Security researcher Thomas Lambertz demonstrated a USB-only exploit called YellowKey that bypasses Windows 11 BitLocker encryption without requiring the machine to be opened [1, 2].

This discovery is significant because it undermines the primary defense used by millions of users to protect sensitive data on lost or stolen laptops. By bypassing this encryption, an attacker with physical access to a powered-off device can potentially access private files and system data.

Lambertz, also known as th0mas, presented the findings this month at the 38th Chaos Communication Congress (38C3) in Hamburg, Germany [1, 2]. The exploit allows an attacker to gain command-line access and decrypt files from a device that is shut down [4, 5].

Some reports describe the vulnerability as a zero-day exploit that completely defeats default BitLocker protections [3, 6]. According to these reports, the bypass can be achieved within seconds [6]. Other sources suggest the exploit may leverage an older BitLocker vulnerability to achieve the bypass on updated versions of Windows 11 [7].

YellowKey operates entirely via a USB stick, meaning no internal hardware modifications are necessary to compromise the system [4]. This removes the need for complex physical tampering that often leaves visible evidence of a breach.

In addition to the BitLocker bypass, Lambertz disclosed three recent exploits targeting Windows Defender [4]. The presentation at 38C3 highlights a continuing struggle for Microsoft to secure the boot process and encryption layers against physical-access attacks.

While BitLocker is designed to protect data at rest, the YellowKey demonstration suggests that default configurations may not be sufficient against a determined attacker with a specialized USB tool [3, 6].

The YellowKey exploit shifts the threat model for Windows 11 users by proving that physical security cannot rely solely on software encryption. Because the attack requires no hardware disassembly, it increases the risk for high-value targets and corporate laptops. This puts pressure on Microsoft to implement more robust hardware-rooted trust and may force organizations to move toward more stringent physical device management policies.