Hardware TPM Hacked

BiggerIsBetter writes "Christopher Tarnovsky has pulled off the 'near impossible' TPM hardware hack. We all knew it was only a matter of time; this is why you shouldn't entrust your data to proprietary solutions. From the article: 'The technique can also be used to tap text messages and email belonging to the user of a lost or stolen phone. Tarnovsky said he can't be sure, however, whether his attack would work on TPM chips made by companies other than Infineon. Infineon said it knew this type of attack was possible when it was testing its chips. But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users. ... The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment."'"
  • Re:tpm? (Score:5, Informative)

    by Lord Ender ( 156273 ) on Tuesday February 09, 2010 @12:53PM (#31073828) Homepage

    To encrypt something, you must have a 20-character password minimum to get 128-bit key strength. Nobody likes typing 20 characters, so TPM was invented. TPM stores your key on a separate chip. This chip only coughs up the key if you enter a short password to authenticate yourself to the chip.

    The chip uses rate-limiting boot-delays to prevent brute-forcing of the password.

    So the only way to get the key is to break the chip apart and look at the hardware somehow. The chips are usually encased in epoxy to make this hard to do. It's never been done before. Now it has... but it's still hard work.

    TPM chips come on all business laptops these days, though few businesses make use of them. And they're still better than telling your users to memorize 20 char passwords (which they would just write down).

  • Re:surprise surprise (Score:5, Informative)

    by hclewk ( 1248568 ) on Tuesday February 09, 2010 @01:42PM (#31074566)

    It. Can't. Be. Automated.

  • by Sockatume ( 732728 ) on Tuesday February 09, 2010 @02:14PM (#31075094)

    No matter how quick the method gets, having to work with hydrofluoric acid [wikipedia.org] with the target machine means it's a risky procedure, as in "do you like having bones in your fingers?". It's not something you can reduce to a script and rattle out. It's not going to scale well to multiple machines, either.

    That in itself is an argument against obscuring this exploit, of course. No script kiddies were going to suddenly run out and apply this opportunistically, so the risk of releasing it is low to nonexistent. Frankly if you're going to encase the component in epoxy, the possibility of an eavesdropping hack is implicit.

  • Re:tpm? (Score:3, Informative)

    by JesseMcDonald ( 536341 ) on Tuesday February 09, 2010 @02:24PM (#31075290) Homepage

    If you're going to use a passphrase then you'll need much more than 20 characters to get 128 bits of entropy:

    Considering that the entropy of written English is less than 1.1 bits per character, pass phrases can be relatively weak. NIST has estimated that the 23 character pass phrase "IamtheCapitanofthePina4" contains a 45 bit-strength.... Using this guideline, to achieve the 80 bit-strength recommended for high security (non-military) by NIST, a passphrase would need to be 58 characters long, assuming a composition that includes uppercase and alphanumeric. (Wikipedia [wikipedia.org])

    To get 128 bits of entropy would require about 20 words. I don't know about you, but to me it seems that 20 non-obvious words would be about as hard to remember as 20 random characters, while being much less convenient to type.
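The arithmetic behind the two figures in this thread, Lord Ender's "20 characters for 128-bit key strength" and JesseMcDonald's "about 20 words", worked through as an added example (not code from either commenter or from the page). It assumes uniformly random picks for the character and Diceware cases, and uses the ~1.1 bits/character rate quoted above as a crude model of English prose; the 5.5-character average word length is an assumption. The model is deliberately not NIST SP 800-63's scoring scheme, so it does not reproduce the 45-bit rating quoted for the 23-character example.

```python
import math

# Symbol-set sizes. The English rate is the ~1.1 bits/character estimate quoted
# from Wikipedia above; the rest are uniformly random choices.
PRINTABLE_ASCII = 95          # all printable ASCII characters
ALNUM_MIXED_CASE = 62         # a-z, A-Z, 0-9
LOWERCASE = 26
DICEWARE_WORDS = 7776         # 6^5 entries in a standard Diceware list
ENGLISH_BITS_PER_CHAR = 1.1
AVG_ENGLISH_WORD_CHARS = 5.5  # assumption: average word length incl. a separator

def bits_per_symbol(alphabet_size: int) -> float:
    """Entropy of one uniformly random pick from `alphabet_size` symbols."""
    return math.log2(alphabet_size)

def random_entropy(count: int, alphabet_size: int) -> float:
    """Entropy of `count` independent uniform picks (characters or words)."""
    return count * bits_per_symbol(alphabet_size)

def symbols_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of uniform picks that reaches `target_bits`."""
    return math.ceil(target_bits / bits_per_symbol(alphabet_size))

def english_entropy(text: str, bits_per_char: float = ENGLISH_BITS_PER_CHAR) -> float:
    """Crude estimate for a natural-language phrase: length times the per-char rate.
    Not NIST's scoring, which rates the 23-char example above at 45 bits; this
    model gives it only about 25."""
    return len(text) * bits_per_char

def english_chars_needed(target_bits: float, bits_per_char: float = ENGLISH_BITS_PER_CHAR) -> int:
    return math.ceil(target_bits / bits_per_char)

def english_words_needed(target_bits: float) -> int:
    return math.ceil(english_chars_needed(target_bits) / AVG_ENGLISH_WORD_CHARS)

def requirements(target_bits: float) -> dict:
    """How long each scheme must be to reach `target_bits` of entropy."""
    return {
        "random printable ASCII chars": symbols_needed(target_bits, PRINTABLE_ASCII),
        "random alphanumeric chars": symbols_needed(target_bits, ALNUM_MIXED_CASE),
        "random lowercase chars": symbols_needed(target_bits, LOWERCASE),
        "random Diceware words": symbols_needed(target_bits, DICEWARE_WORDS),
        "English prose chars (1.1 b/char)": english_chars_needed(target_bits),
        "English prose words (approx.)": english_words_needed(target_bits),
    }

if __name__ == "__main__":
    for bits in (80, 128):
        print(f"--- {bits}-bit target ---")
        for scheme, n in requirements(bits).items():
            print(f"{scheme:36s} {n}")
    print("23-char example phrase at 1.1 b/char:",
          round(english_entropy("IamtheCapitanofthePina4"), 1), "bits")
```

With a 128-bit target the model gives 20 random printable characters (131 bits), 10 Diceware words, or roughly 117 characters of ordinary English, which is the "about 20 words" in the comment above; that is the gap a TPM-held key and a short PIN with a lockout counter are meant to close.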

  • Re:surprise surprise (Score:3, Informative)

    by plover ( 150551 ) * on Tuesday February 09, 2010 @02:44PM (#31075646) Homepage Journal

    The algorithms ARE known. It's just that dissolving the chip package in hydrofluoric acid and inserting logic probes into the chip itself is far easier than breaking those algorithms.

    He used the attack to retrieve a specific key from a specific chip, not as a general algorithm or protocol attack on the TPM platform.

  • Meh (Score:1, Informative)

    by Anonymous Coward on Tuesday February 09, 2010 @03:40PM (#31076604)

    I used to go by the name BoyHowdy when I was hacking DTV, I made a small circuit that used 3 hcttl chips to glitch the H cards that were killed on Black Sunday. I can say that this guy is for real, arrogant or not.

  • by PReDiToR ( 687141 ) on Tuesday February 09, 2010 @11:45PM (#31081836) Homepage Journal
    You're on Slashdot, so you probably already know this.

    Others might not so I'll post this linky [wikipedia.org] and mention that it IS available on several torrent sites (and so is part 2).

    Show them to your kids before they get to see the crap one that Lucas messed up.
  • Re:HEY TARNOVSKY (Score:5, Informative)

    by Alsee ( 515537 ) on Wednesday February 10, 2010 @03:38AM (#31082848) Homepage

    TPM is designed to detect changes to specific protected operating system files so that the owner knows that they haven't been tampered with. SuperDRM spy reports? :-O That's some might fine tinfoil you have there...

    How well do you understand the Remote Attestation system? If you have any doubts about what I said I will gladly explain it to you, and cite the documentation to back it up if you like. I just need some clue how much of it you already understand and how technical (or non-technical) you want the explanation to be. I am a programmer and I have studied the entire 332 page technical specification for the TPM chip, and studied all of the other technical info I've been able to find. I have an extensive and very technical understanding of the chip and how it operates with software, and I have a less detailed picture of the Trusted Computing infrastructure they are building around the chip.

    Yes, the TPM is capable of telling the owner whether anything has been tampered with. But saying that is like saying telephones are an in-home intercom. Yes, two phones on the same line in your home do act like an intercom, but that wildly misses the designed functionality of telephones.

    Remote Attestation is designed to be able to securely report to ANYONE exactly what BIOS/Bootloader/OperatingSystem/other-software is running on your computer. And when I say "securely report" what is on your computer, I mean that this report is specifically designed to be secure against the owner. You can control whether your computer answers requests for this Remote Attestation report, but you the owner are unable to control or alter the contents of this report. The TPM will not permit you to alter the contents of the report, and the TPM cryptographically signs the report it sends. An unsigned Attestation is invalid, and any attempt to modify the TPM's signed attestation invalidates it.

    So when I called it a "SuperDRM spy report" perhaps I was overly casual and colorful with the language, but it was essentially correct. The TPM is designed to keep a secure log of your system - and this log is specifically kept secure against "tampering" by the owner, and the contents of this log are specifically intended to be sent REMOTELY - meaning to other people over the internet - and again the TPM cryptographically secures this report against "tampering" by the computer owner. It's all logged and secured in a "Super DRM secure against the owner" manner, and it's the chip's "spy" log of what it has watched on your computer. You can look at it to verify that your system files haven't been tampered with, but it also enables other people to check that your system hasn't been "tampered with", and that specifically includes verifying that YOU have not "tampered" with anything.

    And after validating what BIOS you have and that you haven't tampered with it, and after validating what operating system you have and that you haven't tampered with that, and after validating exactly what program you are running and that you haven't tampered with that, the chip enables that validated program to securely add anything and everything it wants as additional information in that Remote Attestation.

    It's easiest to illustrate it with a DRM example, because that is precisely what it is tailored to. Say you want to watch Hollywood movies on your computer. You connect over the internet to the MPAA's movie servers. They ask for a Remote Attestation. They examine that Attestation to verify that you have an approved BIOS and that you haven't tampered with it, and that you have an approved operating system and that you haven't tampered with it, and that you have an approved video card and approved video drivers and that you haven't tampered with them. (And of course all along the way "approved" means software that won't violate their DRM.) And then they verify what program you are running right now - they check that you are running their own DRM-enforcing video player. And of course Remote Attestation is validating that
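A simulation of the Remote Attestation flow described in the comment above, added here as an illustration; it is not the commenter's code and not any TPM vendor's. It models the PCR extend operation (SHA-256 here rather than TPM 1.2's SHA-1, purely for brevity) and the signed quote; an HMAC key held only by the simulated chip and handed to the verifier stands in for the AIK key pair, and the component names and contents are constructed. It shows why the owner, who controls the host software and the plaintext event log, cannot produce an approved report after loading an unapproved kernel: editing the quote breaks the signature, editing the log means the log no longer replays to the quoted PCRs, and extending the approved digest afterwards cannot undo an earlier extend.

```python
import hashlib
import hmac
import os

PCR_COUNT = 4

def sha256(data):
    return hashlib.sha256(data).digest()

def extend_value(pcr, digest):
    # PCR extend: new = H(old || digest). One-way and order-dependent: a PCR can
    # never be set to a chosen value, only extended further.
    return sha256(pcr + digest)

class SimTpm:
    """Toy TPM: a PCR bank plus an attestation key that never leaves the object.
    Assumption: HMAC stands in for the real chip's asymmetric AIK signature."""
    def __init__(self):
        self.pcrs = [bytes(32)] * PCR_COUNT
        self._aik = os.urandom(32)

    def extend(self, idx, digest):
        self.pcrs[idx] = extend_value(self.pcrs[idx], digest)

    def quote(self, nonce):
        """Signed report of every PCR, bound to the verifier's nonce."""
        msg = nonce + b"".join(self.pcrs)
        sig = hmac.new(self._aik, msg, hashlib.sha256).digest()
        return {"nonce": nonce, "pcrs": list(self.pcrs), "sig": sig}

    def attestation_key(self):
        # Given to the remote verifier only, like publishing the AIK public key.
        return self._aik

def measured_boot(tpm, components):
    """Host code measures each component into a PCR before running it and keeps
    a plaintext event log. The log is owner-writable; the PCRs are not."""
    log = []
    for idx, name, data in components:
        digest = sha256(data)
        tpm.extend(idx, digest)
        log.append((idx, name, digest))
    return log

def pcrs_from_log(log):
    """Replay an event log to the PCR values it should have produced."""
    pcrs = [bytes(32)] * PCR_COUNT
    for idx, _, digest in log:
        pcrs[idx] = extend_value(pcrs[idx], digest)
    return pcrs

def verify(aik, quote, nonce, log, golden_pcrs):
    """Remote verifier: freshness, chip signature, log consistency, then policy."""
    if quote["nonce"] != nonce:
        return "replay"
    msg = nonce + b"".join(quote["pcrs"])
    if not hmac.compare_digest(hmac.new(aik, msg, hashlib.sha256).digest(), quote["sig"]):
        return "bad-signature"
    if pcrs_from_log(log) != quote["pcrs"]:
        return "log-mismatch"
    if quote["pcrs"] != golden_pcrs:
        return "untrusted-state"
    return "ok"

# Constructed "approved" stack (hypothetical names and contents), and the same
# stack with a kernel the owner modified.
GOLDEN = [(0, "BIOS", b"vendor-bios-1.02"), (1, "bootloader", b"bootloader-2.04"),
          (2, "kernel", b"kernel-5.10"), (3, "player", b"drm-player-1.0")]
GOLDEN_PCRS = pcrs_from_log([(i, n, sha256(d)) for i, n, d in GOLDEN])
TAMPERED = [(2, "kernel", b"kernel-5.10-patched") if n == "kernel" else (i, n, d)
            for i, n, d in GOLDEN]

def attest(tpm, log, tamper_quote=None):
    """One challenge/response; `tamper_quote` lets the owner edit the report."""
    nonce = os.urandom(16)
    quote = tpm.quote(nonce)
    if tamper_quote:
        tamper_quote(quote)
    return verify(tpm.attestation_key(), quote, nonce, log, GOLDEN_PCRS)

def run_scenarios():
    """What the owner did -> the verifier's verdict."""
    results = {}
    tpm = SimTpm()
    results["clean boot"] = attest(tpm, measured_boot(tpm, GOLDEN))
    tpm = SimTpm()
    log = measured_boot(tpm, TAMPERED)
    results["patched kernel"] = attest(tpm, log)
    # Owner rewrites the PCR values in the report to the approved ones.
    results["edit quote"] = attest(tpm, log, lambda q: q.update(pcrs=list(GOLDEN_PCRS)))
    # Owner rewrites the event log to claim the approved kernel was loaded.
    forged = [e if e[1] != "kernel" else (2, "kernel", sha256(b"kernel-5.10")) for e in log]
    results["edit log"] = attest(tpm, forged)
    # Owner extends the approved digest afterwards; extend is one-way.
    tpm.extend(2, sha256(b"kernel-5.10"))
    log.append((2, "kernel", sha256(b"kernel-5.10")))
    results["re-extend"] = attest(tpm, log)
    return results
```

Calling `run_scenarios()` returns `ok` for the clean boot and `untrusted-state`, `bad-signature`, `log-mismatch` and `untrusted-state` for the four owner-side attempts; the nonce check in `verify` additionally rejects a quote captured from an earlier clean boot and replayed. The verifier never needs to trust the host: it trusts the chip's key, replays the log itself, and compares the result against its own list of approved values.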
