Slashdot Mirror


Hardware TPM Hacked

BiggerIsBetter writes "Christopher Tarnovsky has pulled off the 'near impossible' TPM hardware hack. We all knew it was only a matter of time; this is why you shouldn't entrust your data to proprietary solutions. From the article: 'The technique can also be used to tap text messages and email belonging to the user of a lost or stolen phone. Tarnovsky said he can't be sure, however, whether his attack would work on TPM chips made by companies other than Infineon. Infineon said it knew this type of attack was possible when it was testing its chips. But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users. ... The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment."'"

47 of 327 comments

  1. surprise surprise by Anonymous Coward · · Score: 5, Insightful

    'near impossible'

    Shouldn't that be 'near inevitable'?

    Infineon said it knew this type of attack was possible when it was testing its chips.

    Did they mention this in their marketing and when selling the TPM FUD to governments and companies?

    "exceedingly difficult to replicate in a real-world environment."

    Meaning only powerful criminal organizations, companies and governments can probably gather the required resources and people with the expertise to pull it off? Out of 6.8 billion people, how many have the resources to do this? 1000? 10,000? What about in 5 years? At what point will they admit it's flawed? Probably when TPM2 is fully patented and ready.

    1. Re:surprise surprise by Bacon+Bits · · Score: 4, Interesting

      You didn't even read the article, did you? This was a hardhack.

      Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.

      Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.

      The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory.

      It also amuses me that TFS makes the point of blaming "proprietary" solutions. Exactly how would this attack have been prevented by using open source?

      --
      The road to tyranny has always been paved with claims of necessity.
    2. Re:surprise surprise by crossmr · · Score: 4, Funny

      I had a similar thought when I read that part of the summary:

      How about you do something crazy and carry on to the actual article (I know.. I forgot where I was)

      The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer.....Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.

      Two words: script kiddies.

      You tell me how you're going to pack acid and rust remover into a downloadable tool and I'll worry.

    3. Re:surprise surprise by sim82 · · Score: 2, Insightful

      Well, now that he knows which chemicals to use and which wires to tap, it should take considerably less than 6 months to do it again. Basically the security of this TPM seems to be mainly based on obscurity (in this case complicated hardware).

    4. Re:surprise surprise by mini+me · · Score: 2, Insightful

      The makers of the chip said that they knew of the problem. An open chip maker would also be aware of the problem, but they would make the problem known. This would allow people using the chip to determine if the pros outweigh the cons of the vulnerability.

    5. Re:surprise surprise by Jeremy+Erwin · · Score: 3, Insightful

      'near impossible'. Shouldn't that be 'near inevitable'?

      No. Consider a strongbox. The best strongboxes, or safes are rated to withstand X minutes of attacking with Y Tools, with the idea being that within those X minutes, the security guards or the police will have responded and arrested the guy patiently drilling holes in the wall. Even though safes have been successfully manipulated, drilled, pried, lanced, or detonated, manufacturers still design strongboxes to thwart burglars, changing locks, adding glass discs, experimenting with new alloys, new shapes, and so on. Inevitably, some thieves will figure out a way to thwart these safeguards, and design begins anew.

      It's not as if the burglars have won, and burglary safes are a quaint anachronism.

      The TPM should give administrators time to disable credentials in the case of a stolen laptop. But "secret forever" was and probably shall ever remain a pipe dream.

    6. Re:surprise surprise by hclewk · · Score: 4, Informative

      It. Can't. Be. Automated.

    7. Re:surprise surprise by blackraven14250 · · Score: 3, Insightful

      You didn't answer the question. It was "Exactly how would this attack have been prevented". Nice sidestep, though.

    8. Re:surprise surprise by chill · · Score: 3, Insightful

      This is called "tamper resistance" and is a common technique used in physical security. People who use this stuff professionally know this is how it works and factor it accordingly. No one with any competence in the field assumes the perfect security of a system. ALL systems are vulnerable depending on the time, money and effort expended to compromise them. Tamper resistance has the sole purpose of driving those factors up.

      See: Tamper Resistance

      Most of the people who have information valuable enough to warrant this type of time-effort-money expenditure aren't relying solely on TPM for their security. Things like multi-factor authentication and independent encryption come into play as well.

      --
      Learning HOW to think is more important than learning WHAT to think.
    9. Re:surprise surprise by Gyorg_Lavode · · Score: 4, Insightful

      I've listened to his talks before, and this is what he does. He's incredibly good at bypassing chip security and reading out the data on the chips. The question though is do you have to do that every time, or did he find a bug in the code on the chip that could potentially be exploited externally. The article is a bit vague on that. All it really says is he was able to tap the chip bus. It doesn't comment on the impact of him doing so other than it compromises the whole chip.

      --
      I do security
    10. Re:surprise surprise by IamTheRealMike · · Score: 4, Insightful

      Gah. This whole conversation is retarded.

      1. The TPM is an open solution. The chip's behavior is determined by open standards and there are multiple competing vendors of these chips.
      2. The fact that you can mount sophisticated silicon attacks on a TPM is not a "flaw" because nobody knows how to make completely impenetrable chips. The TPM does what it was designed to do - provide a good level of security for very low cost. If you lose your laptop and it uses a TPM based product, chances are really great that the thieves won't get data out of it. That is not the same thing as "completely invulnerable to SEMs" and nobody ever claimed it was.
    11. Re:surprise surprise by plover · · Score: 2, Informative

      The algorithms ARE known. It's just that dissolving the chip package in hydrofluoric acid and inserting logic probes into the chip itself is far easier than breaking those algorithms.

      He used the attack to retrieve a specific key from a specific chip, not as a general algorithm or protocol attack on the TPM platform.

      --
      John
    12. Re:surprise surprise by DarkOx · · Score: 3, Interesting

      Right, but outside the fire safes you get at the home center, most safes and strongboxes are designed such that they are difficult to remove from the site. They may be very heavy, requiring equipment to move, fastened from the inside, etc. In the case of laptops and phones, virtually any situation in which this sort of attack will be used is one where the unit's whereabouts are not known to the owner, which makes it pretty hard to respond to. The big selling point on TPM was that if your device goes missing it's a brick to whomever finds it; this sorta makes that untrue.

      Yes, you make your laptop useless to the typical thief, but as far as corporate espionage, government records leaking, etc., this makes TPM a pretty poor defense. Yes, I realize it's supposed to be one line of defense, but when things like the keys to your disk encryption are stored there, those remaining lines are not much of a hurdle.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    13. Re:surprise surprise by Anonymous Coward · · Score: 3, Insightful

      No, you fucking fail. You're just too much a pussy to admit it, so you're trying to cover up your arrogant bullshit with this garbage. Kill yourself.

    14. Re:surprise surprise by Zerth · · Score: 2, Insightful

      And after he does it a second time and realizes, for example, the first half of the keys are identical or the odd and even bits fulfill a certain function, then a brute force software solution becomes trivial.

  2. Re:tpm? by Lord+Ender · · Score: 4, Informative

    To encrypt something, you must have a 20-character password minimum to get 128-bit key strength. Nobody likes typing 20 characters, so TPM was invented. TPM stores your key on a separate chip. This chip only coughs up the key if you enter a short password to authenticate yourself to the chip.

    The chip uses rate-limiting boot-delays to prevent brute-forcing of the password.

    So the only way to get the key is to break the chip apart and look at the hardware somehow. The chips are usually encased in epoxy to make this hard to do. It's never been done before. Now it has... but it's still hard work.

    TPM chips come on all business laptops these days, though few businesses make use of them. And they're still better than telling your users to memorize 20 char passwords (which they would just write down).

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  3. Yeah, this is going to be a major problem... by Admiralbumblebee · · Score: 4, Insightful

    FTA "Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle."

    If the attacker has this much physical access to your system/data then you've lost LONG before the TPM chip failed.

    1. Re:Yeah, this is going to be a major problem... by Jeng · · Score: 3, Insightful

      If the attacker has this much physical access to your system/data then you've lost LONG before the TPM chip failed.

      Yes, such as if the computer was stolen. I don't know much about TPM, but I would hazard a guess that one of the selling points would be to keep information secure even if the computer it is in gets stolen.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    2. Re:Yeah, this is going to be a major problem... by Jeng · · Score: 2, Funny

      LSD doesn't work that way, otherwise the CIA would still be using it.

      Knowing that the password tastes like fuchsia does not help.

      --
      Don't know something? Look it up. Still don't know? Then ask.
  4. Re:Am I getting old? by jfengel · · Score: 2, Funny

    Yes, it means you're getting old. On the plus side, your memory appears to be in great shape.

  5. Re:"high-skill" by PhilHibbs · · Score: 4, Insightful

    Not sure what you mean. But yes, this does require a high skill level - we don't know how many TPM chips this guy trashed before getting it to work on one, or what his success rate would be on the next one. If he gets a laptop full of Chinese secrets and is asked to crack the TPM chip, he might well fry it on the first attempt, and you don't get second attempts on this kind of thing. It's not the kind of exploit that can be scripted and downloaded by any kiddie.

  6. Re:Difficult? by trampel · · Score: 2

    I somehow doubt that somebody will implement software to open the device package and depassivate the chip to probe internal signals.

    In essence, what he seems to have done is open the chip to extract the keys (or data that allowed computing the keys).

  7. Re:When will they learn by noidentity · · Score: 5, Insightful

    I don't really call any hack that requires "physical access" to be a genuine danger. If someone has physical access to your box you've got greater worries.

    Yes, but remember that TPM is about keeping you out of your own computer, so those who would like to do so are worried about this.

  8. Solution is quite obvious by funkman · · Score: 3, Funny

    Since using the technique involves reverse engineering the chip, this is a clear violation of the DMCA. So just find your local attorney and prosecute.

    Problem solved. Nothing to see here move along. Thanks for playing. :)

  9. Step 1 - decap the chip without killing it by sillivalley · · Score: 4, Insightful

    While decapping chips is done all the time in failure analysis labs, it isn't easy, and it's even harder if you're trying not to damage the chip (or yourself) in the process.

    Decapping usually involves concentrated nitric and/or sulfuric acids. Temperature control is important. You want to carefully dissolve the plastic without destroying the lead frame and/or the bonding wires going from the lead frame to the die. You also want to complete this process without losing any fingers or your eyesight -- highly concentrated acids. Rinse carefully with deionized water and test to make sure the chip is still functional.

    Now you can feed the chip to your electron beam probe, FIB mill, or just take pretty pictures.

    Not the kind of thing you're going to do in your kitchen!

    1. Re:Step 1 - decap the chip without killing it by Physics+Dude · · Score: 2, Funny

      Not the kind of thing you're going to do in your kitchen!

      What!? You obviously have never seen my kitchen. ;)

  10. Re:Difficult? by jpmorgan · · Score: 2, Insightful

    And you'd think posters would try reading the article before sounding smarmy and dismissing the abilities of others. Funny that.

    Given that the first step of the "attack" is physically dissolving the chip's outer packaging in an acid bath... I'm guessing this won't be showing up in script-kiddie toolchains any time soon.

  11. CHALLENGE TO TARNOVSKY by SiliconEntity · · Score: 4, Insightful

    I've been reading about this hack for days, but something seems fishy. Some of the earlier reports had him hacking the SLE 66 CL processor chip which is embedded in the TPM, not the TPM itself. This article also describes him as having to work with many copies of the chip to discover its secrets, but it has the chips being inexpensive ones from China. Problem is that Infineon is a German company and I don't think you can get Infineon TPMs cheaply from China. Putting this together, it's not clear to me that he has truly hacked an Infineon TPM. He may have hacked a similar chip and he assumes that the same attack would work on TPM.

    However, there is a way for him to easily prove that he has done what he said. Every Infineon TPM comes with an RSA secret key embedded in it, called the Endorsement Key or EK. This key is designed to be kept secret and never revealed off-chip, not to the computer owner or anyone. And Infineon TPMs also come with an X.509 certificate on the public part of the EK (PUBEK), issued by Infineon. If Tarnovsky has really hacked an Infineon TPM and is able to extract keys, he should be able to extract and publish the private part of the EK (PRIVEK), along with the certificate by Infineon on that key. The mere publication of these two pieces of data (PRIVEK and Infineon-signed X.509 cert on PUBEK) will prove that his claim is true.

    1. Re:CHALLENGE TO TARNOVSKY by rochberg · · Score: 3, Interesting

      I've seen this article in a few places (see also here) and discussed it with some colleagues (one of whom was a consultant on the design of the TPM). We had the same suspicions regarding whether or not it was an Infineon TPM or a clone.

      Regarding the key question, I don't think he has actually been able to extract the endorsement key. I believe the attack is just about extracting keys generated and stored on the TPM. For instance, the CW article refers to the "licensing keys." My impression is that these are keys used by the software to ensure the XBox 360 hasn't been modded. I don't believe you would use the endorsement key in this instance. Unfortunately, none of the articles are clear on this point.

  12. Re:Does anyone know if this leads to a soft-hack by SomeJoel · · Score: 2, Insightful

    Given that the first step in the hack is removing the chip and dissolving its outer casing in acid, I'm guessing this isn't likely to admit a purely software exploit.

    In other words, RTFA.

    What the GP was asking is that now that this has been broken once, does the data obtained from said break-in provide enough information to devise a software solution?

    For instance, if the data obtained indicated that passwords always resolve to a relatively small subset of hashes, then brute force attacks would have a much faster time of it. But hey, way to play the RTFA card without understanding the question.

    --
    <Complete your profile by adding a signature!>
  13. Re:When will they learn by noidentity · · Score: 2, Interesting

    Obviously a mod who doesn't understand TPM. Or maybe he picked up on the (entirely appropriate) negative undertone of my message, directed at those who want to lock you out of your own computer.

  14. Re:Does anyone know if this leads to a soft-hack by zelbinion · · Score: 4, Insightful

    Actually, most likely the keys stored inside the chip's non-volatile memory are probably encrypted, just to prevent that sort of attack.

    I worked with similar technology in a previous job. When Tarnovsky said "This chip is mean, man - it's like a ticking time bomb if you don't do something right,"

    My guess is he wasn't kidding. These sorts of chips have all sorts of countermeasures to make this sort of attack difficult. The algorithms built into the circuits on the chip are designed to make eavesdropping hard. You can send different commands to the chip, and ask it to decode different amounts of data, but it will intentionally insert randomness into the time and number of operations to do the work to prevent you from gleaning information about what is going on inside the chip. I'm sure there are circuits that do nothing other than generate spurious electrical impulses so that trying to sense what the chip is doing remotely won't work. The only way to even attempt an attack like this is to do what Tarnovsky did, and strip off the packaging. Assuming you didn't just destroy it, even then you aren't home free. I'm sure there are other safeguards built into the chips. Oh, did the voltage drop just now across that one circuit? That's probably an attack – the chip just deleted the keys you were trying to recover and is now useless. Did that operation take too long because someone hooked up their own custom circuit in an attempt to decode what was going on? Yeah, that's out too. Bye bye, secret keys. Interrupt the power to the key storage area for a nanosecond while you try to connect your probe? I'm sorry, you're done. Did you just read the data out of the protected storage out of sequence? Well, not only is that data encrypted (and therefore useless), the chip detected it, and intentionally burned out a small inaccessible fuse buried inside the chip and bricked itself. You're done. Did you just inject an internal command with your probe that wasn't expected? Yep, you just blew another fuse. Go home.

    You have to connect your probes in exactly the right place, in exactly the right way, and not disturb the electrical properties of the circuit you tapped into to prevent the chip from knowing that you are there and triggering a counter-measure.

    I don’t know which counter measures the TPM modules from Infineon implement, but if they are current with the sort of technology out there, this hack was really really super damn hard.

    Sure, with enough time, money, skill, patience, and physical access to the machine, anything can eventually be broken. The idea of the TPM was to make it expensive enough to hack that the average thief won’t bother. If you are relying on a TPM only to protect secrets on a mobile device (which can be stolen and then hacked by a well funded company or government) you either deserve what you got, or you’ve made way too many well funded and motivated enemies.

  15. Security through risk by Sockatume · · Score: 2, Informative

    No matter how quick the method gets, having to work with hydrofluoric acid with the target machine means it's a risky procedure, as in "do you like having bones in your fingers?". It's not something you can reduce to a script and rattle out. It's not going to scale well to multiple machines, either.

    That in itself is an argument against obscuring this exploit, of course. No script kiddies were going to suddenly run out and apply this opportunistically, so the risk of releasing it is low to nonexistent. Frankly if you're going to encase the component in epoxy, the possibility of an eavesdropping hack is implicit.

    --
    No kidding!!! What do you say at this point?
  16. Re:tpm? by JesseMcDonald · · Score: 2, Informative

    If you're going to use a passphrase then you'll need much more than 20 characters to get 128 bits of entropy:

    Considering that the entropy of written English is less than 1.1 bits per character, pass phrases can be relatively weak. NIST has estimated that the 23 character pass phrase "IamtheCapitanofthePina4" contains a 45 bit-strength.... Using this guideline, to achieve the 80 bit-strength recommended for high security (non-military) by NIST, a passphrase would need to be 58 characters long, assuming a composition that includes uppercase and alphanumeric. (Wikipedia)

    To get 128 bits of entropy would require about 20 words. I don't know about you, but to me it seems that 20 non-obvious words would be about as hard to remember as 20 random characters, while being much less convenient to type.

    --
    "The state is that great fiction by which everyone tries to live at the expense of everyone else." - Bastiat
  17. Re:When will they learn by rochberg · · Score: 4, Insightful

    [...] remember that TPM is about keeping you out of your own computer[...]

    Um, no. TPMs are designed for three things: 1) establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first), 2) provide lightweight, secure and fast cryptographic operations (so you don't have to do something stupid like store a cryptographic key in plaintext on your HD), and 3) allow remote attestation of a computer's software stack (i.e., verifying the integrity of the OS and other pieces of software...very useful for distributed systems).

    Yes, there are applications of TPMs for DRM, but that is a side effect and not a primary factor. Furthermore, in the case of general purpose computers (which does not include gaming platforms like the Xbox), the TPM best practices make it very clear that the TPM should only be activated with the user's explicit knowledge and consent. I.e., it is the owner of the hardware who decides if the TPM will be used, not the software vendors. Of course, hardware vendors are not obliged to follow the best practices, but that's not the fault of TCG.

  18. When I see "TPM hacked" only one thing comes to me by JudgeFurious · · Score: 2, Funny

    Somebody fixed The Phantom Menace? I'd like to see that.

    --
    Appended to the end of comments you post. 120 chars.
  19. Re:Obligatory XKCD by Simetrical · · Score: 2, Insightful

    http://xkcd.com/538/

    If the data is valuable enough to steal a computer and try to hack the TPM chip using acid and needles, then it's valuable enough to threaten the person with the password to divulge it.

    Do you think China would be willing to steal a laptop with US state secrets on it? Definitely. Would they be willing to kidnap and torture the military officer or NSA employee who knows the password? Not a chance – that's an act of war.

    (And no one but a foreign government would put this much effort into retrieving data from a computer. Anything short of state secrets is not worth the effort.)

    --
    MediaWiki developer, Total War Center sysadmin
  20. Wait a minute... by Anonymous Coward · · Score: 3, Insightful

    Why don't you have him just sign something with that public key signature rather than divulging the private key to the world?

    Perhaps a signed copy of the Gutenberg Press release of Aesop's fables???

        The Eagle and the Arrow

    An Eagle was soaring through the air when suddenly it heard
    the whizz of an Arrow, and felt itself wounded to death. Slowly
    it fluttered down to the earth, with its life-blood pouring out of
    it. Looking down upon the Arrow with which it had been pierced,
    it found that the shaft of the Arrow had been feathered with one
    of its own plumes. "Alas!" it cried, as it died,

    "We often give our enemies the means for our own destruction."

    1. Re:Wait a minute... by SiliconEntity · · Score: 3, Insightful

      Why don't you have him just sign something with that public key signature rather than divulging the private key to the world?

      You're right, that's a better idea. He can sign something with the EK rather than publishing the private key. It accomplishes the same thing but maybe causes less disruption to the TPM world.
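The proof of possession SiliconEntity and the parent comment describe, as an added example that is not code from the thread, from Infineon or from the TCG: the verifier issues a fresh nonce, the party claiming to hold PRIVEK signs it, and the verifier checks the signature against the PUBEK carried in the vendor-issued EK certificate, so nothing secret is published. The vendor CA, the EK pair and both certificates are generated inside the program as constructed stand-ins; because an extracted key is ordinary RSA key material, this works regardless of what operations the chip itself would permit on the EK.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert signs tmpl with signer and returns the parsed certificate; parent == tmpl self-signs.
func mkCert(tmpl, parent *x509.Certificate, pub *rsa.PublicKey, signer *rsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewVendorCA builds a self-signed CA standing in for the manufacturer CA
// that certifies EKs. Constructed for this example, not Infineon's real CA.
func NewVendorCA() (*rsa.PrivateKey, *x509.Certificate, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example TPM Vendor CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	cert, err := mkCert(tmpl, tmpl, &key.PublicKey, key)
	return key, cert, err
}

// IssueEKCert certifies PUBEK under the vendor CA, as the vendor does at manufacture.
func IssueEKCert(caKey *rsa.PrivateKey, caCert *x509.Certificate, pubek *rsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "TPM Endorsement Key (constructed)"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return mkCert(tmpl, caCert, pubek, caKey)
}

// NewEK generates an RSA pair standing in for the chip's EK (PUBEK/PRIVEK).
func NewEK() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// Challenge is the verifier's fresh nonce; reusing one would let a recorded response be replayed.
func Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	_, err := rand.Read(nonce)
	return nonce, err
}

// Respond is the prover's side: sign the nonce with the claimed PRIVEK. An
// extracted key is no longer bound by the chip's usage rules, so plain RSA code suffices.
func Respond(privek *rsa.PrivateKey, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(nonce)
	return rsa.SignPSS(rand.Reader, privek, crypto.SHA256, digest[:], nil)
}

// VerifyPossession accepts only if the EK certificate was issued by the vendor CA
// and the signature over the verifier's own nonce checks under the certified PUBEK.
func VerifyPossession(ekCert, caCert *x509.Certificate, nonce, sig []byte) error {
	if err := ekCert.CheckSignatureFrom(caCert); err != nil {
		return fmt.Errorf("EK certificate not issued by vendor CA: %w", err)
	}
	pubek, ok := ekCert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("EK certificate does not carry an RSA key")
	}
	digest := sha256.Sum256(nonce)
	if err := rsa.VerifyPSS(pubek, crypto.SHA256, digest[:], sig, nil); err != nil {
		return fmt.Errorf("signature does not match certified PUBEK: %w", err)
	}
	return nil
}

func main() {
	caKey, caCert, _ := NewVendorCA()
	ek, _ := NewEK()
	ekCert, _ := IssueEKCert(caKey, caCert, &ek.PublicKey)
	nonce, _ := Challenge()
	sig, _ := Respond(ek, nonce)
	fmt.Println("genuine PRIVEK:", VerifyPossession(ekCert, caCert, nonce, sig))
	other, _ := NewEK() // a key that merely claims to be the EK
	sig, _ = Respond(other, nonce)
	fmt.Println("other key, same cert:", VerifyPossession(ekCert, caCert, nonce, sig))
}
```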

  21. HEY TARNOVSKY by TrisexualPuppy · · Score: 3, Insightful

    I have been researching on this hack for hours upon hours, and something just doesn't add up. Earlier reports were of him cracking the SLE 66 CL which is embedded in the TPM but is NOT the TPM itself. The chips he has been using are cheap ones from China. The issue at hand is that Infineon is a German company, just a little different from your run-of-the-mill Chinese company. When you sum these things up, you can't really surmise that he has in fact cracked the Infineon TPM. So what if he has hacked a similar chip? You can't just go around saying that you have cracked a top-of-the-line Infineon. Every chip is NOT created equally.

    On the flip side, there is an easy way for him to prove me wrong. Every Infineon TPM comes with an Endorsement Key, basically an RSA secret key. The purpose of this key is that it should be kept secret and never realized off the chip, not to software, not to any other board component. Infineon TPMs come with X.509 certificates issued by Infineon. If Tarnovsky has truly hacked this one out, he should be able to extract and publish the private part of the Endorsement Key along with Infineon's certificate on that key. All that he has to do is show that he has these TWO pieces of data.

    But is he up for it?

    1. Re:HEY TARNOVSKY by Alsee · · Score: 4, Informative

      TPM is designed to detect changes to specific protected operating system files so that the owner knows that they haven't been tampered with. SuperDRM spy reports? :-O That's some mighty fine tinfoil you have there...

      How well do you understand the Remote Attestation system? If you have any doubts about what I said I will gladly explain it to you, and cite the documentation to back it up if you like. I just need some clue how much of it you already understand and how technical (or non-technical) you want the explanation to be. I am a programmer and I have studied the entire 332 page technical specification for the TPM chip, and studied all of the other technical info I've been able to find. I have an extensive and very technical understanding of the chip and how it operates with software, and I have a less detailed picture of the Trusted Computing infrastructure they are building around the chip.

      Yes, the TPM is capable of telling the owner whether anything has been tampered with. But saying that is like saying telephones are an in-home intercom. Yes, two phones on the same line in your home do act like an intercom, but that wildly misses the designed functionality of telephones.

      Remote Attestation is designed to be able to securely report to ANYONE exactly what BIOS/Bootloader/OperatingSystem/other-software is running on your computer. And when I say "securely report" what is on your computer, I mean that this report is specifically designed to be secure against the owner. You can control whether your computer answers requests for this Remote Attestation report, but you the owner are unable to control or alter the contents of this report. The TPM will not permit you to alter the contents of the report, and the TPM cryptographically signs the report it sends. An unsigned Attestation is invalid, and any attempt to modify the TPM's signed attestation invalidates it.

      So when I called it a "SuperDRM spy report" perhaps I was overly casual and colorful with the language, but it was essentially correct. The TPM is designed to keep a secure log of your system, and this log is specifically kept secure against "tampering" by the owner, and the contents of this log are specifically intended to be sent REMOTELY, meaning to other people over the internet, and again the TPM cryptographically secures this report against "tampering" by the computer owner. It's all logged and secured in a "Super DRM secure against the owner" manner, and it's the chip's "spy" log of what it has watched on your computer. You can look at it to verify that your system files haven't been tampered with, but it also enables other people to check that your system hasn't been "tampered with", and that specifically includes verifying that YOU have not "tampered" with anything.

      And after validating what BIOS you have and that you haven't tampered with it, and after validating what operating system you have and that you haven't tampered with that, and after validating exactly what program you are running and that you haven't tampered with that, the chip enables that validated program to securely add anything and everything it wants as additional information in that Remote Attestation.

      It's easiest to illustrate it with a DRM example, because that is precisely what it is tailored to. Say you want to watch Hollywood movies on your computer. You connect over the internet to the MPAA's movie servers. They ask for a Remote Attestation. They examine that Attestation to verify that you have an approved BIOS and that you haven't tampered with it, and that you have an approved operating system and that you haven't tampered with it, and that you have an approved video card and approved video drivers and that you haven't tampered with them. (And of course all along the way "approved" means software that won't violate their DRM.) And then they verify what program you are running right now - they check that you are running their own DRM-enforcing video player. And of course Remote Attestation is validating that

      --
      - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
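The measured-boot log and remote-attestation flow the comment above describes, modelled as an added example (not code from the TPM specification, from any vendor, or from the poster). The PCR extend rule follows the TPM 1.2 SHA-1 chaining convention; the quote signature is an HMAC whose key lives only inside the toy chip object, standing in for a real chip's Attestation Identity Key, and the verifier is assumed to know that key. Everything else (measurements, nonces, PCR indices) is constructed sample data.

```python
"""Constructed model of TPM 1.2-style measured boot plus remote attestation.
Added illustration only: HMAC with a key held inside ToyTPM stands in for the
chip's Attestation Identity Key signature (an assumption for a stdlib-only demo).
"""
import hashlib
import hmac
import os

PCR_COUNT = 24
ZERO_PCR = b"\x00" * 20  # SHA-1-sized registers, all zero after reset


def extend(pcr_value: bytes, measurement: bytes) -> bytes:
    """TPM_Extend: new PCR = SHA-1(old PCR || SHA-1(measurement))."""
    return hashlib.sha1(pcr_value + hashlib.sha1(measurement).digest()).digest()


def golden_pcrs(measurements) -> dict:
    """Verifier-side expected PCR values, computed from the approved measurements."""
    pcrs = {}
    for index, _label, data in measurements:
        pcrs[index] = extend(pcrs.get(index, ZERO_PCR), data)
    return pcrs


class ToyTPM:
    """Registers can only be extended, never written; the quote key never leaves."""

    def __init__(self, aik_secret: bytes):
        self._aik = aik_secret
        self.pcrs = [ZERO_PCR] * PCR_COUNT
        self.event_log = []  # (index, label, data); kept by software, not the chip

    def measure(self, index: int, label: str, data: bytes) -> None:
        self.pcrs[index] = extend(self.pcrs[index], data)
        self.event_log.append((index, label, data))

    def quote(self, indices, nonce: bytes) -> dict:
        """Sign the selected PCRs together with the verifier's nonce."""
        values = [self.pcrs[i] for i in indices]
        sig = hmac.new(self._aik, nonce + b"".join(values), hashlib.sha256).digest()
        return {"indices": list(indices), "values": values, "nonce": nonce, "sig": sig}


def verify_quote(quote: dict, aik_secret: bytes, nonce: bytes, event_log, expected: dict) -> bool:
    """Remote party: check freshness and signature, replay the log, compare to golden values."""
    if not hmac.compare_digest(quote["nonce"], nonce):
        return False  # stale or replayed quote
    msg = quote["nonce"] + b"".join(quote["values"])
    if not hmac.compare_digest(hmac.new(aik_secret, msg, hashlib.sha256).digest(), quote["sig"]):
        return False
    replayed = {i: ZERO_PCR for i in quote["indices"]}
    for index, _label, data in event_log:  # the log is untrusted; the signed PCRs are not
        if index in replayed:
            replayed[index] = extend(replayed[index], data)
    if any(replayed[i] != v for i, v in zip(quote["indices"], quote["values"])):
        return False  # the log does not reproduce what the chip signed
    return all(replayed[i] == v for i, v in expected.items())


APPROVED_BOOT = [  # constructed sample measurements
    (0, "BIOS", b"bios-v1"),
    (4, "bootloader", b"grub-2.0"),
    (8, "kernel", b"vmlinuz-2.6"),
]
AIK = b"constructed-aik-secret"  # assumption: the verifier knows the quote key


def attest(kernel: bytes = b"vmlinuz-2.6", log_override=None, verifier_nonce=None) -> bool:
    """Boot a toy machine, then attest it to a verifier holding the golden values."""
    tpm = ToyTPM(AIK)
    for index, label, data in APPROVED_BOOT:
        tpm.measure(index, label, kernel if label == "kernel" else data)
    nonce = os.urandom(16)
    quote = tpm.quote([0, 4, 8], nonce)
    log = tpm.event_log if log_override is None else log_override
    return verify_quote(quote, AIK, verifier_nonce or nonce, log, golden_pcrs(APPROVED_BOOT))


def attest_modified_kernel() -> bool:
    return attest(kernel=b"vmlinuz-patched")  # honest log, unapproved kernel: False


def attest_edited_log() -> bool:
    # The owner swaps the log back to the approved entries; the signed PCR still disagrees.
    return attest(kernel=b"vmlinuz-patched", log_override=APPROVED_BOOT)  # False
```

`attest()` returns True for the approved stack; the two failure helpers show why the owner cannot "fix" the report from software: the log can be edited, but the PCR values the chip signed cannot, and a quote for an old nonce is rejected as a replay.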
  22. Obligatory XKCD cartoon by dzfoo · · Score: 2, Insightful

    Security: http://xkcd.com/538/

            -dZ.

    --
    Carol vs. Ghost
    ...Can you save Christmas?
  23. Re:When will they learn by Cassini2 · · Score: 2, Interesting

    No, you were right the first time.

    Originally, TPM intended to let you know that your computer is working in the "trusted manner." Usually, the "trusted manner" would be defined either by the corporate IT department; or by a generic secure profile from Microsoft if you are a typical home user; or by yourself if you are a skilled programmer/systems administrator.

    The DRM people saw this technology and said: "This will be the best DRM ever."

    The practical problem is that you can only trust one of:
    a) your own configuration,
    b) your corporate IT department,
    c) the vendor of some big software system that needs protection (like AutoDesk for example),
    d) your operating systems vendor (Microsoft),
    e) Sony's DRM approved configuration,
    f) Universal Music's DRM approved configuration,
    ... and so on, listing every major big DRM company in the market.
    Fundamentally, you can only trust one vendor. One proprietary vendor will never trust another, and none of them will trust either you or your corporate IT department. Theoretically, the DRM vendors could form an alliance, through the likes of Macrovision. However, who would trust such an alliance? Even a neutral party, like the U.S. government, has been suggested and repeatedly vetoed as "the master of all trust."

    Who do you want to trust? Who controls all the secrets on your computer?

  24. what the hell? by RJBeery · · Score: 2, Insightful
    This looks like TriSexualPuppy and SiliconEntity enjoying a game of MadLibs...

    http://hardware.slashdot.org/comments.pl?sid=1543104&cid=31076056

    I have been researching on this hack for hours upon hours, and something just doesn't add up. Earlier reports were of him cracking the SLE 66 CL which is embedded in the TPM but is NOT the TPM itself. The chips he has been using are cheap ones from China. The issue at hand is that Infineon is a German company, just a little different from your run-of-the-mill Chinese company. When you sum these things up, you can't really surmise that he has in fact cracked the Infineon TPM. So what if he has hacked a similar chip? You can't just go around saying that you have cracked a top-of-the-line Infineon. Every chip is NOT created equally. On the flip side, there is an easy way for him to prove me wrong. Every Infineon TPM comes with an Endorsement Key, basically an RSA secret key. The purpose of this key is that it should be kept secret and never realized off the chip, not to software, not to any other board component. Infineon TPMs come with X.509 certificates issued by Infineon. If Tarnovsky has truly hacked this one out, he should be able to extract and publish the private part of the Endorsement Key along with Infineon's certificate on that key. All that he has to do is show that he has these TWO pieces of data. But is he up for it?

    VS

    http://hardware.slashdot.org/comments.pl?sid=1543104&cid=31077696

    I've been reading about this hack for days, but something seems fishy. Some of the earlier reports [computerworld.com] had him hacking the SLE 66 CL processor chip which is embedded in the TPM, not the TPM itself. This article also describes him as having to work with many copies of the chip to discover its secrets, but it has the chips being inexpensive ones from China. Problem is that Infineon is a German company and I don't think you can get Infineon TPMs cheaply from China. Putting this together, it's not clear to me that he has truly hacked an Infineon TPM. He may have hacked a similar chip and he assumes that the same attack would work on TPM. However, there is a way for him to easily prove that he has done what he said. Every Infineon TPM comes with an RSA secret key embedded in it, called the Endorsement Key or EK. This key is designed to be kept secret and never revealed off-chip, not to the computer owner or anyone. And Infineon TPMs also come with an X.509 certificate on the public part of the EK (PUBEK), issued by Infineon. If Tarnovsky has really hacked an Infineon TPM and is able to extract keys, he should be able to extract and publish the private part of the EK (PRIVEK), along with the certificate by Infineon on that key. The mere publication of these two pieces of data (PRIVEK and Infineon-signed X.509 cert on PUBEK) will prove that his claim is true.

    $100 says that this is damage control from Infineon by challenging Tarnovsky to something that they know, for whatever reason, he is unable to accomplish?
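The proof both quoted posts ask for, checked mechanically, as an added example that is not part of the original thread and not Infineon's format: toy RSA keys built from known Mersenne primes, a dict standing in for the X.509 certificate on the public EK, and a toy issuer key standing in for the vendor CA are all assumptions. The check is that the certificate verifies under the issuer and that the claimed private exponent inverts the certified public exponent on the same modulus.

```python
"""Constructed check: does a published private key belong to the public key
in a vendor-signed certificate? Toy-sized RSA, added illustration only."""
import hashlib

E = 65537  # public exponent


def make_keypair(p: int, q: int) -> tuple:
    """RSA from two primes; returns ((n, e), (n, d))."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


def _hash_to_int(msg: bytes, n: int) -> int:
    # Toy "padding": reduce the digest modulo n so the RSA input is below n.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n


def sign(priv: tuple, msg: bytes) -> int:
    n, d = priv
    return pow(_hash_to_int(msg, n), d, n)


def verify(pub: tuple, msg: bytes, sig: int) -> bool:
    n, e = pub
    return pow(sig, e, n) == _hash_to_int(msg, n)


def _cert_body(subject: str, pub: tuple) -> bytes:
    return f"{subject}|{pub[0]}|{pub[1]}".encode()


def issue_cert(issuer_priv: tuple, subject_pub: tuple, subject: str) -> dict:
    """Issuer binds a subject name to a public key (the role of the EK certificate)."""
    return {"subject": subject, "pub": subject_pub,
            "sig": sign(issuer_priv, _cert_body(subject, subject_pub))}


def cert_is_valid(cert: dict, issuer_pub: tuple) -> bool:
    return verify(issuer_pub, _cert_body(cert["subject"], cert["pub"]), cert["sig"])


def private_matches_cert(claimed_priv: tuple, cert: dict, issuer_pub: tuple) -> bool:
    """Both pieces of evidence, checked together: the certificate must verify under
    the issuer, and the claimed d must invert the certified e on the same modulus."""
    if not cert_is_valid(cert, issuer_pub):
        return False  # unsigned or altered certificate
    n, e = cert["pub"]
    claimed_n, d = claimed_priv
    if claimed_n != n:
        return False  # a key for some other chip proves nothing about this one
    # Round-trip a few probe values; a wrong d fails with overwhelming probability.
    return all(pow(pow(m, d, n), e, n) == m for m in (2, 3, 12345, n - 2))


# Constructed keys from Mersenne primes 2^31-1, 2^61-1, 2^89-1, 2^107-1.
M31, M61, M89, M107 = (1 << 31) - 1, (1 << 61) - 1, (1 << 89) - 1, (1 << 107) - 1
ISSUER_PUB, ISSUER_PRIV = make_keypair(M89, M107)  # stand-in for the vendor CA
EK_PUB, EK_PRIV = make_keypair(M31, M61)  # stand-in for one chip's Endorsement Key
EK_CERT = issue_cert(ISSUER_PRIV, EK_PUB, "toy-tpm-serial-0001")
OTHER_PUB, OTHER_PRIV = make_keypair(M61, M89)  # a different chip's key


def demo() -> dict:
    """Outcomes for the genuine key, another chip's key, a wrong d, and a tampered cert."""
    forged = dict(EK_CERT, subject="toy-tpm-serial-0002")
    return {
        "genuine": private_matches_cert(EK_PRIV, EK_CERT, ISSUER_PUB),
        "other_chip": private_matches_cert(OTHER_PRIV, EK_CERT, ISSUER_PUB),
        "wrong_d": private_matches_cert((EK_PUB[0], EK_PRIV[1] + 1), EK_CERT, ISSUER_PUB),
        "forged_cert": private_matches_cert(EK_PRIV, forged, ISSUER_PUB),
    }
```

Only the genuine pair passes; the modulus comparison is what stops a key from a "similar chip" being passed off as the certified one, and the issuer check is what ties that modulus back to the vendor.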

  25. Re:Does anyone know if this leads to a soft-hack by mlts · · Score: 2, Interesting

    My question:

    Would a mass produced chip that is on a lot of business PC motherboards, and which is stated to have little to no physical resistance to attack have all this? TPMs are not that expensive, so I'm sure they would not have near the physical anti-tamper technology that a CAC, a smart card, an IBM crypto PCI card, much less a 3U HP HSM would have.

  26. Re:When will they learn by Alsee · · Score: 2, Interesting

    That's like denying the purpose of teflon coated bullets is penetrating kevlar vests.
    It would be ludicrous in the extreme for someone to say teflon coated bullets are for deer hunting.

    The primary design criterion for TPMs is to secure computers against their owners. The TPM technical specification explicitly refers to the owner as an attacker and mandates "security" against "attacks" from the owner. The overriding design criterion throughout the specification is denying the owner access to his own master key, the Private Endorsement Key.

    Let's go over your denial, point by point:

    Um, no. TPMs are designed for three things: 1) establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first)

    The mere knowledge of my key does not alter my computer's function. The mere fact that I know my key does not diminish my computer's capability to "establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first)".

    The sole purpose of forbidding the owner to know his own master key is to attempt to secure the computer against the owner, to establish a "hardware root of trust" against the owner.

    2) provide lightweight, secure and fast cryptographic operations

    Let's break that into three pieces.

    Lightweight.
    Yes. And not merely lightweight, the design criterion is explicitly for TPMs to be dirt cheap so they can be included at negligible cost in all computers and other consumer electronics, included by default. And in accordance with that cost criterion they are deliberately designed to have minimalistic power and capabilities. Which directly leads into the next point:

    fast cryptographic operations
    Absolutely NOT! It is completely laughable when people try to justify TPMs as any sort of "cryptographic co-processor". The "lightweight" design constraints for these chips are such that a single cryptographic operation is permitted to take a half second or more. Performing cryptographic operations on a PC's main CPU will typically be a hundred times faster than using a Trust chip to do it.

    secure
    Yeah, "secure". As I said the specification explicitly mandates the chip be secure against the owner.

    A normal bullet does not require a teflon coating, and normal security does not require securing the chip against the owner.

    (so you don't have to do something stupid like store a cryptographic key in plaintext on your HD)

    You're citing deer hunting.
    When we're talking about "what teflon coated bullets are for", and you answer "deer hunting", I don't know whether you're insulting my intelligence or if you just don't get it, or what's going on. You are NOT going to find teflon on a bullet if it were actually intended and designed for deer hunting. You do not need teflon to hunt deer, and you don't need to secure a computer against the owner for "so you don't have to do something stupid like store a cryptographic key in plaintext on your HD". A normal pro-owner chip can do that. An owner can know his master key, and you can do that.

    3) allow remote attestation of a computer's software stack (i.e., verifying the integrity of the OS and other pieces of software...very useful for distributed systems).

    Again, the mere knowledge of my key does not diminish my computer's ability to give me remote attestation verifying the integrity of the OS and other pieces of software.

    And again, the purpose of this chip, the design criteria and the design purpose and the primary function of TPM remote attestation is to verify the "integrity" of the computer against the owner.

    ANTI-OWNER "security" is not security.

    there are applications of TPMs for DRM, but that is a side effect and not a primary factor.

    That's exactly backwards. The central design criterion of the TPM specification is that the owner is forbidden to know or co

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
  27. Re:When I see "TPM hacked" only one thing comes to by PReDiToR · · Score: 2, Informative

    You're on Slashdot, so you probably already know this.

    Others might not so I'll post this linky and mention that it IS available on several torrent sites (and so is part 2).

    Show them to your kids before they get to see the crap one that Lucas messed up.

    --

    Do not meddle in the affairs of geeks for they are subtle and quick to anger