If you have ever taken comfort in knowing your laptop is encrypted, a presentation at this year's Hackfest security conference in Quebec City, Canada, may give you pause. Pierre-Nicolas Allard-Coutu, a Canadian penetration tester, walked a room of security professionals through an elaborate, multi-stage attack chain capable of defeating Microsoft's BitLocker full-disk encryption on both Windows 10 and Windows 11 machines.
The short version: if someone has enough time, skill, and physical access to your device, the encryption protecting your data may not hold. The longer version involves custom firmware tools, a PCIe slot, a programmable chip, and at least one undisclosed vulnerability sitting quietly inside the firmware of multiple major hardware vendors.
How the attack works
BitLocker relies on a chip called the Trusted Platform Module (TPM), which stores the master key used to decrypt a drive when Windows starts up. On most laptops shipped today, the TPM automatically hands over that key at boot time without asking the user for anything extra. This is a convenience feature, designed to make startup seamless, but it is precisely that convenience which creates the opening Allard-Coutu exploited.

To gain direct access to system memory, Allard-Coutu connected a field-programmable gate array (FPGA) card via a PCIe connector. Think of it as a reprogrammable hardware chip that can impersonate other devices to the computer. Using the open-source PCILeech framework, he then developed two custom utilities, DMAReaper and FirstStrike, to systematically work through the machine's defences.
Modern PCs have a substantial list of protections intended to stop exactly this kind of attack: kernel DMA protection, input/output memory management units (IOMMU), Secure Boot, virtualisation-based security, and firmware-level protections. Allard-Coutu worked through each of them. At one point, he copied and modified BIOS images directly.
For Windows 11 machines specifically, the attack made use of the Windows Recovery Environment (WinRE), a troubleshooting mode that ships enabled on most consumer laptops and provides command-line access. That turns out to be a meaningful foothold.
The zero-day in the room
One section of the Hackfest presentation was deliberately obscured. Allard-Coutu has identified what appears to be a zero-day vulnerability allowing an attacker to modify a specific nonvolatile RAM (NVRAM) variable, effectively disabling pre-boot DMA protection without needing a BIOS password. Crucially, triggering this vulnerability does not prompt the standard BitLocker recovery process, meaning the attack can proceed without raising any obvious alerts.
Allard-Coutu is withholding technical details because the flaw affects firmware from multiple major vendors, and responsible disclosure is still underway. The affected vendors have not been publicly named.
This is the kind of finding that keeps enterprise security teams up at night. A silent bypass of a widely trusted protection mechanism, affecting hardware across the industry, with no visible warning to the user.
What organisations and individuals should do now
The good news is that the recommended defences are straightforward, even if they are not always popular with users.
First, setting a BIOS or UEFI password raises the cost and complexity of any physical attack significantly. It will not stop the most determined adversary indefinitely, but it meaningfully extends the time and skill required.
Second, and more importantly, adding a PIN to the TPM breaks the automatic decryption chain entirely. With a TPM-plus-PIN configuration, BitLocker requires the user to enter an alphanumeric PIN before the drive will decrypt, meaning the key is never handed over automatically at boot. Allard-Coutu confirmed his current attacks cannot defeat this configuration. Other BitLocker researchers have reached the same conclusion.
The trade-off is friction. A boot PIN is one more thing users have to type before they reach their desktop, and in enterprise environments, IT departments often resist this because it increases helpdesk calls and frustrates staff. That resistance has a real cost, as Allard-Coutu's work illustrates.
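For administrators who want to find which machines are still in the TPM-only configuration described above, the following audit script is an added example (not from the Hackfest talk or its tooling) that uses the built-in BitLocker PowerShell module to flag volumes whose only TPM-based protector releases the key automatically at boot. It assumes an elevated session on Windows 10/11 with the BitLocker module available; the remediation lines at the end are commented out and assume local policy permits a pre-boot PIN.

```powershell
#Requires -RunAsAdministrator
# Added audit example: list BitLocker volumes and flag TPM-only protectors,
# i.e. the "key handed over at boot without a PIN" configuration the article
# says the demonstrated attack chain defeats. TPM+PIN volumes are reported as OK.
Import-Module BitLocker

function Get-BitLockerPinAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # KeyProtectorType values of interest: Tpm, TpmPin, TpmPinStartupKey, TpmStartupKey
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

        # A PIN-bearing protector breaks the automatic decryption chain.
        $hasPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        # A bare Tpm protector with no PIN variant means unattended unlock at boot.
        $tpmOnly = ($types -contains 'Tpm') -and (-not $hasPin)

        if ($tpmOnly) {
            $finding = 'TPM-only: key released automatically at boot (add a PIN)'
        } elseif ($vol.ProtectionStatus -ne 'On') {
            $finding = 'Protection is not On'
        } else {
            $finding = 'OK'
        }

        [pscustomobject]@{
            MountPoint        = $vol.MountPoint
            ProtectionStatus  = $vol.ProtectionStatus
            Protectors        = ($types -join ',')
            RequiresPinAtBoot = $hasPin
            Finding           = $finding
        }
    }
}

Get-BitLockerPinAudit | Format-Table -AutoSize

# Remediation for the OS volume (constructed example; adapt to your PIN policy).
# The TpmAndPin protector takes the place of the bare Tpm protector, so BitLocker
# prompts for the PIN before the drive is unlocked. Requires the "Require
# additional authentication at startup" policy to allow a TPM PIN.
# $pin = Read-Host -AsSecureString 'Enter new pre-boot PIN'
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

Run the audit across a fleet through your usual remote-execution tooling and treat every "TPM-only" row as a machine still exposed to the class of physical attack described in this article.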
Who is actually at risk?
Allard-Coutu was clear that his threat model targets sophisticated, well-funded adversaries who have extended physical access to a device. This is not the scenario where a laptop is snatched from a café table and the thief pokes around for ten minutes. The attacks demonstrated require specialised hardware, custom software, and patience.
In practice, that means the realistic targets are government agencies, corporate executives, journalists working on sensitive investigations, legal professionals, and anyone else whose data is valuable enough to justify a serious, resourced effort. For most people, basic encryption with automatic TPM decryption remains a reasonable baseline against casual theft.
The real question is not whether these attacks are technically impressive, though they clearly are. It is whether organisations that hold genuinely sensitive data are treating physical security with the same seriousness they give to network defences. Too often, the answer is no. A stolen laptop encrypted with a PIN-free TPM is, as this research shows, not nearly as protected as its owner probably assumes.
The success rate of these attacks also varies by hardware generation and configuration, so not every machine is equally vulnerable. But with a zero-day affecting firmware across multiple vendors still sitting in the shadows, the full picture will not be clear until responsible disclosure runs its course.