Zero-day exploit completely defeats default Windows 11 BitLocker protections

Zero-day exploit completely defeats default Windows 11 BitLocker protections

Briefly

"A zero-day exploit circulating online allows people with physical access to a Windows 11 system to bypass default BitLocker protections and gain complete access to an encrypted drive within seconds. The exploit, named YellowKey, was published earlier this week by a researcher who goes by the alias Nightmare-Eclipse. It reliably bypasses default Windows 11 deployments of BitLocker, the full-volume encryption protection Microsoft provides to make disk contents off-limits to anyone without the decryption key, which is stored in a secured piece of hardware known as a trusted platform module (TPM)."

"The core of the YellowKey exploit is a custom-made FsTx folder. Online documentation of this folder is hard to find. As explained later, the directory associated with the file fstx.dll appears to involve what Microsoft calls the transactional NTFS, which allows developers to have "transactional atomicity" for file operations in transactions with a single file, multiple files, or ones that span multiple sources."

"The steps for carrying out the bypass are simple: Copy the custom FsTx folder from the Nightmare-Eclipse exploit page to an NTFS- or FAT-formatted USB drive Connect the USB drive to the BitLocker-protected device Boot up the device and immediately press and hold down the [Ctrl] key Enter Windows recovery There are at least two ways to accomplish the third step."

"In either case, a command (CMD.EXE) prompt appears. The prompt has full access to the entire drive contents, allowing an attacker to copy, modify, or delete them. In a normal Windows Recovery flow, the attacker would need to enter a BitLocker recovery key. Somehow, "