeraCrypt for whole-disk or mountable volume encryption, or Cryptomator for specific file/folder encryption.

Neither relies on anything related to the current kerfuffle.

Should you be worried?

As horrific as this all sounds (and there’s no question it is terrible and embarrassing for BitLocker), I don’t think the average user needs to be too concerned.

To begin with, the average user probably doesn’t need whole-disk encryption most of the time. Unless you travel with your computer, the chances of someone getting physical access or possession of your computer and being savvy enough to try to break into BitLocker are pretty low.

On the other hand, if you travel or take your laptop from place to place, I hope you have some form of encryption enabled.

  • If you use BitLocker,
  • and you have sensitive data on your laptop,
  • and you consider yourself a possible target for hackers,
  • then you probably need to take action.

The only actions I’m aware of right now that would resolve the issue are configuring a boot-time password, if your UEFI/BIOS supports it, or switching encryption technologies.

Corporations, on the other hand, are very likely to be in a slight panic right now, and rightfully so.

Horrific and embarrassing

I try to maintain a balanced perspective when it comes to the latest news in technology. I do my best not to overstate things for the sake of a headline. It’s unlikely you’ll see others stating that “the average consumer probably doesn’t need to be concerned”, even though I believe that.

All that being said…

That this exploit exists, and that it’s this simple, is horrifying. The anti-Microsoft crowd will have a field day, I’m sure, and I’ll have a hard time arguing against them. This is an appalling, fundamental screw-up for what many would call mission-critical software.

What’s worse, apparently, is that it’s going to be difficult to fix. Reports are that it’s an issue with the WinRE, which is difficult to update. I don’t see how Windows itself won’t be affected somehow, since old WinREs with the issue aren’t going to magically disappear and could still be used to gain access.

What it is not

It’s important to point out here that BitLocker encryption has not been broken.

This is something else.

If you take a BitLocker-encrypted drive out of the computer on which it was encrypted, meaning the TPM in use at the time is no longer available, then the contents of the drive remain solidly encrypted.

It’s unclear, and more than a little confusing, exactly what this is, but what we do know is that this is a bypass, not a hack of the encryption itself.

Is it a backdoor?

A backdoor is an intentionally placed hidden access method. The original researcher had this to say:

I just can’t come up with an explanation besides the fact that this was intentional.

So, there’s no proof that this is a backdoor, but it kinda sorta acts like one.

Dave Plummer makes a good point that I can absolutely attest to:

In software, forgotten debug, plumbing, test hooks, and recovery shortcuts can look indistinguishable from malice once they survive into production. Intent is interesting in the end, but impact is what actually lands on the Incident Report. And the impact here is pretty brutal.

In other words, I’d jump immediately to Hanlon’s Razor before hauling out the “backdoor” claim.

Do this

Don’t panic unless you’re in the corporate world; then, panic away.

If you’re an average user who doesn’t use BitLocker or who uses it only because Microsoft turned it on by default, then don’t sweat it. Watch from the sidelines.

If, on the other hand, you rely on BitLocker for security, then it’s probably time to change your allegiance to a different encryption solution. At least add a boot-time password, if you can.


4 comments on “Has BitLocker Been Broken? What YellowKey Means to You”

  1. I saw this news about BitLocker a few days ago and started reading up on it. What I took away from what I read about it was “Okay, so what?”.
    I use BitLocker on my laptop. I also use a UEFI password on that laptop because without it, the laptop would boot into Windows even with BitLocker enabled. Without that password, my laptop won’t boot from anything and according to the manufacturer would require the replacement of the motherboard if I forgot it, which also would block this exploit (different TPM). Even better, my laptop is no longer supported by the manufacturer and parts are no longer available.
    I also use Cryptomator.
  2. Additional thoughts.
    I’ve been using BitLocker since Windows 7. As Windows evolved, so did how I used it. From using passwords to USB drives and then learning about TPM modules. I was on the road a lot and was always concerned about the security of my laptops. I can’t recall exactly when I first purchased a laptop with a TPM module except it was long before Microsoft required one for Windows 11. It occurred to me early on not to enable Sleep or Hibernate and to always shut down the laptop when I was away from it. Even that wasn’t enough as I realized all someone had to do was hit the power button and when Windows started they could use account recovery methods to see what was on the computer. That’s when I learned about BIOS/UEFI passwords and how they worked. I’ve set up every laptop I’ve owned over the past 15 years with one. And every time I’ve been asked about securing a laptop, it has always been one of the recommendations I make. Using one on a PC isn’t as effective as there are ways to reset the BIOS password just by opening it up, but motherboards on laptops generally don’t have that capability.
    Being mildly paranoid, I’ve also deleted the BitLocker recovery key from my Microsoft account, instead printing it out.
