An attacker with physical access can abruptly restart the device and dump RAM, as analysis of this memory may reveal FVEK keys from recently running Windows instances, compromising data encryption.
The effectiveness of this attack is, however, limited because the data stored in RAM degrades rapidly after the power is cut off.
A lot of BitLocker setups unlock using just TPM though, which was my point. No password/PIN needs to be entered at boot time to unlock it, it uses the TPM to unlock. This is the default setup that many companies use. Password/PIN unlock is completely optional.
I’m not misreading that.
Not the default at any company I’ve been at. What’s the point of encryption if it’s unlocked right away? Whoever’s doing that deserves this exploit. However, since that’s factually correct I’ll edit my original comment to add in:
Exactly.
I don’t use BitLocker, but I do use FDE on Linux, and I use a password at the bootloader level. Why would I bother with all the downsides of FDE if it isn’t actually secured by a password?
If the computer doesn’t password protection and the attacker has physical access… They can just copy the data, why care about the keys?
I think that’s already a worst case scenario.
The user still has to login to their user account. The assumption is that the Windows login is secure so BitLocker can decrypt using TPM and an attacker still won’t have access to the data without being able to log in.
This article obviously shows a method how an attacker can potentially still get access to the data without logging in.