Is BitLocker broken? What's this about Yellow Keys?

Brief thoughts and guidance on the YellowKey exploit.

Screenshot showing a screen titled "BitLocker Drive Encryption".  BitLocker shows as on for drive C, and there are options to suspend protection along with management tasks.

BitLocker is a full disk encryption tool that's been built into Microsoft Windows since Windows Vista. BitLocker is typically found in Professional, Enterprise, and Server editions of Windows.

Full disk encryption means that files stored on the disk (be that "spinning rust", SSD, NVMe, or other supported media) are unreadable by anyone who doesn't have access to the decryption key. Trying to read the storage directly would result in what looks like random noise.

What happened? 🗓️

On Tuesday 12th May (last week), an individual known as Nightmare Eclipse released a proof of concept exploit called "YellowKey" that allowed someone in possession of a device encrypted with BitLocker to decrypt the drive. No recovery key required.

The exploit, available on GitHub, involves putting a collection of files onto a USB stick, then rebooting Windows in recovery mode. Usually this would prompt for a recovery key, but in this case the drive is simply unlocked.

Nightmare Eclipse hasn't shared exactly how and why this works yet, but if you're running Windows 11 then the exploit will work on your devices. Windows 10 is not affected.

We require a PIN to unlock BitLocker, so we're fine, right? 🔐

While that second exploit isn't published yet, Nightmare Eclipse has indicated that they have one that would defeat the "TPMandPIN" BitLocker configuration too.

Is it time to panic? 😱

Well, that depends on your threat model. BitLocker is still a very useful layer of defence, and turning it off would be worse than having it on.

In order to access your data an attacker requires physical access to your device. They have to be able to plug a USB stick in and tell Windows to enter recovery mode. If your team regularly leaves laptops unattended, and you know you're being targeted by attackers who could get hold of your equipment, you may consider this a greater risk.

Regardless, panic rarely helps anyway.

What should I do? 🤔

  • Keep an eye out for updates from Microsoft that address this vulnerability
  • Remind colleagues not to leave their devices unattended (good advice anyway)
  • Consider the data that you keep on laptops. Does that data need to be there in the first place? Remove data that should be stored elsewhere (again, good advice anyway)
  • Avoid reading into conspiracy theories about backdoors
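If you want to know which of your devices rely on the TPM alone and which also require a PIN at boot, the following PowerShell inventory script is an added example (not from the original post or from Nightmare Eclipse's GitHub repository). It assumes the built-in BitLocker PowerShell module is present and that you run it from an elevated prompt on each Windows machine; the "Windows 11 builds are 22000 and above" check is an assumption based on the build numbering Microsoft uses, not something the post states.

```powershell
# Added example: inventory BitLocker volumes and their key protectors so you can
# see which drives unlock with the TPM only and which also need a PIN.
# Assumes the BitLocker module is installed and the prompt is elevated.
Import-Module BitLocker

# Windows 11 reports build numbers of 22000 and above (assumed mapping, not from the post).
$build = [int](Get-CimInstance Win32_OperatingSystem).BuildNumber
$osNote = if ($build -ge 22000) { "Windows 11 (build $build)" } else { "Windows 10 or earlier (build $build)" }
Write-Host "Operating system: $osNote"

$report = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
    [pscustomobject]@{
        MountPoint        = $vol.MountPoint
        ProtectionStatus  = $vol.ProtectionStatus   # Off also covers "suspended"
        VolumeStatus      = $vol.VolumeStatus       # e.g. FullyEncrypted
        EncryptionMethod  = $vol.EncryptionMethod
        Protectors        = ($types -join ', ')
        # TpmPin / TpmPinKey protectors mean a user secret is needed at boot;
        # a bare Tpm protector unlocks the drive without one.
        RequiresPin       = [bool]($types -match '^TpmPin')
        HasRecoveryPasswd = [bool]($types -contains 'RecoveryPassword')
    }
}

$report | Format-Table -AutoSize

# Highlight volumes protected by the TPM alone, with no PIN configured.
$tpmOnly = $report | Where-Object { $_.Protectors -match '\bTpm\b' -and -not $_.RequiresPin }
if ($tpmOnly) {
    Write-Warning "TPM-only volumes (no PIN): $(@($tpmOnly.MountPoint) -join ', ')"
}

# Volumes with protection switched off or suspended are not encrypted at rest in practice.
$unprotected = $report | Where-Object { $_.ProtectionStatus -ne 'On' }
if ($unprotected) {
    Write-Warning "Protection not active on: $(@($unprotected.MountPoint) -join ', ')"
}
```

Run it across your fleet (for example via Invoke-Command or your management tooling) and collect the output centrally so you know which machines to prioritise once Microsoft ships a fix.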

I've never heard of "Nightmare Eclipse" 🕴️

You may also see Nightmare Eclipse referenced as Chaotic Eclipse, Chaos Eclipse, and Dead Eclipse - they seem to use multiple aliases across GitHub, their blog, and elsewhere.
Banner image: Screenshot of the "Manage BitLocker" control panel screen.