Free Republic


TPM-FAIL vulnerabilities impact TPM chips in desktops, laptops, servers. TPM-FAIL lets attackers steal private keys from TPMs [2019 but relates to Windows 11: see comment].
ZDNet | November 12, 2019 | Catalin Cimpanu for Zero Day

Posted on 10/08/2021 9:28:20 AM PDT by daniel1212

A team of academics has disclosed today two vulnerabilities known collectively as TPM-FAIL that could allow an attacker to retrieve cryptographic keys stored inside TPMs.

Thanks to efforts from the research team, both vulnerabilities have been fixed, which is a good thing since both issues can be weaponized in doable real-world attacks -- something that is very rare in the case of TPM vulnerabilities.

TPM stands for Trusted Platform Module...used to ensure hardware integrity during the boot-up process or to attest various cryptographic operations, such as handling digital certificates, ensuring HTTPS connections on servers, or verifying authentication-related processes.

However, as the hardware ecosystem evolved with modern smartphones and "smart" embedded devices, there was no room for a separate TPM chipset on all devices, and a 100% software-based solution was developed in the form of firmware-based TPMs -- also known as fTPMs.

Nowadays, it's hard to find a device that's not using a TPM, either in the form of a hardware-isolated chip, or a software-based solution...

The first vulnerability is CVE-2019-11090 and impacts Intel's Platform Trust Technology (PTT).

Intel PTT is Intel's fTPM software-based TPM solution and is widely used on servers, desktops, and laptops, being supported on all Intel CPUs released since 2013, starting with the Haswell generation.

The second is CVE-2019-16863 and impacts the ST33 TPM chip made by STMicroelectronics.

This chip is incredibly popular and is used on a wide array of devices ranging from networking equipment to cloud servers,...

The actual attacks on these two TPM technologies are what security researchers call a "timing leakage."

An external observer can record the time differences when the TPM is performing repetitive operations and infer the data being processed inside the secure chip...

"The required skill to pull this kind of attack is, of course, more than the script-kiddie effort, but there are many people out there who use similar techniques to solve more advanced CTF challenges."


TOPICS: Business/Economy; Computers/Internet; Hobbies; Miscellaneous
KEYWORDS: microsoft; securecomputing; tmp; windows11
Excerpt from larger article.

Without being a purveyor of fearful conspiracy theories, yet since industry has increasingly become an arm of liberal censorship and control, wisdom warrants being somewhat wary of the MS requirement for TPM to be enabled for its upgrade to Windows 11.

Wikipedia informs,

"Trusted Platform Module (TPM, also known as ISO/IEC 11889) is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys."

But which also includes,

"TCG has faced resistance to the deployment of this technology in some areas, where some authors see possible uses not specifically related to Trusted Computing, which may raise privacy concerns. The concerns include the abuse of remote validation of software (where the manufacturer—and not the user who owns the computer system—decides what software is allowed to run) and possible ways to follow actions taken by the user being recorded in a database, in a manner that is completely undetectable to the user.[48]" (https://en.wikipedia.org/wiki/Trusted_Platform_Module#Reception)

Concerning this risk of abuse of remote validation is the warning of gaming fans (which I certainly am not but the warning applies to all control that can be implemented):

"Using TPM to enforce anti-cheating provisions is an interesting idea, but it could come with some significant downsides for user privacy and anonymity.... Each TPM has a burned-in RSA key that cannot be changed. Ban the RSA key, and you ban the entire machine."

"Microsoft’s TPM 2.0 requirement in Windows 11 ties your system to a single encryption key that can be read to identify that PC, specifically. It can theoretically be used as part of a DRM [or politically correct] authentication scheme to confirm you have the right to access content."

"While disabling Secure Boot will not wipe a PC, removing an existing TPM module will make a drive unreadable unless it is decrypted first. Additionally, this “workaround” is only possible on motherboards that support a separate TPM header/module. If the end-user’s TPM support is built directly into the UEFI, as is typical, you’d need a new physical UEFI chip (assuming it can be swapped) or an entirely new motherboard,"

"Forcing every computer to authenticate through a hardware module whose authentication key cannot be changed may stop cheaters, but it also provides a much more effective method of monitoring what people say and do online. China, for example, is now heavily restricting the amount of time children can game in part by requiring game developers to implement facial recognition software. It’s implemented a social credit spying system that monitors and grades what citizens do and say online." (https://www.extremetech.com/gaming/326740-riot-will-use-windows-11s-tpm-2-0-requirement-to-ban-cheaters-from-valorant)

1 posted on 10/08/2021 9:28:21 AM PDT by daniel1212
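The "timing leakage" the excerpt describes is easier to see with a small simulation. The block below is an added example, not code from the ZDNet article or from the TPM-FAIL researchers. TPM-FAIL's actual leak was in the elliptic-curve signing routine inside the TPM; this stand-in uses modular exponentiation, whose naive square-and-multiply loop has the same defect: it starts at the secret's highest set bit, so a secret with leading zero bits finishes sooner. The modulus, base and 32-bit secret width are toy values chosen for illustration, and operation counts stand in for the wall-clock timing an outside observer would measure. The constant-time version shows the fix: a fixed-width ladder whose cost does not depend on the secret.

```python
"""Simulated timing leak of the kind TPM-FAIL exploited.

Added example (not the article's or the researchers' code). Modular
exponentiation stands in for the TPM's elliptic-curve scalar multiplication;
op counts stand in for measured time so the demonstration is deterministic.
"""
import random

# Toy parameters, assumed for illustration only (not a real key size or curve).
P = 2**61 - 1          # Mersenne prime modulus
G = 5                  # base
SECRET_BITS = 32       # nominal width of the secret exponent


def leaky_pow(base, secret, mod):
    """Variable-time square-and-multiply. Returns (result, op_count).

    The loop runs secret.bit_length() times and does an extra multiply per
    set bit, so op_count = bit_length + popcount: a short secret is visibly
    faster. This is the leaky pattern.
    """
    result, ops = 1, 0
    for i in range(secret.bit_length() - 1, -1, -1):
        result = result * result % mod
        ops += 1
        if (secret >> i) & 1:
            result = result * base % mod
            ops += 1
    return result, ops


def constant_time_pow(base, secret, mod, width=SECRET_BITS):
    """Fixed-width Montgomery ladder. Returns (result, op_count).

    Always runs `width` iterations with exactly two modular multiplies each
    and selects operands arithmetically rather than branching on the bit,
    so op_count == 2 * width for every secret < 2**width. Invariant kept
    throughout: r1 == r0 * base (mod mod).
    """
    assert 0 <= secret < (1 << width), "secret wider than the fixed loop"
    r0, r1, ops = 1, base, 0
    for i in range(width - 1, -1, -1):
        bit = (secret >> i) & 1
        prod = r0 * r1 % mod                      # needed whichever bit it is
        sel = r0 * (1 - bit) + r1 * bit           # r1 if bit else r0, no branch
        sq = sel * sel % mod
        ops += 2
        # bit 0: (r0, r1) <- (r0^2, r0*r1); bit 1: (r0, r1) <- (r0*r1, r1^2)
        r0 = sq * (1 - bit) + prod * bit
        r1 = prod * (1 - bit) + sq * bit
    return r0, ops


def observe(secrets, pow_fn):
    """What the attacker sees: one op count (i.e. one timing) per run."""
    return [pow_fn(G, s, P)[1] for s in secrets]


def short_secret_runs(op_counts, width=SECRET_BITS):
    """Observer's inference against leaky_pow.

    op_count = bit_length + popcount >= bit_length + 1, so any run with
    op_count <= width proves its secret had fewer than `width` bits. These
    are the runs an attacker would keep; TPM-FAIL likewise singled out
    signatures made with short nonces before the key-recovery step.
    """
    return [i for i, ops in enumerate(op_counts) if ops <= width]


if __name__ == "__main__":
    rng = random.Random(1)
    secrets = [rng.getrandbits(SECRET_BITS) for _ in range(1000)]
    # Mix in a few deliberately short secrets so the leak is visible in one run.
    secrets += [1 << 10, (1 << 10) + 1, 7]
    leaky = observe(secrets, leaky_pow)
    ct = observe(secrets, constant_time_pow)
    print("leaky: op counts range", min(leaky), "..", max(leaky),
          "| runs proven short:", len(short_secret_runs(leaky)))
    print("constant-time: op counts range", min(ct), "..", max(ct),
          "| runs proven short:", len(short_secret_runs(ct)))
```

Both routines return the same value; only the leaky one lets an observer sort runs by how short the secret was. In the real attack the measured time was noisier than a clean op count, which is why the researchers needed many signatures and statistics, but the principle is the one shown here: cost that varies with secret data is a leak, and the fix is a fixed-cost loop with no secret-dependent branches.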

To: daniel1212; dayglored

ping


2 posted on 10/08/2021 9:34:20 AM PDT by daniel1212 ( Turn to the Lord Jesus as a damned+destitute sinner, trust Him to save + be baptized + follow Him!)

To: daniel1212

Thanks for the ping. Win11 folks will want to know about this — I’ll ping the list when I get a chance later today.


3 posted on 10/08/2021 9:55:14 AM PDT by dayglored ("Listen. Strange women lying in ponds distributing swords is no basis for a system of government.")

To: dayglored

It sure is good that I don’t have a TPM to worry about! :-)


4 posted on 10/08/2021 10:56:59 AM PDT by SgtHooper (If you remember the 60's, YOU WEREN'T THERE!)

To: dayglored
An external observer can record the time differences when the TPM is performing repetitive operations and infer the data being processed inside the secure chip...

Yeah.

This is really a what-if scenario that goes far beyond the ability to take control and encrypt the disks or put bots on the system.

Not worth too much concern.

And TPMs can be backed up to the ADDS. If you don't have THAT GPO in effect, do it today!!!

Forcing every computer to authenticate through a hardware module whose authentication key cannot be changed may stop cheaters, but it also provides a much more effective method of monitoring what people say and do online.

That goes without saying for ANY device connected to other networks, especially the Internet!

Privacy died. Just assume you're being monitored already. Don't want to risk that? Turn it off!

5 posted on 10/08/2021 10:59:17 AM PDT by Alas Babylon! (Rush, we're missing your take on all of this!)

And TPMs can be backed up to the ADDS.

Actually, I'm wrong about this. I meant the BitLocker Recovery Key, which is derived from the TPM, not the TPMs key itself.

6 posted on 10/08/2021 11:05:56 AM PDT by Alas Babylon! (Rush, we're missing your take on all of this!)

To: SgtHooper

I ordered a Gigabyte GC-TPM2.0 SPI Module for my 6-year-old Gigabyte Z97X-UD5H motherboard as one is not built in. The Intel i5 4690k CPU I have may not be supported but I won’t know till I install the TPM module.
I use Windows 7 Pro but I figure best to get the parts if I ever bump my head and install Windows 11 on the desktop pc.

Gigabyte GC-TPM2.0 SPI Module
https://www.ebay.com/itm/254701515296

How to Check If Your Computer Has a Trusted Platform Module (TPM) Chip
https://www.howtogeek.com/287737/how-to-check-if-your-computer-has-a-trusted-platform-module-tpm-chip/

Microsoft’s tool for determining device compatibility:
PC Health Check app
https://www.cnet.com/tech/computing/windows-11-compatibility-how-to-find-out-if-your-pc-can-handle-microsofts-upgrade/


7 posted on 10/08/2021 11:05:02 PM PDT by minnesota_bound (I need more money. )

