YellowKey Bitlocker Bypass Vulnerability

15 points by polywolf


refi64

Also see this tweet (and followup):

I just reverse engineered the YellowKey BitLocker bypass

Microsoft shipped code that checks for a flag called "FailRelock" in every Windows 11 recovery image. When it's set to 1, after recovery unlocks your BitLocker drive, it never relocks it. All you need is a USB stick.

This code only exists in the recovery environment. Not in normal Windows. They left an entire debug testing framework in production.

How it works:

  1. Recovery tools look for a config file called RecoverySimulation.ini on the OS drive
  2. If Active=Yes, it enables "test mode" for the recovery tools
  3. Test mode unlocks your BitLocker drive but a flag called FailRelock tells it to skip relocking
  4. cmd.exe spawns with full access to your "encrypted" drive

It's not fully clear to me how the purported ini file ties into things, though; how would that end up there in the first place? Other people have tried it and confirmed it works, and I doubt they set up any of that manually. Is the check wrong somewhere, or maybe the file ends up there when you reboot to recovery from within the OS? Or perhaps the poster simply misread the code...
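The file-and-flag combination the tweet describes, as an added audit check written for this thread (not code from the thread, the tweet's author, or Microsoft): it inspects a mounted OS volume for RecoverySimulation.ini and reports whether Active=Yes and FailRelock=1 are present. The file living in the volume root, the section name, and the accepted truthy spellings are assumptions.

```python
"""Audit helper for the RecoverySimulation.ini condition described above.
Assumed: file in the OS volume root; Active/FailRelock under any section."""
import codecs
import configparser
import os
import tempfile

INI_NAME = "RecoverySimulation.ini"
TRUTHY = ("yes", "1", "true")  # assumed spellings; the tweet shows Yes and 1

def decode_ini_bytes(raw):
    """Honour a UTF-16 BOM (common for Windows-written INI files), else UTF-8."""
    bom16 = (codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)
    return raw.decode("utf-16") if raw.startswith(bom16) else raw.decode("utf-8-sig", "replace")

def parse_recovery_simulation(text):
    """Return (active, fail_relock) from INI text, searching every section
    case-insensitively. Unparseable text is treated as 'not active'."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        # A leading pseudo-section lets keys appear before any [header].
        parser.read_string("[__top__]\n" + text)
    except configparser.Error:
        return False, False
    active = fail_relock = False
    for sect in parser.sections():
        for key, value in parser.items(sect):  # configparser lower-cases keys
            value = value.strip().lower()
            if key == "active" and value in TRUTHY:
                active = True
            elif key == "failrelock" and value in TRUTHY:
                fail_relock = True
    return active, fail_relock

def audit_volume_root(root):
    """Audit a mounted OS volume root (e.g. 'C:\\'); None if the file is absent."""
    path = os.path.join(root, INI_NAME)
    if not os.path.isfile(path):
        return None
    with open(path, "rb") as fh:
        active, fail_relock = parse_recovery_simulation(decode_ini_bytes(fh.read()))
    return {"path": path, "active": active, "fail_relock": fail_relock}

SAMPLE_INI = "[RecoverySimulation]\nActive=Yes\nFailRelock=1\n"  # constructed sample

def demo():
    """Write the constructed sample (as UTF-16) to a scratch dir and audit it."""
    root = tempfile.mkdtemp()
    with open(os.path.join(root, INI_NAME), "wb") as fh:
        fh.write(codecs.BOM_UTF16_LE + SAMPLE_INI.encode("utf-16-le"))
    return audit_volume_root(root)
```

A finding with active set is the condition worth alerting on from a forensic image or an endpoint scan; FailRelock adds the no-relock variant on top of test mode.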