TPM cryptography cracked

Trusted Platform Module (TPM) based cryptography protects your secrets as well as your government’s secrets. Well, it used to. [Christopher Tarnovsky] figured out how to defeat the hardware by spying on its internal communications. This requires physical access, so it’s not quite as bad as it sounds, but the technique reaches beyond the TPM to many of the security chips made by Infineon, including peripheral security chips for the Xbox 360 and some chips used in cell phones and satellite TV.

[Christopher] revealed his hack during his presentation at Black Hat 2010. The method is wicked-hard, involving removal of the chip’s case and top layer, then tapping into an internal data bus to read data before it is encrypted. The chip still has some tricks up its sleeve and includes firmware traps that keep a lookout for this type of attack, shutting down if it’s detected. Infineon commented that they knew this was possible but regard it as a low threat due to the high skill level necessary for success.

[Thanks Greg]

Comments

  1. jkl says:

    This paper from 1996 describes several tricks to perform physical attacks on chips:

    http://www.cl.cam.ac.uk/~rja14/tamper.html

  2. joe says:

    Doesn’t sound like it’s a big deal. The method to crack the TPM device was not covered under the threat model it was designed against, so it’s basically a known weakness that’s infeasible in real life.

  3. Cybergibbons says:

    Where’s the actual slides or paper though? I want the nitty gritty on the attack.

  4. Carl says:

    Since when is security through obscurity a good idea?

    This is the same security philosophy we’ve seen over and over already with the predator drones, the telephone networks of previous decades, the first cell phones, and with the recovery questions on Palin’s email account. I could go on and on with examples about how bad an idea this is.

  5. moron4hire says:

    Carl, it is not at all the same as security through obscurity. The physical remoteness of the internal workings of the device *is* a security feature. Saying this is security through obscurity is like saying that concrete bunkers are security through obscurity because they could potentially be burrowed under. No security system is 100% effective, it’s always a trade off between cost and how difficult it is to break.

  6. Val says:

    As if I needed another reason to use TrueCrypt over TPM encryption…

  7. Koplin says:

    TPM should take a page from

    Maxim
    http://www.maxim-ic.com/
    iButtons (the crypto java ones)
    They actually put a screen inside the can to detect this type of thing along with a battery good to about 10 years. If a probe breaks the very fine screen it blanks the memory. I.e. it self-destructs.

    I am sure there are other ways to create self erasing chips etc so why did they know about these “one in a million” exploits and STILL not apply a few extra moments consideration to the value of the data they would be protecting.

    Check out
    http://www.wonderhowto.com/how-to/video/how-to-hack-smart-cards-for-satellite-tvs-266696/

    shows how ;)

  8. D- says:

    Same old security problem. The need to stay one step ahead of the thieves. Chances are that Tarnovsky isn’t the only one who has done this to date, but now it’s known it’s possible, that many more will be attempting it. The more people spending time attempting it can mean the process will be streamlined. Reads like access to many of the protected computers isn’t a problem. Those who stand to lose revenue because of hacked security are those who will drive improvements in security, and are probably second to the government in doing so. Interesting stuff, though I don’t have an immediate direct concern in the issue.

  9. LarrySDonald says:

    Chip level there isn’t much but obscurity to rely on, supposing you want to advance a security model that doesn’t rely on simply keeping 140 bits or so in your brain (not that I don’t, but non-feasible for normals). But of course it won’t protect against anyone with a chip lab or the odd dude with an insulin syringe and lots of hardware knowledge. Governments? Forget it. Now can we have the nagra 3 softemud? Pretty please?

  10. Ivan says:

    @jkl Good paper – saved. Thank you!

  11. noonevac says:

    he is the same person who cracked the chips in the dish network cards. guess he is still working on it.
    good to see that

  12. pretorious says:

    @jkl – Nice! Thanks.

  13. ejonesss says:

    1 step closer to making a hackintosh work without software hacking?

  14. Peter says:

    This guy is famous for probing chips. Not only does one need physical access to the chip, the chip is physically taken apart in the process. Very unlikely that this can be done surreptitiously and completely outside of the fault-model for the TPM.

    In most cases, if you had this sort of access to a TPM, then there are easier attacks against the hardware that would get you where you wanted to go.

    Wired did a great video of how he does his work. Can’t wait to see a video of his presentation.

    http://www.wired.com/politics/security/news/2008/05/tarnovsky?currentPage=all

  15. Alex says:

    I remember a site that detailed the process of getting secure code off of various locked microcontrollers. It involved methods similar to the ones Tarnovsky used. Anyone know the name of the site? I can’t seem to find it anymore.

  16. mark says:
  17. ManVsGirl says:

    [quote]Infineon commented that they knew this was possible but regard it as a low threat due to the high skill level necessary for success.[/quote]

    Quite ironic that Infineon does not think that hackers etc. have a set of high skills … think again Infineon. I’ll bet you Infineon, that if you think you can hack / crack it, then there will be someone else in the outside world that can do the same.

  18. Nick says:

    TPM also doesn’t protect against someone looking at your screen – it wasn’t meant to.

    Still interesting, but not much more than an intellectual exercise.

  19. cgmark says:

    Something else to consider is that while it gave him info on that specific chip it does not mean that he could take the information and use it to open another TPM chip from the same manufacturer. They often contain keys that are unique for each IC produced so TPM still remains viable.

    I saw a video once where they were producing security ICs and when the dies were created there were a group of 32 connections left unconnected. In the final stage those 32 connections were connected by a machine in a manner that made the internal key unique to that single chip.

  20. blue carbuncle says:

    Meaning the attacks will be easily traceable to a small group of skilled individuals with even further individualized finished products (melt depth, bus connection) which is again further reduced by individuals that will find another much easier chink in the armor in a peripheral’s flaw? How will they ever find them lol?

  21. error404 says:

    Not a crack.

  22. markii says:

    Now this hacked my day :)

  23. F. says:

    Why is protective foil still covering the heatsink in that image? (Shiny, scratch-free heatsink ornaments? What has the hardware business come to…)

    @Mike Szczys: Your continuing efforts to spellcheck the posts are appreciated. However, you shouldn’t forget the title. ;)

  24. JustMe says:

    He has a very nice blog about CMOS chip reversing:
    http://www.flylogic.net/blog/

  25. Cynical says:

    “Made in China”

    Well there goes all your security out the window. Thing’s probably full of Chinese hacker backdoors.

  26. minxo says:

    This is just a side channel attack just like with DRM dongles..the crypto is secure..the isolation that protects keying failed..

  27. Oren Beck says:

    There’s a term called “Realistic Threat Evaluation” which seems to be missing here. TPM will decrease the mundane percentages of “Threat” compared to not using it. If someone is in a situation where their data being compromised warrants Flylogic’s level of destructive entry? Then they may consider using multiple layers of better total practices. Like simple prevention of any access to any devices holding risky data. Anything humans have developed “can and will” be compromised. All we can do is report excellent work like the TPM breach in a responsible fashion! As in – contact the no-longer “inviolate” device/system’s security officer to give them lead time for safe handling. Do that and you’re a Hero. If you skip the notification step, then publish/share an exploit that wreaks Havoc? Well, then you risk losing all claim to being of good ethics. And by extension that risks all legit Hackerdom being tarred as indefensible criminals.. Think it over damned carefully eh?

  28. greycode says:

    I have been doing crypto security for years. I know of only ONE perfect tried and true crypto system. One time pads. Even then, if you use them incorrectly, they will even be cracked. So no matter what you use, it comes down to following correct protocols.

    Pretty damn sure that if someone is able to come in, take your chip apart, that the actual breaking of this crypto system is the LEAST of your problems. Your physical security of your information is paramount, even to the security of your crypto hardware, or software.

    Might want to call Schlage, and someone to watch the place a little bit better. If you do this, then the hacking of the chip and the cracking of the crypto is going to be beyond the capabilities of most. This makes the hack/crack nice to know, but not realistically possible if you are paying attention. If your physical security is good, the only person going to get this done is James Bond, and Ian Fleming is not writing much these days.

  29. minxo says:

    @greycode: Hardware isolation specs and security bits don’t usually come with the chip unless you pay extra..just look at OMAP. Buyers don’t get any of the security specs.

    Even with current DRM dongles over half of them have OCD open on the chip.

  30. Fanlashtic says:

    ______ _______ __ _ ______
    | \ |_____| | \ | | ____
    |_____/ | | | \_| |_____|

    xD THATS FUCKING AMAZING!

  31. DanAdamKOF says:

    If this means cheap third party Xbox 360 controllers then this is awesome.

  32. googfan says:

    @fanlashtic

    ASCII fail

    XD

  33. Nitori says:

    TPM is too ambiguous and was going to be broken esp if it’s used as DRM.
    That makes a security platform too big a target to the point it should be considered insecure.
    Maybe people who need high security should use something like truecrypt along with something like an ibutton for the encryption keys that can be removed from the computer to be secured.

    That way if a laptop is stolen they can’t get the data if they don’t have the ibutton as well.
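The arrangement Nitori describes, with the unlock key split between the machine and a removable token so that neither half on its own is enough, as an added illustration that is not part of the original post and not the actual mechanism of TrueCrypt, iButtons or any TPM. The chip-held secret, the token-held secret, the salt and the HKDF-style derivation are assumptions of this example; a real deployment would feed the derived key into a disk cipher, which is left out here to keep the block standard-library only:

```python
import hashlib
import hmac

# Constructed sample secrets for the demonstration only. In a real deployment
# CHIP_SECRET would live inside the security chip and TOKEN_SECRET on the
# removable token; neither would be hard-coded anywhere.
CHIP_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
TOKEN_SECRET = bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddccbbaa99887766554433221100")
SALT = b"example-volume-salt"  # constructed; would be random per volume


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869) with HMAC-SHA256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm = b""
    block = b""
    counter = 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_volume_key(chip_secret: bytes, token_secret: bytes, salt: bytes) -> bytes:
    """Both halves go into the KDF; omitting or guessing one yields an unrelated key."""
    return hkdf_sha256(chip_secret + token_secret, salt, b"volume-key")


def make_verifier(volume_key: bytes) -> bytes:
    """Value stored beside the encrypted volume so the unlock path can detect a
    wrong key without revealing the key itself."""
    return hmac.new(volume_key, b"volume-key-check", hashlib.sha256).digest()


def unlock(chip_secret: bytes, token_secret: bytes, salt: bytes, verifier: bytes) -> bool:
    candidate = derive_volume_key(chip_secret, token_secret, salt)
    return hmac.compare_digest(make_verifier(candidate), verifier)


def demo() -> dict:
    """Shows which combinations of the two halves actually open the volume."""
    verifier = make_verifier(derive_volume_key(CHIP_SECRET, TOKEN_SECRET, SALT))
    return {
        "both_present": unlock(CHIP_SECRET, TOKEN_SECRET, SALT, verifier),
        # The scenario in the article: chip contents read out, token still in a pocket.
        "chip_only": unlock(CHIP_SECRET, b"", SALT, verifier),
        # Token lost or stolen, laptop (and its chip) left behind.
        "token_only": unlock(b"", TOKEN_SECRET, SALT, verifier),
        # Chip contents read out and a guessed token value tried.
        "wrong_token": unlock(CHIP_SECRET, bytes(32), SALT, verifier),
    }


if __name__ == "__main__":
    print(demo())
```

The point this makes beyond the comment is that the verifier can be stored in the clear: it lets the machine reject a wrong combination but gives an attacker holding only the chip's half nothing to work with except a brute-force search over the token's half.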

  34. flyer9384 says:

    I want to know if anybody can locate and deactivate a chip implant.
    I would be very thankful for your help.
