That’s the most puzzling part to me. What’s the point of the PIN then? I was assuming it was mixed with the TPM secret somehow but if it can be bypassed then it shows it just an IF statement somewhere. Dang…

God I hate this stupid design of burying the decryption key in the TPM and hoping the software does not get fooled to reveal it.

Microsoft always sucks. Why don’t you ask for the password at boot time and derive the key from it. So much simpler and makes this kind of attacks impossible. Nobody is going to bypass LUKS or FileVault like this.

solenoid0937•6 minutes ago

The amount of trust put into buggy TPM implementations chock full of vulnerabilities has always confused me.

Does anyone really trust these shitty Windows laptop/desktop manufacturers to get these things right? These guys couldn't even get basic hardware features like trackpad drivers right.

aiscoming•5 minutes ago

how about we wait for proof for such grandiose claims

author could become famous by being the first to proove an actual backdoor in an OS disk encryption

AnonC•about 2 hours ago

The BitLocker exploit seems simple and very dangerous. Companies and individuals have been relying on BitLocker to protect information if the device is lost. Despite promises, Microsoft doesn’t seem to be serious about security.

What will it take for more companies to truly understand their risks with Windows and being locked into Microsoft’s platforms?

cookiengineer•13 minutes ago

Note that RedSun and Bluehammer were silently patched, with no response to the CVEs by Microsoft, and not accrediting the researcher's work.

That's what this is about. Microsoft doing bad security practices while trying to get away with it, leading to this outcome.

The researcher also claims to have another version ready which allows to also bypass TPM+PIN via a similar backdoor, which I'm inclined to believe.

Why do I believe that? 5 ring 0 zero days within 3 months are so statistically unlikely to be found, by the same person, in such a short time. Whoever this person is really knows their exploits, and must be in the league of Juan Sacco.

aiscoming•9 minutes ago

the only way to bypass PIN would be an actual backdoor in Bitlocker. no way around that. an actual backdoor in microsoft encryption was never documented, and there are Snowden documents showing FBI pressing Microsoft into introducing one and Microsoft refusing

so I call bullshit on the PIN bypass

cookiengineer•4 minutes ago

> the only way to bypass PIN would be an actual backdoor in Bitlocker. no way around that. an actual backdoor in microsoft encryption was never documented, and there are Snowden documents showing FBI pressing Microsoft into introducing one and Microsoft refusing

A USB stick containing a masterkey to decrypt a bitlocker volume is literally the definition of a backdoor.

Go on, try it out. It works.

ranger_danger•about 2 hours ago

How does a bug equate to "not serious about security"?

navigate8310•about 2 hours ago

There's no way this is not a backdoor

Our_Benefactors•about 2 hours ago

Read the article. It’s pretty clear that this is a backdoor, and calling it a bug would be so generous as to be misleading.

HDBaseT•about 1 hour ago

It seems undeniably a backdoor, why on earth would a very specific folder/file name and a specific boot combination just "magically" open up an encrypted drive.

It also doesn't help this comes from a person who likely was close to the development at Microsoft (one way or another) as their recent disclosures are quite alarming.

Of course, this could technically be the stars aligning type bug, but it seems like a purposefully planted backdoor to me.

forestry•about 2 hours ago

*in your opinion.

forestry•about 2 hours ago

The blog author calls it that but given there’s no root cause yet it’s foolish to jump to conclusions.

ungreased0675•about 3 hours ago

Remarkable. Does MS take a huge reputational hit for having a backdoor, or are they so essential to most places this won’t matter?

avazhi•16 minutes ago

I think anybody who has been paying attention has assumed for at least 20 years that all of Microsoft’s shit is backdoored anyway. I mean, the original Snowden revelations made that abundantly clear if it wasn’t before then.

Businesses use Microsoft because they figure if it’s backdoored it doesn’t matter and won’t affect them (because they aren’t terrorists or child pornographers or whatever, and they’d comply with a subpoena regardless of if Bitlocker is backdoored or not) and individuals who care about security and privacy put their shit on a Veracrypt drive somewhere else.

peroids•about 2 hours ago

I’m assuming the EU speeds up the uncoupling cause of some of this.

charcircuit•about 1 hour ago

It's not an actual backdoor. An attacker found a way to exploit Windows after booting it up in this recovery mode. The security of files on the device depends on it being impossible for Windows to be pwned by an attacker on any surface exposed before the user is unlocked.

This is why operating systems like GrapheneOS disable the USB port on the initial boot to limit the attack surface that an attacker has.

tsimionescu•24 minutes ago

Having a specific file name trigger the decryption to happen automatically, while also removing said files after this is achieved, is an extremely unlikely bug. I think for most people evaluating this, the onus is now on anyone thinking this is not a backdoor to prove how a mistake in the code can trigger this very specific scenario.

This is like finding out that an OS accepts an SSH private key circulating online that the sysadmin for those OS boxes never authorized, and saying "wait, we don't know that this is a backdoor into that system, the attackers just found a bug".

charcircuit•14 minutes ago

>Having a specific file name trigger the decryption

That is not what happens. There is nothing wrong with decrypting the drive. If you just powered on the computer normally, it will "trigger the decryption." There just isn't way to read a file from the lock screen. This exploit is getting you to a state where the drive is unlocked but the user has access to a command prompt. A command prompt, unlike a basic login screen gives the user the ability to actually see the contents of arbitrary files.

>specific file name

It's a specific file name because Windows stores transaction logs under that name. If it was a random name it wouldn't be able to exercise this vulnerable code.

>also removing said files after this is achieved

It doesn't seem farfetched for a transaction log to be deleted after it is successfully replayed.

ranger_danger•about 2 hours ago

As far as I can tell, there's no concrete evidence that it is actually an intentional "backdoor."

3eb7988a1663•29 minutes ago

What would you require to feel confident it is a backdoor?

Nadella gives a press release, "Alright guys, you got us fair and square. Backdoor on Bootlocker. Various versions of it for years on behalf of the spooks."

You are unlikely to ever get a confirmation of wrong doing. That being said, for a first line security posture, there is no way external media should have anything to do with the encryption process. Even if the OS chose to read a USB drive, to also delete the magical files is ridiculously suspect.

It could always be plain old incompetence, but that is a damning level of technical ineptitude assigned to such critical infrastructure. This is not a project you assign to the intern, but paranoid security experts. Multiple levels of code review and red-teaming.

skeptic_ai•about 1 hour ago

lol it’s an obvious backdoor. No way a security system would ever allow this blatant workaround to bypass all encryption. Backdoor is the only answer

majorchord•about 1 hour ago

> lol it's an obvious backdoor

in your opinion

Nition•about 1 hour ago

This looking so much like an intentional backdoor just makes me wonder even more about TrueCrypt's sudden recommendation in 2014 that everyone switch to BitLocker. This particular backdoor didn't exist then (it's only Win11 apparently) but this sure makes it seem more plausible that another one might have.

Though if TrueCrypt was killed to try and get people to switch to encryption that could be backdoored, then why allow its successor VeraCrypt to exist? It's open source and independently audited, so it really shouldn't be backdoored.

Cakez0r•about 1 hour ago

Funny you should say that... https://news.ycombinator.com/item?id=47690977

iscoelho•30 minutes ago

What's with all the replies on these threads downplaying this? Why is it mainly brand new accounts? What's going on here?

I've seen every variant of:

1) "this is an authentication/privilege escalation bug, not a bitlocker exploit" (? what are you even trying to say)

2) "even though the attacker explicitly warns that this is capable of bypassing TPM+PIN, that isn't actually true or what he meant"

3) "we shouldn't jump to conclusions that this is a backdoor"

4) "we already knew BitLocker with just TPM isn't secure" (? except many organizations depend on it to be)

cookiengineer•9 minutes ago

Microsoft doing their shenanigans, likely.

It's such a ridiculous backdoor, trying to deny that this is the TAO bitlocker backdoor makes it so bad, no matter how Microsoft would try to spin it.

Either cryptography by Microsoft was never working in the first place (which means hundreds of people are absolutely incompetent)... or it is a backdoor for federal agencies. Either way, this is reaaally bad.

gib444•17 minutes ago

Most submissions involving criticism of big tech gets those kind of replies. Par for the course here.

You just have to skip reading them because it seems there's no stopping those 100% genuine replies

bombcar•about 2 hours ago

How is this even possible, backdoor or no? Isn't the whole point of this type of encryption that even a compromised machine can't decrypt without the passphrase? If this works it means that the key is stored unencrypted somewhere?

majorchord•about 2 hours ago

Most setups only have the key stored in the TPM, so all you need to get it back is a signed/trusted bootloader.

Ideally you'd want that key to be further protected with a password or some other mechanism because it's not impossible to extract TPM keys.

andrecarini•about 2 hours ago

Presumably the key is stored in the TPM

pajko•about 2 hours ago

Earlier thread: https://news.ycombinator.com/item?id=48114997

ChrisArchitect•about 1 hour ago

[dupe] https://news.ycombinator.com/item?id=48129789

And earlier

https://news.ycombinator.com/item?id=48114997

ranger_danger•about 2 hours ago

For those who use password (not PIN) based pre-boot authentication with BitLocker... do we know if that setup is safe?

I can't imagine there would be a way to bypass that if a password is required, unless it was a situation where like, there was originally some secret secondary key made that needs no password... or the password was never tied to the key in the first place.

andrecarini•about 2 hours ago

The exploit developer themselves say [1] TPM+PIN is vulnerable, though no public PoC.

[1]: https://deadeclipse666.blogspot.com/2026/05/were-doing-silen...

forestry•about 2 hours ago

I’m skeptical of that claim. The key material presumably is inaccessible even to the OS without the passcode.

cookiengineer•6 minutes ago

If someone drops 5 confirmed ring 0 exploits within 3 months and claims that they got a 6th one... why on earth would you doubt that the 6th one suddenly is fake?

Do you know how hard discovering even one of those is? And how many months of work it takes?

ranger_danger•about 1 hour ago

> presumably

That's the thing, we don't actually know how involved the PIN is in relation to the key... it might be completely separate (and hence bypassable).

Similarly I also wonder if password-based pre-boot auth is affected.