Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hardware TPM Hacked

Posted by Soulskill on from the matter-of-time dept.

BiggerIsBetter writes "Christopher Tarnovsky has pulled off the 'near impossible' TPM hardware hack. We all knew it was only a matter of time; this is why you shouldn't entrust your data to proprietary solutions. From the article: 'The technique can also be used to tap text messages and email belonging to the user of a lost or stolen phone. Tarnovsky said he can't be sure, however, whether his attack would work on TPM chips made by companies other than Infineon. Infineon said it knew this type of attack was possible when it was testing its chips. But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users. ... The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment."'"

15 of 327 comments (clear)

  1. surprise surprise by Anonymous Coward · · Score: 5, Insightful

    'near impossible'

    Shouldn't that be 'near inevitable'?

    Infineon said it knew this type of attack was possible when it was testing its chips.

    Did they mention this in their marketing and when selling the TPM FUD to governments and companies?

    "exceedingly difficult to replicate in a real-world environment."

    Meaning only powerful criminal organizations, companies and governments can probably gather the
    required resources and people with the expertise to pull it off? Out of 6.8 billion people, how
    many have the resources to do this? 1000? 10,000? What about in 5 years?
    At what point will they admit its flawed? Probably when TPM2 is fully patented and ready.

    1. Re:surprise surprise by Bacon+Bits · · Score: 4, Interesting

      You didn't even read the article, did you? This was a hardhack.

      Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.

      Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.

      The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory.

      It also amuses me that TFS makes the point of blaming "proprietary" solutions. Exactly how would this attack have been prevented by using open source?

      --
      The road to tyranny has always been paved with claims of necessity.
    2. Re:surprise surprise by crossmr · · Score: 4, Funny

      I had a similar thought when I read that part of the summary:

      How about you do something crazy and carry on to the actual article (I know.. I forgot where I was)

      The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer.....Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.

      Two words: script kiddies.

      You tell me how you're going to pack acid and rust remover into a downloadable tool and I'll worry.

    3. Re:surprise surprise by hclewk · · Score: 4, Informative

      It. Can't. Be. Automated.

    4. Re:surprise surprise by Gyorg_Lavode · · Score: 4, Insightful

      I've listened to his talks before, and this is what he does. He's incredibly good at bypassing chip security and reading out the data on the chips. The question though is do you have to do that every time, or did he find a bug in the code on the chip that could potentially be exploited externally. The article is a bit vague on that. All it really sais is he was able to tap the chip bus. It doesn't comment on the impact of him doing so other than it compromises the whole chip.

      --
      I do security
    5. Re:surprise surprise by IamTheRealMike · · Score: 4, Insightful

      Gah. This whole conversation is retarded.

      1. The TPM is an open solution. The chips behavior is determined by open standards and there are multiple competing vendors of these chips.
      2. The fact that you can mount sophisticated silicon attacks on a TPM is not a "flaw" because nobody knows how to make completely impenetrable chips. The TPM does what it was designed to do - provide a good level of security for very low cost. If you lose your laptop and it uses a TPM based product, chances are really great that the thieves won't get data out of it. That is not the same thing as "completely invulnerable to SEMs" and nobody ever claimed it was.
  2. Re:tpm? by Lord+Ender · · Score: 4, Informative

    To encrypt something, you must have a 20-character password minimum to get 128-bit key strength. Nobody likes typing 20 characters, so TPM was invented. TPM stores your key on a separate chip. This chip only coughs up the key if you enter a short password to authenticate yourself to the chip.

    The chip uses rate-limiting boot-delays to prevent brute-forcing of the password.

    So they only way to get the key is to break the chip apart and look at the hardware somehow. The chips are usually encased in epoxy to make this hard to do. It's never been done before. Now it has... but it's still hard work.

    TPM chips come on all business laptops these days, though few businesses make use of them. And they're still better than telling your users to memorize 20 char passwords (which they would just write down).

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  3. Yeah, this is going to be a major problem... by Admiralbumblebee · · Score: 4, Insightful

    FTA "Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle."

    If the attacker has this much physical access to your system/data then you've lost LONG before the TPM chip failed.

  4. Re:"high-skill" by PhilHibbs · · Score: 4, Insightful

    Not sure what you mean. But yes, this does require a high skill level - we don't know how many TMP chips this guy trashed before getting it to work on one, or what his success rate would be on the next one. If he gets a laptop full of Chinese secrets and is asked to crack the TPM chip, he might well fry it on the first attempt, and you don't get second attempts on this kind of thing. It's not the kind of exploit that can be scripted and downloaded by any kiddie.

  5. Re:When will they learn by noidentity · · Score: 5, Insightful

    I don't really call any hack that requires "physical access" to be a genuine danger. If someone has physical access to your box you've got greater worries.

    Yes, but remember that TPM is about keeping you our of your own computer, so those who would like to do so are worried about this.

  6. Step 1 - decap the chip without killing it by sillivalley · · Score: 4, Insightful

    While decapping chips is done all the time in failure analysis labs, it isn't easy, and it's even harder if you're trying not to damage the chip (or yourself) in the process.

    Decapping usually involves concentrated nitric and/or sulfuric acids. Temperature control is important. You want to carefully dissolve the plastic without destroying the lead frame and/or the bonding wires going from the lead frame to the die. You also want to complete this process without losing any fingers or your eyesight -- highly concentrated acids. Rinse carefully with deionized water and test to make sure the chip is still functional.

    Now you can feed the chip to your electron beam probe, FIB mill, or just take pretty pictures.

    Not the kind of thing you're going to do in your kitchen!

  7. CHALLENGE TO TARNOVSKY by SiliconEntity · · Score: 4, Insightful

    I've been reading about this hack for days, but something seems fishy. Some of the earlier reports had him hacking the SLE 66 CL processor chip which is embedded in the TPM, not the TPM itself. This article also describes him as having to work with many copies of the chip to discover its secrets, but it has the chips being inexpensive ones from China. Problem is that Infineon is a German company and I don't think you can get Infineon TPMs cheaply from China. Putting this together, it's not clear to me that he has truly hacked an Infineon TPM. He may have hacked a similar chip and he assumes that the same attack would work on TPM.

    However, there is a way for him to easily prove that he has done what he said. Every Infineon TPM comes with an RSA secret key embedded in it, called the Endorsement Key or EK. This key is designed to be kept secret and never revealed off-chip, not to the computer owner or anyone. And Infineon TPMs also come with an X.509 certificate on the public part of the EK (PUBEK), issued by Infineon. If Tarnovsky has really hacked an Infineon TPM and is able to extract keys, he should be able to extract and publish the private part of the EK (PRIVEK), along with the certificate by Infineon on that key. The mere publication of these two pieces of data (PRIVEK and Infineon-signed X.509 cert on PUBEK) will prove that his claim is true.

  8. Re:Does anyone know if this leads to a soft-hack by zelbinion · · Score: 4, Insightful

    Actually, most likely the keys stored inside the chip's non-volatile memory are probably encrypted, just to prevent that sort of attack.

    I worked with similar technology in a previous job. When Tarnovsky said "This chip is mean, man - it's like a ticking time bomb if you don't do something right,"

    My guess is he wasn’t kidding. These sorts of chips have all sorts of counter measures to make this sort of attack difficult. The algorithms built into the circuits on the chip are designed to make eavesdropping hard. You can send different commands to the chip, and ask it to decode different amounts of data, but it will intentionally insert randomness into the time and number of operations to do the work to prevent you from gleaning information about what is going on inside the chip. I’m sure there are circuits that do nothing other than generate spurious electrical impulses so that trying to sense what the chip is doing remotely won’t work. The only way to even attempt an attack like this is to do what Tarnovsky did, and strip off the packaging. Assuming you didn’t just destroy it, even then you aren’t home free. I’m sure there are other safe guards built into the chips. Oh, did the voltage drop just now across that one circuit? That’s probably an attack – the chip just deleted the keys you were trying to recover and is now useless. Did that operation take too long because someone hooked up their own custom circuit in an attempt to decode what was going on? Yeah, that’s out too bye bye secret keys Interrupt the power to the key storage area for a nanosecond while you try to connect your probe? I’m sorry, you’re done. Did you just read out the data out of the protected storage out of sequence? Well, not only is that data encrypted (and therefore useless), the chip detected it, and intentionally burned out a small inaccessible fuse buried inside the chip and bricked itself. You’re done. Did you just inject an internal command with your probe that wasn't expected? Yep, you just blew another fuse. Go home.

    You have to connect your probes in exactly the right place, in exactly the right way, and not disturb the electrical properties of the circuit you tapped into to prevent the chip from knowing that you are there and triggering a counter-measure.

    I don’t know which counter measures the TPM modules from Infineon implement, but if they are current with the sort of technology out there, this hack was really really super damn hard.

    Sure, with enough time, money, skill, patience, and physical access to the machine, anything can eventually be broken. The idea of the TPM was to make it expensive enough to hack that the average thief won’t bother. If you are relying on a TPM only to protect secrets on a mobile device (which can be stolen and then hacked by a well funded company or government) you either deserve what you got, or you’ve made way too many well funded and motivated enemies.

  9. Re:When will they learn by rochberg · · Score: 4, Insightful

    [...] remember that TPM is about keeping you our of your own computer[...]

    Um, no. TPMs are designed for three things: 1) establish a hardware root of trust for boot (i.e., make sure that you're actually booting your OS and not a rootkit first), 2) provide lightweight, secure and fast cryptographic operations (so you don't have to do something stupid like store a cryptographic key in plaintext on your HD), and 3) allow remote attestation of a computer's software stack (i.e., verifying the integrity of the OS and other pieces of software...very useful for distributed systems).

    Yes, there are applications of TPMs for DRM, but that is a side effect and not a primary factor. Furthermore, in the case of general purpose computers (which does not include gaming platforms like the Xbox), the TPM best practices make it very clear that the TPM should only be activated with the user's explicit knowledge and consent. I.e., it is the owner of the hardware who decides if the TPM will be used, not the software vendors. Of course, hardware vendors are not obliged to follow the best practices, but that's not the fault of TCG.

  10. Re:HEY TARNOVSKY by Alsee · · Score: 4, Informative

    TPM is designed to detect changes to specific protected operating system files so that the owner knows that they haven't been tampered with. SuperDRM spy reports? :-O That's some might fine tinfoil you have there...

    How well do you understand the Remote Attestation system? If you have any doubts about what I said I will gladly explain it to you, and cite the documentation to back it up if you like. I just need some clue how much of it you already understand and how technical (or non-technical) you want the explanation to be. I am a programmer and I have studied the entire 332 page technical specification for the TPM chip, and studied all of the other technical info I've been able to find. I have have an extensive and very technical understanding of the chip and how it operates with software, and I have a less detailed picture of the Trusted Computing infrastructure they are building around the chip.

    Yes, the TPM is capable of telling the owner whether anything has been tampered with. But saying that is like saying telephones are an in-home intercom. Yes, two phones on the same line in you home do act like an intercom, but that wildly misses the designed functionality of telephones.

    Remote Attestation is designed to be able to securely report to ANYONE exactly what is BIOS/Bootloader/OperatingSystem/other-software is running your computer. And when I say "securely report" what is on your computer, I mean that this report is specifically designed to be secure against the owner. You can control whether your computer answers requests for this Remote Attestation report, but you the owner are unable to control or alter the contents of this report. The TPM will not permit you to alter the contents of the report, and the TPM cryptographically signs the report it sends. An unsigned Attestation is invalid, and any attempt to modify the TPM's signed attestation invalidates it.

    So when I called it a "SuperDRM spy report" perhaps I was overly casual and colorful with the language, but it was essentially correct. The TPM is designed to keep a secure log of your system - and this log is specifically kept secure against "tampering" by the owner, and the contents of this log are specifically intended to be sent REMOTELY - meaning to other people over the internet a and again the TPM cyrptographically secures this report against "tampering" by the computer owner. It's all logged and secured in a "Super DRM secure against the owner" manner, and it's the chips "spy" log of what it has watched on your computer You can look at it to verify that your system files haven't been tampered with, but it also enables other people to check that your system hasn't been "tampered with", and that specifically includes verifying that YOU have not "tampered" with anything.

    And after validating what BIOS you have and that you haven't tampered with it, and after validating what operating system you have and that you haven't tampered with that, and after validating exactly what program you are running and that you haven't tampered with that, the chip enables that validated program to securely add anything and everything it wants as additional information in that Remote Attestation.

    It's easiest to illustrate it with a DRM example, because that is precisely what it is tailored to. Say you want to watch Hollywood movies on your computer. You connect over the internet to the MPAA's movie servers. They ask for a Remote Attestation. They examine that Attestation to verify that you have an approved BIOS and that you haven't tampered with it, and that you have an approved operating system and that you haven't tampered with it, and that you have an approved video card and approved video drivers and that you haven't tampered with them. (And of course all along the way "approved" means software that won't violate their DRM.) And then the verify what program you are running right now - they check that you are running their own DRM-enforcing video player. And of course Remote Attestation is validating that

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.