Researcher Chaotic Eclipse published YellowKey, a zero-day that unlocks BitLocker-protected drives from Windows Recovery Environment using files copied to a USB stick, with behavior the researcher says points to a backdoor.
Key Takeaways
YellowKey requires only copying files to a USB stick and rebooting into Windows Recovery Environment; no encryption keys or credentials needed.
After use, the exploit files vanish from the USB stick automatically; the researcher and testers describe this self-erasing behavior as a hallmark of an intentional backdoor.
Affects default installations of Windows 11 and Windows Server 2022/2025; Windows 10 is not affected. BitLocker is enabled by default in Windows 11.
A TPM-plus-PIN configuration does not fully mitigate the risk; Eclipse claims an unpublished variant bypasses that configuration as well.
GreenPlasma, the companion exploit, manipulates CTFMon to place a crafted memory section object in the Object Manager namespace, enabling SYSTEM-level privilege escalation; no full PoC has been released yet.
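Since TPM+PIN pre-boot authentication is the only mitigation the write-up and the linked thread mention, and even that is disputed by the researcher, the first thing an administrator needs is an inventory: which protectors each OS volume actually has, and whether WinRE (the environment YellowKey is triggered from) is enabled. The script below is an added example, not code from Chaotic Eclipse's write-up or from the Hacker News thread. It assumes an elevated PowerShell session on Windows 11 or Windows Server with the built-in BitLocker module, and it uses only documented cmdlets and tools (Get-BitLockerVolume, Add-BitLockerKeyProtector, reagentc.exe).

```powershell
# Added example (not from the researcher or the HN thread): inventory BitLocker
# protectors on each OS volume, flag whether a pre-boot PIN is configured, and
# report the Windows RE state. Assumes an elevated session with the BitLocker module.
#Requires -RunAsAdministrator

function Get-OsVolumeProtectorReport {
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            $types  = @($_.KeyProtector | ForEach-Object { $_.KeyProtectorType })
            # TpmPin and TpmPinStartupKey are the protector types that require a
            # PIN before the OS volume is unlocked; plain Tpm unlocks silently.
            $hasPin = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
            [pscustomobject]@{
                Volume           = $_.MountPoint
                ProtectionStatus = $_.ProtectionStatus
                EncryptionMethod = $_.EncryptionMethod
                Protectors       = ($types -join ', ')
                PreBootPin       = $hasPin
            }
        }
}

function Get-WinReStatus {
    # reagentc /info prints a "Windows RE status: Enabled|Disabled" line plus the
    # location of the recovery image; we only surface the status line here.
    $info = & reagentc.exe /info 2>&1
    $line = $info | Select-String -Pattern 'Windows RE status'
    if ($null -eq $line) { return 'Windows RE status: unknown (run elevated)' }
    return $line.ToString().Trim()
}

Get-OsVolumeProtectorReport | Format-Table -AutoSize
Write-Host (Get-WinReStatus)

# Optional hardening: add a TPM+PIN protector to the OS volume. The researcher
# states an unpublished variant bypasses TPM+PIN, so treat this as defense in
# depth, not a fix. It only succeeds when the "Require additional authentication
# at startup" policy permits a startup PIN; otherwise the cmdlet errors out.
# Uncomment to apply:
# $pin = Read-Host -Prompt 'Enter a startup PIN' -AsSecureString
# Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin $pin
```

A volume whose only protectors are `Tpm` and `RecoveryPassword` unlocks the OS volume without any user interaction at boot, which is the configuration the takeaways above describe as affected by default; a `PreBootPin` of `True` means the configuration the thread debates is at least in place.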
Hacker News Comment Review
Commenters debate whether a pre-boot PIN mitigates YellowKey; the researcher explicitly disputes that it does, and the wdormann Mastodon thread (linked by commenters) lists a PIN as a suggested mitigation with that caveat attached.
There is broad skepticism that BitLocker has ever been a robust security boundary; the Windows installer's historical ability to unlock BitLocker drives from a system prompt is cited as evidence of long-standing design indifference.
The self-deleting exploit files and the researcher's vendetta-driven full disclosure prompted comparisons to the abrupt 2014 TrueCrypt shutdown and speculation about whether Microsoft maintains deliberate backdoor access.
Notable Comments
@GTP: Raises the key unresolved question: does YellowKey require the target machine to already be unlocked/logged in when the USB files are copied?
@Nition: Connects YellowKey’s backdoor profile to TrueCrypt’s abrupt 2014 recommendation to switch to BitLocker, suggesting a pattern worth revisiting.