TPM Cryptography Cracked

Trusted Platform Module-based cryptography protects your secrets as well as your government’s secrets. Well, it used to. [Christopher Tarnovsky] figured out how to defeat the hardware by spying on its internal communications. The attack requires physical access to the chip, so it is not quite as bad as it sounds, but it reaches beyond the TPM to many of the security chips made by Infineon, including the peripheral security chips in the Xbox 360 and chips used in cell phones and satellite TV receivers.

[Christopher] revealed his hack during his presentation at Black Hat 2010. The method is wicked hard: it involves removing the chip’s case and top layer, then tapping into an internal data bus to read the data before it is ever encrypted. The chip still has some tricks up its sleeve, including firmware traps that watch for exactly this type of attack and shut the chip down if it is detected. Infineon commented that they knew this was possible but regard it as a low threat because of the high skill level needed to pull it off.

[Thanks Greg]

36 thoughts on “TPM Cryptography Cracked”

  1. Doesn’t sound like it’s a big deal. The method to crack the TPM device was not covered under the threat model it was designed against, so it’s basically a known weakness that’s infeasible in real life.

  2. Since when is security through obscurity a good idea?

    This is the same security philosophy we’ve seen over and over already with the predator drones, the telephone networks of previous decades, the first cell phones, and with the recovery questions on Palin’s email account. I could go on and on with examples about how bad an idea this is.

  3. Carl, it is not at all the same as security through obscurity. The physical remoteness of the internal workings of the device *is* a security feature. Saying this is security through obscurity is like saying that concrete bunkers are security through obscurity because they could potentially be burrowed under. No security system is 100% effective, it’s always a trade off between cost and how difficult it is to break.

  4. TPM should take a page from iButtons (the crypto Java ones). They actually put a screen inside the can to detect this type of thing, along with a battery good for about 10 years. If a probe breaks the very fine screen it blanks the memory, i.e. it self-destructs.

    I am sure there are other ways to create self-erasing chips etc., so why did they know about this “one in a million” exploit and STILL not apply a few extra moments’ consideration to the value of the data they would be protecting?

    Check out

    shows how ;)

  5. Same old security problem. The need to stay one step ahead of the thieves. Chances are that Tarnovsky isn’t the only one who has done this to date, but now that it’s known it’s possible, many more will be attempting it. The more people spending time attempting it, the more likely the process will be streamlined. Reads like access to many of the protected computers isn’t a problem. Those who stand to lose revenue because of hacked security are those who will drive improvements in security, and are probably second to the government in doing so. Interesting stuff, though I don’t have an immediate direct concern in the issue.

  6. Chip level there isn’t much but obscurity to rely on, supposing you want to advance a security model that doesn’t rely on simply keeping 140 bits or so in your brain (not that I don’t, but non-feasible for normals). But of course it won’t protect against anyone with a chip lab or the odd dude with an insulin syringe and lots of hardware knowledge. Governments? Forget it. Now can we have the nagra 3 softemud? Pretty please?

  7. This guy is famous for probing chips. Not only does one need physical access to the chip, the chip is physically taken apart in the process. Very unlikely that this can be done surreptitiously and completely outside of the fault-model for the TPM.

    In most cases, if you had this sort of access to a TPM, then there are easier attacks against the hardware that would get you where you wanted to go.

    Wired did a great video of how he does his work. Can’t wait to see a video of his presentation.

  8. I remember a site that detailed the process of getting secure code off of various locked microcontrollers. It involved methods similar to the ones Tarnovsky used. Anyone know the name of the site? I can’t seem to find it anymore.

  9. [quote]Infineon commented that they knew this was possible but regard it as a low threat due to the high skill level necessary for success.[/quote]

    Quite ironic that Infineon does not think that hackers etc. have a set of high skills … think again, Infineon. I’ll bet you, Infineon, that if you think you can hack / crack it, then there will be someone else in the outside world that can do the same.

  10. Something else to consider is that while it gave him info on that specific chip, it does not mean that he could take the information and use it to open another TPM chip from the same manufacturer. They often contain keys that are unique for each IC produced, so TPM still remains viable.

    I saw a video once where they were producing security ICs, and when the dies were created there were a group of 32 connections left unconnected. In the final stage those 32 connections were connected by a machine in a manner that made the internal key unique to that single chip.

  11. Meaning the attacks will be easily traceable to a small group of skilled individuals with even further individualized finished products (melt depth, bus connection) which is again further reduced by individuals that will find another much easier chink in the armor in a peripheral’s flaw? How will they ever find them lol?

  12. Why is protective foil still covering the heatsink in that image? (Shiny, scratch-free heatsink ornaments? What has the hardware business come to…)

    @Mike Szczys: Your continuing efforts to spellcheck the posts are appreciated. However, you shouldn’t forget the title. ;)

  13. There’s a term called “Realistic Threat Evaluation” which seems to be missing here. TPM will decrease the mundane percentages of “Threat” compared to not using it. If someone is in a situation where their data being compromised warrants Flylogic’s level of destructive entry? Then they may consider using multiple layers of better total practices. Like simple prevention of any access to any devices holding risky data. Anything humans have developed “can and will” be compromised. All we can do is report excellent work like the TPM breach in a responsible fashion! As in – contact the no-longer “inviolate” device/system’s security officer to give them lead time for safe handling. Do that and you’re a Hero. If you skip the notification step, then publish/share an exploit that wreaks Havoc? Well, then you risk losing all claim to being of good ethics. And by extension that risks all legit Hackerdom being tarred as indefensible criminals.. Think it over damned carefully eh?

  14. I have been doing crypto security for years. I know of only ONE perfect tried and true crypto system. One time pads. Even then, if you use them incorrectly, they will even be cracked. So no matter what you use, it comes down to following correct protocols.

    Pretty damn sure that if someone is able to come in, take your chip apart, that the actual breaking of this crypto system is the LEAST of your problems. Your physical security of your information is paramount, even to the security of your crypto hardware, or software.

    Might want to call Schlage, and someone to watch the place a little bit better. If you do this, then the hacking of the chip and the cracking of the crypto is going to be beyond the capabilities of most. This makes the hack/crack nice to know, but not realistically possible if you are paying attention. If your physical security is good, the only person going to get this done is James Bond, and Ian Fleming is not writing much these days.
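Comment 14’s point that a one-time pad is perfect only until it is used incorrectly deserves a concrete illustration. The Python below is an example added here, not the commenter’s code and not anything from the original post; the two sample messages are constructed for the demo and the pad is generated locally. It shows the mistake that matters most in practice, reusing the pad for a second message, and how an eavesdropper exploits that without ever learning the pad.

```python
"""A one-time pad is unbreakable only while each pad is used exactly once.
Added example (not from the page): reuse a pad for two messages and an
eavesdropper can cancel it out and read plaintext from guessed words alone."""
import os
from typing import Optional


def otp_xor(data: bytes, pad: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing with a pad of equal length."""
    if len(pad) != len(data):
        raise ValueError("pad must be exactly as long as the message")
    return bytes(a ^ b for a, b in zip(data, pad))


def consistent_pad(ciphertext: bytes, claimed_plaintext: bytes) -> bytes:
    """Why a single-use pad is perfectly secret: for ANY plaintext of the right
    length there exists a pad that decrypts the ciphertext to it, so the
    ciphertext on its own tells an attacker nothing about which one was sent."""
    return otp_xor(ciphertext, claimed_plaintext)


def cancel_reused_pad(ct1: bytes, ct2: bytes) -> bytes:
    """Two ciphertexts under one pad: c1 ^ c2 = (p1 ^ k) ^ (p2 ^ k) = p1 ^ p2.
    The pad drops out; what remains depends only on the two plaintexts."""
    return otp_xor(ct1, ct2)


def crib_drag(p1_xor_p2: bytes, crib: bytes) -> list:
    """Slide a guessed fragment of one message (a 'crib') across p1 ^ p2.
    Wherever the guess is right, XORing it back out exposes the OTHER message
    at that offset. Offsets whose result is printable ASCII are kept as
    candidates; the analyst then extends the crib from what was revealed."""
    hits = []
    for off in range(len(p1_xor_p2) - len(crib) + 1):
        window = p1_xor_p2[off:off + len(crib)]
        candidate = bytes(a ^ b for a, b in zip(window, crib))
        if all(32 <= c < 127 for c in candidate):
            hits.append((off, candidate.decode("ascii")))
    return hits


# Constructed sample traffic, invented for this example (same length on purpose).
MSG1 = b"TRANSFER 40000 USD TO ACCOUNT 77120"
MSG2 = b"MEETING MOVED TO FRIDAY 0900 ROOM 4"


def demo(pad: Optional[bytes] = None) -> dict:
    """Encrypt both messages under ONE pad (the mistake), then break it."""
    if pad is None:
        pad = os.urandom(len(MSG1))  # a proper pad: random and full length
    ct1 = otp_xor(MSG1, pad)
    ct2 = otp_xor(MSG2, pad)
    mixed = cancel_reused_pad(ct1, ct2)
    # Guessing that one message contains "ACCOUNT" reveals the other message's
    # bytes at the same offset, with no knowledge of the pad at all.
    hits = crib_drag(mixed, b"ACCOUNT")
    # Once one plaintext is fully known or reconstructed, the other falls out.
    recovered = otp_xor(mixed, MSG2)
    return {
        "pad_cancels": mixed == otp_xor(MSG1, MSG2),
        "crib_hits": hits,
        "recovered_msg1": recovered,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run it directly and the pad is fresh random bytes each time, yet the recovery is identical every run, which is the whole point: the attack never touches the pad. The crib at offset 22 of the mixed stream exposes `Y 0900 ` from the second message, and an analyst would extend the guess outward from there.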

  15. @greycode: Hardware isolation specs and security bits don’t usually come with the chip unless you pay extra..just look at OMAP. Buyers don’t get any of the security specs.

    Even with current DRM dongles over half of them have OCD open on the chip.

  16. TPM is too ambiguous and was going to be broken esp if it’s used as DRM.
    That makes a security platform too big a target to the point it should be considered insecure.
    Maybe people who need high security should use something like truecrypt along with something like an ibutton for the encryption keys that can be removed from the computer to be secured.

    That way if a laptop is stolen they can’t get the data if they don’t have the ibutton as well.
