
Windows 11 BitLocker zero-day bypasses default protections

Summary

– A zero-day exploit named YellowKey allows someone with physical access to a Windows 11 system to bypass default BitLocker encryption and access the drive within seconds.
– The exploit was published by a researcher known as Nightmare-Eclipse and defeats BitLocker’s default configuration, which relies on a Trusted Platform Module (TPM) to hold the decryption key.
– The core of the exploit involves a custom FsTx folder, which appears to relate to Microsoft’s transactional NTFS feature.
– The attack requires booting the device into Windows Recovery with a USB drive containing the custom FsTx folder, then opening a command prompt that has full drive access.
– Multiple researchers, including Kevin Beaumont and Will Dormann, have confirmed the exploit works, though the exact mechanism within the FsTx folder that causes the bypass is unclear.

A newly surfaced zero-day exploit is making headlines for its ability to sidestep default BitLocker encryption on Windows 11 systems, giving anyone with physical access to the machine full control over an encrypted drive in just seconds.

Dubbed YellowKey, the exploit was released earlier this week by a researcher known as Nightmare-Eclipse. It targets the standard configuration of BitLocker, Microsoft’s built-in full-volume encryption tool that typically locks drive contents behind a decryption key stored in a trusted platform module (TPM). BitLocker is a critical security requirement for many organizations, especially those handling government contracts.

The trick lies in a specially crafted FsTx folder. Documentation on this folder is scarce, but it appears to be linked to Transactional NTFS (TxF), a Windows feature that enables atomic file operations across multiple files or sources. The exploit method is straightforward:

  1. Copy the custom FsTx folder from the YellowKey release page to a USB drive formatted as NTFS or FAT.
  2. Boot the target into Windows Recovery with the USB drive attached. There are two ways to trigger recovery mode: either boot into Windows, hold the Shift key, click the power icon, and select Restart, or power on the device and reset it as soon as Windows begins loading.
  3. Once inside the recovery environment, a command prompt (CMD.EXE) appears with full access to the drive’s contents. An attacker can then copy, modify, or delete any file.

Normally, Windows Recovery would demand a BitLocker recovery key before granting such access. YellowKey bypasses this safeguard by a mechanism that has not yet been explained. Security researchers Kevin Beaumont and Will Dormann have independently verified the exploit’s effectiveness.

Exactly how the custom FsTx folder achieves the bypass remains unclear. Dormann suggests the mechanism is tied to Transactional NTFS, which is built on the Common Log File System (CLFS) underneath. He also points out that examining Windows’ fstx.dll reveals code in the FsTxFindSessions() function that explicitly searches for the path `\System Volume Information\FsTx`.
(Source: Ars Technica)
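As an added practitioner check (not code from the Ars Technica article or from the YellowKey release), the PowerShell below inventories BitLocker key protectors to find volumes that rely on the TPM alone, and then looks on every mounted volume for the `System Volume Information\FsTx` path that Dormann notes fstx.dll searches for. It assumes that the article’s "default protections" means a TPM-only protector with no PIN or startup key, and it treats the presence of an FsTx folder only as a lead to investigate, since the article does not say the exploit writes that folder to the system volume. The function names are my own, and the script needs an elevated session on Windows 11 with the BitLocker module.

```powershell
# Added example, not part of the article or the YellowKey release.
# Run in an elevated PowerShell session; Get-BitLockerVolume requires admin rights.
#Requires -RunAsAdministrator

# Protector types that add a pre-boot secret on top of the TPM.
# Assumption: the article's "default protections" means a TPM-only protector,
# so any of these is treated as stronger than the default configuration.
$PreBootProtectors = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

function Get-BitLockerExposure {
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasPreBoot = @($types | Where-Object { $PreBootProtectors -contains $_ }).Count -gt 0
        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            # TPM-only: protection is on, a Tpm protector exists, and no PIN/startup key is required.
            TpmOnly          = ($vol.ProtectionStatus -eq 'On') -and
                               ($types -contains 'Tpm') -and (-not $hasPreBoot)
        }
    }
}

# Hunt for the FsTx directory on every volume that has a drive letter.
# Assumption: a hit is a lead to investigate, not proof that YellowKey was used;
# a still-attached USB drive prepared per the article would show up here.
function Find-FsTxFolder {
    foreach ($v in Get-Volume | Where-Object { $_.DriveLetter }) {
        $path = Join-Path ("{0}:\" -f $v.DriveLetter) 'System Volume Information\FsTx'
        try {
            $item = Get-Item -LiteralPath $path -Force -ErrorAction Stop
            [pscustomobject]@{
                Drive    = $v.DriveLetter
                Path     = $path
                Modified = $item.LastWriteTime
            }
        } catch [System.Management.Automation.ItemNotFoundException] {
            # Folder absent on this volume: nothing to report.
        } catch {
            # Access denied is normal for System Volume Information without admin rights.
            Write-Warning "Could not inspect ${path}: $($_.Exception.Message)"
        }
    }
}

Get-BitLockerExposure | Format-Table -AutoSize

$hits = @(Find-FsTxFolder)
if ($hits.Count -eq 0) {
    Write-Host 'No FsTx folder found under System Volume Information on any mounted volume.'
} else {
    $hits | Format-Table -AutoSize
}
```

A volume reported with `TpmOnly` set to True is in the configuration the article describes as vulnerable; the FsTx search is a hunting aid for incident responders who want to know whether a prepared USB drive or a modified volume is still attached to the machine.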
