Slashdot Mirror


Hardware TPM Hacked

BiggerIsBetter writes "Christopher Tarnovsky has pulled off the 'near impossible' TPM hardware hack. We all knew it was only a matter of time; this is why you shouldn't entrust your data to proprietary solutions. From the article: 'The technique can also be used to tap text messages and email belonging to the user of a lost or stolen phone. Tarnovsky said he can't be sure, however, whether his attack would work on TPM chips made by companies other than Infineon. Infineon said it knew this type of attack was possible when it was testing its chips. But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users. ... The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment."'"

327 comments

  1. surprise surprise by Anonymous Coward · · Score: 5, Insightful

    'near impossible'

    Shouldn't that be 'near inevitable'?

    Infineon said it knew this type of attack was possible when it was testing its chips.

    Did they mention this in their marketing and when selling the TPM FUD to governments and companies?

    "exceedingly difficult to replicate in a real-world environment."

    Meaning only powerful criminal organizations, companies and governments can probably gather the
    required resources and people with the expertise to pull it off? Out of 6.8 billion people, how
    many have the resources to do this? 1000? 10,000? What about in 5 years?
    At what point will they admit it's flawed? Probably when TPM2 is fully patented and ready.

    1. Re:surprise surprise by Bacon+Bits · · Score: 4, Interesting

      You didn't even read the article, did you? This was a hard hack.

      Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.

      Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.

      The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory.

      It also amuses me that TFS makes the point of blaming "proprietary" solutions. Exactly how would this attack have been prevented by using open source?

      --
      The road to tyranny has always been paved with claims of necessity.
    2. Re:surprise surprise by Anonymous Coward · · Score: 0

      Don't you know? Open source makes everything happy, with no security issues whatsoever.

    3. Re:surprise surprise by crossmr · · Score: 4, Funny

      I had a similar thought when I read that part of the summary:

      How about you do something crazy and carry on to the actual article (I know.. I forgot where I was)

      The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer... Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.

      Two words: script kiddies.

      You tell me how you're going to pack acid and rust remover into a downloadable tool and I'll worry.

    4. Re:surprise surprise by gomiam · · Score: 1

      Mind you, this is a hardware attack requiring the judicious use of chemicals to expose the circuitry. I somehow doubt there will be a do-it-yourself kit available any time soon.

    5. Re:surprise surprise by sim82 · · Score: 2, Insightful

      Well, now that he knows which chemicals to use and which wires to tap, it should take considerably less than 6 months to do it again. Basically the security of this TPM seems to be mainly based on obscurity (in this case complicated hardware).

    6. Re:surprise surprise by mini+me · · Score: 2, Insightful

      The makers of the chip said that they knew of the problem. An open chip maker would also be aware of the problem, but they would make the problem known. This would allow people using the chip to determine if the pros outweigh the cons of the vulnerability.

    7. Re:surprise surprise by Jeremy+Erwin · · Score: 3, Insightful

      'near impossible'. Shouldn't that be 'near inevitable'?

      No. Consider a strongbox. The best strongboxes, or safes are rated to withstand X minutes of attacking with Y Tools, with the idea being that within those X minutes, the security guards or the police will have responded and arrested the guy patiently drilling holes in the wall. Even though safes have been successfully manipulated, drilled, pried, lanced, or detonated, manufacturers still design strongboxes to thwart burglars, changing locks, adding glass discs, experimenting with new alloys, new shapes, and so on. Inevitably, some thieves will figure out a way to thwart these safeguards, and design begins anew.

      It's not as if the burglars have won, and burglary safes are a quaint anachronism.

      The TPM should give administrators time to disable credentials in the case of a stolen laptop. But "secret forever" was and probably shall ever remain a pipe dream.

    8. Re:surprise surprise by camperdave · · Score: 1

      You tell me how you're going to pack acid and rust remover into a downloadable tool and I'll worry.

      Getting the cover off of the lock is the best way to find out how to pick it. Once you know how to pick it, you can do it even if the cover is on.

      --
      When our name is on the back of your car, we're behind you all the way!
    9. Re:surprise surprise by chill · · Score: 1

      No. This isn't a software hack. It requires physical modification of the chip itself, every time. The chips are sealed in epoxy, so you'd have to get thru that with acid EVERY TIME. You aren't going to automate it with improved knowledge. RTFA.

      --
      Learning HOW to think is more important than learning WHAT to think.
    10. Re:surprise surprise by Anonymous Coward · · Score: 0

      True - however, this assumes that OSS would create a "perfect" chip very rapidly. Because if not, then the public disclosure of exactly how they work would be as much an aid to people trying to find ways to hack it as a liability. In this case, Infineon knew that the hack was possible, but extremely difficult - for OSS to be a better solution, the making-it-easier of Tarnovsky knowing exactly how the chip works and being told about the nature of the problem would have to be balanced by the making-it-harder of the collaborative factor of OSS. Given how difficult it was for Tarnovsky and the resources Infineon would have put into it, while still deciding they could live with the vulnerability, I would guess that an OSS team would struggle to have a big making-it-harder-factor over proprietary.

      OSS software competes with proprietary software, but proprietary software has lots of bugs because they know it can be fixed easily by a patch. Proprietary hardware manufacturers tend to put quite a bit more into it (e.g. the XBOX 360 security), which makes the bar for OSS to add value a lot higher. OSS graphics card anyone?

    11. Re:surprise surprise by Anonymous Coward · · Score: 0

      BOM.txt:

      "Go to a DIY shop and buy the following:

      -acid
      -rust remover"

    12. Re:surprise surprise by riegel · · Score: 1, Interesting

      When I give food to the poor, they call me a saint. When I ask why the poor have no food, they call me a Communist.

      When you do the giving that's great. When that giving is compelled then it ain't so great.

      --
      http://p8ste.com - Web based Clipboard
    13. Re:surprise surprise by hclewk · · Score: 4, Informative

      It. Can't. Be. Automated.

    14. Re:surprise surprise by blackraven14250 · · Score: 3, Insightful

      You didn't answer the question. It was "Exactly how would this attack have been prevented". Nice sidestep, though.

    15. Re:surprise surprise by Opportunist · · Score: 1, Insightful

      What part of it can be automatized? As soon as that is a possibility, it becomes trivial to execute for anyone.

      Cracking computer games with "professional" copy protection requires specialized knowledge as well, as well as a few key tools and the knowledge of how to operate them. Yet it can be fully automatized once it has been done once and thus anyone can apply a crack. Cracking the protection of consoles requires a lot of knowledge and information, yet applying it requires a soldering iron and a chip (either bought or self-made). How much of that TPM hack can be streamlined and dumbed down until all the potential attacker needs is a list of hardware to buy and some programs to run?

      And suddenly those 1000 multiply.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    16. Re:surprise surprise by avxo · · Score: 1

      Did you even bother to read the article and understand how this works, or are you just spewing stuff out? It cannot be automated! This is a hardware hack that would require physical access to the computer for a considerable length of time, and involves exposing the Infineon chip to acid, then to rust remover and then tapping parts of the exposed chip core. Even if an attacker could do all this on-site and without being detected, they would still somehow have to solder the eavesdropping chip, close everything up so as not to arouse suspicion, leave undetected and wait for the victim to use his computer. The bottom line is this: Is this attack possible? Yes. Is this attack plausible? Remotely. Is this attack realistic? Not really.

    17. Re:surprise surprise by Just+Some+Guy · · Score: 1

      Exactly how would this attack have been prevented by using open source?

      It wouldn't. In fact, nothing can prevent that attack, because it's not theoretically possible to give someone a secret while keeping it from them.

      --
      Dewey, what part of this looks like authorities should be involved?
    18. Re:surprise surprise by chill · · Score: 3, Insightful

      This is called "tamper resistance" and is a common technique used in physical security. People who use this stuff professionally know this is how it works and factor it accordingly. No one with any competence in the field assumes the perfect security of a system. ALL systems are vulnerable depending on the time, money and effort expended to compromise them. Tamper resistance has the sole purpose of driving those factors up.

      See: Tamper Resistance

      Most of the people who have information valuable enough to warrant this type of time-effort-money expenditure aren't relying solely on TPM for their security. Things like multi-factor authentication and independent encryption come into play as well.

      --
      Learning HOW to think is more important than learning WHAT to think.
    19. Re:surprise surprise by nabsltd · · Score: 1

      It requires physical modification of the chip itself, every time. The chips are sealed in epoxy, so you'd have to get thru that with acid EVERY TIME. You aren't going to automate it with improved knowledge.

      Today, it requires physical access, but it might be that there is something flawed with the hardware algorithms that can be exploited via software once the inner workings of those algorithms are known.

      It's like any bad encryption...it might appear good at first, but then some small break allows a general solution that allows decryption of any message. CSS is the classic example. The first cracks were caused by getting keys from a software DVD player, but after that, the algorithm became understood and it became possible to design a brute-force decryption that took only a few seconds to verify.

    20. Re:surprise surprise by Gyorg_Lavode · · Score: 4, Insightful

      I've listened to his talks before, and this is what he does. He's incredibly good at bypassing chip security and reading out the data on the chips. The question though is do you have to do that every time, or did he find a bug in the code on the chip that could potentially be exploited externally. The article is a bit vague on that. All it really says is he was able to tap the chip bus. It doesn't comment on the impact of him doing so other than it compromises the whole chip.

      --
      I do security
    21. Re:surprise surprise by vlm · · Score: 1

      No. Consider a strongbox. The best strongboxes, or safes are rated to withstand X minutes of attacking with Y Tools, with the idea being that within those X minutes, the security guards or the police will have responded and arrested the guy patiently drilling holes in the wall. Even though safes have been successfully manipulated, drilled, pried, lanced, or detonated, manufacturers still design strongboxes to thwart burglars, changing locks, adding glass discs, experimenting with new alloys, new shapes, and so on. Inevitably, some thieves will figure out a way to thwart these safeguards, and design begins anew.

      That design pattern only works, if, once out of a zillion tries, the safe opens and the contents are essentially replicated instantly to everyone on the internet.

      Here is the slashdot car analogy. It's my car with my car door lock, and I'll do what I want with my precious unique angel of a car. One in a billion people cracks the lock, and suddenly the entire world has a perfect digital copy of my precious "unique" car. And they'll do whatever they please with their copy of "my" car. Ooops.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    22. Re:surprise surprise by Jeremy+Erwin · · Score: 1

      Is this attack realistic? Not really.

      Use it to break into a laptop and hope that the secrets obtained won't have expired in the meantime.

    23. Re:surprise surprise by IamTheRealMike · · Score: 4, Insightful

      Gah. This whole conversation is retarded.

      1. The TPM is an open solution. The chip's behavior is determined by open standards and there are multiple competing vendors of these chips.
      2. The fact that you can mount sophisticated silicon attacks on a TPM is not a "flaw" because nobody knows how to make completely impenetrable chips. The TPM does what it was designed to do - provide a good level of security for very low cost. If you lose your laptop and it uses a TPM based product, chances are really great that the thieves won't get data out of it. That is not the same thing as "completely invulnerable to SEMs" and nobody ever claimed it was.
    24. Re:surprise surprise by plover · · Score: 2, Informative

      The algorithms ARE known. It's just that dissolving the chip package in hydrofluoric acid and inserting logic probes into the chip itself is far easier than breaking those algorithms.

      He used the attack to retrieve a specific key from a specific chip, not as a general algorithm or protocol attack on the TPM platform.

      --
      John
    25. Re:surprise surprise by Jeremy+Erwin · · Score: 1

      Suppose that a bank employee carries around a laptop that allows him access to mortgage records. And this laptop is stolen, and the TPM key recovered, in time for other thieves to go and edit records.

      With the power to edit records safely in hand, the thieves sell your house, your car, your children out from under you... Even if the plot is foiled, the mistakes reversed, cleaning up from the fraud can take some time.

      TPM is not DRM. I suppose it can be used that way, but conflating the two demonstrates naivete.

    26. Re:surprise surprise by zippthorne · · Score: 1

      Automated does not mean that it must be done by a machine. That's precisely why I used "photocopied howto" rather than "computer program".

      I couldn't reproduce the attack from the details in the article, but nothing in the article suggests to me that it could not be mechanically described for a subset of existing TPM chips similar enough to the one in the article.

      Indeed, the steps you bolded are the very steps that I am most certain are "scriptable" in the sense of "Step one: fill beaker with acid. Step two: place chip inverted in acid for blah blah seconds. ..." The bit where I'm not sure of was the probe bits: is the chip uniform enough that the probe points would be the same for a number of them, how many chips could be attacked using the same probe points?

      Please engage "reading comprehension" while you RTFA, before accusing people of not R'ing the F'in A. (although that is usually a good assumption.)

      --
      Can you be Even More Awesome?!
    27. Re:surprise surprise by DarkOx · · Score: 3, Interesting

      Right but outside the fire safes you get at home center most safes and strongboxes are designed such that they are difficult to remove from the site. They may be very heavy requiring equipment to move, fastened from the inside etc etc. In the case of laptops and phones virtually any situation in which this sort of attack will be used is one where the unit's whereabouts are not known to the owner. Which makes it pretty hard to respond to. The big sell point on TPM was if your device goes missing it's a brick to whomever finds it; this sorta makes that untrue.

      Yes you make your laptop useless to the typical thief but as far as corporate espionage, government records leaking etc etc; this makes TPM a pretty poor defense. Yes I realize it's supposed to be one line of defense but when things like the keys to your disk encryption are stored there those remaining lines are not much of a hurdle.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    28. Re:surprise surprise by emj · · Score: 1

      As far as I know most TPM devices (if not the standard) say that hard hacks by accessing the chip cannot be prevented by design. As I said I'm not sure if this is in documents from Trusted Computing Group but I know I've read it in info material. It's "impossible" to prevent hard hacks.

    29. Re:surprise surprise by Anonymous Coward · · Score: 3, Insightful

      No, you fucking fail. You're just too much a pussy to admit it, so you're trying to cover up your arrogant bullshit with this garbage. Kill yourself.

    30. Re:surprise surprise by Anonymous Coward · · Score: 0

      TPM is an open hardware standard, that's why other vendors have chips as well. Also, it requires a lab and expensive precision equipment. Not to mention working with volatile chemicals and the chance you could fry everything. I don't think anyone out there has a 100% impenetrable piece of hardware unless it's made of vapor.

    31. Re:surprise surprise by moosesocks · · Score: 1

      The TPM should give administrators time to disable credentials in the case of a stolen laptop. But "secret forever" was and probably shall ever remain a pipe dream.

      Sure, it can be done. A One Time Pad offers theoretically perfect encryption, as long as you keep the pad separate from the message, and (as the name implies) only use the pad once.

      Of course, there are many practical and logistical drawbacks to this approach, although if you want to keep something secret, OTP is definitely the way to go.

      --
      -- If you try to fail and succeed, which have you done? - Uli's moose
    32. Re:surprise surprise by Anonymous Coward · · Score: 0

      If you have information that is worth protecting with something even better than just a TPM (i.e. multifactor authentication and layered encryption with external keys), you know about these kinds of attacks. There's nothing conceptually new about the hack. This is how people find out about the inner workings of other chips too. The TPM in question even had countermeasures which were put in in anticipation of a hardware hack, as acknowledged by the hacker: "This chip is mean, man - it's like a ticking time bomb if you don't do something right." Documenting the hack certainly makes repeating it easier, but you still have to attack each single TPM individually, and if you make a mistake, the information you're looking for is physically destroyed. "Easier" is therefore clearly relative. It is still a very difficult attack which requires significant skill, not just money to throw at the problem.

      The good news is that chips can be designed to make these attacks harder in many ways: For example, the designer can add "fuses" as the top layer which is destroyed before the attacker can attach probes to functional pathways of the chip. The chip can then react to the absence of the fuse information. But even this will not make an attack impossible, just "impossible".

    33. Re:surprise surprise by Anonymous Coward · · Score: 0

      You're essentially repeating what you quoted.

    34. Re:surprise surprise by GameboyRMH · · Score: 1

      The problem is that people may rely on TPM to keep data on a stolen laptop safe. For example Microsoft's BitLocker encryption can store the key on the TPM module (it can even use the TPM module alone, so that no user input is required to boot). Once the key is retrieved from the TPM module the disk contents will be accessible (depending on the authentication mode).

      http://en.wikipedia.org/wiki/BitLocker_Drive_Encryption#Overview

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
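An added check, not code from the thread or from Microsoft: a PowerShell audit of which BitLocker volumes rely on a TPM-only protector (the no-user-input mode described above), with a migration to TPM+PIN so that a key recovered from the chip alone is not enough to unlock the disk. It assumes Windows 8 or later with the BitLocker PowerShell module, an elevated session, and Group Policy that permits a startup PIN; the function names are my own.

```powershell
# Added example (not from the thread): find BitLocker volumes whose only
# boot-time protector is the TPM, and move the OS volume to TPM+PIN.
# Assumes an elevated session on Windows 8+ with the BitLocker module and a
# policy that allows a startup PIN ("Require additional authentication at
# startup" with a PIN permitted).

function Get-TpmOnlyBitLockerVolumes {
    # Protector types that need something beyond the TPM at boot.
    $multiFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types     = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })
        $hasTpm    = $types -contains 'Tpm'
        $hasSecond = @($types | Where-Object { $multiFactor -contains $_ }).Count -gt 0

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ',')
            # True when the TPM alone releases the volume key: whoever can
            # extract that key, or simply boot the untouched machine, gets
            # the disk contents without a PIN or startup key.
            TpmOnly          = $hasTpm -and -not $hasSecond
        }
    }
}

function ConvertTo-TpmPinProtector {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # Refuse to touch a volume that has no recovery password: if the swap
    # fails half way, the recovery password is what keeps the data reachable.
    $recovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $recovery) {
        throw "$MountPoint has no RecoveryPassword protector; add and back one up first."
    }

    # A volume carries only one TPM-based protector, so the TPM-only one is
    # removed before the TPM+PIN one is added.
    $tpmOnly = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'Tpm' }
    foreach ($p in $tpmOnly) {
        Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $p.KeyProtectorId | Out-Null
    }
    try {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    }
    catch {
        # Policy or TPM state blocked the PIN protector: restore TPM-only so
        # the next boot does not fall back to recovery mode, then report.
        Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmProtector | Out-Null
        throw "Could not add TPM+PIN protector on ${MountPoint}: $($_.Exception.Message)"
    }
}

# Report all volumes, then remediate the OS volume if it is TPM-only.
$report = Get-TpmOnlyBitLockerVolumes
$report | Format-Table -AutoSize

$os = $report | Where-Object { $_.TpmOnly -and $_.MountPoint -eq $env:SystemDrive }
if ($os) {
    $pin = Read-Host -AsSecureString -Prompt 'New BitLocker startup PIN'
    ConvertTo-TpmPinProtector -MountPoint $os.MountPoint -Pin $pin
}
```

The report alone is useful on its own: a fleet where `TpmOnly` is true for the system drive is the case the comment above warns about.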
    35. Re:surprise surprise by dave562 · · Score: 1

      Here's the unanswered question in my mind. The original hack required serious physical manipulation of the chip. What about the chip design precludes developing a TPM compatible chip that disables the protections?

      The only hardware hacking that I've ever been privy to involved the Oki 900 cellphone in the mid-90s. Obviously the Oki EPROM and the TPM chip are different beasts. Having said that, when hacking the Oki the EPROM was replaced with one that enhanced code in addition to the base code from the factory.

      Given that the internals of the TPM chip have been pried open and can be observed in real time, how long until replacement chips are available that disable the protections, but make it appear that those protections are in place?

    36. Re:surprise surprise by ashridah · · Score: 1

      That's not really the only recourse.
      In a corporate environment, the system's still tied to the domain, so in the off-chance that the system connects to a network, it'll try to 'phone home' and can be remote-wiped.
      But yeah, no-one's claiming that TPM is perfect, because no security system is perfect. It's just a step up from 'no protection at all' that requires an additional time/sophistication level to break. That could be time enough to secure anything that could be exposed.

      Of course, the sane approach is to not keep anything on the vulnerable system at all, and access it all via VPN/remote desktop, but that's hardly 100% practical (email caches, etc for efficiency). It's standing orders where I work though (as is bitlocker, even for desktop systems), as much as is practical, at any rate.

    37. Re:surprise surprise by Dare+nMc · · Score: 1

      My first thought was similar, how is this OSS related when no bug has been released? However, with this hack, he now claims to have the entire code and architecture used in the proprietary chip. So this chip is no longer "closed", so if the security relies on being closed, then that security will soon be non-existent as it sees the light of day. No advantage to open source, just any advantages of being closed don't exist forever either. With that information he can at the very minimum now replace that chip with his own, that would pass the TPM's credentials test. But it will also open up scrutiny to an algorithm the company clearly went to great lengths to protect.

    38. Re:surprise surprise by GameboyRMH · · Score: 1

      Why'd you go with BitLocker rather than TrueCrypt?

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    39. Re:surprise surprise by Zerth · · Score: 1

      It can be automated, just not solely in software. You could probably design a device the size of a breadbox that would perform the attack with minimal supervision by a human.

      Pop off the case, seal the device onto the chip, press button, then wait. Somebody with a lot of time or a lot of money will do it.

    40. Re:surprise surprise by Zerth · · Score: 2, Insightful

      And after he does it a second time and realizes, for example, the first half of the keys are identical or the odd and even bits fulfill a certain function, then a brute force software solution becomes trivial.

    41. Re:surprise surprise by Anonymous Coward · · Score: 0

      It's based on public key cryptography, and every TPM chip contains a unique private key. You can't install a replacement chip without prying out the private key from an original TPM chip.

    42. Re:surprise surprise by Khyber · · Score: 1

      I believe the acronym you're looking for is OSH in reference to hardware, not OSS.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    43. Re:surprise surprise by Anonymous Coward · · Score: 0

      I don't think that the "soaking the chip in acid" is such an easy task without major experience in a chemical lab. You could destroy the chip.

      So are the other parts. At the end he says he had to avoid traps in the chip's software, that it's like a time bomb. This is what the journalist understood, but most probably means that if the chip detects you're trying to trick it, it will lock up the system or even destroy the credential needed to decode the data in some unrecoverable way.

      So I think that a naive "script kiddie" would have a very high chance of missing this and destroying the chip, the data or both. You'll anyway leave clear evidence behind.

      It is anyway good someone hacked this because it can counter certain marketing bullshit which is heard around about these tpm chips and similar solutions.

    44. Re:surprise surprise by Khyber · · Score: 1

      He's using a far more sophisticated method than what we used to un-seize TPM protected motherboards in HP commercial notebooks. We did nothing more than power-jolting the chip (similar to how the PS3 hypervisor got bypassed.) He's actually hacking the hardware inside.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    45. Re:surprise surprise by Khyber · · Score: 1

      "The chips are sealed in epoxy, so you'd have to get thru that with acid EVERY TIME. You aren't going to automate it with improved knowledge. RTFA."

      You could use ultra or hyper-sonic frequencies to penetrate past the epoxy and sever internal connections. Works nicely for disabling home security systems without needing to touch the box.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    46. Re:surprise surprise by osu-neko · · Score: 1

      You didn't answer the question. It was "Exactly how would this attack have been prevented". Nice sidestep, though.

      Not actually a sidestep -- the question is flawed. Open-source advocates would say an open solution is better, but they would never make the claim the question implies they do. Attacks like this are impossible to prevent, period. The difference that makes the open solution better is that an open solution lets everyone see how they can be accomplished, and evaluate the dangers appropriately. With a closed-solution, risk assessment is impossible. The same obscurity that supposedly buys you additional security prevents any attempt at accurate risk assessment. The end result is usually that the vendor discounts real risks, and open-source types assume the worst, and the argument simply cannot be settled because it's being conducted in the absence of any facts, which are hidden from all participants.

      --
      "Convictions are more dangerous enemies of truth than lies."
    47. Re:surprise surprise by osu-neko · · Score: 1

      It can be automated, just not solely in software. You could probably design a device the size of a breadbox that would perform the attack with minimal supervision by a human.

      Pop off the case, seal the device onto the chip, press button, then wait. Somebody with a lot of time or a lot of money will do it.

      ...and someday we'll find out that the NSA has had these breadboxes on their desks since 2006. ;)

      --
      "Convictions are more dangerous enemies of truth than lies."
    48. Re:surprise surprise by Anonymous Coward · · Score: 0

      Yes, but you're just talking about the algorithm. This guy didn't break the TPM algorithm. He 'tapped the phone' (according to the article) and picked up plaintext info as it was being decrypted (or encrypted.) An OTP would do nothing to protect against this particular style of vulnerability, because it's not a vulnerability in the encryption algo.

    49. Re:surprise surprise by kgo · · Score: 1

      I don't know if this was his only reason, but TrueCrypt doesn't support TPM, and from the trash-talking in the FAQ, probably never will.

      --
      Can you construct some sort of rudimentary lathe?
    50. Re:surprise surprise by quanticle · · Score: 1

      Not to mention the most important layer of security - the physical layer. Sure, this guy might be able to get the X.509 certificate off the chip with acid and a few days of effort, but that implies that he's got the computer out of the building. If the attacker can't remove the computer from the building nor remove the motherboard from the computer, then this attack is meaningless.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    51. Re:surprise surprise by quanticle · · Score: 1

      Well, given that TPM uses X.509 certificates, I'd say the chances of finding a vulnerability are rather less than the chances of finding a vulnerability in a poorly vetted algorithm like CSS.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    52. Re:surprise surprise by MrPhilby · · Score: 1

      Concrete remover, simples

    53. Re:surprise surprise by quanticle · · Score: 1

      It's not nearly as easy as you're making it sound. The chemicals used and steps required mean that there's an extraordinarily small margin of error, and constant observation is required to ensure that only the epoxy and outer layers of the chip are removed without damaging the core. The level of skill required means that this could not be easily programmed into a robot. In other words, a robot (or even an inexperienced human) has about the same chance at pulling off this hack as they do of cooking a meal fit for a five-star restaurant.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    54. Re:surprise surprise by dissy · · Score: 1

      Yeah, but two words: "Script Kiddies"

      For 2/3rds of the day, any script kiddies walking up and laying hands upon my computer, I can guarantee will get shot and disabled. And that other 3rd of the day I will be sleeping in the other room, so the script kiddie will have a short time for making it upstairs past my dog and into the next room over from me, before I awaken and shoot them.

      Script kiddies and this exploit are not a concern :)
      Professionals yes. Social engineering, sure. Script kiddies? No.

      However, if one did not need physical access to pull off this attack, I would give you that you're correct.

      None of this is to say there is NO threat. Just that the threat is limited to physical attackers.
      And we all know, once someone has unlimited physical access to a computer, the security game is Over.

      You do have proper physical security measures in place, don't you?

    55. Re:surprise surprise by Marxist+Hacker+42 · · Score: 1

      After reading the article, no script kiddie is going to be able to duplicate this feat.

      But after reading the article the method used seemed to me to be a whole lot of overkill:
      1. Dissolve the chip package with acid
      2. Expose the core
      3. Use a needle probe to wiretap the chip.

      It seems to me it would be far easier to desolder the chip from the board, obtain a 2nd computer from the same production run, set bios password, then swap TPM chips and hard drives at the same time.

      But that's also an expensive solution with a relatively high level of skill; no script kiddie is going to accomplish it.

      I agree though; we seem really determined to refuse to learn the basic lesson: any hardware that is physically available is hackable.

      Makes me wonder why we're trying to build economies and governments based on secrecy to begin with.

      --
      SJW: a person who perceives an injustice, and while correcting it, commits a greater injustice.
    56. Re:surprise surprise by Anonymous Coward · · Score: 0

      And after he does it a second time and realizes, for example, the first half of the keys are identical or the odd and even bits fulfill a certain function, then a brute force software solution becomes trivial.

      Good luck finding a hole in RSA.

    57. Re:surprise surprise by Anonymous Coward · · Score: 0

      > Exactly how would this attack have been prevented.

      We wouldn't implement something as restrictive as TPM in the first place.

      But they should have blamed it for being a DRM system, not for being proprietary.

    58. Re:surprise surprise by Anonymous Coward · · Score: 0

      Exactly how would this attack have been prevented by using open source?

      Honestly, this is a semantic game.

      The attack wouldn't have been prevented by open software/hardware, because the attack does not apply to open software/hardware.

      Open encryption methods (where the keys are entirely under the control of the users) are not susceptible to this type of attack, because the keys are not stored in the hardware. The keys are stored (partially, at least) in a completely separate system (generally the mind of the user, a separate flash drive, or some combination thereof).

      The entire basis of "trusted computing" is in removing key control from the user, and having companies pay licensing fees (tolls) in order to remotely control encryption key usage on a user's computer. This scenario does not apply to any open system, thus the attack is irrelevant and meaningless in the context of open systems.

    59. Re:surprise surprise by Anonymous Coward · · Score: 0

      Yeah good luck writing an easy to reproduce set of instructions for exposing the core of these chips without destroying them, and then to intercept signals traveling around the interior of the chip to extract the protected data.

      I mean .. it's not like that requires massive amounts of skill, patience and specialized equipment or anything.

    60. Re:surprise surprise by Anonymous Coward · · Score: 0

      If you read the article, you'd find that the "specialized equipment" was "really sharp" needles, off-the-shelf acid and rust remover. And probably some specialized software to interpret the signals. Specialized software written by a single man in less than a year.

    61. Re:surprise surprise by Anonymous Coward · · Score: 0

      TPM is not DRM. I suppose it can be used that way, but conflating the two demonstrates naivete.

      A TPM is DRM in all but name. The TPM was designed for one purpose originally - DRM. It's there... right in the original documents. The designers later thought it could be used for other things... but the original motivation was DRM.

      DRM is the reason that the TPM is flawed. People are discussing the possibility of making hardware that cannot be cracked. The TPM demonstrates the basic flaw in the thinking of the IT people behind it. It's designed to keep secrets from the owner - not protect their security. DRM is based on the idea that the sender encrypts something, the receiver has the key to decrypt it... but is somehow prevented from using it except under controlled circumstances. It's folly.

      If you want actual security, you have the answer. The same answer that's been in use for generations - the owner has a key, which he doesn't keep WITH THE SECRET. You don't hang your house key next to the lock and expect it to keep thieves out. However, this idea means the owner has the key - an anathema to the Trusted Computing mob, and a deal-breaker for TPM. So we have this half-assed lockdown attempt being passed off as security.

    62. Re:surprise surprise by jpmorgan · · Score: 1

      Which isn't what happened. Nice straw man.

    63. Re:surprise surprise by darthflo · · Score: 1

      [...] then swap TPM chips and hard drives at the same time.

      If I'm not totally mistaken, that'd amount to quite precisely zilch. As far as I understand, the BIOS password (or fingerprint, retinal scan, ...) is stored within the TPM along with the decryption key. Swapping just the TPM will amount to nothing because you'd be missing the decryption key; swapping the hard drive would be useless anyways and swapping both alongside ought to get you to quite exactly where you started: Enter your password to have the data decrypted or don't and don't get to the stored data.
      In some models, I imagine it'd be even more difficult -- the TPM might be tied to a BIOS chip or the other, so BIOS and TPM only work in conjunction.

      In the end, by its very definition, such a system will never achieve perfect security. As long as the system has knowledge of its own decryption codes, man can take apart what man built. It'll get really difficult as soon as the TPM is moved onto CPU silicon, but if the technology to build it is available, the technology to take it apart will be there, too.

    64. Re:surprise surprise by Hurricane78 · · Score: 1

      What you mean is: Your mind is unable to imagine how it could be automated.

      But that might only be true for you.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    65. Re:surprise surprise by Hurricane78 · · Score: 1

      I have an easier solution for “losing your laptop”: Encrypt your HDD. Done.
      And that TPM becomes 100% secure, if you have the master key on a USB stick, and don’t lose that stick at the same time.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    66. Re:surprise surprise by Hurricane78 · · Score: 1

      ALL systems are vulnerable depending on the time, money and effort expended to compromise them.

      There is one notable exception: XORing with true random data. As long as the key is secure, of course.

      --
      Any sufficiently advanced intelligence is indistinguishable from stupidity.
    67. Re:surprise surprise by Anonymous Coward · · Score: 0

      The NSA can get the private key from the chip manufacturer's database. It's only peons who have to work hard to find out the private key... even if they happen to legally, physically own the computer and the TPM chip. That's what is so fucked up about the whole TPM system.

    68. Re:surprise surprise by Anpheus · · Score: 1

      As long as Infineon et al. are not using an old version of Debian to generate the certs, you're fine.

    69. Re:surprise surprise by Anonymous Coward · · Score: 0

      So just steal the computer and do all that shit in the comfort of your spy lab. The attack is perfectly realistic, look how much unprotected stuff gets leaked through lost laptops etc. The GP is still wrong though, you won't find your average x-box modder capable of doing this.

    70. Re:surprise surprise by RockDoctor · · Score: 1

      Suppose that a bank employee carries around a laptop that allows him access to mortgage records.
      [...]
      With the power to edit records safely in hand, the thieves sell your house, your car, your children out from under you.

      You have a mortgage on your children? What's the going price?

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    71. Re:surprise surprise by Bert64 · · Score: 1

      In order to connect the system to a network, it would need to be booted and thus the key must already have been entered.
      That's the problem, storing the key in the TPM system makes you vulnerable to attack since the thief now has the key and all the time in the world to extract it.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    72. Re:surprise surprise by FormOfActionBanana · · Score: 1

      That sounds retarded. If you XOR with random data, you have made it unrecoverable unless you save that random data, and that is now the key.

      Key security is what this article is about. The researcher violated the physical and software security to obtain the secret key. On hardware devices this key must always be stored somehow.

      --
      Take off every 'sig' !!
    73. Re:surprise surprise by ImprovOmega · · Score: 1

      Okay...automating a hardware hack, I guess I'll take a stab at it...

      In the year 2525 you find out about a hardware workaround for a security measure and download the plans for nanobots to implement it. You dump this into your replicator overnight and wait for the bots to be produced. You program in the address of your neighbor's house and release the nanobots into the wild. They patiently manufacture dissolving chemicals and rust remover to break into the chip in question and unlock your neighbor's secrets. Success! You now have access to 500 petabytes of holo-porn!

    74. Re:surprise surprise by Bacon+Bits · · Score: 1

      It's a quote. I'd cite it in the .sig but /. truncates it.

      http://en.wikipedia.org/wiki/H%C3%A9lder_C%C3%A2mara

      --
      The road to tyranny has always been paved with claims of necessity.
    75. Re:surprise surprise by Philip_the_physicist · · Score: 1

      Indeed. The "best" that he can hope for is to find a bug in the implementation or interface, but I don't think it is likely that he'll find one.

  2. tpm? by Anonymous Coward · · Score: 0

    Can the summary at least explain wtf tpm is?

    1. Re:tpm? by click2005 · · Score: 1
      --
      I am a free slashdotter. I will not be modded, blogged, DRM'd, patented, podcasted or RFID'd. My life is my own.
    2. Re:tpm? by Xipe66 · · Score: 1
      --
      Civilization is the process of setting man free from men.
    3. Re:tpm? by Lord+Ender · · Score: 4, Informative

      To encrypt something, you must have a 20-character password minimum to get 128-bit key strength. Nobody likes typing 20 characters, so TPM was invented. TPM stores your key on a separate chip. This chip only coughs up the key if you enter a short password to authenticate yourself to the chip.

      The chip uses rate-limiting boot-delays to prevent brute-forcing of the password.

      So the only way to get the key is to break the chip apart and look at the hardware somehow. The chips are usually encased in epoxy to make this hard to do. It's never been done before. Now it has... but it's still hard work.

      TPM chips come on all business laptops these days, though few businesses make use of them. And they're still better than telling your users to memorize 20 char passwords (which they would just write down).

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    4. Re:tpm? by characterZer0 · · Score: 1

      Taking the chip apart is hard. Paying off somebody with access to the design documents is easy.

      --
      Go green: turn off your refrigerator.
    5. Re:tpm? by Anonymous Coward · · Score: 0

      It's not a problem:

      'ABCDEFGHIJKLMNOPQRST'

      What's so hard?

      It's the same difficulty as my luggage: '1234'

    6. Re:tpm? by Lord+Ender · · Score: 1

      What do you expect access to "design documents" will help with?

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    7. Re:tpm? by Anonymous Coward · · Score: 0

      The password has to be programmed into the chip somehow, knowing the pinouts and the internals will assist in determining how.

    8. Re:tpm? by Lord+Ender · · Score: 1

      The hard part will always be taking the chip apart without destroying the data (or the ability to read the data).

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    9. Re:tpm? by alvinrod · · Score: 1

      20 character passwords aren't hard if you use a passphrase. They're just as easy to memorize (if not easier) and vastly more secure. The only reason I don't use them for everything is that some online services put a limit on maximum password length. It's not really any harder to type in 20 characters than it is to type in 8 if you're good at typing. I understand that people are lazy, but good security doesn't need to be a string of 20 random characters, numbers, and symbols that are difficult to remember.

    10. Re:tpm? by Lord+Ender · · Score: 1

      The entropy of a 20-character passphrase is much less than the entropy of a 20-character random password, actually.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    11. Re:tpm? by xZgf6xHx2uhoAj9D · · Score: 1

      Indeed. One can't be totally certain (calculating entropy exactly is undecidable in general), but the entropy rate of English is approximately 1 bit per letter (give or take half a bit, so says Claude Shannon).

      Assuming your passphrase is English, it would have to be somewhere around 30 words long to give 128 bits of security? That's essentially the entire first paragraph of this comment, a pretty long passphrase!

    12. Re:tpm? by Rob+the+Bold · · Score: 1

      What do you expect access to "design documents" will help with?

      That way you know what kind of epoxy was used so to better disassemble it . . .

      But seriously, like you said, "So they only way to get the key is to break the chip apart and look at the hardware somehow." Wouldn't the design documents be useful? Like schematics and EDA files, block diagrams, masks, engineering memos, or even the definition of the algorithm -- among other possible "design documents". Why wouldn't access to this information be helpful, given that physical access is? Gratuitous car analogy: You don't need to take my car apart if you have access to the plans.

      --
      I am not a crackpot.
    13. Re:tpm? by JohnnyBGod · · Score: 1

      Why not just use a SHA-1 hash of some arbitrarily large password or phrase, or whatever? That should take care of both problems.

    14. Re:tpm? by JesseMcDonald · · Score: 2, Informative

      If you're going to use a passphrase then you'll need much more than 20 characters to get 128 bits of entropy:

      Considering that the entropy of written English is less than 1.1 bits per character, pass phrases can be relatively weak. NIST has estimated that the 23 character pass phrase "IamtheCapitanofthePina4" contains a 45 bit-strength.... Using this guideline, to achieve the 80 bit-strength recommended for high security (non-military) by NIST, a passphrase would need to be 58 characters long, assuming a composition that includes uppercase and alphanumeric. (Wikipedia)

      To get 128 bits of entropy would require about 20 words. I don't know about you, but to me it seems that 20 non-obvious words would be about as hard to remember as 20 random characters, while being much less convenient to type.

      --
      "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
    15. Re:tpm? by FooAtWFU · · Score: 1

      It's never been done before. Now it has... but it's still hard work.

      Really? You don't think that the CIA, KGB, or the intelligence agencies of China | Iran | Israel | Elbonia have managed it, ever?

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    16. Re:tpm? by monoi · · Score: 1

      Gratuitous car analogy: You don't need to take my car apart if you have access to the plans.

      Unless, say, the thing you actually need from the innards of your car is the private key of the ignition system. Which isn't in the plans. So no, access to the plans doesn't really help at all, in this specific situation.

    17. Re:tpm? by mcgrew · · Score: 1

      And they're still better than telling your users to memorize 20 char passwords (which they would just write down).

      This is one of those "don'ts" I just don't get. I keep passwords written down, and in my wallet with my money and other things that are as important or more so than passwords. Plus I disguise them as other things, like phone numbers.

      A post-it note on the monitor I agree is stupid, but in my wallet?

    18. Re:tpm? by atrus · · Score: 1

      Well TPM is a relatively open standard. If you can find a fundamental flaw in the implementation, more power to you. That would be breaking TPM wide open, if accessible from the outside. This is akin to someone figuring out that all door locks from vendor X will open with a master key. Physically disassembling an IC, and tapping one of its logic lines, is specialized work (even in hardware engineering), as done in the TPM case. This attack is akin to someone cutting down your door with a chainsaw, cutting open your door lock, and making a duplicate key from looking at the pins.

    19. Re:tpm? by Anonymous Coward · · Score: 0

      It's a processor, with stacks and registers, albeit a very very proprietary and special purpose one.

      However, once you know more about the physical design, and how it stores the password registers and processes password requests/security requests, it is conceivable that you could feed it a situation where it has no error handler, causing it to puke its 20-char password into a visible register, or even as part of a crashdump.

      Failing that, you might be able to get it to give you clues about the password as part of its "denied" message. (Via stack corruption and code injection)

      Hell, you might even be able to disable the boot throttling intended to frustrate brute forcing with such a technique.

      Many of these security features are essentially security through obscurity, by simply not documenting (er, releasing documents publicly) the nitty gritty of "how" it goes about its security processes.

      This initial "Pry the lid off and look inside" approach can be used to gather intelligence about these nitty gritty details, which can then be used to concoct the infamous "Clever software hack" that you seem to be seeking.

    20. Re:tpm? by Ethanol-fueled · · Score: 1

      Once in a while I'll forget my passwords or PIN numbers until I can get to a PIN pad or keyboard, where the muscle memory kicks in. Over time my passwords become stored as a series of movements, not characters.

    21. Re:tpm? by Lord+Ender · · Score: 1

      It would have to be really really long. That itself is a problem.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    22. Re:tpm? by ArcCoyote · · Score: 1

      Let me fix that for you: You meant it has never been PUBLICLY RELEASED before.

      If one guy working alone can manage to do it, the intelligence agencies of several nations did it a long time ago. And don't kid yourself, a TPM chip is nothing compared to the kind of hardened devices said agencies trust with their data.

      At the physical level, data has to be in the clear somewhere. If you have the tools and the skill, an intrusive hardware attack against a single device is much less complicated than, say, cracking good crypto or finding a vulnerability that works on every device of that type.

    23. Re:tpm? by Rob+the+Bold · · Score: 1

      Unless, say, the thing you actually need from the innards of your car is the private key of the ignition system. Which isn't in the plans. So no, access to the plans doesn't really help at all, in this specific situation.

      I see what you mean, but the documents can still be quite useful. It's certainly useful to be able to build your own unit, perhaps even without the retry delay. Also, the Wikipedia article on TPM says that ". . . each TPM chip has a unique and secret RSA key burned in as it is produced, it is capable of performing platform authentication." If the design documents provide insight to how the keys are generated and assigned, perhaps you can reduce the complexity of guessing them. I assume it's not just a simple series of keys (1000, 1004, 1008, . . ., e.g.) but it's probably not completely random, either. Knowing something of the degree and nature of "non-randomness" could make a tough problem orders of magnitude less tough. Recall that when breaking the Enigma, Allied cryptanalysts learned (through espionage) that the keys could never contain the same character in the same position as the previous day's key. This limitation of randomness made their work a little easier.

      And maybe you find the best gift of all: a back door.

      --
      I am not a crackpot.
    24. Re:tpm? by MobyDisk · · Score: 1

      Excellent points.

      Do you know why a 20-character password is so hard? Because most systems limit passwords to 10 or 15 characters. Other than that, longer passwords are easier to remember.

      Good, easy to remember, long passwords:
      "This is my work computer and those IT jerks keep making me change my password"
      "I hate this training system"
      "My mother's maiden name is Johnson"

      Most people can easily memorize their name, their address, the characters in their favorite sports movie, the last 5 coaches of their favorite sports team... those longer things are actually _easier_ to remember than a single word with no context.

    25. Re:tpm? by JohnnyBGod · · Score: 1

      I'm sorry, could you elaborate? I'm not really seeing why it would.

    26. Re:tpm? by Lord+Ender · · Score: 1

      Each letter in a password is selected from 96 possibilities. Each letter in a passphrase is much more predictable than 1/96, though. There are only so many English words... far fewer than the number of words which could be made with combinations of 96 characters.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    27. Re:tpm? by JohnnyBGod · · Score: 1

      But if you are using the hash as a key, how is that relevant?

    28. Re:tpm? by Lord+Ender · · Score: 1

      Because password-cracking software has the ability to compute hash values.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    29. Re:tpm? by osu-neko · · Score: 1

      ...and, confronted with the difficulty of remembering that many random words and their order, people would simply use common text like the preamble to the Constitution, lyrics from their favorite song, etc. Despite how unique we may fancy ourselves, our favorite paragraphs are probably significantly less unpredictable than six random characters.

      --
      "Convictions are more dangerous enemies of truth than lies."
    30. Re:tpm? by osu-neko · · Score: 1

      Well, yes. Those who object to that are not thinking clearly about what kinds of attacks are possible on a password and what various security measures are meant to prevent. A 20 character password is supposed to slow down brute forcing the hash on the captured password file or the like. It's no more secure than a six character password on a "gun to the head" attack. If someone has physical access to my person, they have access to all my passwords, whether I wrote them down in a little black book I keep with me or not. If I failed to write them down, they need only wave a gun in my general direction and I'll happily write them down for them. Having them already written down simply saves a bit of time and unpleasantness...

      --
      "Convictions are more dangerous enemies of truth than lies."
    31. Re:tpm? by JohnnyBGod · · Score: 1

      Of course it has. So? You'd be as safe as your password, for which there can be some minimum (saner) length and character type requirements, and you get to use a password that you don't have to write down anywhere. No need for fancy chips. I'd call that a win.

    32. Re:tpm? by Wingman+5 · · Score: 1

      By taking the last output, XORing it with a monotonic counter (a counter that just counts up) and encrypting again you get a new key. Generating an RSA key is a little more complex but that is a very simple way of getting a "completely random" number every time while keeping the odds of repeating a number very low.

    33. Re:tpm? by DMUTPeregrine · · Score: 1

      More correctly, it helps find what you want, but you still need the physical access to get the key.

      --
      Not a sentence!
    34. Re:tpm? by Lord+Ender · · Score: 1

      It doesn't matter what hash is used. What matters is the number of combinations used to generate the key.

      When you restrict yourself to combinations which form English words, you greatly reduce the number of possible combinations at a given length.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    35. Re:tpm? by JohnnyBGod · · Score: 1

      When you restrict yourself to combinations which form English words...

      Who said anything about this? ;)

    36. Re:tpm? by Lord+Ender · · Score: 1

      That's what a "passphrase" is. If it's not a phrase, it's a password.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    37. Re:tpm? by JohnnyBGod · · Score: 1

      Why not just use a SHA-1 hash of some arbitrarily large password or phrase, or whatever? That should take care of both problems.

    38. Re:tpm? by shentino · · Score: 1

      Aha, there's a weakness right there.

      Just like someone can use a gun to force you to give up the PIN on your card...

      Besides, what good is having a 20 character password if a 5 or 7 character password can unlock it?

    39. Re:tpm? by Anonymous Coward · · Score: 0

      To encrypt something, you must have a 20-character password minimum to get 128-bit key strength.

      For anyone wondering, this assumes that your password is generated using a cryptographically secure random generator which outputs in base95 (for the 95 printable ASCII characters).

      If you're using base62 (alphanumeric characters, case sensitive) you need a randomly generated password of 22 characters.

      If using base36 (case insensitive alphanumeric characters) you'd need at least 25 characters in your randomly generated password.

      The critical thing is that your password must be generated using a secure random generator. Otherwise the entropy in your password will be weaker than expected due to patterns/biases people introduce when they keyboard mash their own "random" passwords. For instance, people generally include too many punctuation characters and numbers than you'd normally expect in a secure random password.

    40. Re:tpm? by Lord+Ender · · Score: 1

      Because you STILL would only need to guess the PASSPHRASE. I explained this to you already.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
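
A worked illustration of the point made in posts 26, 28, 34 and 40 above (the hash's width does not add entropy; only the guess space of the input counts), together with the "how many characters for 128 bits" arithmetic of post 39. This is an added example and is not code from any commenter. The 16-word list is constructed for the demo and stands in for a real dictionary; the 7776-entry size used for the word count is the Diceware list size, an assumption not mentioned in the thread.

```python
import hashlib
import itertools
import math
import secrets
import string

# The three alphabets post 39 quotes: 95 printable ASCII, 62 alphanumeric, 36 case-insensitive alphanumeric.
ALPHABETS = {
    "base95": string.digits + string.ascii_letters + string.punctuation + " ",
    "base62": string.digits + string.ascii_letters,
    "base36": string.digits + string.ascii_lowercase,
}

# Constructed 16-word list standing in for a dictionary. It is deliberately tiny so the exhaustive
# search below finishes instantly; a real list is larger, but the arithmetic is identical.
TOY_WORDLIST = [
    "apple", "river", "stone", "cloud", "tiger", "piano", "lemon", "ocean",
    "maple", "robot", "sugar", "train", "violet", "whale", "zebra", "candle",
]


def chars_needed(alphabet_size: int, bits: int = 128) -> int:
    """Length of a uniformly random string over this alphabet carrying at least `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def words_needed(dictionary_size: int, bits: int = 128) -> int:
    """Same computation for a passphrase of words drawn uniformly at random from a dictionary."""
    return math.ceil(bits / math.log2(dictionary_size))


def random_password(alphabet: str, bits: int = 128) -> str:
    """Generate with `secrets`, not `random`: the Mersenne Twister behind `random` is predictable from its output."""
    return "".join(secrets.choice(alphabet) for _ in range(chars_needed(len(alphabet), bits)))


def passphrase_entropy_bits(word_count: int, dictionary_size: int) -> float:
    """Entropy of `word_count` words chosen uniformly from `dictionary_size` candidates."""
    return word_count * math.log2(dictionary_size)


def derive_key(secret: str) -> bytes:
    """Post 13's idea: hash the phrase to get a fixed-width key. SHA-256 here, but the argument holds
    for SHA-1 or any other hash: the output is 256 bits wide, its unpredictability is not."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


def dictionary_attack(target_key: bytes, wordlist, word_count: int):
    """Enumerate every `word_count`-word phrase over `wordlist`, hashing each exactly as derive_key does.
    Returns (recovered phrase, guesses used) or (None, guesses used)."""
    guesses = 0
    for combo in itertools.product(wordlist, repeat=word_count):
        guesses += 1
        phrase = " ".join(combo)
        if derive_key(phrase) == target_key:
            return phrase, guesses
    return None, guesses


def demo() -> dict:
    """Run the comparison and return the numbers so a caller (or a test) can inspect them."""
    # A 3-word phrase over the toy list: 3 * log2(16) = 12 bits, however wide the hash output is.
    phrase = " ".join(secrets.choice(TOY_WORDLIST) for _ in range(3))
    key = derive_key(phrase)
    recovered, guesses = dictionary_attack(key, TOY_WORDLIST, 3)
    return {
        "lengths_for_128_bits": {name: chars_needed(len(a)) for name, a in ALPHABETS.items()},
        "diceware_words_for_128_bits": words_needed(7776),  # assumption: Diceware's 6**5-word list
        "phrase_entropy_bits": passphrase_entropy_bits(3, len(TOY_WORDLIST)),
        "key_bits": len(key) * 8,
        "recovered": recovered == phrase,
        "guesses": guesses,  # never more than 16**3 = 4096, regardless of the 256-bit key
        "max_guesses": 2 ** int(passphrase_entropy_bits(3, len(TOY_WORDLIST))),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The cracker never touches the 256-bit key space; it walks the 4096 phrases the word list allows and compares hashes, which is what post 28 means by "password-cracking software has the ability to compute hash values". Swap the toy list for a real dictionary and a slow KDF instead of a bare hash and the search gets slower per guess, but the bound on the number of guesses is still set by the phrase, not by the hash.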
    41. Re:tpm? by Lord+Ender · · Score: 1

      You missed the point. A five character password can unlock a 128bit key. But the password can't be guessed at the rate of a trillion per second: the hardware limits it to only a few tries per minute.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
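
An added example, not from any commenter, modelling the design post 3 and post 41 describe: a short PIN unlocks a stored key, and the hardware throttles guessing so the PIN cannot be tried at software speed. The throttling schedule (three tries, then a one-minute refusal) is an assumption chosen to match "a few tries per minute"; it is not the TPM specification's dictionary-attack logic. The `probe()` method is a stand-in for what a successful physical attack on the die yields: the stored material, with the throttling bypassed. A simulated clock is passed in so the demo runs in milliseconds.

```python
import hashlib
import hmac
import os


class WrongPin(Exception):
    """The PIN did not verify; the failure counter has been incremented."""


class LockedOut(Exception):
    """The device refuses to check PINs until `locked_until`; the attempt is not counted."""


class SealedKey:
    """Toy PIN-gated key store with anti-hammering (assumed schedule, not the TPM spec):
    after every `tries_before_lock` wrong PINs the device refuses attempts for `lock_seconds`."""

    def __init__(self, pin: str, key: bytes, tries_before_lock: int = 3, lock_seconds: float = 60.0):
        self._salt = os.urandom(16)  # per-device secret; the PIN itself is never stored
        self._tag = self._mac(pin)
        self._key = key
        self.tries_before_lock = tries_before_lock
        self.lock_seconds = lock_seconds
        self.failures = 0
        self.locked_until = 0.0
        self.attempts = 0

    def _mac(self, pin: str) -> bytes:
        return hmac.new(self._salt, pin.encode("utf-8"), hashlib.sha256).digest()

    def unseal(self, pin: str, now: float) -> bytes:
        """The only interface the host sees. `now` is the simulated clock."""
        if now < self.locked_until:
            raise LockedOut()
        self.attempts += 1
        if hmac.compare_digest(self._mac(pin), self._tag):
            self.failures = 0
            return self._key
        self.failures += 1
        if self.failures % self.tries_before_lock == 0:
            self.locked_until = now + self.lock_seconds
        raise WrongPin()

    def probe(self):
        """What a physical probe of the die yields: salt, PIN tag and the key, throttling bypassed."""
        return self._salt, self._tag, self._key


def pin_space(digits: int = 4):
    """All PINs of the given length, in the order an attacker would try them."""
    return [f"{i:0{digits}d}" for i in range(10 ** digits)]


def online_attack(device: SealedKey, pins, now: float = 0.0):
    """Guess through the device interface, waiting out each lockout.
    Returns (pin, key, simulated seconds spent) or (None, None, seconds)."""
    for pin in pins:
        while True:
            try:
                return pin, device.unseal(pin, now), now
            except LockedOut:
                now = device.locked_until  # sleep until the device will talk again
            except WrongPin:
                break  # next candidate
    return None, None, now


def offline_attack(salt: bytes, tag: bytes, pins):
    """With the PIN-check material extracted, nothing throttles the guesses. Returns (pin, guesses)."""
    for i, pin in enumerate(pins, start=1):
        if hmac.compare_digest(hmac.new(salt, pin.encode("utf-8"), hashlib.sha256).digest(), tag):
            return pin, i
    return None, len(pins)


if __name__ == "__main__":
    dev = SealedKey("7391", b"\x00" * 16)
    pin, key, seconds = online_attack(dev, pin_space())
    print(f"online: PIN {pin} after {dev.attempts} attempts, {seconds / 3600:.1f} simulated hours")
    salt, tag, leaked = dev.probe()
    print(f"offline: {offline_attack(salt, tag, pin_space())} with no waiting; key also read directly")
```

Through the interface, the 4-digit PIN in the demo costs the attacker 2463 one-minute lockouts, about 41 hours of wall clock, and a real device can make the schedule much harsher. Once the stored material is read off the silicon, the same PIN falls in at most 10,000 fast HMAC computations, and in the attack the thread discusses the key itself was read, so the PIN no longer matters at all.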
    42. Re:tpm? by JohnnyBGod · · Score: 1

      You know what? Forget it.

  3. Bloke says the US is not ready for cyber war by auric_dude · · Score: 1
  4. When will they learn by santax · · Score: 1, Insightful

    That near impossible = possible = bad security. The arrogance to think they are soooo smart and (almost) no-one will be able to crack their design. Well it only takes 1 person. But I am guessing about every secret service in the world already knew how to do this attack.

    1. Re:When will they learn by jdunn14 · · Score: 1

      This paints faaaar too black and white a picture of security. Factoring the huge RSA key that you're using within the next few days is "next to impossible" (the first pair of large primes I try could be the ones) but that doesn't make it bad security. What you have to do is raise the bar high enough that your data/house/identity is adequately protected. Absolutes do not exist. That said, I'm not making a judgment on this particular hack or its difficulty, just that claiming that the ONLY good security is absolutely uncrackable security is incorrect.

    2. Re:When will they learn by crossmr · · Score: 1

      No.. there is a difference between possible and theoretically possible.

      The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer.

      I don't really call any hack that requires "physical access" to be a genuine danger.

      If someone has physical access to your box you've got greater worries.

    3. Re:When will they learn by santax · · Score: 1

      I agree with you that absolutes don't seem to exist in the security-world but after reading the article I don't think this is about brute-forcing a key.

    4. Re:When will they learn by wvmarle · · Score: 1

      Every password, every encryption key can be brute-forced, given enough time.

      No software is flawless.

      No hardware is flawless.

      Even the strongest bank vault inside the strongest nuclear bunker under the largest mountain defended by an immense army can be breached.

      So in your world there is only place for bad security.

      Luckily for the rest of us there is also something like "good enough" security that is so secure that breaking it is so expensive/hard that it becomes practically impossible.

    5. Re:When will they learn by Anonymous Coward · · Score: 0

      That's just ignorance. No attack against security is impossible to achieve. Per your silly little argument, that means all security is bad security.

      Security is risk management. If a 'near impossible' attack costs an attacker $1000 to perform, then it's perfectly safe for me to store data that's only worth $999 to the attacker under protection vulnerable to that attack.

      This attack requires physical access to the chip, and skill in chemically eroding the case of the chip to expose the guts of the chip.

      That doesn't equate to bad security.

    6. Re:When will they learn by noidentity · · Score: 5, Insightful

      I don't really call any hack that requires "physical access" to be a genuine danger. If someone has physical access to your box you've got greater worries.

      Yes, but remember that TPM is about keeping you out of your own computer, so those who would like to do so are worried about this.

    7. Re:When will they learn by Anonymous Coward · · Score: 0

      Except that fundamentally, NOTHING is truly impossible.

      So it is a matter of making things exceedingly difficult, such that the cost of an attack exceeds the potential value of the information obtained from executing the attack.

      If you RTFA, the cost and technical complexity of this attack is pretty high, and is more than the benefit you'll gain from most targets implementing this method of security.

      Targets that have information valuable enough to justify executing an attack like the one described are likely to have additional/more sophisticated countermeasures in place.

    8. Re:When will they learn by santax · · Score: 1

      The best spies in the world had physical access to hardware which they were trusted with. But not to all the information on that computer. Now that goes for governments, but if you're telling me that your mobile, your laptop and your home-pc are always in your sights... and that no-one can open your locks undamaged. Well chapeau to you, but I wouldn't believe you. This is a hack. This is how the spy-business works.

    9. Re:When will they learn by Anonymous Coward · · Score: 0

      No security is 100%. Anything that you come up with to secure your computer can be cracked, and they know that, they even say it if you read the article and press releases by the company. This issue here is that Christopher Tarnovsky is one of the top hardware guys in the business, and it took him 6 months to figure the damn thing out. Even with all his notes, a map, and a compass most human beings would not be able to pull this hack off. The security offered by these chips is still pretty damn good.

    10. Re:When will they learn by crossmr · · Score: 1

      but how many people that use this are actually going to be targeted by criminals that are capable of this and not have greater worries? Probably zero..
      Look at the procedure the guy went through. He'd not only need access, he'd need some time to sit down and get comfy with it. A spy ripping a chip out of your box in your server room and field stripping it is going to get noticed.

    11. Re:When will they learn by Qzukk · · Score: 1

      then it's perfectly safe for me to store data that's only worth $999 to the attacker under protection vulnerable to that attack.

      I solved it by hanging a sign on my valuable data saying "This data is only worth $999". After all, it's not like an attacker knows whether it's my bank account information or my shopping list until after they've broken the security.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    12. Re:When will they learn by Jaysyn · · Score: 1

      Why is this modded troll? Wake up mods!

      --
      There is a war going on for your mind.
    13. Re:When will they learn by santax · · Score: 1

      Stranger things have happened. Assumption...

    14. Re:When will they learn by nedlohs · · Score: 1

      Bullshit.

      All security is breakable - given enough time and money. So all security is just a trade-off how much are you willing to spend and how much inconvenience can you take versus how serious an attack do you need to be secure against.

      Is your house built with bank vault doors and walls and floor and ceiling? Does the door have a lock anyway?

    15. Re:When will they learn by rwiggers · · Score: 1

      Do you REALLY consider any form of encryption as impossible to crack? I'd say all of them are a matter of time.

    16. Re:When will they learn by Sir_Lewk · · Score: 1

      Generally speaking "given enough time" to bruteforce a key should mean something like "a few orders of magnitude more time than the universe is expected to last before heat death". Not "6 months". Of course, he didn't bruteforce a key here, he compromised a hardware device. Comparing the "imperfect" security of one with the other is a tad disingenuous.

      The real problem here is these devices have been pushed as some sort of magic security bullet, without the companies pushing them being honest about the actual amount of security provided.

      Also, you cannot brute force OTPs, those are perfect. And software can be proven correct, provided enough time/money, and a detailed specification of exactly what the software is supposed to do.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    17. Re:When will they learn by nedlohs · · Score: 1

      Except that almost the entire reason for a TPM chip is to secure against those with physical access. So you can't just declare that physical access invalidates it.

    18. Re:When will they learn by noidentity · · Score: 2, Interesting

      Obviously a mod who doesn't understand TPM. Or maybe he picked up on the (entirely appropriate) negative undertone of my message, directed at those who want to lock you out of your own computer.

    19. Re:When will they learn by Anonymous Coward · · Score: 0

      Because the large majority of TPM implementations are absolutely nothing to do with DRM or privacy concerns, and the GP is scaremongering with no basis?

    20. Re:When will they learn by geekmux · · Score: 1

      ...But I am guessing about every secret service in the world already knew how to do this attack.

      What the hell would they need millions of dollars worth of human and electronic resources to crack TPM for when waterboarding supplies are less than ten bucks and you usually get an answer in less than 5 minutes?

      Yeah, that may sound like a joke, but seriously, there are enough "old-school" tactics out there to gain access the old fashioned way. Not to mention the threat tactic of labeling you a "terrorist", and immediately qualify you for "throw-away-the-key" lockup.

    21. Re:When will they learn by blackraven14250 · · Score: 1

      It's not even remotely easy. One bad move with the acid, and game over. One bit of misplaced rust remover, game over. A wrong push with the needle (where you're dealing with micron-sized pathways) and game over, again. You need a whole lot of time to do this successfully, not just a 5-minute period.

    22. Re:When will they learn by Opportunist · · Score: 1

      "Physical access" in the time of PDAs, smartphones and laptops? Hardly a challenge.

      Also don't forget that security is often also a matter of trust. If something is trusted to be "secure", additional layers of security are often ignored because THIS cannot be the leak, so we needn't add more security. I wouldn't deem it impossible that sensitive data may be stored on a TPM protected device because it is "impossible" to break it open, something that would certainly not be permitted if the device was not trusted.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    23. Re:When will they learn by Opportunist · · Score: 1

      What worked for me was a sign at the door:

      "I spent 200 bucks on my stereo, but 2000 on my burglar alarm. My neighbor did it the other way around. Be smart!"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    24. Re:When will they learn by doublebackslash · · Score: 1

      One Time Pad. This has guaranteed security because you simply xor one character of plaintext with one character of key. Since someone trying to "crack" the key could come up with any message at all with a chosen key it is 100% secure. Nothing differentiates the right key from the wrong key. However, OTPs require the secure transmission of the OTP beforehand, so it does not see much real world use.

      --
      md5sum /boot/vmlinuz
      d41d8cd98f00b204e9800998ecf8427e /boot/vmlinuz
    25. Re:When will they learn by noidentity · · Score: 1

      Do you REALLY consider any form of encryption as impossible to crack? I'd say all of them are a matter of time.

      One time pad. If you're trying to guess the pad, you might as well just try to guess the message itself, without even bothering with the encrypted data.

    26. Re:When will they learn by nomadic · · Score: 1

      That near impossible = possible = bad security.

      No, you're completely and utterly wrong. There is no such thing as perfect security. The best you can get is "near impossible." So you're basically saying all security=bad security.

    27. Re:When will they learn by Anonymous Coward · · Score: 0

      Once you have stolen someone's laptop you don't really need to worry about them seeing you rip it apart, eh? The real worry here isn't criminals, it's entities like governments that essentially have unlimited resources.

    28. Re:When will they learn by rochberg · · Score: 4, Insightful

      [...] remember that TPM is about keeping you out of your own computer[...]

      Um, no. TPMs are designed for three things: 1) establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first), 2) provide lightweight, secure and fast cryptographic operations (so you don't have to do something stupid like store a cryptographic key in plaintext on your HD), and 3) allow remote attestation of a computer's software stack (i.e., verifying the integrity of the OS and other pieces of software...very useful for distributed systems).

      Yes, there are applications of TPMs for DRM, but that is a side effect and not a primary factor. Furthermore, in the case of general purpose computers (which does not include gaming platforms like the Xbox), the TPM best practices make it very clear that the TPM should only be activated with the user's explicit knowledge and consent. I.e., it is the owner of the hardware who decides if the TPM will be used, not the software vendors. Of course, hardware vendors are not obliged to follow the best practices, but that's not the fault of TCG.
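
The three functions listed in this comment (a measured boot chain, sealing a key to that measurement, and attesting the measurement to a remote verifier) are easy to misread without seeing the mechanics. The following is an added example written for this thread, not code from the page, from the TCG specification or from any TPM vendor: a simplified software model of PCR extend, sealed storage and a quote. It assumes a constructed chip secret (`_ROOT_SECRET`), constructed boot component names, and uses HMAC as a stand-in for the attestation signature a real TPM would produce with an asymmetric key.

```python
from __future__ import annotations

import hashlib
import hmac

# Constructed stand-in for the TPM's internal secret (the real one never
# leaves the chip; here it is a module-level value purely for illustration).
_ROOT_SECRET = bytes.fromhex("00" * 31 + "01")

PCR_INIT = bytes(32)  # a PCR starts as all-zero bytes at reset


def extend(pcr: bytes, component: bytes) -> bytes:
    """PCR extend: new = SHA-256(old || SHA-256(component)).

    The operation is one-way and order-sensitive: a changed, added or
    reordered boot component yields a different final PCR value, and
    software cannot set the register back to an earlier value.
    """
    return hashlib.sha256(pcr + hashlib.sha256(component).digest()).digest()


def measured_boot(components: list[bytes]) -> bytes:
    """Measure each boot stage into one PCR, in boot order."""
    pcr = PCR_INIT
    for component in components:
        pcr = extend(pcr, component)
    return pcr


def _seal_key(pcr: bytes) -> bytes:
    # Key material depends on both the chip secret and the PCR value, so a
    # blob sealed under one boot state cannot be opened under another.
    return hmac.new(_ROOT_SECRET, b"seal|" + pcr, hashlib.sha256).digest()


def seal(secret: bytes, pcr: bytes) -> dict:
    """Sealed storage: encrypt `secret` so it only unseals under `pcr`."""
    key = _seal_key(pcr)
    stream = hashlib.sha256(key + b"stream").digest()
    if len(secret) > len(stream):
        raise ValueError("toy model seals at most 32 bytes")
    ct = bytes(s ^ k for s, k in zip(secret, stream))
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return {"ct": ct, "tag": tag}


def unseal(blob: dict, pcr: bytes) -> bytes | None:
    """Return the secret if the current PCR matches the sealing policy,
    otherwise None (the chip refuses rather than returning garbage)."""
    key = _seal_key(pcr)
    expected_tag = hmac.new(key, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None
    stream = hashlib.sha256(key + b"stream").digest()
    return bytes(c ^ k for c, k in zip(blob["ct"], stream))


def quote(pcr: bytes, nonce: bytes) -> bytes:
    """Remote attestation: a chip-authenticated statement of the PCR value,
    bound to the verifier's nonce so it cannot be replayed later."""
    return hmac.new(_ROOT_SECRET, b"quote|" + pcr + nonce, hashlib.sha256).digest()


def verify_quote(q: bytes, expected_pcr: bytes, nonce: bytes) -> bool:
    """Verifier side: recompute the quote for the known-good PCR and compare.
    (Symmetric stand-in; a real verifier checks a signature with the
    chip's public attestation key.)"""
    return hmac.compare_digest(q, quote(expected_pcr, nonce))


def demo() -> dict:
    # Constructed boot chains: a known-good one and one with a swapped kernel.
    good_chain = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
    bad_chain = [b"firmware-v1", b"bootloader-v1", b"kernel-rootkit"]
    good_pcr = measured_boot(good_chain)
    bad_pcr = measured_boot(bad_chain)

    blob = seal(b"disk-key", good_pcr)   # seal a disk key to the good state
    nonce = b"verifier-nonce-1"
    return {
        "pcr_differs": good_pcr != bad_pcr,
        "unseal_good": unseal(blob, good_pcr),
        "unseal_bad": unseal(blob, bad_pcr),
        "quote_good_ok": verify_quote(quote(good_pcr, nonce), good_pcr, nonce),
        "quote_bad_ok": verify_quote(quote(bad_pcr, nonce), good_pcr, nonce),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The point the comment makes about consent is visible in the model: nothing here needs a secret the owner cannot know, and whether the verifier in `verify_quote` is the owner's own management server or a third party is a deployment decision, not a property of the mechanism.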

    29. Re:When will they learn by noidentity · · Score: 1

      Thanks; I stand corrected, and now consider my original message trollish.

    30. Re:When will they learn by Duradin · · Score: 1

      Or whack the person with the (other) pad and read at your leisure.

      There's a weak point in every scheme.

    31. Re:When will they learn by Demonantis · · Score: 1

      I realize that I am being pedantic with this, but you are incorrect. If the encryption has perfect entropy then it is, for lack of a better word, flawless. Mind you it is challenging to implement in most cases and has other security concerns beyond the encryption. One-time pads do this because the values used for encryption are never repeated so the output has no consistencies to work from. I think it was only significantly implemented once between the US and Russia during the cold war. The important part of this article is how proprietary designs allowed a company to sell its product as safer than they actually knew it was. Encryption should have tool time ratings just like safes do.
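
The one-time pad claims made in this comment and in the two earlier replies (that any candidate plaintext is consistent with a given ciphertext, and that the pad must never be repeated) can be checked directly. The following is an added example written for this thread, not code from the page or from any of the posters; the messages and the fixed test key are constructed sample values.

```python
import secrets


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """XOR each plaintext byte with the matching key byte.

    The key must be at least as long as the message, uniformly random,
    and used exactly once; those three conditions are what make the
    result information-theoretically secure.
    """
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


otp_decrypt = otp_encrypt  # XOR is its own inverse


def key_that_decrypts_to(ciphertext: bytes, candidate: bytes) -> bytes:
    """For any candidate plaintext of the same length, return the key under
    which this ciphertext decrypts to it.

    Because such a key always exists, the ciphertext does not favour the
    true message over any other: guessing the pad is no easier than
    guessing the message outright.
    """
    if len(candidate) != len(ciphertext):
        raise ValueError("candidate must match ciphertext length")
    return bytes(c ^ p for c, p in zip(ciphertext, candidate))


def reused_pad_leak(ct1: bytes, ct2: bytes) -> bytes:
    """XOR of two ciphertexts made with the same pad.

    The pad cancels out, leaving plaintext1 XOR plaintext2, which is why
    'never repeated' is a hard requirement and not a nicety.
    """
    return bytes(a ^ b for a, b in zip(ct1, ct2))


def demo() -> dict:
    message = b"ATTACK AT DAWN"                 # constructed sample message
    key = secrets.token_bytes(len(message))      # fresh random pad
    ct = otp_encrypt(message, key)

    decoy = b"RETREAT AT SIX"                    # same length, different meaning
    decoy_key = key_that_decrypts_to(ct, decoy)

    # Reusing the pad for a second message leaks the XOR of the two messages.
    second = b"HOLD THE LINE!"
    ct2 = otp_encrypt(second, key)
    return {
        "roundtrip_ok": otp_decrypt(ct, key) == message,
        "decoy_consistent": otp_decrypt(ct, decoy_key) == decoy,
        "reuse_leak": reused_pad_leak(ct, ct2)
        == bytes(a ^ b for a, b in zip(message, second)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```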

    32. Re:When will they learn by Cassini2 · · Score: 2, Interesting

      No, you were right the first time.

      Originally, TPM intended to let you know that your computer is working in the "trusted manner." Usually, the "trusted manner" would be defined either by the corporate IT department; or by a generic secure profile from Microsoft if you are a typical home user; or by yourself if you are a skilled programmer/systems administrator.

      The DRM people saw this technology and said: "This will be the best DRM ever."

      The practical problem is that you can only trust one of:
      a) your own configuration,
      b) your corporate IT department,
      c) the vendor of some big software system that needs protection (like AutoDesk for example),
      d) your operating systems vendor (Microsoft),
      e) Sony's DRM approved configuration,
      f) Universal Music's DRM approved configuration,
      ... and so on, listing every major big DRM company in the market.
      Fundamentally, you can only trust one vendor. One proprietary vendor will never trust another, and none of them will trust either you or your corporate IT department. Theoretically, the DRM vendors could form an alliance, through the likes of Macrovision. However, who would trust such an alliance? Even a neutral party, like the U.S. government, has been suggested and repeatedly vetoed as "the master of all trust."

      Who do you want to trust? Who controls all the secrets on your computer?

    33. Re:When will they learn by Anonymous Coward · · Score: 1, Insightful

      This is not what the TPM is about... you've clearly swallowed the FUD entirely. The TPM has the potential to help you boot into a known safe state. If that boot state is evil (pick your favorite evil vendor), then yes, you're screwed. Otherwise, the chip just isn't the boogey-man you clearly want it to be.

    34. Re:When will they learn by dave562 · · Score: 1

      The likely scenario is more along the lines of: US military raids al Qaeda safe house in Pakistan and recovers laptops. Laptops are protected by TPM chips. Owner of authentication mechanism (making the assumption it isn't a thumb print) refuses to divulge the information. Laptop is sent back to CIA station and the chip is physically cracked.

      As others have mentioned, the chip is just one layer of defense. Odds are that the hard drive itself will be encrypted and that's a whole other nut to crack.

    35. Re:When will they learn by Anonymous Coward · · Score: 0

      A 100% secure method does not exist in real life.

    36. Re:When will they learn by Zerth · · Score: 1

      Unless his associates ran trucks into both power lines while your generator was being serviced.

      Then he just has to kill anybody who noticed the "safe shutdown" text message from the UPS controller was faked and comes looking with a flashlight.

    37. Re:When will they learn by Anonymous Coward · · Score: 0

      That large majority could be implemented perfectly well even if the owner of the computer was provided with the private key of the TPM chip. It's only DRM which requires that the computer be able to run software that cannot be modified by the rightful owner of the computer. Yet every TPM chip has a private key that is kept secret from the owner of the computer by physical security measures. The owner can turn the TPM chip off, but that's all the choice they are given. Why is that if not for the purpose of allowing DRM vendors to control the computer?

    38. Re:When will they learn by QuoteMstr · · Score: 1

      You're both right: like every other technology since fire, TPM can be used for good or for ill. It's a tool. Tools are amoral.

    39. Re:When will they learn by gknoy · · Score: 1

      That argument sounds remarkably similar to a claim that guns aren't designed to kill people, they just are designed to accurately propel projectiles at high velocities. The fact that the main intended use for such a device is to facilitate killing is secondary.

      TPM, while having many technical niceties ("Oh, I don't have to remember my passphrase!"), has been seen for a long time as a tool to prevent people from using their computer in ways that they like. Sure, it can make sure you've not been rootkitted before booting Windows (or your iPad) ... but it can also ensure that you are only able to run the [cryptographically signed] Official OS for your hardware, rather than the latest version of Linux, BSD, or a hacked firmware on your XBox.

      Similarly, microchipping everyone and tracking us all in realtime by your favourite means would [if possible] allow all sorts of GREAT things like preventing child abductions, lost Alzheimer's patients, and a super Twitter. It would also be a gigantic invasion of privacy, capable (and perhaps designed for) of mass monitoring of Anyone that the government might care to monitor. Or suppress. Best of all, it could be run by a corporate entity, contracted by the gov't, and therefore be much more opaque to the citizenry. Lots of potential bad stuff, marketed to us under the guise of Something Awesome. It might even have been originally intended as something innocent and awesome and non-repressive, but history shows that if we humans can abuse some power, we will. Witness patent trolls and DRM on DVDs.

    40. Re:When will they learn by Anonymous Coward · · Score: 0

      #1 and #2 can be done with the user controlling the keys. #3 can't and its very purpose is to keep you out of your computer.

      Requiring consent doesn't much matter if it is coerced: If you can't access the internet without remote attestation that is not voluntary.

    41. Re:When will they learn by nedlohs · · Score: 1

      The ease isn't the issue.

      The claim of "I don't really call any hack that requires "physical access" to be a genuine danger" against a device that is designed to secure against physical access (that is after all why you need the acid...) is what I disagreed with.

    42. Re:When will they learn by Alsee · · Score: 2, Interesting

      That's like denying the purpose of teflon coated bullets is penetrating kevlar vests.
      It would be ludicrous in the extreme for someone to say teflon coated bullets are for deer hunting.

      The primary design criteria for TPMs is to secure computers against their owners. The TPM technical specification explicitly refers to the owner as an attacker and mandates "security" against "attacks" from the owner. The overriding design criteria throughout the specification is denying the owner access to his own master key, the Private Endorsement Key.

      Let's go over your denial, point by point:

      Um, no. TPMs are designed for three things: 1) establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first)

      The mere knowledge of my key does not alter my computer's function. The mere fact that I know my key does not diminish my computer's capability to "establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first)".

      The sole purpose of forbidding the owner to know his own master key is to attempt to secure the computer against the owner, to establish a "hardware root of trust" against the owner.

      2) provide lightweight, secure and fast cryptographic operations

      Let's break that into three pieces.

      Lightweight.
      Yes. And not merely lightweight, the design criteria is explicitly for TPMs to be dirt cheap so they can be included at negligible cost in all computers and other consumer electronics at negligible cost, included by default. And in accordance with that cost criteria they are deliberately designed to have minimalistic power and capabilities. Which directly leads into the next point:

      fast cryptographic operations
      Absolutely NOT! It is completely laughable when people try to justify TPMs as any sort of "cryptographic co-processor". The "lightweight" design constraints for these chips are such that a single cryptographic operation is permitted to take a half second or more. Performing cryptographic operations on a PC's main CPU will typically be a hundred times faster than using a Trust chip to do it.

      secure
      Yeah, "secure". As I said the specification explicitly mandates the chip be secure against the owner.

      A normal bullet does not require a teflon coating, and normal security does not require securing the chip against the owner.

      (so you don't have to do something stupid like store a cryptographic key in plaintext on your HD)

      You're citing deer hunting.
      When we're talking about "what teflon coated bullets are for", and you answer "deer hunting", I don't know whether you're insulting my intelligence or if you just don't get it, or what's going on. You are NOT going to find teflon on a bullet if it were actually intended and designed for deer hunting. You do not need teflon to hunt deer, and you don't need to secure a computer against the owner for "so you don't have to do something stupid like store a cryptographic key in plaintext on your HD". A normal pro-owner chip can do that. An owner can know his master key, and you can do that.

      3) allow remote attestation of a computer's software stack (i.e., verifying the integrity of the OS and other pieces of software...very useful for distributed systems).

      Again, the mere knowledge of my key does not diminish my computer's ability to give me remote attestation verifying the integrity of the OS and other pieces of software.

      And again, the purpose of this chip, the design criteria and the design purpose and the primary function of TPM remote attestation is to verify the "integrity" of the computer against the owner.

      ANTI-OWNER "security" is not security.

      there are applications of TPMs for DRM, but that is a side effect and not a primary factor.

      That's exactly backwards. The central design criteria of the TPM specification is that the owner is forbidden to know or co

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    43. Re:When will they learn by Anonymous Coward · · Score: 0

      Who do you want to trust? Who controls all the secrets on your computer?

      me.

    44. Re:When will they learn by Alsee · · Score: 1

      You were right the first time. I'm a programmer and I've studied the 332 page TCPA Main TCG Architecture v1_1b.pdf design specification. It explicitly refers to the owner as an attacker and it specifically mandates the chip to be secure against the owner himself. And yes, in simple terms it is designed to provide insane DRM-type lockdown for computers.

      One of the big TPM public relations lines is how it's all "opt-in" and "you're in control". As in opt-in handcuffs. As in new software that refuses to run unless you "opt-in" and "voluntarily" choose to put on handcuffs. As in files that you can't open unless you voluntarily "opt-in" to handcuffs. As in websites that you can't view unless you "opt-in". And best of all they've come up with something they call Trusted Network Connect (TNC). It enables your ISP to perform a "health check" to ensure your computer is patched and up to date and not infected with any viruses or anything. Of course, it can't perform that "health check" unless you have a Trust Chip in your computer. And of course it can't do that "health check" unless you "opt-in". And of course if you fail the TNC "health check", or if you decline to voluntarily "opt-in" to the TPM system, or if you don't have a TPM chip, or if you don't have the EXACT approved operating system, or if you're not running the EXACT mandated software, well in that case the ISP can't validate that your computer is not infected.... can't validate that your computer is not a threat to infecting other computers on their network... they can't validate that your computer is complying with whatever terms of service the ISP wants to make up for your computer.... if you can't or won't opt-in and pass the TNC "health check" then your network connection is denied.

      No ISPs are using TNC today, and they aren't deploying it tomorrow, but yeah that is exactly what it is designed to do. In time, if this Trusted Computing crap is successfully deployed, then yeah eventually you may be denied internet access unless you voluntarily "opt-in" to Trusted handcuffs.

      One of the primary functions of the TPM is to act as a spy inside your computer, logging your exact hardware and exactly what software you run and more, and sending that cryptographically certified spy report out over the internet. It's called Remote Attestation. That's how Trusted Network Connect works so that an ISP can check that you're not infected with a virus or something. The ISP asks the TPM for the spy report and they check that you're running an approved unmodified operating system and approved unmodified software.

      Another chip function is called Sealed Storage. In simple terms that means SuperDRM files. Sealed storage means your files on your computer are encrypted, that you cannot read or modify your own data. The chip refuses to open Sealed files except with specific approved software - in other words the files can only be opened with the specific unmodified approved DRM software.

      Another fun point is that the TPM effectively destroys much of your data if you alter your "security settings". You "voluntarily" "opt-in" to some insane anti-owner "security settings", and then your data vanishes if you alter the security settings. See? You're in complete control! You can set any security settings you want, and you can change them at will, but NOTHING WORKS unless you send an internet Remote Attestation proving you've opted-in to Evil(tm) settings, and your files vanish if you change your security settings non-Evil(tm).

      And this Slashdot story is about someone ripping open one of these chips to directly read it. Each chip has a unique master key locked inside (actually more than one, but that doesn't matter). It's basically your master key controlling all of the security on your computer. If you can read out this key then you gain full control of your computer. You can open the locked files, you can control the spy reports, you can run whatever software you want, you can use the master key to modify your security settings at will. With the master k

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    45. Re:When will they learn by Alsee · · Score: 1

      TPM can be used for good or for ill. It's a tool. Tools are amoral.

      In a narrow sense that is literally true, objects themselves are amoral. However there is a hell of a lot more context here than merely saying object X exists. Human acts and intentions are not amoral. The act of designing a new tool can be done for purpose and with an intent. The statements made about that tool can be honest or dishonest, for a purpose and with an intent.

      Let's take for granted that bullets are a neutral tool, and even further state that teflon coated bullets are neutral. However anyone claiming teflon coated bullets were designed and intended for deer hunting is obviously lying. You don't need teflon on a bullet to hunt deer. The act of designing and building teflon coated bullets was done with a purpose and intent. The purpose and intent in the acts of designing and building those bullets is to pierce kevlar and similar protective vests. And I will even declare that that in itself is morally neutral, as the further intent can be for killing cops or killing Nazi soldiers. My two points here are (1) the design of a tool itself can patently reveal at least some of the purpose and intent of the designer which may bear some moral significance and (2) it can bear some moral significance when someone patently lies that teflon bullets were designed for deer hunting.

      And if I may stretch this analogy beyond the breaking point, it can bear moral significance if someone were to act coercively to force people to buy teflon bullets, and it may bear moral significance when someone acts to prohibit people from buying and selling non-teflon bullets.

      Now to drop the broken analogy, anyone claiming TPMs were not designed to DRM-lock computers against their owners, they are at best badly misinformed and at worst outright lying. Saying TPMs were designed for pro-owner computer security is as false as saying teflon bullets were designed for deer hunting. The TPM technical specification explicitly treats owners as the enemy - it explicitly refers to so-called "rogue owners" and mandates that the TPM be designed against the interests of the owner. The overriding design criteria of the TPM is to forbid the owner himself from knowing or using his own master TPM keys, it endlessly mandates all of the things the owner is forbidden to do. The overarching design criteria is to lock the chip (and associated computer) against the owner.

      The TPM is designed to be secure against the owner. This is teflon. You don't need teflon to hunt deer, and anyone trying to defend teflon bullets by referring to deer hunting is at best badly misinformed and at worst outright lying.

      People can debate the positive or negative moral value of trying to turn computers into UberDRM machines massively locked down against the owner (I certainly have strong opinions on that), but it is ill informed or outright lying for anyone to deny that that was the intent and purpose in the act of designing the chips, that it was the intent and purpose in manufacturing the chips, that it is the intent and purpose of certain corporations using coercive methods to deploy this plan, and that it is the intent and purpose in prohibiting anyone from buying or selling compatible chips where the owner *is* in control or does know his own chip's master key.

      Objects themselves are amoral, however it is excessively pedantic and linguistically awkward to divorce the object from the context of actions and intentions intimately related to that object.

      A virus is inherently an amoral object. If a virus was designed to be distributed by hospital injections and safely provoke a human immunity, one can refer to that act of distribution as a good thing, or even casually refer to the virus itself as good. If a virus was designed for airborne distribution in perfume and to provoke lethal smallpox, one can refer to that act of distribution as a bad thing, or even casually refer to the virus itself as bad.

      The TPM is a poison apple, and

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    46. Re:When will they learn by Idiomatick · · Score: 1

      "Every password, every encryption key can be brute-forced, given enough time. "

      Not true, plenty of keys will take longer to crack (if you try brute) than it'll take for heat death to destroy the universe. Keys are selected in a manner that is sufficiently safe normally, i.e. 150yrs w/ current tech (Change the key every year). Sooo......

    47. Re:When will they learn by marcosdumay · · Score: 1

      Not quite so. It is intended to do 3 things: 1) establish root trust for boot, so the OS knows it wasn't compromised by a rootkit or the user; 2) provide cryptographic operations, so encrypting every bus that the user can access becomes viable; and 3) allow remote attestation of the software stack, so that partners of TCG can protect their data against the user.

      The TPM was created for DRM, and the TCG was created for agreeing on a way to make DRM viable. The fact that you can use it to provide a bit of security for yourself is merely accidental, and yes, I've read quite a lot of TCG docs.

      If it was about security for you, they'd make all the keys available for you, to see and modify.

    48. Re:When will they learn by Kattspya · · Score: 1

      Teflon coated bullets are not for penetrating armor vests or to be more precise the teflon is incidental. There are non-AP teflon coated bullets but I assume that all or almost all AP bullets have some lubricating coating.

      Just google it.

    49. Re:When will they learn by SiliconEntity · · Score: 1

      I'm a programmer and I've studied the 332 page TCPA Main TCG Architecture v1_1b.pdf design specification. It explicitly refers to the owner as an attacker and it specifically mandates the chip to be secure against the owner himself.

      Pics or it didn't happen.

      The closest I can find is pages 313-314: "The basic design point for the attack tree is that the TPM should be resistant to all software attacks and somewhat resistant to hardware attacks."

      A prescription that the chip be "somewhat [!!!] resistant to hardware attacks" is a pretty thin basis for asserting Orwellian control and domination.

    50. Re:When will they learn by Alsee · · Score: 1

      Ok, my bad. I do know TPMs and I don't know ammunition. It was a lousy analogy trying to make a valid point.

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    51. Re:When will they learn by Kattspya · · Score: 1

      Admitting an error graciously is an impressive quality. Especially when the nitpicker doesn't soften his words in some way.

      Kudos!

    52. Re:When will they learn by petermgreen · · Score: 1

      No it's essentially the electronic equivalent of rubber hose cryptography.

      --
      note: i'm known as plugwash most places but i screwed up registering that here somehow in the past and now can't register
  5. Security only buys you time. by tjstork · · Score: 1

    This one line changes things:

    The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer.

    You can't have a piece of hardware make your data safe forever. It only needs to be safe for as long as you use it.

    --
    This is my sig.
    1. Re:Security only buys you time. by Lord+Ender · · Score: 1

      Wrong. Real encryption with real key management can be either impossible (OTP) or effectively-impossible (AES) for someone to get around, even if they have physical access to your machine.

      TPM is an attempt to make key management easy, but it comes at the cost of making circumvention really hard (rather than effectively impossible).

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:Security only buys you time. by ColdWetDog · · Score: 1

      TPM is an attempt to make key management easy, but it comes at the cost of making circumvention really hard (rather than effectively impossible).

      Of course, there are even easier methods

      --
      Faster! Faster! Faster would be better!
  6. Yeah, this is going to be a major problem... by Admiralbumblebee · · Score: 4, Insightful

    FTA "Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle."

    If the attacker has this much physical access to your system/data then you've lost LONG before the TPM chip failed.

    1. Re:Yeah, this is going to be a major problem... by yoyoq · · Score: 1

      mod parent up

    2. Re:Yeah, this is going to be a major problem... by Jeng · · Score: 3, Insightful

      If the attacker has this much physical access to your system/data then you've lost LONG before the TPM chip failed.

      Yes, such as if the computer was stolen. I don't know much about TPM, but I would hazard a guess that one of the selling points would be to keep information secure even if the computer it is in gets stolen.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    3. Re:Yeah, this is going to be a major problem... by rwiggers · · Score: 1

      In that case it's known to the industry that only storing the keys in battery-backed RAM can minimize this kind of attack.
      It's nonetheless an interesting breakthrough to see someone achieve this without sophisticated lab equipment.

    4. Re:Yeah, this is going to be a major problem... by Anonymous Coward · · Score: 0

      Forget putting acid on the chip to get the passwords, just put acid on the owner til he gives you the password. Probably need a lot less acid that way.

    5. Re:Yeah, this is going to be a major problem... by Jeng · · Score: 2, Funny

      LSD doesn't work that way, otherwise the CIA would still be using it.

      Knowing that the password tastes like fuchsia does not help.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    6. Re:Yeah, this is going to be a major problem... by Anonymous Coward · · Score: 0

      I think he was thinking more of "Fight Club", not "The Manchurian Candidate".

    7. Re:Yeah, this is going to be a major problem... by Jeng · · Score: 1

      Well I guess you can see where my head is at.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    8. Re:Yeah, this is going to be a major problem... by bill_mcgonigle · · Score: 1

      If the attacker has this much physical access to your system/data then you've lost LONG before the TPM chip failed.

      It's not about winning or losing, it's about how long it takes to play the game.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    9. Re:Yeah, this is going to be a major problem... by quanticle · · Score: 1

      The purpose of TPM is like the purpose of the lock on a door. It's not to keep the intruder out, but rather to slow the intruder down so that he either gives up or gets caught. I don't see this as a hack at all, given that by the time any intruder manages to gain access to the chip, the theft of the laptop would have been noticed, and any credentials stored on the TPM would have been invalidated.

      --
      We all know what to do, but we don't know how to get re-elected once we have done it
    10. Re:Yeah, this is going to be a major problem... by pod · · Score: 1

      Except with TPM, the owner is untrusted, and thus a potential attacker. If you have a TPM computer, and YOU want to trust it, you have to get the key out of the hardware.

      --
      "Hot lesbian witches! It's fucking genius!"
  7. Am I getting old? by jtownatpunk.net · · Score: 1

    When I saw TPM, the first thing I thought of was the CP/M variant that came with the Epson QX-10.

    1. Re:Am I getting old? by jfengel · · Score: 2, Funny

      Yes, it means you're getting old. On the plus side, your memory appears to be in great shape.

    2. Re:Am I getting old? by bughunter · · Score: 1

      Yea, but unfortunately his short term memory is going.

      He forgot the new cover sheet on his TPM report.

      --
      I can see the fnords!
    3. Re:Am I getting old? by delirium28 · · Score: 1

      It seems your own memory is fading, for it is a TPS report, not a TPM report, that needs the new cover sheet.

      --
      Who is John Galt?
    4. Re:Am I getting old? by Lumpy · · Score: 1

      who are you? and where are my pants?

      --
      Do not look at laser with remaining good eye.
    5. Re:Am I getting old? by bughunter · · Score: 1

      Aye. And verily, your pedantry obscures the allusion... and, concomitantly, its humor.

      --
      I can see the fnords!
    6. Re:Am I getting old? by dpiven · · Score: 1

      Yes, it means you're getting old. On the plus side, your memory appears to be in great shape.

      On the minus side, you've only got 64K.

    7. Re:Am I getting old? by PReDiToR · · Score: 1

      Doesn't matter much because that's only a tenth of what we'll ever need (in theory).

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
  8. "high-skill" by mdm-adph · · Score: 1

    "But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users."

    You're kidding me, right?

    --
    It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    1. Re:"high-skill" by PhilHibbs · · Score: 4, Insightful

      Not sure what you mean. But yes, this does require a high skill level - we don't know how many TPM chips this guy trashed before getting it to work on one, or what his success rate would be on the next one. If he gets a laptop full of Chinese secrets and is asked to crack the TPM chip, he might well fry it on the first attempt, and you don't get second attempts on this kind of thing. It's not the kind of exploit that can be scripted and downloaded by any kiddie.

    2. Re:"high-skill" by maxume · · Score: 1

      He dissolved the outside of the chip without destroying the insides, and then he electrically accessed the chip with a needle.

      So, no kidding.

      --
      Nerd rage is the funniest rage.
    3. Re:"high-skill" by mdm-adph · · Score: 1

      Oh -- I know it's beyond script kiddies, but still, saying that such an exploit isn't to be worried about because it requires "high-skill" -- what really dedicated, evil cracker _isn't_ "high-skill?"

      --
      It is by my will alone my thoughts acquire motion; it is by the juice of the coffee bean that the thoughts acquire speed
    4. Re:"high-skill" by Lumpy · · Score: 1

      He knows where to look and can measure depth. Now all he needs to do is map out where to drill and how deep, insert a probe into the hole and voila!

      refining the hack to increase reliability is very easy once you have more information.

      --
      Do not look at laser with remaining good eye.
    5. Re:"high-skill" by PhilHibbs · · Score: 1

      Are all these chips laid out identically? That would be a bit silly.

    6. Re:"high-skill" by Anonymous Coward · · Score: 0

      Measure depth? Not so fast, grasshopper. What would be your reference, the surface of the epoxy shells? You probably need micrometer precision here. What are manufacturing tolerances on epoxy thickness of these things?

    7. Re:"high-skill" by jayspec462 · · Score: 1

      a laptop full of Chinese secrets

      My God! It's full of Calgon!

      --
      $comment =~ s/($verb)\s+($noun)/IN SOVIET RUSSIA, $2 $1s YOU!/g;
    8. Re:"high-skill" by bloodhawk · · Score: 1

      This is not cracker level high skill. This is deep understanding of integrated circuit level high skill combined with high skill and precision of dissolving out layers of the chip with acid and then inner layers of mesh with rust remover, all the while without damaging anything critical, and then having the knowledge and skill to tap the necessary wire to monitor comms in the chip. This is well beyond the vast majority of high skilled crackers.

    9. Re:"high-skill" by dlgeek · · Score: 1

      That would be pretty much required for any kind of mass production... Read up on lithography.

    10. Re:"high-skill" by darthflo · · Score: 1

      Hm, if I'm not mistaken, each wafer will be exposed only once through a photomask for a couple (dozen) chips. Since all it takes would be a bunch of rearranged paths, developing a photomask for several unique chips shouldn't be much more than a couple of clicks and a bit of computation work. If each wafer has space for 30 chips, that simple step would have decimated the success chance of the drill method by 96%.
      QA can be kept to a minimum and different flavours of the chip left unmarked because this really only would have to affect some of the internal wiring. All of the logic could stay the same and checking for problematically long signal paths or similar problems could be done in a simulation.

  9. Difficult? by Angst+Badger · · Score: 0

    The requirement for physical access aside, it really doesn't matter how difficult the rest of the process is, since someone will eventually figure it out and implement software to do it automatically so any script kiddie can do it. Math -- crypto included -- is funny that way. Considering the amount of money companies invest in products like these, you'd think they'd figure that out sooner or later.

    --
    Proud member of the Weirdo-American community.
    1. Re:Difficult? by trampel · · Score: 2

      I somehow doubt that somebody will implement software to open the device package and depassivate the chip to probe internal signals.

      In essence, what he seems to have done is open the chip to extract the keys (or data that allowed computing the keys).

    2. Re:Difficult? by Anonymous Coward · · Score: 0

      Read the goddamn article. "Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle."
      Good luck writing software that does this automatically.

    3. Re:Difficult? by Monkeedude1212 · · Score: 1

      This is a hardware hack (see title).

      In order to hack it, you need to do some stuff with your hands, you need the physical device. You can't hand this to a script kiddie and he'll be breaking into the NSA in no time.

      I don't think its Infineon's responsibility for this "vulnerability" at all. You'd need to be someone within the same field as Christopher Tarnovsky, and someone with roughly as much knowledge. If you don't know who he is, look him up. He is pretty much at the top of his field.

      This is like how your house is vulnerable because the lock on the front door can be picked by a lockpicking expert or locksmith. Yet - no one is complaining.

    4. Re:Difficult? by jpmorgan · · Score: 2, Insightful

      And you'd think posters would try reading the article before sounding smarmy and dismissing the abilities of others. Funny that.

      Given that the first step of the "attack" is physically dissolving the chip's outer packaging in an acid bath... I'm guessing this won't be showing up in script-kiddie toolchains any time soon.

    5. Re:Difficult? by rochberg · · Score: 1

      [...] someone will eventually figure it out and implement software to do it automatically so any script kiddie can do it. Math -- crypto included -- is funny that way.

      Did you read the article? The security of cryptography is based on the lack of an efficient algorithm to do things like factoring large numbers or computing discrete logarithms. This attack has nothing to do with any of that. It is about destroying the chip casing and eavesdropping on the circuitry of the hardware.

    6. Re:Difficult? by compro01 · · Score: 1

      This is like how your house is vulnerable because the lock on the front door can be picked by a lockpicking expert or locksmith. Yet - no one is complaining.

      If you consider that someone could pick up your house and take it with them, then pick the lock at their leisure to get at the contents, sure.

      Unrestricted physical access in a world of laptops is becoming easier and easier.

      --
      upon the advice of my lawyer, i have no sig at this time
    7. Re:Difficult? by Monkeedude1212 · · Score: 1

      Exactly, but it's not the manufacturer's responsibility to ensure you secure your laptops. Simple as that.

    8. Re:Difficult? by dzfoo · · Score: 1

      Why not? Try Python.

      import acid

                -dZ.

      --
      Carol vs. Ghost
      ...Can you save Christmas?
    9. Re:Difficult? by Anonymous Coward · · Score: 0

      To be fair, this kind of attack usually results in the discovery of other avenues of attack (logical implementation flaws, side band leaks, ...), so this open heart operation of this particular TPM might foreshadow the availability of a less involved hack. This is how Mifare and other smart cards fell.

    10. Re:Difficult? by Anonymous Coward · · Score: 0

      >This is like how your house is vulnerable because the lock on the front door can be picked by a lockpicking expert or locksmith. Yet - no one is complaining.

      This is more like how your house is vulnerable because somebody with a steam ram can come up to your house and knock your door down.

      Unless you're one of those guys who live in a Castle with a Moat. Then you're safe from a steam ram...until they build a causeway.

  10. Does anyone know if this leads to a soft-hack by DarkOx · · Score: 1

    So he did this by accessing the information in the chip's protected storage. Now that he has done this, does it let us get at the set of possible keys or anything that would allow a software solution to defeating these things?

    --
    Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    1. Re:Does anyone know if this leads to a soft-hack by jpmorgan · · Score: 1

      Given that the first step in the hack is removing the chip and dissolving its outer casing in acid, I'm guessing this isn't likely to admit a purely software exploit.

      In other words, RTFA.

    2. Re:Does anyone know if this leads to a soft-hack by SomeJoel · · Score: 2, Insightful

      Given that the first step in the hack is removing the chip and dissolving its outer casing in acid, I'm guessing this isn't likely to admit a purely software exploit.

      In other words, RTFA.

      What the GP was asking is that now that this has been broken once, does the data obtained from said break-in provide enough information to devise a software solution?

      For instance, if the data obtained indicated that passwords always resolve to a relatively small subset of hashes, then brute force attacks would have a much faster time of it. But hey, way to play the RTFA card without understanding the question.

      --
      <Complete your profile by adding a signature!>
    3. Re:Does anyone know if this leads to a soft-hack by zelbinion · · Score: 4, Insightful

      Actually, most likely the keys stored inside the chip's non-volatile memory are probably encrypted, just to prevent that sort of attack.

      I worked with similar technology in a previous job. When Tarnovsky said "This chip is mean, man - it's like a ticking time bomb if you don't do something right,"

      My guess is he wasn’t kidding. These sorts of chips have all sorts of countermeasures to make this sort of attack difficult. The algorithms built into the circuits on the chip are designed to make eavesdropping hard. You can send different commands to the chip, and ask it to decode different amounts of data, but it will intentionally insert randomness into the time and number of operations to do the work to prevent you from gleaning information about what is going on inside the chip. I’m sure there are circuits that do nothing other than generate spurious electrical impulses so that trying to sense what the chip is doing remotely won’t work. The only way to even attempt an attack like this is to do what Tarnovsky did, and strip off the packaging. Assuming you didn’t just destroy it, even then you aren’t home free. I’m sure there are other safeguards built into the chips. Oh, did the voltage drop just now across that one circuit? That’s probably an attack – the chip just deleted the keys you were trying to recover and is now useless. Did that operation take too long because someone hooked up their own custom circuit in an attempt to decode what was going on? Yeah, that’s out too. Bye bye secret keys. Interrupt the power to the key storage area for a nanosecond while you try to connect your probe? I’m sorry, you’re done. Did you just read the data out of the protected storage out of sequence? Well, not only is that data encrypted (and therefore useless), the chip detected it, and intentionally burned out a small inaccessible fuse buried inside the chip and bricked itself. You’re done. Did you just inject an internal command with your probe that wasn't expected? Yep, you just blew another fuse. Go home.

      You have to connect your probes in exactly the right place, in exactly the right way, and not disturb the electrical properties of the circuit you tapped into to prevent the chip from knowing that you are there and triggering a counter-measure.

      I don’t know which counter measures the TPM modules from Infineon implement, but if they are current with the sort of technology out there, this hack was really really super damn hard.

      Sure, with enough time, money, skill, patience, and physical access to the machine, anything can eventually be broken. The idea of the TPM was to make it expensive enough to hack that the average thief won’t bother. If you are relying on a TPM only to protect secrets on a mobile device (which can be stolen and then hacked by a well funded company or government) you either deserve what you got, or you’ve made way too many well funded and motivated enemies.

    4. Re:Does anyone know if this leads to a soft-hack by mlts · · Score: 2, Interesting

      My question:

      Would a mass produced chip that is on a lot of business PC motherboards, and which is stated to have little to no physical resistance to attack, have all this? TPMs are not that expensive, so I'm sure they would not have near the physical anti-tamper technology that a CAC, a smart card, an IBM crypto PCI card, much less a 3U HP HSM would have.

    5. Re:Does anyone know if this leads to a soft-hack by jpmorgan · · Score: 1

      And if you'd RTFA too, you'd know that wasn't the case.

    6. Re:Does anyone know if this leads to a soft-hack by Anonymous Coward · · Score: 0

      Interrupt the power to the key storage area for a nanosecond while you try to connect your probe? I'm sorry, you're done

      Things like this are just going to end up causing expensive warranty claims that hardware manufacturers are not willing to accept.

    7. Re:Does anyone know if this leads to a soft-hack by zelbinion · · Score: 1

      My question:

      Would a mass produced chip that is on a lot of business PC motherboards, and which is stated to have little to no physical resistance to attack, have all this? TPMs are not that expensive, so I'm sure they would not have near the physical anti-tamper technology that a CAC, a smart card, an IBM crypto PCI card, much less a 3U HP HSM would have.

      CAC? no.
      IBM crypto PCI card? no.
      an HSM? certainly not. (no temp/vibration/motion/intrusion/EM field sensors in a TPM)

      A smart card? Well... the same technology used in smart cards is also used in chip and pin credit and debit cards. If you are going to build millions of chips and put them on little plastic cards that people will lose, bend, stuff in their wallets/purses/back-pockets, etc, they had better be pretty darn cheap. My guess is TPM chips and smart card chips have a lot in common, and smart card chips have a surprising amount of anti-tamper technology baked in. What is a few pennies for another chip on a motherboard that retails for $60-100? Unlike CPUs, TPM chips are really tiny with fewer layers, so they are much cheaper to produce. Many of the anti-tamper features involve detecting voltages being out of spec, detecting out of sequence commands through use of a few simple check flags, adding obfuscation circuit pathways, and the inclusion of volatile memory with an on-chip capacitor to create the functional equivalent of non-volatile memory that becomes fragile when you start messing with the chip. These aren't expensive features to implement.

      My understanding is that gen 1 TPM chips were pretty weak in terms of anti-tamper tech. I can only hope they've gotten better by now. I have no idea what sort of features were in the chip that Tarnovsky hacked.

  11. Infinitely Improbable == Finitely Probable by fuzznutz · · Score: 1

    All you need is a good source of Brownian Motion.

    1. Re:Infinitely Improbable == Finitely Probable by Critical+Facilities · · Score: 1

      Inventory: no tea

      Dang it!

    2. Re:Infinitely Improbable == Finitely Probable by Physics+Dude · · Score: 1

      No. Actually, that was Virtual Impossibility == Finite Improbability.

  12. Maybe it's time to rethink "digital everything"... by logicassasin · · Score: 1

    Seriously... We're reading about how Chinese baddies are doing this and that to gain access to secrets and whatnot and it seems like every few weeks some previously unbreakable form of encryption has been compromised. Maybe it's time to greatly reduce our dependency on the digital world to secure trade and state secrets. I mean... Laptops and phones are lost/stolen all the time, why would anyone in their right mind trust transporting state secrets on a flippin' laptop??? We all know it happens and we all know it's just a matter of time before something horrible happens because some high ranking official has his laptop stolen while playing "toe tap" in the bathroom stalls of some random airport.

    --
    Fifty watts per channel, baby cakes.
  13. Obligatory XKCD by Voyager529 · · Score: 1

    http://xkcd.com/538/

    If the data is valuable enough to steal a computer and try to hack the TPM chip using acid and needles, then it's valuable enough to threaten the person with the password to divulge it.

    1. Re:Obligatory XKCD by John+Hasler · · Score: 1

      > ...it's valuable enough to threaten the person with the password to divulge
      > it.

      That only works if you have both the computer and the person. Rubber hose cryptography is of little use if you have the laptop because a British cabinet member left it in a taxi.

      --
      Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
    2. Re:Obligatory XKCD by jgtg32a · · Score: 1

      A government employee? The password is 12345

    3. Re:Obligatory XKCD by Simetrical · · Score: 2, Insightful

      http://xkcd.com/538/

      If the data is valuable enough to steal a computer and try to hack the TPM chip using acid and needles, then it's valuable enough to threaten the person with the password to divulge it.

      Do you think China would be willing to steal a laptop with US state secrets on it? Definitely. Would they be willing to kidnap and torture the military officer or NSA employee who knows the password? Not a chance – that's an act of war.

      (And no one but a foreign government would put this much effort into retrieving data from a computer. Anything short of state secrets is not worth the effort.)

      --
      MediaWiki developer, Total War Center sysadmin
    4. Re:Obligatory XKCD by Vhyrrimyr · · Score: 1

      A government employee? The password is 12345

      That's the same combination I have on my luggage...

    5. Re:Obligatory XKCD by dzfoo · · Score: 1

      That's amazing! That's the same combination in my luggage!

            -dZ.

      --
      Carol vs. Ghost
      ...Can you save Christmas?
  14. It does not matter how hard it was/is. by Yaa+101 · · Score: 1

    It does not matter how hard it was/is.

    This message of success will assure that many other outfits will have a try at it for various reasons.

    It's the proverbial ghost out of the bottle.

    1. Re:It does not matter how hard it was/is. by nomadic · · Score: 1

      It does not matter how hard it was/is.

      Of course it does. It took 6 months, and required using acid to dissolve portions of the chip. How can you say that it "does not matter" how hard it is? Where is the real world danger here? There's no such thing as perfect security, and it makes no sense to say all-or-nothing.

    2. Re:It does not matter how hard it was/is. by emj · · Score: 1

      Actually pouring acid on chips is standard procedure, I've seen it done on video.. :-)

    3. Re:It does not matter how hard it was/is. by dzfoo · · Score: 1

      No, you're thinking of cheese: pouring cheese on chips is standard procedure. Acid doesn't taste as good.

      I'm not sure how cheese tastes on video, though.

            -dZ.

      --
      Carol vs. Ghost
      ...Can you save Christmas?
    4. Re:It does not matter how hard it was/is. by LordLucless · · Score: 1

      There is no proverbial ghost out of the bottle. Perhaps you meant genie?

      --
      Just because you're paranoid doesn't mean there isn't an invisible demon about to eat your face
    5. Re:It does not matter how hard it was/is. by PReDiToR · · Score: 1

      Over here in the UK we often pour acid on our chips, and like it!

      --

      Do not meddle in the affairs of geeks for they are subtle and quick to anger
  15. Solution is quite obvious by funkman · · Score: 3, Funny

    Since using this technique involves reverse engineering the chip, this is a clear violation of the DMCA. So just find your local attorney and prosecute.

    Problem solved. Nothing to see here move along. Thanks for playing. :)

    1. Re:Solution is quite obvious by Anonymous Coward · · Score: 0

      What copyrighted work are we talking about, for which this is a technical measure that limits access? And can you show that REing the chip is primarily intended to circumvent the access control for that work? If this reveals a key that is ever used in the course of a user accessing their own works, then presumably the users will be authorizing themselves to do that, so all the prohibitions go out the window.

    2. Re:Solution is quite obvious by shentino · · Score: 1

      A silly law isn't going to stop the terrorists, or the enemy. That's why we have the military.

      Of course, silly laws don't stop the government either.

  16. Step 1 - decap the chip without killing it by sillivalley · · Score: 4, Insightful

    While decapping chips is done all the time in failure analysis labs, it isn't easy, and it's even harder if you're trying not to damage the chip (or yourself) in the process.

    Decapping usually involves concentrated nitric and/or sulfuric acids. Temperature control is important. You want to carefully dissolve the plastic without destroying the lead frame and/or the bonding wires going from the lead frame to the die. You also want to complete this process without losing any fingers or your eyesight -- highly concentrated acids. Rinse carefully with deionized water and test to make sure the chip is still functional.

    Now you can feed the chip to your electron beam probe, FIB mill, or just take pretty pictures.

    Not the kind of thing you're going to do in your kitchen!

    1. Re:Step 1 - decap the chip without killing it by Physics+Dude · · Score: 2, Funny

      Not the kind of thing you're going to do in your kitchen!

      What!? You obviously have never seen my kitchen. ;)

    2. Re:Step 1 - decap the chip without killing it by lazyforker · · Score: 1

      Not the kind of thing you're going to do in your kitchen!

      You haven't seen my cooking.

    3. Re:Step 1 - decap the chip without killing it by marcosdumay · · Score: 1

      You probably won't feed it into an electron beam probe, since you want to read the contents of flash memory. You'll probably need some (very high impedance) contact probe.

  17. Re:Maybe it's time to rethink "digital everything" by ColdWetDog · · Score: 1

    So, you want to go back to analog? Is that what you're saying?

    --
    Faster! Faster! Faster would be better!
  18. Re:Maybe it's time to rethink "digital everything" by mrjb · · Score: 1

    Maybe it's time to greatly reduce our dependency on the digital world to secure trade and state secrets.

    Make sure to hand in your geek card on the way out.

    --
    Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
  19. Unlimited physical access. by Low+Ranked+Craig · · Score: 1

    This required physical access to the device. If you have unlimited physical access to any device, digital or analog, you will eventually be able to crack it, assuming you have the available resources. The key is to keep the bad guys from getting access in the first place, which isn't always possible. Even the best security has numerous weak points, like the security guards that only make $40K a year, or people that leave their devices unattended in public places.

    Probably best to store all critical information on punch cards and secure them in a burn safe guarded by people that are already multi-millionaires.

    --
    I still cannot find the droids I am looking for...
    1. Re:Unlimited physical access. by Anonymous Coward · · Score: 0

      Sheesh, $40k a year? I know a guy who has a current CCIE who moved from California to where I am, and he is making $8.00 an hour, and is happy about it, because he actually is getting income.

  20. CHALLENGE TO TARNOVSKY by SiliconEntity · · Score: 4, Insightful

    I've been reading about this hack for days, but something seems fishy. Some of the earlier reports had him hacking the SLE 66 CL processor chip which is embedded in the TPM, not the TPM itself. This article also describes him as having to work with many copies of the chip to discover its secrets, but it has the chips being inexpensive ones from China. Problem is that Infineon is a German company and I don't think you can get Infineon TPMs cheaply from China. Putting this together, it's not clear to me that he has truly hacked an Infineon TPM. He may have hacked a similar chip and he assumes that the same attack would work on TPM.

    However, there is a way for him to easily prove that he has done what he said. Every Infineon TPM comes with an RSA secret key embedded in it, called the Endorsement Key or EK. This key is designed to be kept secret and never revealed off-chip, not to the computer owner or anyone. And Infineon TPMs also come with an X.509 certificate on the public part of the EK (PUBEK), issued by Infineon. If Tarnovsky has really hacked an Infineon TPM and is able to extract keys, he should be able to extract and publish the private part of the EK (PRIVEK), along with the certificate by Infineon on that key. The mere publication of these two pieces of data (PRIVEK and Infineon-signed X.509 cert on PUBEK) will prove that his claim is true.

    1. Re:CHALLENGE TO TARNOVSKY by rochberg · · Score: 3, Interesting

      I've seen this article in a few places (see also here) and discussed it with some colleagues (one of whom was a consultant on the design of the TPM). We had the same suspicions regarding whether or not it was an Infineon TPM or a clone.

      Regarding the key question, I don't think he has actually been able to extract the endorsement key. I believe the attack is just about extracting keys generated and stored on the TPM. For instance, the CW article refers to the "licensing keys." My impression is that these are keys used by the software to ensure the XBox 360 hasn't been modded. I don't believe you would use the endorsement key in this instance. Unfortunately, none of the articles are clear on this point.

    2. Re:CHALLENGE TO TARNOVSKY by Anonymous Coward · · Score: 0

      But the article makes it sound like he's getting the unencrypted data directly, bypassing the keys entirely....

    3. Re:CHALLENGE TO TARNOVSKY by Anonymous Coward · · Score: 0

      Chips can be seen on Wiki. They are/were legit TPM devices with the active mesh over their top surface.

      All datas from the EEPROM were extracted so the EK is known.

    4. Re:CHALLENGE TO TARNOVSKY by Anonymous Coward · · Score: 0

      I've been reading about this hack for days, but something seems fishy. Some of the earlier reports had him hacking the SLE 66 CL processor chip which is embedded in the TPM, not the TPM itself. This article also describes him as having to work with many copies of the chip to discover its secrets, but it has the chips being inexpensive ones from China. Problem is that Infineon is a German company and I don't think you can get Infineon TPMs cheaply from China. Putting this together, it's not clear to me that he has truly hacked an Infineon TPM. He may have hacked a similar chip and he assumes that the same attack would work on TPM.

      However, there is a way for him to easily prove that he has done what he said. Every Infineon TPM comes with an RSA secret key embedded in it, called the Endorsement Key or EK. This key is designed to be kept secret and never revealed off-chip, not to the computer owner or anyone. And Infineon TPMs also come with an X.509 certificate on the public part of the EK (PUBEK), issued by Infineon. If Tarnovsky has really hacked an Infineon TPM and is able to extract keys, he should be able to extract and publish the private part of the EK (PRIVEK), along with the certificate by Infineon on that key. The mere publication of these two pieces of data (PRIVEK and Infineon-signed X.509 cert on PUBEK) will prove that his claim is true.

      go to youtube and search "blackhat 2010" and there are 8 parts to his talk.

      he has hacked the entire family by playing with the xbox and tpm! e-passports are dead!!!!!

  21. Create a metal chip enclosure? by Anonymous Coward · · Score: 0

    Obviously this works because it's possible to remove the (plastic/something) filling that the chip is made of and expose its circuitry.

    Would it be possible to cover the circuitry with something that is extremely difficult to remove without also damaging the circuitry? I would guess either something that requires any form of mechanical removal (obviously - glass?), or a less conductive metal alloy. If possible, even that a vital piece made of X is covered by material Y, and a vital piece made of Y very very close to it is covered by material X, obviously the bottom layer connected and the top one isolated. Plastic/unconventional semiconductors anyone?

  22. Thank you by Anonymous Coward · · Score: 0

    Thank you, Tarnovsky. Thankovsky.

    1. Re:Thank you by Anonymous Coward · · Score: 0

      What do you think of when you hear the word "sulphur"? The benediction of our lady Margaret? Hydrosulphonic fluoridation of tetramedicine? Or maybe you think of something else entirely. But think again, because sulphur is one of the building blocks of life itself. Alpha, sulphur. Write that down.

  23. This is good news by Anonymous Coward · · Score: 0

    When the computer is trying to protect its owner's secrets, the key should be in the owner's head, not stored in a chip.

    If the owner of the device knows the keys that will decrypt their data, then having physical access should get them everything they want. Defeating TPM shouldn't be a problem, because TPM shouldn't be relied on in the first place. If you're using TPM in this situation, then your system is mis-designed and you needed to fix that even before TPM was defeated.

    That type of scenario aside, the most common use for TPM that people talk about, is where the owner knows what they're supposed to know, but the chip is supposed to still treat them as hostile and not let them access whatever they want. We're talking about DRM. That is not a legitimate case and The World Won't Miss You.

    1. Re:This is good news by Hatta · · Score: 1

      When the computer is trying to protect its owner's secrets, the key should be in the owner's head, not stored in a chip.

      Then attackers would just stick metal probes in your head after stripping it with acid.

      --
      Give me Classic Slashdot or give me death!
  24. hardware security by pizzap · · Score: 1

    Please also note that even if we assume somebody “cracked” the TPM chip (e.g. using an electron microscope, or NSA backdoor), that doesn’t mean this person can automatically get access to the encrypted disk contents. This is not the case, as the TPM is used only for ensuring trusted boot. After cracking the TPM, the attacker would still have to mount an Evil Maid attack in order to obtain the passphrase or key. Without TPM this attack is always possible.

    (http://theinvisiblethings.blogspot.com/2009/10/evil-maid-goes-after-truecrypt.html)

  25. The best part... by Anonymous Coward · · Score: 0

    I wish I could remember which senator was screaming his head off to get these put in all computers as a mandate by the U.S. Federal Government. Just another example of how competent the fed. gov. is and should NOT be trusted to ever tell the populace what they must do!

  26. Once you have physical access to the machine... by ub3r+n3u7r4l1st · · Score: 1

    ANY type of security will become crackable.

    1. Re:Once you have physical access to the machine... by Locke2005 · · Score: 1

      Exactly. What's to keep you from just replacing the TPM chip with another chip that emulates it while logging all important information? Surely that would be a lot easier than "capping" the chip itself! If you've got physical access to the device, you can swap out parts at will, and all bets are off. You don't need to cap every chip you want to spy on, you just need to cap one to reverse engineer how it works. There are Israeli companies that have made a good living doing exactly that for many years now.

      --
      I've abandoned my search for truth; now I'm just looking for some useful delusions.
    2. Re:Once you have physical access to the machine... by FauxReal · · Score: 1

      Exactly. What's to keep you from just replacing the TPM chip with another chip that emulates it while logging all important information? Surely that would be a lot easier than "capping" the chip itself! If you've got physical access to the device, you can swap out parts at will, and all bets are off. You don't need to cap every chip you want to spy on, you just need to cap one to reverse engineer how it works. There are Israeli companies that have made a good living doing exactly that for many years now.

      Wouldn't work because it uses Public Key Encryption... the chip has the private key stored inside of it and any encrypted data sent to your emulated chip would be lost. If your chip can somehow derive the private key and then decrypt the data, well I have one thing to say... SETEC ASTRONOMY

  27. TPM scares me by Anonymous Coward · · Score: 0

    I remember years ago when ThinkPads introduced TPM chips there were engineers rattling off a long list of attacks the chips were not designed to protect against. Yes, someone hacked it (with a needle?!??!?) but it's like having your way with unencrypted and non-identity-protected MS SMB protocols... You can demonstrate it and oooh an audience at Defcon, but everyone who mattered already knew it could be done anyway.

    My problem with the technology is not that it needs to have explosives built into the casing so that when people start sticking pins or put EM probes in the vicinity of the IC it instantly vaporizes. While that would certainly be cool, it's more of a basic question - what is the problem that TPM is trying to solve? Who does TPM protect from what?

    Lets take the full disk encryption scenario for example. If you really care about your data you'll cheerfully input a novel passphrase each and every time the computer boots to gain access without question and make sure the memory is wiped and placed in a secure vault :) when the computer is not under your direct supervision.

    There's too much entropy in the key to make a brute force attack feasible, so you're just as safe as any other way of producing a master encryption key. If your computer is stolen just get another one and plop in a backup disk you've been keeping on the shelf and go on your merry way. The thief gets new hardware and none of your data.

    How does a TPM make this scenario any better? It may make key management and rotation easier and more secure, it may protect components of the hardware from their owners..etc. But when you look at the basic equation if the TPM goes south or the computer dies then your data is now SOL because you can't access it. The management function of TPM is a tradeoff and IMHO not a good -- perhaps its necessary for general purpose use.

    Use of TPM is better than morons using low entropy finger prints to log into their computers but at the end of the day in my view the technology seems to be answering the wrong question anyway.

  28. Nope, wrong... by tjstork · · Score: 1

    Wrong. Real encryption with real key management can be either impossible (OTP) or effectively-impossible (AES) for someone to get around, even if they have physical access to your machin

    You forget that humans are the weakest link. Torture the shit out of someone that knows the password, and you'll be home free.

    --
    This is my sig.
    1. Re:Nope, wrong... by Lord+Ender · · Score: 1

      Coercion is an out-of-scope problem for encryption, actually.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    2. Re:Nope, wrong... by emj · · Score: 1

      Well pouring acid on some poor little chip is a kind of coercion..

    3. Re:Nope, wrong... by dzfoo · · Score: 1

      I would imagine that protecting the chip's outer casing from acid is an out-of-scope problem for encryption, too.

              -dZ.

      --
      Carol vs. Ghost
      ...Can you save Christmas?
    4. Re:Nope, wrong... by shutdown+-p+now · · Score: 1

      You forget that humans are the weakest link. Torture the shit out of someone that knows the password, and you'll be home free.

      Ah, but we can stick the password into a TPM chip, so no human knows it!

      Er... wait...

    5. Re:Nope, wrong... by DMUTPeregrine · · Score: 1

      No, it's just an oft-ignored problem. Some cryptosystems require the use of multiple keys to decrypt the data, thus needing the capture and torture of multiple victims.

      --
      Not a sentence!
  29. Translation: by Theodore · · Score: 1

    The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment."

    Which means there will be a GPU app for it in a week, a device on thinkgeek that also turns off every TV in a tactical area in 2 weeks, and a breakout board from sparkfun in 3 weeks.

    1. Re:Translation: by KarmaMB84 · · Score: 1

      An application that dissolves chip casings with acid, applies rust remover and then probes the chip with a needle?

  30. reproduceable by warchildx · · Score: 1

    After details of the initial hard hack are made public, a circuit can be built to connect a circuit directly to the chip without having to disassemble the chip itself again (this was already done initially). Therefore, ***Buy/build this 10 minute circuit, clip pins 1 and 2 of transistor to chip pins x and z, and output to chip output pin y. Now you are always trusted (bypass this chip essentially).

    1) take Christopher's (from article) data about pinouts of chip, and design circuit to bypass.
    2) sell readykit or circuit plans on intertubes
    3) every script kiddy/foreign government/etc can simply pop the keyboard off a laptop, hook up the circuit, and start hacking away at whatever drive encryption is in use.
    4) Déjà vu *example: Read contents of chip without removing from motherboard* - (http://www.llamma.com/xbox/Repairs/Reading_Xbox_Hdd_key.htm)
    5) Profit!

    1. Re:reproduceable by zelbinion · · Score: 1

      This won't work.

      The purpose of the TPM chip is store a secret key and encrypt/decrypt the data sent to it. In order for your "clip on" chip to work, it would need to know the key inside the TPM. The key inside EACH TPM is different, and the only (known) way to get at that key is the hardware hack that the article describes. If you don't have the key, you can't decrypt data that was already encrypted by the TPM, but you could in theory encrypt new data with a key that you know (because it is in your clip-on chip) and you can then also decrypt this newly encrypted data. However, you can't use it to decrypt data that you stole, because you don't have the key inside the TPM.

      This is a different problem than the XBOX hack. There, MS was distributing the same data to everyone, and all XBOXes had to have the ability to decode it. Once the key was found to do this, all XBOXes could be modded. In this case, the key in each and every device is different. Knowing the key from one device and building a chip to bypass the TPM will only help you on that ONE machine, and any data encrypted on it. You can't replicate this to every machine, and the method for getting the key out of the TPM requires some serious hardware hacking, so you can't just drop a chip into the machine and bypass it.

      The CPU that does the encryption/decryption is on the same die as the TPM, so the key never leaves the chip. That's why you have to hack the chip itself. If I remember correctly, this wasn't the case with the XBOX. The key was transmitted in the clear across the system bus, so it was a relatively simple matter to connect to the bus and read off the key.

      Cracking a TPM is MUCH MUCH harder.

  31. Security through risk by Sockatume · · Score: 2, Informative

    No matter how quick the method gets, having to work with hydrofluoric acid with the target machine means it's a risky procedure, as in "do you like having bones in your fingers?". It's not something you can reduce to a script and rattle out. It's not going to scale well to multiple machines, either.

    That in itself is an argument against obscuring this exploit, of course. No script kiddies were going to suddenly run out and apply this opportunistically, so the risk of releasing it is low to nonexistent. Frankly if you're going to encase the component in epoxy, the possibility of an eavesdropping hack is implicit.

    --
    No kidding!!! What do you say at this point?
    1. Re:Security through risk by betterunixthanunix · · Score: 1

      However, once the internal wiring of the chip is known, this attack will become much easier and require a lot less skill to pull off. Really, once people start to get experience pulling it off, it may come to the point where the time it takes to successfully perform the attack is small enough that the fact that the device is missing may go unnoticed until it is too late (and thus, authentication credentials may be compromised). I see organized crime rings pulling this off, particularly on systems belonging to banks or credit card companies.

      --
      Palm trees and 8
  32. Welcome to the Internet by TyIzaeL · · Score: 1

    It really only needs to be replicated once doesn't it?

  33. When I see "TPM hacked" only one thing comes to me by JudgeFurious · · Score: 2, Funny

    Somebody fixed The Phantom Menace? I'd like to see that.

    --
    Appended to the end of comments you post. 120 chars.
  34. Wait a minute... by Anonymous Coward · · Score: 3, Insightful

    Why don't you have him just sign something with that public key signature rather than divulging the private key to the world?

    Perhaps a signed copy of the Gutenberg Press release of Aesop's fables???

        The Eagle and the Arrow

    An Eagle was soaring through the air when suddenly it heard
    the whizz of an Arrow, and felt itself wounded to death. Slowly
    it fluttered down to the earth, with its life-blood pouring out of
    it. Looking down upon the Arrow with which it had been pierced,
    it found that the shaft of the Arrow had been feathered with one
    of its own plumes. "Alas!" it cried, as it died,

    "We often give our enemies the means for our own destruction."

    1. Re:Wait a minute... by SiliconEntity · · Score: 3, Insightful

      Why don't you have him just sign something with that public key signature rather than divulging the private key to the world?

      You're right, that's a better idea. He can sign something with the EK rather than publishing the private key. It accomplishes the same thing but maybe causes less disruption to the TPM world.

    2. Re:Wait a minute... by Anonymous Coward · · Score: 0

      Divulging even his public key would also cause the key pair to be immediately revoked by the Trusted Computing Group, would it not? That would certainly diminish the accomplishment, if only by changing the story from "TPM hacked" to "TPM hack effective for 24 hours only".

  35. Attack is Out of Scope by rochberg · · Score: 1

    The attack is interesting, but it's actually beyond the scope of what the TPM was designed to do. The TPM is primarily intended to provide three services: 1) hardware root of trust at boot, 2) fast and secure cryptographic operations (including key storage), and 3) remote attestation. This attack focuses on the second service, as it is designed to extract the cryptographic keys that are supposed to be stored securely. Yes, the attack succeeds and it's interesting, but a lot of people are missing the big picture.

    TPMs were never designed to withstand this type of attack. With regard to "secure storage," the goal was to do something better than just storing your keys on an insecure device like a HD. The reason that this notion of security is good enough is that the TPM was also designed to be inexpensive. Would anyone buy a new desktop if the price suddenly jumped up to $10,000 for a Pentium? So the hardware protection is just supposed to provide a reasonable amount of assurance for the average user. If you're looking at highly sensitive environments (e.g., military), you shouldn't be using a TPM. There are cryptographic co-processors out there that have more robust protections against these types of attacks, but they cost a lot more.

    1. Re:Attack is Out of Scope by owlstead · · Score: 1

      Very simply, if 2) is true, then it is not out of scope. Saying that the SLE 66 CE processor was not built for high security is also rather misleading. It certainly was, and it should be able to withstand rather severe attacks. Don't forget that these kinds of chips are also found in smart cards and such. An attack on these kinds of chips may have pretty harsh consequences. Of course, most criminals don't care about these kinds of methods. Simply retrieving a PIN code or password is much easier, e.g. by listening in on the keyboard.

    2. Re:Attack is Out of Scope by Anonymous Coward · · Score: 0

      A TPM is good at providing transparent protection so if a laptop is stolen, the fence who received the laptop from the street crackhead would format it. The data won't be retrievable. If someone is going to spend the money to decap a chip, they will have the resources to attach an IEEE1394 card or some other item that can read from a bus and pull the decryption key for the system volume from RAM when the machine is on.

      What I do on a laptop is use a TPM chip + BitLocker in combination with TrueCrypt and a smart card (Aladdin eToken). I store client projects in individual TC containers, and unmount them when not needed. This way, should an attacker manage to get past the volume encryption, they still won't be able to get access to the TC volumes, especially if I still have the smart card in my possession.

  36. "Hacking"? by rickb928 · · Score: 1

    This is hacking like sawing your front door out from the frame is picking the lock. Yes, they got in.

    Or, perhaps, like coming home from a trip, kicking in your front door in Cambridge, and having the neighbors watch in amusement. With any luck, none of them would call 911 and tell the police that someone is busting into the house next door. Likewise, you will be losing your PC or notebook, but you will have some time to change your network and online passwords etc, if you're paying attention and not bound and gagged in the cave next door. Your hard drive, however, is fair game. Truecrypt means never having to say 'what password'?

    And you'll WISH they were the Cambridge police.

    Of course, if they're serious, you're dead already.

    --
    deleting the extra space after periods so i can stay relevant, yeah.
    1. Re:"Hacking"? by pclminion · · Score: 1

      This is hacking like sawing your front door out from the frame is picking the lock. Yes, they got in.

      Your comparison of an indisputably awesome hard-hack such as this to mindlessly sawing through a door makes me... sad.

    2. Re:"Hacking"? by rickb928 · · Score: 1

      Mindlessly? Around here, they saw out the frame and take the door for themselves.

      They also steal air conditioning units for the copper, but that's just base thievery.

      And yes, an awesome hard-hack. Certainly an order of magnitude or two above my days of scraping epoxy from I-Openers.

      --
      deleting the extra space after periods so i can stay relevant, yeah.
  37. mid-life crisis by MillionthMonkey · · Score: 1

    Statements like "this is why you shouldn't entrust your data to proprietary solutions" make me wonder what I've been doing with my life.

  38. HEY TARNOVSKY by TrisexualPuppy · · Score: 3, Insightful

    I have been researching on this hack for hours upon hours, and something just doesn't add up. Earlier reports were of him cracking the SLE 66 CL which is embedded in the TPM but is NOT the TPM itself. The chips he has been using are cheap ones from China. The issue at hand is that Infineon is a German company, just a little different from your run-of-the-mill Chinese company. When you sum these things up, you can't really surmise that he has in fact cracked the Infineon TPM. So what if he has hacked a similar chip? You can't just go around saying that you have cracked a top-of-the-line Infineon. Every chip is NOT created equally.

    On the flip side, there is an easy way for him to prove me wrong. Every Infineon TPM comes with an Endorsement Key, basically an RSA secret key. The purpose of this key is that it should be kept secret and never realized off the chip, not to software, not to any other board component. Infineon TPMs come with X.509 certificates issued by Infineon. If Tarnovsky has truly hacked this one out, he should be able to extract and publish the private part of the Endorsement Key along with Infineon's certificate on that key. All that he has to do is show that he has these TWO pieces of data.

    But is he up for it?

    1. Re:HEY TARNOVSKY by Khyber · · Score: 1

      "On the flip side, there is an easy way for him to prove me wrong. Every Infineon TPM comes with an Endorsement Key, basically an RSA secret key. The purpose of this key is that it should be kept secret and never realized off the chip, not to software, not to any other board component."

      Without that key how do those other pieces of hardware know they're in the proper system?

      C'mon, there's a basic request/response mechanism that HAS to happen along the line somewhere for identification and verification.

      Man can make it, man can break it. Period. This is the hacker motto.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    2. Re:HEY TARNOVSKY by imess · · Score: 1

      Surprisingly similar to another comment here:
      http://hardware.slashdot.org/comments.pl?sid=1543104&cid=31076056

    3. Re:HEY TARNOVSKY by Anonymous Coward · · Score: 0

      I have seen this post in a few places and discussed it with some colleagues. We had the same suspicions regarding whether or not it was a clone.

    4. Re:HEY TARNOVSKY by Alsee · · Score: 1

      >The purpose of this key is that it should be kept secret and never realized off the chip, not to software, not to any other board component."

      Without that key how do those other pieces of hardware know they're in the proper system? C'mon, there's a basic request/response mechanism that HAS to happen along the line somewhere for identification and verification.

      It's called Public Key Crypto systems. In normal old-style crypto you have a secret key or password to encrypt something, and then you need the same secret key to decrypt it. This uses a different kind of crypto that creates special key-pairs. You use one key to encrypt or sign something, and you use a different key to decrypt it or validate a crypto-signature. This means that you can make one of the keys completely public, only needing to keep the other half of the key-pair secret.

      The Trusted Platform Module is specifically designed to secure the computer against the owner. The technical specification for the chip explicitly refers to the owner as the enemy, as a potential "attacker".

      The way the chip works is that the manufacturer generates these sorts of key-pairs, one half is the public half. The chip freely hands over that public half to the owner or anyone else. You can literally publish that public key on the front page of the New York Times. The other half of the key-pair is the private key, and the chip is explicitly forbidden to ever let you know or control the private key locked inside the chip. The way the chip works is very complicated with multiple layers of encryption, but I will simplify it down as if it were a single layer. What happens is that the public key is given out to other people and they can encrypt stuff with that key, then they can send you the encrypted data and YOU can't read it or alter it because your private key is locked inside the chip. This encrypted data is then handed to the Trust chip which uses the secret private key to decrypt it, inside the chip, explicitly to deny you access or control over your own computer. The point of this is so that other people can send keys or files or other data to your computer while denying you the ability to see or alter any of it. It's like SuperDRM communication so other people can talk to your computer, specifically to be secure against you the owner. Note that one of the typical secret messages they send into the chip is additional crypto keys, so that the chip can use those new keys to encrypt OUTGOING messages from your computer, specifically to prevent you from knowing what messages are being sent out of your computer, specifically to prevent you from altering the data being sent out of your computer, specifically to prevent you from controlling the data being sent out to other people.

      The Trust chip also uses the secret key to encrypt files saved on your hard drive, so that you cannot read or modify your own files. The technical term for this is "Sealed" data. You cannot read or modify sealed files. The Trust chip refuses to decrypt Sealed files, except for specifically approved unmodified software. So these are like SuperDRM files and they cannot be read except by specifically approved SuperDRM software. Again the entire point is to secure the computer against the owner.

      One of the primary functions of the chip is something called "Remote Attestation". The Trust chip acts as a spy, logging your hardware and precisely tracking the software you run on your computer and various data on your computer. The Trust chip uses the secret key to cryptographically sign this spy report so it can be sent out over the internet. Other people can then use the public half of the key to validate this spy report. And again the entire point of this is to secure the computer against the owner - to be able to send out secure SuperDRM spy reports from your computer while preventing you, the owner, from having any ability to modify or otherwise control these Trust spy reports. The point of the public key is for other people to be able to be able

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
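A toy model, added here and not taken from the thread, from Infineon or from the TCG, of the three properties argued about above: the PCR extend chain that a remote verifier replays (Alsee's attestation report, rochberg's services 1 and 3), data sealed to a PCR state that the chip refuses to unseal after a modified boot (Alsee's "Sealed" data), and a second chip with its own internal secret failing to unseal the first chip's data (zelbinion's point about the clip-on emulator). The extend rule is TPM 1.2's SHA-1 one; the `ToyTPM` class, its HMAC/SHA-256 sealing scheme and the sample boot chains are stand-ins constructed for this example.

```python
"""Toy model of TPM 1.2 PCR extension, sealed storage and log replay.
Illustrative code written for this page, not a vendor's. The sealing scheme
(HMAC-derived key, SHA-256 keystream) stands in for the TPM's RSA-based seal."""
import hashlib
import hmac
import os

PCR_LEN = 20  # TPM 1.2 PCRs hold SHA-1 digests


def extend(pcr, measurement):
    """PCR_new = SHA1(PCR_old || SHA1(measurement)). A PCR can only be
    extended, never written, so later software cannot erase earlier records."""
    return hashlib.sha1(pcr + hashlib.sha1(measurement).digest()).digest()


def replay_log(event_log):
    """What a remote verifier does with an attestation: recompute the PCR from
    the reported event log and compare it with the quoted PCR value."""
    pcr = bytes(PCR_LEN)
    for measurement in event_log:
        pcr = extend(pcr, measurement)
    return pcr


def _keystream(key, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class ToyTPM:
    """One chip, one device secret that never leaves the chip."""

    def __init__(self, device_secret=None):
        # Hypothetical stand-in for the per-chip root key the real TPM
        # generates internally and never exports.
        self._secret = device_secret or os.urandom(32)
        self.pcr = bytes(PCR_LEN)

    def reset(self):
        self.pcr = bytes(PCR_LEN)  # PCRs return to zero on a power cycle

    def measure(self, component):
        self.pcr = extend(self.pcr, component)

    def _seal_key(self, pcr_value):
        # Depends on BOTH the chip secret and the PCR state: neither another
        # chip nor another boot chain can reproduce it.
        return hmac.new(self._secret, b"seal|" + pcr_value, hashlib.sha256).digest()

    def seal(self, data, expected_pcr):
        key = self._seal_key(expected_pcr)
        ct = bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))
        return ct + hmac.new(key, ct, hashlib.sha256).digest()

    def unseal(self, blob):
        """Plaintext, or None when the current PCR (or the chip) is not the
        one the data was sealed to: the chip refuses rather than leaking."""
        ct, tag = blob[:-32], blob[-32:]
        key = self._seal_key(self.pcr)
        if not hmac.compare_digest(tag, hmac.new(key, ct, hashlib.sha256).digest()):
            return None
        return bytes(a ^ b for a, b in zip(ct, _keystream(key, len(ct))))


# Constructed sample boot chains (not real firmware hashes).
GOOD_BOOT = [b"BIOS v1.0", b"bootloader 2.3", b"kernel 2.6.32"]
TAMPERED_BOOT = [b"BIOS v1.0", b"bootloader 2.3 (patched)", b"kernel 2.6.32"]
SECRET = b"disk-encryption-key"


def demo():
    genuine = ToyTPM()
    for c in GOOD_BOOT:
        genuine.measure(c)
    blob = genuine.seal(SECRET, genuine.pcr)
    results = {"good_boot_unseals": genuine.unseal(blob) == SECRET}

    # Same chip, rebooted with a modified bootloader: PCR differs, unseal refuses.
    genuine.reset()
    for c in TAMPERED_BOOT:
        genuine.measure(c)
    results["tampered_boot_unseals"] = genuine.unseal(blob) is not None

    # A "clip-on" emulator with its own secret, booting the approved chain,
    # still cannot unseal data the genuine chip sealed.
    emulator = ToyTPM()
    for c in GOOD_BOOT:
        emulator.measure(c)
    results["other_chip_unseals"] = emulator.unseal(blob) is not None

    # Remote verifier: replaying the reported log must reproduce the PCR.
    results["log_matches_pcr"] = replay_log(GOOD_BOOT) == emulator.pcr
    return results
```

Running `demo()` shows the sealed key coming back only on the genuine chip after the approved boot chain, and a verifier detecting the patched bootloader purely from the PCR value, without needing to trust the owner.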
    5. Re:HEY TARNOVSKY by Anonymous Coward · · Score: 0

      Similar but not the same. Are you trolling for karma or something? It's annoying.

    6. Re:HEY TARNOVSKY by Anonymous Coward · · Score: 0

      He cracked the SLB9635TT12 as seen on the Wiki page image.

      I was listening and saw the presentation. It is most surely for real. Seems reporters got the CL part from the e-passports which means "contact-less" version of SLE66 family.

      From what I gathered, the CL family is doomed too because it is still an SLE66 member.

      I have no doubt he could tell us this EK you mention but this might violate the DMCA if he did.

      I do not believe we are his target audience. It is more likely Infineon and M$.

    7. Re:HEY TARNOVSKY by BLKMGK · · Score: 1

      You started off okay then WOW you took a hard right on the expressway offramp and into the bushes. TPM is designed to detect changes to specific protected operating system files so that the owner knows that they haven't been tampered with. SuperDRM spy reports? :-O That's some mighty fine tinfoil you have there...

      --
      Build it, Drive it, Improve it! Hybridz.org
    8. Re:HEY TARNOVSKY by Alsee · · Score: 4, Informative

      TPM is designed to detect changes to specific protected operating system files so that the owner knows that they haven't been tampered with. SuperDRM spy reports? :-O That's some mighty fine tinfoil you have there...

      How well do you understand the Remote Attestation system? If you have any doubts about what I said I will gladly explain it to you, and cite the documentation to back it up if you like. I just need some clue how much of it you already understand and how technical (or non-technical) you want the explanation to be. I am a programmer and I have studied the entire 332 page technical specification for the TPM chip, and studied all of the other technical info I've been able to find. I have an extensive and very technical understanding of the chip and how it operates with software, and I have a less detailed picture of the Trusted Computing infrastructure they are building around the chip.

      Yes, the TPM is capable of telling the owner whether anything has been tampered with. But saying that is like saying telephones are an in-home intercom. Yes, two phones on the same line in your home do act like an intercom, but that wildly misses the designed functionality of telephones.

      Remote Attestation is designed to be able to securely report to ANYONE exactly what BIOS/Bootloader/OperatingSystem/other-software is running on your computer. And when I say "securely report" what is on your computer, I mean that this report is specifically designed to be secure against the owner. You can control whether your computer answers requests for this Remote Attestation report, but you the owner are unable to control or alter the contents of this report. The TPM will not permit you to alter the contents of the report, and the TPM cryptographically signs the report it sends. An unsigned Attestation is invalid, and any attempt to modify the TPM's signed attestation invalidates it.

      So when I called it a "SuperDRM spy report" perhaps I was overly casual and colorful with the language, but it was essentially correct. The TPM is designed to keep a secure log of your system - and this log is specifically kept secure against "tampering" by the owner, and the contents of this log are specifically intended to be sent REMOTELY - meaning to other people over the internet, and again the TPM cryptographically secures this report against "tampering" by the computer owner. It's all logged and secured in a "Super DRM secure against the owner" manner, and it's the chip's "spy" log of what it has watched on your computer. You can look at it to verify that your system files haven't been tampered with, but it also enables other people to check that your system hasn't been "tampered with", and that specifically includes verifying that YOU have not "tampered" with anything.

      And after validating what BIOS you have and that you haven't tampered with it, and after validating what operating system you have and that you haven't tampered with that, and after validating exactly what program you are running and that you haven't tampered with that, the chip enables that validated program to securely add anything and everything it wants as additional information in that Remote Attestation.

      It's easiest to illustrate it with a DRM example, because that is precisely what it is tailored to. Say you want to watch Hollywood movies on your computer. You connect over the internet to the MPAA's movie servers. They ask for a Remote Attestation. They examine that Attestation to verify that you have an approved BIOS and that you haven't tampered with it, and that you have an approved operating system and that you haven't tampered with it, and that you have an approved video card and approved video drivers and that you haven't tampered with them. (And of course all along the way "approved" means software that won't violate their DRM.) And then they verify what program you are running right now - they check that you are running their own DRM-enforcing video player. And of course Remote Attestation is validating that

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
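The Remote Attestation exchange described in the comment above, written out as an added example; this is not code from the original post, from the TPM specification or from any vendor. It assumes a hypothetical simplified chip (`attestTPM`) with one PCR and one RSA attestation key whose private half is generated inside the chip, SHA-256 in place of the TPM 1.2's SHA-1, and PKCS#1 v1.5 signatures in place of the spec's quote structure. The verifier (the "movie server" in the comment) supplies a nonce, checks the signature, and compares the reported PCR against values it computed for the stacks it approves; the owner can decline to answer, but cannot change what the chip signs, and editing the report afterwards breaks the signature.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// pcrExtend: a PCR can only be extended, never set, so software can add to the log
// but cannot erase what ran before it.
func pcrExtend(pcr [32]byte, component []byte) [32]byte {
	m := sha256.Sum256(component)
	h := sha256.New()
	h.Write(pcr[:])
	h.Write(m[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Quote is the signed report the remote verifier receives.
type Quote struct {
	Nonce []byte
	PCR   [32]byte
	Sig   []byte
}

// attestTPM is a hypothetical simplified chip: one PCR and one attestation signing
// key whose private half never leaves the chip.
type attestTPM struct {
	aik *rsa.PrivateKey
	pcr [32]byte
}

func newAttestTPM() *attestTPM {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return &attestTPM{aik: k}
}

func (c *attestTPM) Public() *rsa.PublicKey { return &c.aik.PublicKey }

// Boot measures each stage (BIOS, bootloader, OS ...) into the PCR from reset.
func (c *attestTPM) Boot(stages ...[]byte) {
	c.pcr = [32]byte{}
	for _, s := range stages {
		c.pcr = pcrExtend(c.pcr, s)
	}
}

// quoteDigest binds the verifier's nonce (freshness) to the PCR value (state).
func quoteDigest(nonce []byte, pcr [32]byte) []byte {
	h := sha256.New()
	h.Write(nonce)
	h.Write(pcr[:])
	return h.Sum(nil)
}

// Quote answers an attestation request. The owner may refuse to call it, but cannot
// choose what it signs: the PCR value comes from the chip, not from the caller.
func (c *attestTPM) Quote(nonce []byte) Quote {
	sig, err := rsa.SignPKCS1v15(rand.Reader, c.aik, crypto.SHA256, quoteDigest(nonce, c.pcr))
	if err != nil {
		panic(err)
	}
	return Quote{Nonce: nonce, PCR: c.pcr, Sig: sig}
}

// ExpectedPCR is what the verifier computes for a software stack it has approved.
func ExpectedPCR(stages ...[]byte) [32]byte {
	var pcr [32]byte
	for _, s := range stages {
		pcr = pcrExtend(pcr, s)
	}
	return pcr
}

// Verifier is the remote party; it knows the chip's public attestation key and a
// list of golden PCR values for the BIOS/bootloader/OS combinations it accepts.
type Verifier struct {
	AIK      *rsa.PublicKey
	Approved map[[32]byte]string
}

var (
	ErrReplay  = errors.New("nonce mismatch: stale or replayed quote")
	ErrSig     = errors.New("bad signature: quote altered or not produced by the chip")
	ErrUnknown = errors.New("PCR value not on the approved list")
)

func (v *Verifier) Check(nonce []byte, q Quote) (string, error) {
	if !bytes.Equal(nonce, q.Nonce) {
		return "", ErrReplay
	}
	if err := rsa.VerifyPKCS1v15(v.AIK, crypto.SHA256, quoteDigest(q.Nonce, q.PCR), q.Sig); err != nil {
		return "", ErrSig
	}
	name, ok := v.Approved[q.PCR]
	if !ok {
		return "", ErrUnknown
	}
	return name, nil
}

func main() {
	// constructed stage images; a real chip hashes the actual firmware and OS bytes
	bios, loader, kernel := []byte("bios-1.0"), []byte("grub-1.98"), []byte("kernel-2.6.32")
	chip := newAttestTPM()
	v := &Verifier{AIK: chip.Public(), Approved: map[[32]byte]string{ExpectedPCR(bios, loader, kernel): "approved stack"}}
	nonce := []byte("verifier-nonce-0001") // constructed; a real verifier draws this at random per request

	chip.Boot(bios, loader, kernel)
	fmt.Println(v.Check(nonce, chip.Quote(nonce))) // approved stack <nil>

	chip.Boot(bios, loader, []byte("kernel-2.6.32-owner-patched"))
	q := chip.Quote(nonce)
	fmt.Println(v.Check(nonce, q)) // PCR value not on the approved list
	q.PCR = ExpectedPCR(bios, loader, kernel) // owner edits the report to claim the approved state
	fmt.Println(v.Check(nonce, q)) // bad signature
}
```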
    9. Re:HEY TARNOVSKY by Anonymous Coward · · Score: 0

      If that was all it was for, you would have no problem buying computers with the TPM private key included in a sealed paper envelope. You can't. There's no other way for the owner of the computer to determine the private key than to pry open the chip and use sophisticated electronics to read the key. Why is that, then, except to protect the system from the owner of the computer?

    10. Re:HEY TARNOVSKY by SiliconEntity · · Score: 1

      If it all sounds TinfoilHat-ish, that's because the system really is that Orwellian.

      Let me make a couple of arguments against this:

      1. The TPM can also be used for non-Orwellian purposes. For example playing an online game and making sure nobody has cheat mods loaded. This could even be a P2P game if anybody was interested in that any more. Or how about online poker or blackjack. How do you know the dealer's not cheating? He could use a TPM protected system and other players could verify that his software is fair. Another example, imagine a P2P Ebay. The seller could run the auction and everybody could send in their maximum bid. But the seller uses TPM so bidders know he can't see what their max bids are, and cheat them. No third party, no commissions.

      I know it's hard to believe, but there are actually many situations in life where it is to your advantage to be able to commit yourself not to break the rules. That is really what a contract is, if you think about it. Contracts are a way to get the other guy to believe you will keep your word (and vice versa). It is to your advantage to be able to commit yourself in this way.

      Trusted Computing delivers the same capability in the realm of software and data. You can convince the other side that you will follow certain rules, the rules embodied in the software. Believe it or not, this can actually be to your advantage. And if it's not, you can tell the other guy to take off.

      2. TCPA didn't have to do it like this. If all they wanted was DRM, they could have gone ahead and made a centralized system that works the way (almost) everybody thinks Trusted Computing and TPM works: "it will only run signed code". How many times have I heard that over the years. Hundreds. And it's wrong every time. But they could have done it like that, made a system that lets Big Business trust your computer because it controls it. They could have made it so you couldn't run a hacked movie player or logging video driver. This would have accomplished the DRM goals.

      But they didn't. They came up with a general purpose system for Trusted Computing that provides just that: a way for people to trust EACH OTHER'S computing. Anyone can use it, for any purpose. Any code can run. It's just that you can't lie about what is running.

      Ironically of course the one system that does provide all the horror of what everyone was afraid of is the iPhone, which also happens to be enormously more successful than TPM. For all the fear about it, TPM has never been used in any single application for DRM. All it has been used for is protecting your own crypto keys. But for years everyone has been "Oh teh Orwell" about TPM, while meanwhile Apple is fat and happy signing every iPhone app before it lets it go out.

    11. Re:HEY TARNOVSKY by SiliconEntity · · Score: 1

      He cracked the SLB9635TT12 as seen on the Wiki page image.

      Thanks, that is helpful, but where is this Wiki page? I looked at the BlackHat session links and right now there are just some slides that are very generic and don't mention any parts. The video and audio is not up yet.

      I have no doubt he could tell us this EK you mention but this might violate the DMCA if he did.

      I wouldn't think so, but even so he could instead sign a message with the EK and get the same effect, as suggested above.

  39. Obligatory XKCD cartoon by dzfoo · · Score: 2, Insightful

    Security: http://xkcd.com/538/

            -dZ.

    --
    Carol vs. Ghost
    ...Can you save Christmas?
    1. Re:Obligatory XKCD cartoon by Anonymous Coward · · Score: 0

      Please, don't feel obliged in future. We're sick of that comic.

    2. Re:Obligatory XKCD cartoon by Anonymous Coward · · Score: 0

      It really is like this, but only few people ever realize.

      This is especially true for 'plausible deniability'. You typically won't need this feature when dealing with people that respect the laws and your civil rights. Anyone else would simply beat the shit out of you, until you confess whatever they want to hear.

  40. Xbox jailbreak? by tomtomtom · · Score: 1

    The article (briefly) mentions that the Xbox uses the vulnerable Infineon TPMs. I wonder if this hack will make it any easier to find the Xbox 360's CPU key and thus make it easier to jailbreak a fully patched console?

    1. Re:Xbox jailbreak? by KillShill · · Score: 1

      Breaking out of jail implies that you, the owner of the device, are doing something illegal and/or immoral.

      Call it what it really is... removing the DRM.

      Those chips belong to you and you have the right to access them, reprogram them, make them do what you want.

      --
      Science : Proprietary , Knowledge : Open Source
  41. Thanks for confirming my suspicion by l0l0_ph0r3v3r · · Score: 1

    "There are Israeli companies that have made a good living doing exactly that for many years now." Thank you for confirming the existence of the Jew World Order.

  42. Meh by Anonymous Coward · · Score: 1, Informative

    I used to go by the name BoyHowdy when I was hacking DTV, I made a small circuit that used 3 hcttl chips to glitch the H cards that were killed on Black Sunday. I can say that this guy is for real, arrogant or not.

  43. MODERATORS!!!!!!! by Anonymous Coward · · Score: 0

    -=Mod=- -=Parent=- -=UP=-

  44. mod parent up!!! by Anonymous Coward · · Score: 0

    mod parent up

  45. what the hell? by RJBeery · · Score: 2, Insightful
    This looks like TriSexualPuppy and SiliconEntity enjoying a game of MadLibs...

    http://hardware.slashdot.org/comments.pl?sid=1543104&cid=31076056

    I have been researching on this hack for hours upon hours, and something just doesn't add up. Earlier reports were of him cracking the SLE 66 CL which is embedded in the TPM but is NOT the TPM itself. The chips he has been using are cheap ones from China. The issue at hand is that Infineon is a German company, just a little different from your run-of-the-mill Chinese company. When you sum these things up, you can't really surmise that he has in fact cracked the Infineon TPM. So what if he has hacked a similar chip? You can't just go around saying that you have cracked a top-of-the-line Infineon. Every chip is NOT created equally. On the flip side, there is an easy way for him to prove me wrong. Every Infineon TPM comes with an Endorsement Key, basically an RSA secret key. The purpose of this key is that it should be kept secret and never revealed off the chip, not to software, not to any other board component. Infineon TPMs come with X.509 certificates issued by Infineon. If Tarnovsky has truly hacked this one out, he should be able to extract and publish the private part of the Endorsement Key along with Infineon's certificate on that key. All that he has to do is show that he has these TWO pieces of data. But is he up for it?

    VS

    http://hardware.slashdot.org/comments.pl?sid=1543104&cid=31077696

    I've been reading about this hack for days, but something seems fishy. Some of the earlier reports [computerworld.com] had him hacking the SLE 66 CL processor chip which is embedded in the TPM, not the TPM itself. This article also describes him as having to work with many copies of the chip to discover its secrets, but it has the chips being inexpensive ones from China. Problem is that Infineon is a German company and I don't think you can get Infineon TPMs cheaply from China. Putting this together, it's not clear to me that he has truly hacked an Infineon TPM. He may have hacked a similar chip and he assumes that the same attack would work on TPM. However, there is a way for him to easily prove that he has done what he said. Every Infineon TPM comes with an RSA secret key embedded in it, called the Endorsement Key or EK. This key is designed to be kept secret and never revealed off-chip, not to the computer owner or anyone. And Infineon TPMs also come with an X.509 certificate on the public part of the EK (PUBEK), issued by Infineon. If Tarnovsky has really hacked an Infineon TPM and is able to extract keys, he should be able to extract and publish the private part of the EK (PRIVEK), along with the certificate by Infineon on that key. The mere publication of these two pieces of data (PRIVEK and Infineon-signed X.509 cert on PUBEK) will prove that his claim is true.

    $100 says that this is damage control from Infineon by challenging Tarnovsky to something that they know, for whatever reason, he is unable to accomplish?
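The proof the two quoted comments ask for (publish PRIVEK plus the manufacturer's certificate on PUBEK) and the alternative suggested further up the thread (demonstrate use of the key instead of publishing it) both rest on the same two checks, shown here as an added example that is not code from the original posts, from Infineon or from the TPM specification. The manufacturer CA, the chip, the names and the certificate contents are all hypothetical stand-ins for a vendor's real EK PKI. Because a TPM 1.2 Endorsement Key is a decryption key rather than a signing key, the possession proof here decrypts a challenge encrypted to the certified public key; a genuine extracted PRIVEK answers it without ever being published, and a key that merely looks similar does not.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Manufacturer stands in for the vendor CA that certifies each chip's public EK at the
// factory (hypothetical names; not any vendor's real PKI).
type Manufacturer struct {
	Cert *x509.Certificate
	key  *rsa.PrivateKey
}

func NewManufacturer() *Manufacturer {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example TPM Manufacturer CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &Manufacturer{Cert: cert, key: key}
}

// Chip holds the EK. In a real TPM the private half is created or injected at
// manufacture and is not readable through any command; only a hardware attack exposes it.
type Chip struct {
	EKCert *x509.Certificate
	ek     *rsa.PrivateKey
}

// Provision creates a chip and has the manufacturer certify its public EK.
func (m *Manufacturer) Provision(serial int64) *Chip {
	ek, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: fmt.Sprintf("TPM Endorsement Key %d", serial)},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageKeyEncipherment,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, m.Cert, &ek.PublicKey, m.key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &Chip{EKCert: cert, ek: ek}
}

// VerifyEKCert is the first check: does this public key carry the manufacturer's signature?
func VerifyEKCert(ekCert, root *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := ekCert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Challenge encrypts a fresh secret to the certified EK; only the private EK recovers it.
func Challenge(ekCert *x509.Certificate) (secret, ciphertext []byte) {
	pub, ok := ekCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		panic("certified EK is not an RSA key")
	}
	secret = make([]byte, 32)
	if _, err := rand.Read(secret); err != nil {
		panic(err)
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, secret, nil)
	if err != nil {
		panic(err)
	}
	return secret, ct
}

// Respond is the chip, or anyone holding an extracted PRIVEK, answering the challenge.
func Respond(ek *rsa.PrivateKey, ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, ek, ciphertext, nil)
}

// ProvePossession is the second check: the claimant never reveals the key, only its use.
func ProvePossession(ekCert, root *x509.Certificate, respond func([]byte) ([]byte, error)) error {
	if err := VerifyEKCert(ekCert, root); err != nil {
		return err
	}
	secret, ct := Challenge(ekCert)
	got, err := respond(ct)
	if err != nil || !bytes.Equal(got, secret) {
		return errors.New("challenge not answered: no access to the certified private EK")
	}
	return nil
}

func main() {
	m := NewManufacturer()
	chip, other := m.Provision(1001), m.Provision(1002)
	fmt.Println(ProvePossession(chip.EKCert, m.Cert, func(ct []byte) ([]byte, error) { return Respond(chip.ek, ct) }))
	fmt.Println(ProvePossession(chip.EKCert, m.Cert, func(ct []byte) ([]byte, error) { return Respond(other.ek, ct) }))
}
```

The first call in `main` succeeds and the second fails: a key from a different chip, even one certified by the same manufacturer, cannot answer a challenge encrypted to this chip's certified public EK.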

    1. Re:what the hell? by Anonymous Coward · · Score: 0

      Notice also how SiliconEntity is playing down Alsee's well researched points about the Orwellian potential of TPM infrastructure. Ok, up to now TPM hasn't amounted to much, but it's getting to the point where the chip is on every computer currently in use, and rolling out TPM-based internet access is starting to become feasible. If they succeed in making "trusted" internet access a reality, you can say goodbye to the internet as we know it. No longer will it be the hardest medium on Earth for the police to control -- it will be the easiest.

  46. Re:Maybe it's time to rethink "digital everything" by Khashishi · · Score: 1

    No, we need to switch over to using Johnny Mnemonics to carry our sensitive data.

  47. Physical Access? by CherniyVolk · · Score: 1

    Even in my earliest days, physical access to a box meant, my box. So to speak.

    I'm not surprised that this system has been cracked. With sufficient knowledge of a system, with reasonable tools and physical access to a system, that system is likely to be compromised, plain and simple. This is a hardware hack, and I'm always fascinated with hardware hacks, bare metal hacks seem really cool; but I don't think they are "near impossible".

    I applaud his hardware hack, but in light of the expectation of "near impossible", I'll be moving on to the next article.

  48. You only need TPM for the evil one of those by jonaskoelker · · Score: 1

    TPMs are designed for three things: 1) establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first), 2) provide lightweight, secure and fast cryptographic operations (so you don't have to do something stupid like store a cryptographic key in plaintext on your HD), and 3) allow remote attestation of a computer's software stack.

    (1) You can have a root of trust for your boot sector rather easily without a TPM: have the BIOS store a hash of the boot sector; have it warn the user when it changes (pre-boot), and have the boot sector update program tell the user the new hash so he can compare it against what the BIOS says whenever it changes.

    (2) fast crypto just requires a hardware implementation of DES/AES/RSA/.... Secure private key storage if you are root---just encrypt your private key with a password and chmod go-r it. For non-root users, you lose: root can always read all of your files and kmem anyway.

    (3) Remote attestation is fine, until youtube will only send you videos if you attest to run Windows XX which won't let you store the videos. At that point, your choice isn't just "secure or not", it's "youtube or freedom to control my own computer". Pile NYT, disney.com and a few other highly desirable (to some) websites, and the norm will become computers that their owners aren't in control of. At least that's something to fear.

    Yes, there are applications of TPMs for DRM, but that is a side effect and not a primary factor.

    Yeah, your legs might fall off. Don't worry, that's a side effect and not a primary factor.

    No, sorry. I don't want no (steenkeeng) DRM. I'll trust that the secret keys I store on my machines are kept secret from not-me, and use that for remote attestation (via ssh).

  49. Re:When I see "TPM hacked" only one thing comes to by PReDiToR · · Score: 2, Informative

    You're on Slashdot, so you probably already know this.

    Others might not so I'll post this linky and mention that it IS available on several torrent sites (and so is part 2).

    Show them to your kids before they get to see the crap one that Lucas messed up.

    --

    Do not meddle in the affairs of geeks for they are subtle and quick to anger
  50. Time taken is no problem by Anonymous Coward · · Score: 0

    Time taken is no problem. Safes in a bank must be cracked before the bank is opened else you are caught because the safe is still in the bank.

    Laptops are rather more portable.

    PS, since this guy is in the real world, surely their statement is bollocks.

    And for quanticle, if the most important layer of security is the physical, then why do you need the less important TPM? Your laptop is secured well enough by having software encryption on it.

  51. TPM, X360, E-PASSPORT are all hacked now by Anonymous Coward · · Score: 0

    To clarify-

    Youtube search for "blackhat 2010" and watch his 8-part videos; they posted everything.

    This chip covers:

    Xbox360
    TPM
    E-PASSPORTS -------- this is the one everyone should care about.

    Medical cards
    Conditional access (think sat tv)

    and the list goes on!

    he didn't need to crack open any computers, he bought the parts on tape-n-reel from hkinventory.com

    regards