Researchers Detail Two New Attacks on TPM Chips
TPM (Trusted Platform Module) is a computer chip (microcontroller) that can securely store artifacts used to authenticate the platform (your PC or laptop). These artifacts can include passwords, certificates, or encryption keys. A TPM can also be used to store platform measurements that help ensure that the platform remains trustworthy. Authentication (ensuring that the platform can prove that it is what it claims to be) and attestation (a process helping to prove that a platform is trustworthy and has not been breached) are necessary steps to ensure safer computing in all environments.
Trusted modules can be used in computing devices other than PCs, such as mobile phones or network equipment.
Some PC owners may need to apply motherboard firmware updates in the near future to address two attacks on TPM chips detailed earlier this month by four researchers from the National Security Research Institute of South Korea.
Both attacks target computers that come equipped with a Trusted Platform Module (TPM). TPMs are dedicated microcontrollers (chips, cryptoprocessors) that are usually deployed on high-value computers, such as those used in enterprise or government networks, but they are also used on personal computers.
The role of a TPM chip is to ensure hardware authenticity. A TPM uses RSA encryption keys to authenticate the hardware components involved in a computer’s boot-up process, as well as in its normal functioning.
The way a TPM works, and how it authenticates the components that are part of the boot-up chain, is dictated by the TPM 2.0 specification released in 2013.
TPM flaws allow attackers to hide tampered boot components
Two weeks ago, four South Korean researchers detailed two attacks on TPM chips that can allow an attacker to tamper with the boot-up process. The attacks are possible thanks to power interrupts.
Modern computers do not feed power to all their components all the time and at the same time. They use special APIs to send power to a component only when it needs it to perform an operation, putting it in a suspended (sleep) state between use states.
TPM chips support ACPI (Advanced Configuration and Power Interface), one of the tools operating systems use to control and optimize power consumption in peripherals.
Researchers discovered two issues affecting the way TPMs enter and recover from these suspended power states, which allow an attacker to reset TPMs and then create a fake boot-up chain of trust for a targeted device.
The first TPM attack
The first attack works against computers whose TPM chip uses a static root of trust for measurement (SRTM) system for the boot-up routine.
Researchers say this vulnerability is actually a design flaw in the TPM 2.0 specification itself. As nobody spotted the faulty logic until now, the flawed specification was implemented inside TPM components embedded in computers sold by the vast majority of PC vendors.
The attack scenario involves an attacker abusing power interrupts and TPM state restores to obtain valid hashes for components involved in the boot-up process, which the attacker then feeds back to the same SRTM-configured TPM, tricking it into thinking it's running on non-tampered components.
During their experiments, researchers said they managed to tamper with TPMs embedded within computers sold by Intel, Dell, Gigabyte, and ASUS.
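Why a reset TPM defeats the measurement chain can be seen in a small software model of a platform configuration register (PCR). This is an added example, not code from the article or the researchers; it assumes a SHA-256 PCR bank, and the component names are constructed placeholders.

```python
import hashlib

PCR_RESET = bytes(32)  # static (SRTM) PCRs hold all zeroes after a TPM reset


def measure(component: bytes) -> bytes:
    """Digest of a boot component, taken before the component runs."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend: new PCR = H(old PCR || digest); a PCR cannot be written directly."""
    return hashlib.sha256(pcr + digest).digest()


def replay(digests, start=PCR_RESET) -> bytes:
    """Fold digests into a PCR value, as a verifier does with an event log."""
    pcr = start
    for d in digests:
        pcr = extend(pcr, d)
    return pcr


# Constructed sample boot chains (placeholders, not real firmware images).
GOOD_CHAIN = [b"firmware-v1", b"bootloader-v1", b"kernel-v1"]
TAMPERED_CHAIN = [b"firmware-v1", b"bootloader-TAMPERED", b"kernel-v1"]


def honest_boot(chain) -> bytes:
    """Normal boot: every component is measured into the PCR before it executes."""
    return replay(measure(c) for c in chain)


def pcr_after_reset_and_replay(recorded_digests) -> bytes:
    """PCR value when the TPM has been reset and recorded digests are extended again.
    What actually executed on the machine no longer influences the result."""
    return replay(recorded_digests)


def verifier_accepts(pcr: bytes, expected: bytes) -> bool:
    return pcr == expected


if __name__ == "__main__":
    expected = honest_boot(GOOD_CHAIN)
    recorded = [measure(c) for c in GOOD_CHAIN]
    print("tampered boot accepted:", verifier_accepts(honest_boot(TAMPERED_CHAIN), expected))
    print("reset + replay accepted:", verifier_accepts(pcr_after_reset_and_replay(recorded), expected))
```

Without a reset, extending further digests onto a PCR that already holds a tampered measurement can never reach the expected value, which is why the flaw lies in how the TPM state is restored after sleep rather than in the hash chain itself.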
The second TPM attack
The second TPM attack that the South Korean researchers devised affects TPM chips that use a dynamic root of trust for measurement (DRTM) system for the boot-up routine.
The good news is that this second attack is not as prevalent and wide-reaching as the first. Researchers said this only affects computers running on Intel’s Trusted Execution Technology (TXT) for the boot-up routine.
The actual flaw resides in Trusted Boot (or tboot), an open-source library used by the Intel TXT technology.
Look out for firmware updates
Users interested in rummaging through past or future firmware changelogs for the appropriate fixes can track the two vulnerabilities by their CVE numbers. The SRTM vulnerability has received the CVE-2018-6622 identifier, while the DRTM (tboot) flaw can be tracked under CVE-2017-16837.
The TPM attacks described in this article require physical access to a device, but this doesn’t make them less dangerous.