AMD’s TPM Hacked: faulTPM Attack Defeats BitLocker and TPM-Based Security

According to a new paper released by security researchers at the Technical University of Berlin, AMD’s firmware-based Trusted Platform Module (fTPM) has been fully compromised by a voltage fault injection attack that gives full access to the encrypted data held within the fTPM. Ultimately, attackers can completely compromise applications such as BitLocker and any other encryption that relies solely on TPM-based security.
The researchers accomplished this using off-the-shelf components costing around $200 to attack AMD’s Platform Security Processor (PSP) found in Zen 2 and Zen 3 chips. The report did not identify whether Zen 4 CPUs are vulnerable, and the attack requires physical access to the machine for “several hours.” The researchers have also shared the attack code on GitHub, along with a list of the inexpensive hardware used in the attack.
This report is especially relevant now that Microsoft has added the TPM to the Windows 11 system requirements. The move was resisted because of its negative impact on game performance even when working correctly, and severe stuttering issues when not working. Yes, the TPM requirement can be easily circumvented. Still, Microsoft’s push for this feature has increased the number of applications that rely solely on TPM 2.0 for security features, and thus the cross-section of applications vulnerable to the new faulTPM hack.
While the discrete TPM connects to the motherboard and communicates with the processor for security, the external bus between the CPU and TPM has proven to be hackable in several different ways. As such, a firmware TPM (fTPM) was created to embed functionality inside the chip, providing TPM 2.0-class security without exposing hackable interfaces to attackers.
The faulTPM attack targets the fTPM, which to our knowledge had never been done before. As the diagram above shows, on the Lenovo Ideapad 5 Pro system the researchers used to carry out the attack, this was no trivial task and required hours of physical access to the machine. For nation-states or top-level espionage or corporate espionage, however, this is fairly easy to achieve.
Here you can see the multiple connections to the power supply, the BIOS SPI chip, and the SVI2 bus (power management interface) that the researchers used on the Lenovo test system. These connections are used to perform voltage fault injection attacks against the PSP present in Zen 2 and Zen 3 CPUs, revealing chip-specific secrets that allow decryption of objects stored within the TPM. Here is the step-by-step attack method the researchers describe:
- Back up the BIOS flash image using an SPI flash programmer.
- Connect fault injection hardware and determine attack parameters (4.1)
- Compile and deploy a payload that extracts a key derivation secret (4.3)
- Launch a logic analyzer to capture the extracted key derivation secret via SPI.
- Initiate an attack cycle on the targeted machine until the payload is successfully executed
- Use amd-nv-tool to parse and decrypt NVRAM using BIOS ROM backup and payload output.
- Extract and decrypt the TPM object protected by this fTPM using amd ftpm unseal
The researchers were able to gain full access to the TPM and the data sealed inside and compromise BitLocker full disk encryption (FDE) on the device. As you can imagine, this gives you full access and control over your device and all the data it contains in a relatively short period of time.
By default, BitLocker uses a TPM-only mechanism to store keys, but users can manually enable PIN settings and assign PIN codes that work in conjunction with the TPM-based mechanism. However, these PIN codes are not enabled by default and are vulnerable to brute force attacks. A simple numeric PIN is relatively easy to crack, while a more rigorous text-based passphrase is harder to crack.
As mentioned earlier, this attack also exposes applications that use only TPM-based security, but applications with multiple security layers are more secure.
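The practical takeaway for defenders is to find volumes still in the TPM-only configuration and move them to TPM+PIN (ideally with an enhanced, passphrase-style PIN). The following PowerShell is an added example, not code from the article or from the faulTPM researchers; it assumes an elevated session on Windows with the built-in BitLocker module cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector, Remove-BitLockerKeyProtector), the standard BitLocker policy registry path under HKLM:\SOFTWARE\Policies\Microsoft\FVE, and that the operator chooses the PIN:

```powershell
# Added example (not from the article or the faulTPM paper): audit BitLocker
# volumes for the TPM-only configuration the article describes as exposed, and
# move them to TPM+PIN. Requires an elevated PowerShell session on Windows.
# Assumptions: the BitLocker module cmdlets and the standard BitLocker policy
# registry path below; the PIN itself is chosen by the operator.

$FvePolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'

function Get-TpmOnlyBitLockerVolume {
    # Returns volumes whose only TPM-backed protector is a bare TPM protector,
    # i.e. no PIN or startup key is needed to release the volume master key.
    Get-BitLockerVolume | Where-Object {
        $types = $_.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() }
        ($types -contains 'Tpm') -and
        -not ($types | Where-Object { $_ -in 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey' })
    }
}

function Enable-BitLockerTpmPinPolicy {
    # Local-policy equivalent of "Require additional authentication at startup"
    # with a PIN required, plus "Allow enhanced PINs for startup" so the PIN can
    # be a full passphrase rather than digits only (needs pre-boot keyboard support).
    if (-not (Test-Path $FvePolicyPath)) { New-Item -Path $FvePolicyPath -Force | Out-Null }
    Set-ItemProperty -Path $FvePolicyPath -Name UseAdvancedStartup -Value 1 -Type DWord
    Set-ItemProperty -Path $FvePolicyPath -Name UseTPM             -Value 0 -Type DWord  # 0 = TPM-only not allowed
    Set-ItemProperty -Path $FvePolicyPath -Name UseTPMPIN          -Value 1 -Type DWord  # 1 = TPM+PIN required
    Set-ItemProperty -Path $FvePolicyPath -Name UseEnhancedPin     -Value 1 -Type DWord
}

function Set-BitLockerTpmPin {
    param(
        [Parameter(Mandatory)] [string] $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    # A recovery password protector is the safety net if the PIN is forgotten;
    # refuse to change protectors without one.
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $hasRecovery = $vol.KeyProtector | Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' }
    if (-not $hasRecovery) {
        throw "$MountPoint has no recovery password protector; add one and back it up first."
    }

    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null

    # Remove any bare TPM protector that remains so the volume can no longer be
    # unlocked by the TPM alone.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}

# Usage (interactive, elevated):
#   Get-TpmOnlyBitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus
#   Enable-BitLockerTpmPinPolicy
#   Set-BitLockerTpmPin -MountPoint 'C:' -Pin (Read-Host -AsSecureString 'New BitLocker PIN')
```

The policy change only affects protectors created afterwards, which is why the script also replaces the existing TPM-only protector explicitly; back up the recovery password (for example to Active Directory or the user's Microsoft account) before running it, since a mistyped PIN at the next boot will fall back to recovery.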
The researchers say that mitigating this attack vector is not easy because it relies on voltage fault injection, so the earliest point at which AMD could fix the issue is likely its next-generation CPU microarchitecture. According to the researchers, Intel’s Converged Security and Manageability Engine (CSME) prevents this type of attack.
We have not seen any formal communication from AMD regarding this issue, so this release does not appear to be part of an industry-standard coordinated disclosure. We reached out to AMD to find out more about this attack and whether it has mitigation plans, and will update this article as needed.