BitUnlocker: Leveraging Windows Recovery to Extract BitLocker Secrets
Black Hat USA 2025 · Day 1 · Briefings
Microsoft's own offensive security team discovered four vulnerabilities in the Windows Recovery Environment (WinRE) that allow an attacker with physical access to bypass BitLocker and read all encrypted data without knowing the recovery key. Three distinct exploitation techniques were demonstrated live on stage: manipulating the boot SDI file, abusing the offline-scanning scheduled operation via TTTracer, and hijacking the SetupPlatform TrustedApp. All four issues were patched in the July 2025 Patch Tuesday release.
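The abstract does not describe the exploit steps, but the practical question for defenders is the same for all three techniques: which machines let a recovery-environment boot reach the OS volume without any user secret? The following audit script is an added example, not code from the talk or from Microsoft. It assumes a Windows 10/11 host with the built-in BitLocker PowerShell module, an elevated prompt, and English-locale `reagentc` output; the premise that a TPM-only protector unseals the OS volume for WinRE while PIN- or startup-key-bound protectors do not is general BitLocker behaviour, stated here as an assumption rather than something the abstract claims.

```powershell
# Added audit script (not from the BitUnlocker talk). Assumptions: Windows 10/11,
# BitLocker PowerShell module present, elevated prompt, English reagentc output.
# Premise (general BitLocker behaviour, assumed here): a volume protected only by a
# TPM protector is unsealed automatically when the signed boot chain launches WinRE,
# so a physical attacker who can reach the recovery environment does not need a
# PIN, startup key or recovery password. Volumes that also require one of those
# are reported as UserBound.

#Requires -RunAsAdministrator
#Requires -Modules BitLocker

function Get-BitLockerExposure {
    [CmdletBinding()]
    param()

    # Protector types that unlock the volume with no user input at boot.
    $autoUnlock = @('Tpm')
    # Protector types that need something an attacker with the laptop does not have.
    $userBound  = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey', 'Password', 'ExternalKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasAutoUnlock = @($types | Where-Object { $autoUnlock -contains $_ }).Count -gt 0
        $hasUserBound  = @($types | Where-Object { $userBound  -contains $_ }).Count -gt 0

        $risk = if ($vol.ProtectionStatus -ne 'On') { 'NotProtected' }
                elseif ($hasUserBound) { 'UserBound' }
                elseif ($hasAutoUnlock) { 'TpmOnly' }
                else { 'Other' }

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = $vol.VolumeType
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            Risk             = $risk
        }
    }
}

function Get-WinREState {
    # reagentc.exe is the documented WinRE management tool; its /info output
    # contains a "Windows RE status:" line (English locale assumed).
    $out  = & reagentc.exe /info 2>&1
    $line = $out | Where-Object { $_ -match 'Windows RE status' }
    if     ($line -match 'Enabled')  { 'Enabled' }
    elseif ($line -match 'Disabled') { 'Disabled' }
    else                             { 'Unknown' }
}

# Usage: list every volume, then warn on OS volumes that a WinRE boot would unseal.
$exposure = Get-BitLockerExposure
$exposure | Format-Table -AutoSize
"WinRE: $(Get-WinREState)"
$exposure |
    Where-Object { $_.VolumeType -eq 'OperatingSystem' -and $_.Risk -eq 'TpmOnly' } |
    ForEach-Object {
        Write-Warning "OS volume $($_.MountPoint) is TPM-only; a recovery-environment boot unseals it without a PIN."
    }
```

The script deliberately classifies a volume as UserBound as soon as any PIN- or key-bound protector exists, because BitLocker requires that protector at boot regardless of which other protectors are also enrolled; a RecoveryPassword protector is ignored for the classification since it is meant to exist on every volume and does not change pre-boot behaviour. Run it before and after deploying the July 2025 updates to see which hosts were exposed on the protector-policy side independently of the patch.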
AI review
Microsoft's own offensive team found four independent ways to bypass BitLocker via WinRE, each exploiting a different design assumption, all patched July 2025. The boot.sdi offset trick is elegant in its simplicity; the BCD volume iteration confusion leading to a DecryptVolume directive is sophisticated architecture exploitation. This is what internal red teaming should look like.