Walk into any café, airport lounge, or hotel lobby and you’ll see the modern workplace in action. Laptops open, meetings happening over video, documents being edited in real time. Work is no longer confined to the office.
This flexibility has delivered huge productivity benefits, but it has also increased one of the oldest but still underestimated threats in cybersecurity: physical access to a device.
Today, our laptops are at the center of everything we do, holding our most important work—from confidential documents and messages to credentials and sensitive data about our customers and employees. But that also makes them a prime target. Every day, thousands of laptops are lost or stolen — putting that data at risk.
At the same time, the value of these devices to attackers is increasing. Modern laptops are processing more sensitive information locally than ever before. The rapid adoption of AI-powered applications is accelerating this shift, as tools that analyze documents, images, and voice recordings expand the amount of sensitive data handled directly on endpoints.
A compromised laptop may also contain cached credentials, locally stored corporate data, or authenticated access to internal applications. Attackers can use this foothold to extract sensitive information or move deeper into enterprise networks. And even if data is notionally stored in the cloud, it typically needs to be cached locally for performance, so ends up on the device anyway.
Altogether, this means the laptop itself has become an increasingly attractive target for attackers.
Why Default BitLocker Configuration Isn’t Enough
If a device falls into the wrong hands, most organizations rely on BitLocker disk encryption which is widely deployed to ensure that data on lost or stolen laptops remain protected. However, it can be bypassed if an attacker has physical access to a device.
One example is a technique known as ‘TPM bus snooping’. This method allows attackers to intercept communications between the device’s Trusted Platform Module (TPM) and the CPU during the boot process.
The TPM is a specialized security chip responsible for several critical security functions. It securely stores cryptographic keys, supports authentication mechanisms, and enables secure boot processes. It also works closely with encryption technologies such as BitLocker to protect data stored on the device.
In its default configuration, the TPM releases the disk decryption key during system startup once the device verifies that the boot environment is trusted. This default TPM-only configuration of BitLocker is attractive for ease of deployment, meaning many devices automatically unlock the encrypted drive during boot without requiring additional authentication.
Researchers have demonstrated that an attacker with physical access to the device can intercept this communication during startup and recover the encryption key. In some cases, this can be done in less than a minute using hardware costing as little as $20.
These TPM bus attacks are increasingly well documented. What once required specialized labs is becoming more accessible as tools, research, and practical demonstrations spread across the security community.
Importantly, this isn’t a vulnerability that can simply be patched through software updates. The issue lies in how hardware components communicate during startup. Once an attacker has physical access to the device, they are operating outside many of the assumptions that software protections rely on.
For organizations, this creates an uncomfortable compliance question as to whether standard BitLocker can still be treated as a sufficient mitigating control when deciding if the loss of a device containing PII must be reported to national data protection authorities.
Why hardware security matters more than ever
As devices become more mobile – and more valuable targets – organizations need to rethink how they approach endpoint protection.
Traditional security strategies have focused heavily on software controls such as endpoint protection platforms, operating system hardening, and network monitoring. These layers remain essential, but they cannot fully protect a device if attackers can directly access the hardware. This is why we are seeing growing interest in hardware-rooted security – systems designed with protection built in from the silicon up.
HP TPM Guard, our new hardware-rooted security architectures take a different approach by introducing an encrypted communication channel between the certified TPM and CPU, preventing interception and probing attacks.
The TPM is cryptographically bound to the device itself, meaning it cannot simply be moved into another device and tricked into revealing encryption keys. This closes a long-standing industry security gap while avoiding additional complexity for IT teams.
Securing the future of work
Hybrid work has permanently changed how and where corporate devices are used. Laptops now move through environments that organizations cannot fully control, while simultaneously processing increasing volumes of sensitive data.
That reality means physical access attacks are no longer edge cases, they are a risk that organizations must actively plan for. Protecting modern endpoints increasingly requires a hardware-first security strategy, one where protection and verification capabilities are built directly into the device.
Because once a laptop leaves the office, it needs to be able to defend itself.
