AMD’s TPM Hacked: faulTPM Attack Defeats BitLocker and TPM-Based Security
a new paper Released by security researchers at the Technical University of Berlin, AMD’s firmware-based Trusted Platform Module (fTPM/TPM) has been completely compromised by a voltage fault injection attack, giving full access to encrypted data held within the fTPM. It became clear that access to Ultimately, attackers can completely compromise applications such as her BitLocker and encryption that rely solely on TPM-based security.
Researchers accomplished this feat using off-the-shelf components costing around $200 to attack AMD’s Platform Security Processor (PSP) found in Zen 2 and Zen 3 chips. The report did not identify whether Zen 4 CPUs were vulnerable, and the attack would require physical access to the machine for “several hours.” Researchers also Share attack code on GitHub A list of inexpensive hardware used in the attack.
This report is especially relevant now that Microsoft has added the TPM to the Windows 11 system requirements. The move was resisted due to its negative impact on game performance even when working correctly, and severe stuttering issues when not working. Yes, the TPM requirement can be easily circumvented. Still, Microsoft’s push for this feature has increased the number of applications that rely solely on his TPM 2.0 for security features, thus increasing the cross-section of applications vulnerable to the new faultTPM hack.
While the discrete TPM connects to the motherboard and communicates with the processor for security, the external bus between the CPU and TPM has proven to be hackable in several different ways. As such, a firmware TPM (fTPM) was created to embed functionality inside the chip, providing TPM 2.0-class security without exposing hackable interfaces to attackers.
The faultTPM attack focuses on attacking the fTPM, which to our knowledge has never been possible before. As you can see from the diagram above, on his Lenovo Ideapad 5 Pro system, which the researcher used to carry out the attack, this was no trivial task and would have taken hours of physical access to the machine. increase. However, for nation-states or top level espionage or corporate espionage, this is fairly easy to achieve.
Here you can see multiple connections to the power supply, the BIOS SPI chip, and the SVI2 bus (power management interface) that the researchers used on Lenovo subjects. These connections are used to perform voltage fault injection attacks against the PSP present in Zen 2 and Zen 3 CPUs, revealing chip-specific secrets that allow decryption of objects stored within the TPM. Get Here is a step-by-step attack method:
- Back up the BIOS flash image using an SPI flash programmer.
- Connect fault injection hardware and determine attack parameters (4.1)
- Compile and deploy a payload that extracts a key derivation secret (4.3)
- Launch a logic analyzer to capture the extracted key derivation secret via SPI.
- Initiates an attack cycle on the targeted machine until the payload is successfully executed
- Use amd-nv-tool to parse and decrypt NVRAM using BIOS ROM backup and payload output.
- Extract and decrypt the TPM object protected by this fTPM using amd ftpm unseal
The researchers were able to gain full access to the TPM and the data sealed inside and compromise BitLocker full disk encryption (FDE) on the device. As you can imagine, this gives you full access and control over your device and all the data it contains in a relatively short period of time.
By default, BitLocker uses a TPM-only mechanism to store keys, but users can manually enable PIN settings and assign PIN codes that work in conjunction with TPM-based mechanisms. However, these PIN codes are not enabled by default and are vulnerable to brute force attacks. His simple numeric PIN is relatively easy to crack, while a more rigorous text-based passphrase is harder to crack.
As mentioned earlier, this attack also exposes applications that use only TPM-based security, but applications with multiple security layers are more secure.
Researchers claim that mitigating this attack vector is not easy due to voltage fault injection, so the earliest interception point for AMD to fix the issue is likely in its next-generation CPU microarchitecture. It is considered. According to researchers, Intel’s Converged Security and Manageability Engine (CSME) prevents this type of attack.
I have not seen any formal communication from AMD regarding this issue, so it appears that this release is not part of an industry-standard Coordinated Disclosure. We reached out to AMD to find out more about this attack and if they have mitigation plans. Update as needed.