Zero‑Day “YellowKey” Exploit Bypasses Windows 11 BitLocker Encryption
What Happened — A researcher publishing under the alias Nightmare‑Eclipse released a zero‑day exploit, dubbed YellowKey, that can bypass the default BitLocker full‑disk encryption on Windows 11 when the attacker has brief physical access to the machine. The technique extracts the TPM‑protected key and decrypts the volume without triggering any alert.
Why It Matters for TPRM —
- BitLocker is a mandated data‑at‑rest control for many regulated vendors and government contractors.
- A physical‑access bypass undermines the confidentiality guarantees that third‑party risk assessments rely on.
- The exploit is publicly available, increasing the likelihood of rapid weaponisation by opportunistic actors.
Who Is Affected — Enterprises across all sectors that deploy Windows 11 with default BitLocker settings, especially those handling sensitive government, health, or financial data.
Recommended Actions —
- Verify that BitLocker is configured with additional safeguards (e.g., pre‑boot authentication, TPM 2.0 with Secure Boot, and hardware‑based key storage).
- Accelerate deployment of the latest Windows 11 security updates and monitor Microsoft advisories for patches.
- Review physical security controls for laptops and workstations; enforce tamper‑evident seals and secure storage when devices are unattended.
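The first recommended action, verifying that BitLocker is not relying on a bare TPM protector, can be audited with the built-in BitLocker and TPM cmdlets. The script below is an added example written for this brief; it is not code from the advisory, from Schneier on Security, or from Microsoft. It assumes the compliance threshold stated in the comments (an OS volume must carry a TPM+PIN, TPM+startup key, or TPM+PIN+startup key protector, and policy must set `UseTPMPIN` to 1, the "Require" value) and that it runs in an elevated PowerShell session on Windows 11.

```powershell
# Added example (not from the advisory): audit BitLocker posture on one host.
# Run elevated. Assumed threshold: the OS volume must use pre-boot authentication
# (TpmPin, TpmStartupKey or TpmPinStartupKey), TPM must report spec 2.0,
# Secure Boot must be on, and policy must require a startup PIN (UseTPMPIN = 1).

function Test-BitLockerPosture {
    [CmdletBinding()]
    param()

    $findings = [System.Collections.Generic.List[string]]::new()

    # TPM presence and specification version from the Win32_Tpm WMI class.
    $tpm = Get-CimInstance -Namespace 'root\cimv2\security\microsofttpm' `
                           -ClassName Win32_Tpm -ErrorAction SilentlyContinue
    if (-not $tpm) {
        $findings.Add('No TPM reported by Win32_Tpm')
    } elseif ($tpm.SpecVersion -notmatch '^2\.0') {
        $findings.Add("TPM spec version is '$($tpm.SpecVersion)', not 2.0")
    }

    # Secure Boot state. Confirm-SecureBootUEFI throws on legacy BIOS firmware.
    try {
        if (-not (Confirm-SecureBootUEFI)) { $findings.Add('Secure Boot is disabled') }
    } catch {
        $findings.Add('Secure Boot state unavailable (legacy BIOS or insufficient rights)')
    }

    # Group Policy "Require additional authentication at startup" writes
    # HKLM\SOFTWARE\Policies\Microsoft\FVE\UseTPMPIN (0 = do not allow, 1 = require, 2 = allow).
    $fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' -ErrorAction SilentlyContinue
    if ($null -eq $fve -or $fve.UseTPMPIN -ne 1) {
        $findings.Add('Policy does not require a TPM startup PIN (UseTPMPIN is not 1)')
    }

    # Per-volume checks: OS volume needs a pre-boot protector, data volumes must be fully encrypted.
    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        if ($vol.VolumeType -eq 'OperatingSystem') {
            if ($vol.ProtectionStatus -ne 'On') {
                $findings.Add("$($vol.MountPoint) OS volume: protection is $($vol.ProtectionStatus)")
            }
            $preBoot = $types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' }
            if (-not $preBoot) {
                $findings.Add("$($vol.MountPoint) OS volume: no pre-boot authentication protector (found: $($types -join ', '))")
            }
        } elseif ($vol.VolumeStatus -ne 'FullyEncrypted') {
            $findings.Add("$($vol.MountPoint) data volume: status is $($vol.VolumeStatus)")
        }
    }

    # One object per host so results can be collected centrally (e.g. via Invoke-Command).
    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings.ToArray()
    }
}

Test-BitLockerPosture | Format-List
```

A host whose OS volume shows only a `Tpm` protector (the Windows 11 default that the advisory says is affected) is reported as non-compliant with the protector types it actually has, so the output doubles as an inventory when run fleet-wide through `Invoke-Command`. The checks are read-only; enabling TPM+PIN itself is a policy change that should go through the organisation's configuration management.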
Technical Notes — The exploit leverages a vulnerability in the TPM‑key handling path, allowing an attacker with brief physical access to extract the volume‑encryption key. No CVE identifier has been assigned yet; the technique is classified as a zero‑day. Data types at risk include any files stored on the encrypted volume, ranging from intellectual property to personally identifiable information.
Source: Schneier on Security