Hardware TPM Hacked

BiggerIsBetter writes "Christopher Tarnovsky has pulled off the 'near impossible' TPM hardware hack. We all knew it was only a matter of time; this is why you shouldn't entrust your data to proprietary solutions. From the article: 'The technique can also be used to tap text messages and email belonging to the user of a lost or stolen phone. Tarnovsky said he can't be sure, however, whether his attack would work on TPM chips made by companies other than Infineon. Infineon said it knew this type of attack was possible when it was testing its chips. But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users. ... The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment."'"
  • Re:surprise surprise (Score:5, Interesting)

    by Bacon Bits ( 926911 ) on Tuesday February 09, 2010 @01:03PM (#31073980)

    You didn't even read the article, did you? This was a hardhack.

    Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.

    Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.

    The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory.

    It also amuses me that TFS makes the point of blaming "proprietary" solutions. Exactly how would this attack have been prevented by using open source?

  • by noidentity ( 188756 ) on Tuesday February 09, 2010 @01:37PM (#31074494)
    Obviously a mod who doesn't understand TPM. Or maybe he picked up on the (entirely appropriate) negative undertone of my message, directed at those who want to lock you out of your own computer.
  • Re:surprise surprise (Score:1, Interesting)

    by riegel ( 980896 ) on Tuesday February 09, 2010 @01:41PM (#31074558) Homepage

    When I give food to the poor, they call me a saint. When I ask why the poor have no food, they call me a Communist.

    When you do the giving that's great. When that giving is compelled then it ain't so great.

  • by rochberg ( 1444791 ) on Tuesday February 09, 2010 @02:45PM (#31075654)

    I've seen this article in a few places (see also here [darkreading.com]) and discussed it with some colleagues (one of whom was a consultant on the design of the TPM). We had the same suspicions regarding whether or not it was an Infineon TPM or a clone.

    Regarding the key question, I don't think he has actually been able to extract the endorsement key. I believe the attack is just about extracting keys generated and stored on the TPM. For instance, the CW article refers to the "licensing keys." My impression is that these are keys used by the software to ensure the XBox 360 hasn't been modded. I don't believe you would use the endorsement key in this instance. Unfortunately, none of the articles are clear on this point.

  • Re:surprise surprise (Score:4, Interesting)

    by DarkOx ( 621550 ) on Tuesday February 09, 2010 @02:57PM (#31075894) Journal

    Right, but outside the fire safes you get at home center most safes and strongboxes are designed such that they are difficult to remove from the site. They may be very heavy, requiring equipment to move, fastened from the inside, etc. etc. In the case of laptops and phones virtually any situation in which this sort of attack will be used is one where the unit's whereabouts are not known to the owner. Which makes it pretty hard to respond to. The big sell point on TPM was if your device goes missing it's a brick to whomever finds it; this sorta makes that untrue.

    Yes, you make your laptop useless to the typical thief, but as far as corporate espionage, government records leaking etc. etc.; this makes TPM a pretty poor defense. Yes, I realize it's supposed to be one line of defense, but when things like the keys to your disk encryption are stored there those remaining lines are not much of a hurdle.

  • by Cassini2 ( 956052 ) on Tuesday February 09, 2010 @03:37PM (#31076558)

    No, you were right the first time.

    Originally, TPM intended to let you know that your computer is working in the "trusted manner." Usually, the "trusted manner" would be defined either by the corporate IT department; or by a generic secure profile from Microsoft if you are a typical home user; or by yourself if you are a skilled programmer/systems administrator.

    The DRM people saw this technology and said: "This will be the best DRM ever."

    The practical problem is that you can only trust one of:
    a) your own configuration,
    b) your corporate IT department,
    c) the vendor of some big software system that needs protection (like AutoDesk for example),
    d) your operating systems vendor (Microsoft),
    e) Sony's DRM approved configuration,
    f) Universal Music's DRM approved configuration,
    ... and so on, listing every major big DRM company in the market.
    Fundamentally, you can only trust one vendor. One proprietary vendor will never trust another, and none of them will trust either you or your corporate IT department. Theoretically, the DRM vendors could form an alliance, through the likes of Macrovision. However, who would trust such an alliance? Even a neutral party, like the U.S. government, has been suggested and repeatedly vetoed as "the master of all trust."

    Who do you want to trust? Who controls all the secrets on your computer?

  • by mlts ( 1038732 ) * on Tuesday February 09, 2010 @06:44PM (#31079350)

    My question:

    Would a mass produced chip that is on a lot of business PC motherboards, and which is stated to have little to no physical resistance to attack, have all this? TPMs are not that expensive, so I'm sure they would not have near the physical anti-tamper technology that a CAC, a smart card, an IBM crypto PCI card, much less a 3U HP HSM would have.

  • by Alsee ( 515537 ) on Tuesday February 09, 2010 @08:48PM (#31080642) Homepage

    That's like denying the purpose of teflon coated bullets is penetrating kevlar vests.
    It would be ludicrous in the extreme for someone to say teflon coated bullets are for deer hunting.

    The primary design criterion for TPMs is to secure computers against their owners. The TPM technical specification explicitly refers to the owner as an attacker and mandates "security" against "attacks" from the owner. The overriding design criterion throughout the specification is denying the owner access to his own master key, the Private Endorsement Key.

    Let's go over your denial, point by point:

    Um, no. TPMs are designed for three things: 1) establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first)

    The mere knowledge of my key does not alter my computer's function. The mere fact that I know my key does not diminish my computer's capability to "establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first)".

    The sole purpose of forbidding the owner to know his own master key is to attempt to secure the computer against the owner, to establish a "hardware root of trust" against the owner.

    2) provide lightweight, secure and fast cryptographic operations

    Let's break that into three pieces.

    Lightweight.
    Yes. And not merely lightweight: the design criterion is explicitly for TPMs to be dirt cheap so they can be included at negligible cost in all computers and other consumer electronics, included by default. And in accordance with that cost criterion they are deliberately designed to have minimalistic power and capabilities. Which directly leads into the next point:

    fast cryptographic operations
    Absolutely NOT! It is completely laughable when people try to justify TPMs as any sort of "cryptographic co-processor". The "lightweight" design constraints for these chips are such that a single cryptographic operation is permitted to take a half second or more. Performing cryptographic operations on a PC's main CPU will typically be a hundred times faster than using a Trust chip to do it.

    secure
    Yeah, "secure". As I said the specification explicitly mandates the chip be secure against the owner.

    A normal bullet does not require a teflon coating, and normal security does not require securing the chip against the owner.

    (so you don't have to do something stupid like store a cryptographic key in plaintext on your HD)

    You're citing deer hunting.
    When we're talking about "what teflon coated bullets are for", and you answer "deer hunting", I don't know whether you're insulting my intelligence or if you just don't get it, or what's going on. You are NOT going to find teflon on a bullet if it were actually intended and designed for deer hunting. You do not need teflon to hunt deer, and you don't need to secure a computer against the owner for "so you don't have to do something stupid like store a cryptographic key in plaintext on your HD". A normal pro-owner chip can do that. An owner can know his master key, and you can do that.

    3) allow remote attestation of a computer's software stack (i.e., verifying the integrity of the OS and other pieces of software...very useful for distributed systems).

    Again, the mere knowledge of my key does not diminish my computer's ability to give me remote attestation verifying the integrity of the OS and other pieces of software.

    And again, the purpose of this chip, the design criteria and the design purpose and the primary function of TPM remote attestation is to verify the "integrity" of the computer against the owner.

    ANTI-OWNER "security" is not security.

    there are applications of TPMs for DRM, but that is a side effect and not a primary factor.

    That's exactly backwards. The central design criterion of the TPM specification is that the owner is forbidden to know or co
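Two threads above turn on what a TPM actually does for a defender: DarkOx's point that disk-encryption keys are sealed to the chip, and the "root of trust for boot" and "remote attestation" items argued over in the last comment. The following added example (mine, not from the article, the Trusted Computing Group or any vendor) is a toy model of those three mechanisms: PCR extend, sealing a secret to an expected boot measurement, and a nonce-bound quote checked by a remote verifier. HMAC-SHA256 stands in for the chip's asymmetric attestation key so it runs with the standard library alone; the class name, the boot-chain strings and the disk key are all constructed for illustration.

```python
"""Toy TPM model (hypothetical, not the TPM specification or any vendor's chip):
PCR extend, sealing a secret to a boot measurement, and quote-based attestation.
HMAC-SHA256 stands in for the chip's asymmetric signing key."""
import hashlib
import hmac
import os

DIGEST = hashlib.sha256
PCR_INIT = bytes(32)  # PCRs start at all zeroes on reset


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM extend: PCR' = H(PCR || H(measurement)). One-way and order-sensitive."""
    return DIGEST(pcr + DIGEST(measurement).digest()).digest()


def measure_boot(components) -> bytes:
    """Fold a boot chain (firmware, bootloader, kernel, ...) into one PCR value."""
    pcr = PCR_INIT
    for component in components:
        pcr = pcr_extend(pcr, component)
    return pcr


def _keystream(key: bytes, length: int) -> bytes:
    """HMAC-based keystream, enough bytes to mask `length` bytes of secret."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), DIGEST).digest()
        counter += 1
    return out[:length]


class SimTpm:
    """Constructed stand-in for a TPM: root keys stay inside the object, the way
    the real chip never exports them through its command interface."""

    def __init__(self, seed=None):
        root = seed if seed is not None else os.urandom(32)
        self._storage_key = hmac.new(root, b"storage", DIGEST).digest()
        self._attest_key = hmac.new(root, b"attest", DIGEST).digest()
        self.pcr = PCR_INIT

    def extend(self, measurement: bytes) -> None:
        """Measured boot: each loaded component is extended into the PCR."""
        self.pcr = pcr_extend(self.pcr, measurement)

    def seal(self, secret: bytes, policy_pcr: bytes) -> dict:
        """Bind a secret (e.g. a disk key) to the PCR value it may be released under."""
        key = hmac.new(self._storage_key, b"seal" + policy_pcr, DIGEST).digest()
        ct = bytes(a ^ b for a, b in zip(secret, _keystream(key, len(secret))))
        tag = hmac.new(key, policy_pcr + ct, DIGEST).digest()
        return {"policy_pcr": policy_pcr, "ct": ct, "tag": tag}

    def unseal(self, blob: dict) -> bytes:
        """Release the secret only if the current PCR matches the sealing policy."""
        if not hmac.compare_digest(self.pcr, blob["policy_pcr"]):
            raise PermissionError("PCR policy not satisfied: boot chain differs")
        key = hmac.new(self._storage_key, b"seal" + blob["policy_pcr"], DIGEST).digest()
        expected = hmac.new(key, blob["policy_pcr"] + blob["ct"], DIGEST).digest()
        if not hmac.compare_digest(expected, blob["tag"]):
            raise ValueError("sealed blob corrupted")
        return bytes(a ^ b for a, b in zip(blob["ct"], _keystream(key, len(blob["ct"]))))

    def quote(self, nonce: bytes) -> dict:
        """Attestation quote: a signature over the verifier's nonce and the PCR."""
        sig = hmac.new(self._attest_key, b"quote" + nonce + self.pcr, DIGEST).digest()
        return {"pcr": self.pcr, "nonce": nonce, "sig": sig}

    def attest_key_for_verifier(self) -> bytes:
        # Stand-in for the public half of the attestation key the verifier holds.
        return self._attest_key


def verify_quote(attest_key: bytes, nonce: bytes, expected_pcr: bytes, quote: dict) -> bool:
    """Verifier side: fresh nonce defeats replay; PCR must equal the golden value."""
    if quote["nonce"] != nonce:
        return False
    expected_sig = hmac.new(attest_key, b"quote" + nonce + quote["pcr"], DIGEST).digest()
    return (hmac.compare_digest(expected_sig, quote["sig"])
            and hmac.compare_digest(quote["pcr"], expected_pcr))


# Constructed sample boot chains: a known-good one and one with a patched bootloader.
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-5.4"]
ROOTKIT_CHAIN = [b"firmware-v1", b"bootloader-v1-patched", b"kernel-5.4"]
GOLDEN_PCR = measure_boot(GOOD_CHAIN)
DISK_KEY = b"constructed-disk-key-32-bytes!!!"  # constructed sample secret


def provision_and_boot(chain, seed=b"\x01" * 32):
    """Seal DISK_KEY to the golden PCR, "reboot" with `chain`, then try to unseal
    and to pass remote attestation. Returns (unsealed key or None, quote accepted)."""
    tpm = SimTpm(seed)
    blob = tpm.seal(DISK_KEY, GOLDEN_PCR)
    tpm = SimTpm(seed)            # reboot: PCRs reset, root keys persist
    for component in chain:
        tpm.extend(component)
    try:
        key = tpm.unseal(blob)
    except PermissionError:
        key = None
    nonce = os.urandom(16)        # verifier-chosen freshness value
    accepted = verify_quote(tpm.attest_key_for_verifier(), nonce, GOLDEN_PCR, tpm.quote(nonce))
    return key, accepted


if __name__ == "__main__":
    print("good boot:   ", provision_and_boot(GOOD_CHAIN))
    print("patched boot:", provision_and_boot(ROOTKIT_CHAIN))
```

The point the model makes concrete: with an untouched chain the sealed disk key is released and the quote verifies; swap one early component and both fail, because the PCR value no longer matches and the chain cannot be un-extended. What the model also shows, by omission, is the limit DarkOx raises: every check here is enforced by logic inside the chip, so the protection rests on the chip itself, not on any secret the software side holds.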
