Announcement AMD TPM exploit discovered

aigomorla

CPU, Cases&Cooling Mod PC Gaming Mod Elite Member
Super Moderator
Sep 28, 2005
20,895
3,247
126

Found on Zen2 and Zen3.
Unknown yet on Zen4.

Costs about $200 to attack AMD PSP (Platform Security Processor)

Method of attack:
Backup the BIOS flash image using an SPI flash programmer
Connect the fault injection hardware and determine the attack parameters (4.1)
Compile & deploy the payload extracting the key derivation secret (4.3)
Start the logic analyzer to capture the extracted key derivation secrets via SPI
Start the attack cycle on the target machine until the payload was executed successfully
Parse & decrypt the NVRAM using the BIOS ROM backup and payload output with amd-nv-tool
Extract and decrypt TPM objects protected by this fTPM with amd ftpm unseal


Things aren't looking good for AMD this year.

moinmoin

Diamond Member
Jun 1, 2017
5,094
8,100
136
Lesson: Don't rely on TPM to store the passphrase for you, enter it yourself every time.

aigomorla

Lol it requires physical access to the machine. It's an interesting hack but honestly it's not a severe threat.

Well, I would assume one would need to have possession of the actual machine for you to get stuff on a BitLocker TPM file.
I wonder if you can do this on an Intel system as well, because I'm sure the TPM is also connected to the motherboard.
So I would assume half the hack would work.

coercitiv

Diamond Member
Jan 24, 2014
6,730
14,506
136
Sigh, who needs voltage glitching when the entire TPM 2.0 system is vulnerable?

Billions of PCs and other devices vulnerable to newly discovered TPM 2.0 flaws

These new TPM 2.0 flaws are buffer overflow vulnerabilities discovered by Francisco Falcon and Ivan Arce from Quarkslab who are warning that they could impact billions of devices.

The vulnerabilities in question (tracked as CVE-2023-1017 and CVE-2023-1018) could be exploited by an attacker to escalate privileges and steal sensitive data from vulnerable devices. This would completely negate the added security that TPM 2.0 chips were designed to add to Windows 11 in the first place.

To make matters worse, the CERT Coordination Center at Carnegie Mellon University published an alert in which it warned that an exploit leveraging these vulnerabilities would be essentially “undetectable” by the devices themselves as well as the best antivirus software.

It's almost as if the second Microsoft made TPM a Win 11 requirement, researchers remembered they should crack that as well

A///

Diamond Member
Feb 24, 2017
4,351
3,159
136
If you need physical access, can't you automate this to happen in a dropped device outside gates?
Sigh, who needs voltage glitching when the entire TPM 2.0 system is vulnerable?

Billions of PCs and other devices vulnerable to newly discovered TPM 2.0 flaws

It's almost as if the second Microsoft made TPM a Win 11 requirement, researchers remembered they should crack that as well
And yet MS has a world-class research center; it's like there are two heads to them.

KompuKare

Golden Member
Jul 28, 2009
1,196
1,506
136
I guess the real question is: does this only get them the private key of that particular machine's TPM, or the private master key of all TPMs?

Huge difference.

Since they have already got the hardware, they would now be able to get at any secrets secured by the TPM alone. Your average thief will still reformat the drive or, if the BIOS is TPM locked, maybe replace the chip. Or just strip the machine for parts. If this is easy enough, I guess a fence might be able to use it to reset the machine - if the average shady-looking phone repair place can do this.

Any really sensitive data should have 2F and a remote wipe facility, but then you always hear about - for example - the British MoD losing laptops with secret data on the...

dark zero

Platinum Member
Jun 2, 2015
2,655
140
106
Well, I would assume one would need to have possession of the actual machine for you to get stuff on a BitLocker TPM file.
I wonder if you can do this on an Intel system as well, because I'm sure the TPM is also connected to the motherboard.
So I would assume half the hack would work.
If that happens, TPM would be at fault and not AMD or Intel... and that is bad news for that tech AND Microsoft, since it enforces its use.
Oh boy, so TPM is not as secure as many thought.

aigomorla

You know the NSA is going DOE... we got caught again with Spectre/Meltdown trying to be big brother.

itsmydamnation

Platinum Member
Feb 6, 2011
2,947
3,624
136
I guess the real question is: does this only get them the private key of that particular machine's TPM, or the private master key of all TPMs?

Huge difference.

Since they have already got the hardware, they would now be able to get at any secrets secured by the TPM alone. Your average thief will still reformat the drive or, if the BIOS is TPM locked, maybe replace the chip. Or just strip the machine for parts. If this is easy enough, I guess a fence might be able to use it to reset the machine - if the average shady-looking phone repair place can do this.

Any really sensitive data should have 2F and a remote wipe facility, but then you always hear about - for example - the British MoD losing laptops with secret data on the...
That's not the way public key encryption works....

DrMrLordX

Lifer
Apr 27, 2000
22,119
11,786
136
If you need physical access, can't you automate this to happen in a dropped device outside gates?
. . . maybe? I haven't read up on the exploit enough to know exactly how it works, but it was stated that it takes ~$200 worth of hardware and several hours of access to the hardware to crack the TPM.

aigomorla

The problem I see is that BitLocker is no longer secure.
So if someone has physical access to the site, you can no longer be worry-free about your data not getting compromised, because of BitLocker.

It's not an inject hack, or an automated hack.
It requires physical touch to be done.
But again, when you're aiming to steal info on a BitLocker-locked drive, isn't that the whole point?

JoeRambo

Golden Member
Jun 13, 2013
1,814
2,105
136
The problem I see is that BitLocker is no longer secure.
So if someone has physical access to the site, you can no longer be worry-free about your data not getting compromised, because of BitLocker.

Yup, currently BitLocker-protected stuff is supposedly safe. Not anymore after all these AMD disclosures.
Typical enterprise-level security stuff is done with BitLocker encryption + boot PIN. The PIN is not part of the encryption, but rather validated against what is kept in TPM storage to proceed with decryption using data from the TPM. If the TPM "vault" is broken, the PIN is irrelevant, sadly.

It's quite different to make someone run some exploit that uses privilege escalation, versus completely failing to protect data on a stolen laptop. What's worse is the retroactivity of this vulnerability, so if some secret stuff was stolen on AMD laptops, it's time to sweat!

JoeRambo

Wait what?

TPM provides a two-way promise -> only the OS that saved the disk encryption keys will get said key back and proceed to decrypt it to continue to boot into encrypted volumes. And the 2nd promise is that if any "tamper" happens, it goes into recovery mode; it used to be as simple as changing the boot order.

The TPM PIN is protection in the pre-boot environment, with some smart-card-like security options that stop brute force, but once you enter the PIN, you get your key back and proceed to provide it to the OS in that two-way promise auth.

Guess what happens when the TPM is hacked and keys extracted?

moinmoin

TPM provides a two-way promise -> only the OS that saved the disk encryption keys will get said key back and proceed to decrypt it to continue to boot into encrypted volumes. And the 2nd promise is that if any "tamper" happens, it goes into recovery mode; it used to be as simple as changing the boot order.

The TPM PIN is protection in the pre-boot environment, with some smart-card-like security options that stop brute force, but once you enter the PIN, you get your key back and proceed to provide it to the OS in that two-way promise auth.

Guess what happens when the TPM is hacked and keys extracted?
And BitLocker's PIN/password uses that TPM scheme instead of increasing the security by using it to increase the passphrase complexity (like done under Linux when using LUKS with TPM)? If so, BitLocker using TPM was always destined to fall along with TPM.

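The two promises JoeRambo describes (the key comes back only on the expected boot path, and any tamper such as a changed boot order lands you in recovery) and moinmoin's question about whether the PIN strengthens the key or only gates the chip are easier to reason about with a small model in hand. The block below is an added toy written for this thread; it is not BitLocker's key hierarchy, not any fTPM's NVRAM format, and not the amd-nv-tool or amd ftpm unseal tooling quoted in the first post. The PCR selection, the boot measurements, the 4-digit PIN, the HMAC key derivation and the XOR "encryption" are all constructed assumptions for the illustration.

```python
import hashlib
import hmac
import os

# PCR indices the toy policy binds to (an assumption for this model, not any vendor's real policy).
PCR_POLICY = (0, 2, 4, 7)

def extend(pcr, measurement):
    """PCR extend as a TPM does it: new = H(old || H(measurement))."""
    return hashlib.sha256(pcr + hashlib.sha256(measurement).digest()).digest()

def measured_boot(components):
    """Replay an ordered list of (pcr_index, blob) measurements into a fresh PCR bank."""
    pcrs = {i: bytes(32) for i in range(8)}
    for idx, blob in components:
        pcrs[idx] = extend(pcrs[idx], blob)
    return pcrs

def policy_digest(pcrs):
    """Digest of the selected PCRs; sealed data is bound to this value."""
    return hashlib.sha256(b"".join(pcrs[i] for i in PCR_POLICY)).digest()

def _wrap(root_secret, policy, pin):
    # Wrapping key: the chip's root secret, the policy digest and the PIN all feed the KDF.
    return hmac.new(root_secret, policy + pin, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class ToyTPM:
    """Stand-in for an fTPM: a root secret that must never leave the part, a PCR policy
    check, and an anti-hammering counter on PIN failures."""

    def __init__(self, lockout_after=32):
        self.root_secret = os.urandom(32)
        self.failed_auth = 0
        self.lockout_after = lockout_after

    def seal(self, secret, pcrs, pin=b""):
        policy = policy_digest(pcrs)
        k = _wrap(self.root_secret, policy, pin)
        ct = _xor(secret, k)  # one-time pad with the 32-byte wrapping key (toy; real TPMs use AES)
        tag = hmac.new(k, ct, hashlib.sha256).digest()
        return {"policy": policy, "ct": ct, "tag": tag}

    def unseal(self, blob, pcrs, pin=b""):
        if self.failed_auth >= self.lockout_after:
            raise PermissionError("TPM in lockout")
        if policy_digest(pcrs) != blob["policy"]:
            raise PermissionError("PCR policy mismatch: boot path changed, go to recovery")
        k = _wrap(self.root_secret, blob["policy"], pin)
        if not hmac.compare_digest(hmac.new(k, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
            self.failed_auth += 1
            raise PermissionError("wrong PIN")
        self.failed_auth = 0
        return _xor(blob["ct"], k)

def offline_unseal(root_secret, blob, pin=b""):
    """Attacker side once the root secret has left the chip: the policy digest is just a field
    in the blob, there are no PCRs to satisfy and no lockout counter to trip."""
    k = _wrap(root_secret, blob["policy"], pin)
    if not hmac.compare_digest(hmac.new(k, blob["ct"], hashlib.sha256).digest(), blob["tag"]):
        return None
    return _xor(blob["ct"], k)

def brute_force_pin(root_secret, blob, digits=4):
    """Offline search of every numeric PIN; returns (pin, candidates_tried), or (None, count)."""
    for n in range(10 ** digits):
        pin = f"{n:0{digits}d}".encode()
        if offline_unseal(root_secret, blob, pin) is not None:
            return pin, n + 1
    return None, 10 ** digits

def demo():
    """Walk the model through a good boot, a tampered boot, and an attacker holding the root secret."""
    tpm = ToyTPM()
    # Constructed sample measurements standing in for a real boot chain.
    good_boot = measured_boot([(0, b"firmware 1.2"), (2, b"option roms"),
                               (4, b"bootmgr"), (7, b"secureboot=on;bootorder=nvme0")])
    # Same firmware and boot manager, but the boot order was changed, so PCR7 differs.
    tampered_boot = measured_boot([(0, b"firmware 1.2"), (2, b"option roms"),
                                   (4, b"bootmgr"), (7, b"secureboot=on;bootorder=usb0")])
    vmk = os.urandom(32)  # the volume key being protected
    blob_tpm_only = tpm.seal(vmk, good_boot)
    blob_tpm_pin = tpm.seal(vmk, good_boot, pin=b"1337")  # constructed 4-digit PIN
    out = {"normal_boot": tpm.unseal(blob_tpm_only, good_boot) == vmk}
    try:
        tpm.unseal(blob_tpm_only, tampered_boot)
        out["tamper_detected"] = False
    except PermissionError:
        out["tamper_detected"] = True
    # Now assume the root secret has been read out of the part, as the thread's attack does.
    leaked = tpm.root_secret
    out["offline_tpm_only"] = offline_unseal(leaked, blob_tpm_only) == vmk
    pin, tries = brute_force_pin(leaked, blob_tpm_pin)
    out["offline_pin"] = pin
    out["offline_pin_tries"] = tries
    out["offline_pin_unseal"] = offline_unseal(leaked, blob_tpm_pin, pin) == vmk
    return out
```

Two things the model makes concrete. The PCR policy and the lockout counter are enforced by the chip, so the "tamper -> recovery" promise holds only while the root secret stays inside it; `offline_unseal` never looks at PCRs or the failure counter, it just reuses the policy digest stored in the blob. And once the secret is out, a short numeric PIN is an offline search that finishes in a fraction of a second, because the anti-hammering that made online guessing expensive is no longer in the loop. The only thing still costing the attacker work is the entropy of whatever the user types, which is the argument for a real passphrase that enters the key derivation rather than a PIN that merely unlocks the chip. The model does not assert how BitLocker's TPM+PIN mode is actually implemented; the thread's reading of that is the posters' own.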
dark zero

If that's so, even Intel chips are vulnerable due to TPM.
So yeah, this is a BIG screwup from the ones who enforce TPM when it shows that it is not secure.

JoeRambo

If that's so, even Intel chips are vulnerable due to TPM.
So yeah, this is a BIG screwup from the ones who enforce TPM when it shows that it is not secure.

Need to demonstrate an exploit against Intel's TPM before it is vulnerable?

The completely safe option is to use a separate security device like a USB key that stores the key for decryption of storage and present it each time (and not lose it together with the device).
Or use something like a smart card with TPM and PIN that provides said key to the OS when the PIN is entered?
Or place said smart card with PIN on AMD's SoC and secure it against brute force of the PIN?