BitLocker without a pre-boot PIN is widely deployed across enterprise environments and often considered sufficient protection against physical-access attacks. In practice, several techniques can defeat it, including long-known hardware attacks; the bitpixie PXE-based software attack published in early 2025; and a boot manager downgrade attack we developed that exploits the slow rollout of Microsoft's UEFI CA 2023 certificate transition to revive a patched vulnerability (CVE-2025-48804) on fully updated machines.
This talk is a practitioner's field report. Drawing from real penetration testing engagements, we compare hardware and software attacks across the dimensions that matter in the field — setup time, required hardware, risk to the target device, success rate, and post-exploitation impact. We walk through the open-source PoCs we developed to operationalize bitpixie and the BitUnlocker downgrade attack, and share honest observations on the effectiveness of recommended mitigations in real-world enterprise configurations.
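The two mitigation states the abstract refers to (a pre-boot PIN on the OS volume and the UEFI CA 2023 rollout state of the firmware's Secure Boot databases) can be read out quickly on a target. The following PowerShell is an added illustration written for this page; it is not code from the talk or from the BitUnlocker repository, and it only reports configuration, it does not reproduce either attack. It assumes an elevated shell on a UEFI Windows machine with the BitLocker module installed and drive letter S: free for mounting the EFI System Partition.

```powershell
#Requires -RunAsAdministrator
# Added example, not part of the talk or the BitUnlocker project.
# Reports (1) the BitLocker key protector types on the OS volume,
# (2) whether the Secure Boot db/dbx reflect the 2023 CA transition,
# (3) which CA issued the signer of the boot manager currently on the ESP.

# 1. Key protectors: a bare 'Tpm' protector means no pre-boot PIN or startup key.
$vol   = Get-BitLockerVolume -MountPoint $env:SystemDrive
$types = @($vol.KeyProtector.KeyProtectorType | ForEach-Object { "$_" })
"BitLocker on $($vol.MountPoint): $($vol.ProtectionStatus); protectors: $($types -join ', ')"
if (($types -contains 'Tpm') -and -not ($types -match '^TpmPin')) {
    'WARNING: TPM-only protector, no pre-boot PIN configured'
}

# 2. Secure Boot state. The certificate subject strings are searchable in the
#    raw DER of the db/dbx variables, so a plain ASCII match is enough here.
if (-not (Confirm-SecureBootUEFI)) { 'WARNING: Secure Boot is disabled' }
$db  = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name db).Bytes)
$dbx = [Text.Encoding]::ASCII.GetString((Get-SecureBootUEFI -Name dbx).Bytes)
"db  trusts 'Windows UEFI CA 2023'                : $($db  -match 'Windows UEFI CA 2023')"
"dbx revokes 'Microsoft Windows Production PCA 2011': $($dbx -match 'Microsoft Windows Production PCA 2011')"

# 3. Boot manager on the ESP: the issuer of the Authenticode signer tells you
#    which CA (2011 production PCA or Windows UEFI CA 2023) the firmware matches it against.
mountvol S: /S
try {
    $sig = Get-AuthenticodeSignature -FilePath 'S:\EFI\Microsoft\Boot\bootmgfw.efi'
    "bootmgfw.efi signer : $($sig.SignerCertificate.Subject)"
    "bootmgfw.efi issuer : $($sig.SignerCertificate.Issuer)"
} finally {
    mountvol S: /D
}
```

A 'Tpm'-only protector with the 2011 production CA still absent from dbx is the configuration the abstract describes as common in the field; the read-out above shows that state but says nothing by itself about whether a given attack succeeds, which is what the engagement data in the talk covers.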
See https://github.com/garatc/BitUnlocker