AMD fTPM hacked

porina


Summary

AMD's fTPM module in Zen 2 and Zen 3 CPUs has been hacked and data from it can be extracted, allowing an attacker access to anything solely relying on it for protection. This attack does require physical access to the device, so basically you can't rely on it if your laptop gets stolen, for example.

 

Quotes

Quote

A new paper released by security researchers at the Technical University of Berlin reveals that AMD's firmware-based Trusted Platform Module (fTPM / TPM) can be fully compromised via a voltage fault injection attack, thus allowing full access to the cryptographic data held inside the fTPM. Ultimately this allows an attacker to fully compromise any application or encryption, like BitLocker, that relies solely upon TPM-based security. 

 

My thoughts

With Microsoft's move to require TPM for Windows 11 to increase security, this is going to be a small setback. It will still work as long as you retain physical control of the affected device, but you can't rely on it if an attacker gets prolonged physical access, such as if your laptop gets stolen. For most people this probably won't change anything significant. If you have data that can't get leaked, additional measures such as strong encryption independent of the TPM could still be required.

 

Sources

https://www.tomshardware.com/news/amd-tpm-hacked-faultpm

https://arxiv.org/abs/2304.14717

 

Main system: i9-7980XE, Asus X299 TUF mark 2, Noctua D15, Corsair Vengeance Pro 3200 3x 16GB 2R, RTX 3070, NZXT E850, GameMax Abyss, Samsung 980 Pro 2TB, Acer Predator XB241YU 24" 1440p 144Hz G-Sync + HP LP2475w 24" 1200p 60Hz wide gamut
Gaming laptop: Lenovo Legion 5, 5800H, RTX 3070, Kingston DDR4 3200C22 2x16GB 2Rx8, Kingston Fury Renegade 1TB + Crucial P1 1TB SSD, 165 Hz IPS 1080p G-Sync Compatible


18 minutes ago, porina said:

thus allowing full access to the cryptographic data held inside the fTPM

Ouch, like mega ouch.

 

Also did they bother to notify AMD before disclosing?


6 minutes ago, leadeater said:

Ouch, like mega ouch.

 

Also did they bother to notify AMD before disclosing?

Would be a dick move if they didn't.

 

Still though, seeing the setup I reckon the regular run-of-the-mill laptop thief isn't gonna be able to replicate this.


24 minutes ago, porina said:

It will still work as long as you retain physical control of the affected device, but you can't rely on it if an attacker gets prolonged physical access, such as if your laptop gets stolen.

Isn't this the entire point of the TPM though? It was designed to help protect against attacks when the attacker has physical access, like when a laptop gets stolen or say a console for checking patient records at a hospital, AFAIK it does next to nothing for remote attacks when you do retain physical control over the device. 

 

To me it seems like the only people who this doesn't affect are the people who didn't need a TPM in the first place. This is massive. 


Nothing is safe, even the backdoor inside your PC going to the FBI. Just kidding, I was just eating some tinfoil hats (but tell me when it happens).


Lol, I've known about this for a few years.
On these you can also just modify the UEFI and you do not affect Secure Boot, the TPM, or BitLocker.

You could technically create malware that you load into the UEFI and flash it on. There is nothing stopping you and it will not be detected by the user or anything.
For Intel since about 4th gen, it is not possible.


44 minutes ago, RONOTHAN## said:

Isn't this the entire point of the TPM though? It was designed to help protect against attacks when the attacker has physical access, like when a laptop gets stolen or say a console for checking patient records at a hospital, AFAIK it does next to nothing for remote attacks when you do retain physical control over the device. 

 

To me it seems like the only people who this doesn't affect are the people who didn't need a TPM in the first place. This is massive. 

*HIPAA compliance screeching noises*

Ryzen 7950x3D PBO +200MHz / -15mV curve CPPC in 'prefer cache'

RTX 4090 @133%/+230/+1000

Builder/Enthusiast/Overclocker since 2012  //  Professional since 2017


1 hour ago, porina said:

Ultimately this allows an attacker to fully compromise any application or encryption, like BitLocker, that relies solely upon TPM-based security. 

When I read the first post I was like "What? Bitlocker uses two keys. Why would the user key be stored in the fTPM?".

Turns out you can use Bitlocker without a user key. So ... don't do that and use a user key for encryption. The term "solely" might be a little bit exaggerated.

 

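The distinction dasMaddin draws above (TPM-only versus TPM plus a user key) is just a question of which key protectors a BitLocker volume carries. The script below is an added example for this thread, not code from the post, from AMD or from the faulTPM paper. It prints the TPM manufacturer reported by Windows, lists every BitLocker volume with its protector types, flags volumes that are unlocked by the TPM alone (a bare Tpm protector, with or without a RecoveryPassword), and can swap that bare protector for TPM+PIN. The function names are mine; the cmdlets are the stock BitLocker and TrustedPlatformModule modules, and it must run in an elevated PowerShell session.

```powershell
# Added example for this thread; not code from the post, from AMD or from the
# faulTPM paper. Audits BitLocker key protectors and reports volumes that are
# unlocked by the TPM alone (the configuration the paper breaks), then
# optionally replaces that bare TPM protector with TPM+PIN. Run elevated on
# Windows; Get-Tpm and the BitLocker cmdlets ship with the OS.

function Get-TpmSummary {
    $tpm = Get-Tpm
    [pscustomobject]@{
        Present      = $tpm.TpmPresent
        Ready        = $tpm.TpmReady
        Manufacturer = $tpm.ManufacturerIdTxt    # "AMD " on an AMD fTPM
        Version      = $tpm.ManufacturerVersion
    }
}

# Protector types that add a factor the TPM itself does not hold.
$SecondFactorTypes = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey', 'Password'

function Get-TpmOnlyVolumes {
    Get-BitLockerVolume | ForEach-Object {
        # Normalise the enum values to strings so the comparisons are unambiguous.
        $types = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $hasSecondFactor = @($types | Where-Object { $_ -in $SecondFactorTypes }).Count -gt 0
        [pscustomobject]@{
            MountPoint = $_.MountPoint
            Status     = $_.VolumeStatus
            Protectors = ($types -join ', ')
            # RecoveryPassword is recovery material, not an unlock gate, so a
            # volume with only Tpm + RecoveryPassword is still TPM-only.
            TpmOnly    = ($types -contains 'Tpm') -and -not $hasSecondFactor
        }
    }
}

function Set-TpmPinProtector {
    param(
        [Parameter(Mandatory)] [string]       $MountPoint,
        [Parameter(Mandatory)] [securestring] $Pin
    )
    $before = Get-BitLockerVolume -MountPoint $MountPoint
    # Add the TPM+PIN protector first and only then remove the bare TPM
    # protector, so the volume is never left without a TPM-bound protector
    # if the first step fails.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $Pin | Out-Null
    $before.KeyProtector |
        Where-Object { "$($_.KeyProtectorType)" -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
    Get-TpmOnlyVolumes | Where-Object MountPoint -eq $MountPoint
}

Get-TpmSummary | Format-List
Get-TpmOnlyVolumes | Format-Table -AutoSize

# To convert the OS volume, uncomment the two lines below.
# Read-Host -AsSecureString hides the PIN as it is typed.
# $pin = Read-Host -AsSecureString 'New BitLocker PIN'
# Set-TpmPinProtector -MountPoint 'C:' -Pin $pin
```

Two caveats when using it. Add-BitLockerKeyProtector with -TpmAndPinProtector fails unless Group Policy allows a startup PIN: on an unmanaged machine open gpedit.msc, go to Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive Encryption > Operating System Drives, enable "Require additional authentication at startup" and, if you want letters in the PIN, "Allow enhanced PINs for startup". And a PIN only helps as far as its own strength goes: normally the TPM's anti-hammering lockout is what stops someone guessing it, but once an attacker can read the fTPM's secrets out, that lockout is no longer enforced and the PIN can be tried offline against the extracted material. A four-digit PIN therefore buys little; use a long enhanced PIN or passphrase, or keep the second factor off the device entirely with a startup key on USB.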

3 hours ago, RollinLower said:

would be a dick move if they didn't. 

 

still though, seeing the setup i recon the regular run of the mill laptop-thief isn't gonna be able to replicate this.

Honestly, whenever I see these papers that talk about vulnerabilities that require physical access I always think that if they get physical access to the device it's likely going to be an issue no matter what, regardless of an attack vector like this. Also I doubt your average person would even bother to abuse this as it seems like it isn't super easy to use.


Zen 4 won't be an issue as it has Pluton to mitigate (once utilized)


9 hours ago, RONOTHAN## said:

It was designed to help protect against attacks when the attacker has physical access,

If the key to the lock is stored with said lock, it doesn't matter how hard people make it to get to said key; with enough time, patience and will, it will be cracked.

*Insert Witty Signature here*

System Config: https://au.pcpartpicker.com/list/Tncs9N

 


Maybe I don't understand it, but what exactly does this hack allow attackers to get access to if they already have access to your device? I used to use BitLocker and I don't actually ever remember needing to put in a password to open any folders.

🌲🌲🌲

 

 

 

◒ ◒ 


8 minutes ago, Arika S said:

maybe i don't understand it. but what exactly does this hack allow attackers to get access to if they already have access to you device? I used to use bitlocker and i don't actually ever remember needing to put in a password to open any folders.

If the laptop is logged off and they want access to data, they can now decrypt everything and pull data off the drives, without wiping the drives.

 

And BitLocker locks the drive when the wrong password is input too many times at logon or if a hardware change is made. So if you just log in to Windows normally and do not change hardware, you will never have to (BitLocker) unlock your drive.

PC Setup: 

HYTE Y60 White/Black + Custom ColdZero ventilation sidepanel

Intel Core i7-10700K + Corsair Hydro Series H100x

G.SKILL TridentZ RGB 32GB (F4-3600C16Q-32GTZR)

ASUS ROG STRIX RTX 3080Ti OC LC

ASUS ROG STRIX Z490-G GAMING (Wi-Fi)

Samsung EVO Plus 1TB

Samsung EVO Plus 1TB

Crucial MX500 2TB

Crucial MX300 1TB

Corsair HX1200i

 

Peripherals: 

Samsung Odyssey Neo G9 G95NC 57"

Samsung Odyssey Neo G7 32"

ASUS ROG Harpe Ace Aim Lab Edition Wireless

ASUS ROG Claymore II Wireless

ASUS ROG Sheath BLK LTD'

Corsair SP2500

Beyerdynamic TYGR 300R + FiiO K7 DAC/AMP

RØDE VideoMic II + Elgato WAVE Mic Arm

 

Racing SIM Setup: 

Sim-Lab GT1 EVO Sim Racing Cockpit + Sim-Lab GT1 EVO Single Screen holder

Svive Racing D1 Seat

Samsung Odyssey G9 49"

Simagic Alpha Mini

Simagic GT4 (Dual Clutch)

CSL Elite Pedals V2

Logitech K400 Plus


8 hours ago, Brooksie359 said:

Honestly whenever I see these papers who talk about vulnerabilities that require physical access I always think that if they get physical access to the device it's likely going to be an issue no matter what regardless of an attack vector like this.

2 hours ago, Salv8 (sam) said:

if the key to the lock is stored with said lock it doesn't matter how hard people make it to get to said key, with enough time, patience and will, it will be cracked.

This is a very bad mentality to have and is very wrong as well.

Physical access does not, and should not, be seen as being defeated. Proper security implementations will be resistant to attacks even if someone gets hold of your device. The iPhone is a great example of really well-implemented security that is resistant to attacks even if someone has the device. There have been some cracks in the defense shown in the past, but those have been fixed.

 

 

 

8 hours ago, Brooksie359 said:

Also I doubt your average person would even bother to abuse this as it seems like it isn't super easy to use. 

11 hours ago, RollinLower said:

still though, seeing the setup i recon the regular run of the mill laptop-thief isn't gonna be able to replicate this.

For the average person, I don't think this is a big deal. I don't like that someone has to rely on the ignorance of a thief for protection but chances are a thief will just wipe the device anyway and resell it or whatnot. But this is very bad news because this is an important security function that is relied on in high-stakes situations. Governmental systems (servers as well as end devices like laptops) and infrastructure are two places that are targets for large organizations (international spies for example) which might now have a way to bypass some defenses.

 

It's a very serious situation.

 

Also, don't underestimate how quickly some things become easier and faster to do. I don't remember the exact details, but the equipment required to sniff old cellular signals used to be said to be too expensive and complicated so encryption wasn't needed (or the encryption was weak but deemed good enough). Then like 2 years later you could buy kits that did it, with short instructions for exactly how to do it for like 100 dollars.

For all we know, in a few years, you might be able to buy an "AMD fTPM hacking kit" for like 100 dollars on eBay that comes with easy-to-follow step-by-step instructions.


2 minutes ago, BetteBalterZen said:

If the laptop is logged off and they want access to data, they can now decrypt everything and pull data off the drives, without wiping the drives.

 

And Bitlocker locks the drive when wrong password is input too many times at logon or if a hardware change is made. So if you just login to Windows normally and do not change hardware, you will never have to (Bitlocker) unluck your drive. 

ooooh, ouch.

 

Wonder if this is something that can be fixed via a microcode/firmware update, or if it's technically a hardware vulnerability in the "f"TPM.


Just now, Arika S said:

ooooh, ouch.

 

wonder if this is something that can be fixed via a microcode/firmware update, or if it's technically a hardware vulnerability in the "f"TPM.

Yeah I wonder too. 


49 minutes ago, BetteBalterZen said:

Yeah I wonder too. 

Damn hope so. That's part of why i want to know when/if AMD was told about this.


1 minute ago, leadeater said:

Damn hope so. That's part of why i want to know when/if AMD was told about this.

Yeah true


13 hours ago, RollinLower said:

still though, seeing the setup i recon the regular run of the mill laptop-thief isn't gonna be able to replicate this.

It won't take long to condense it down into a single USB-connected/powered board... (is it just me, or does this resemble what mod chips are doing with the Xbox 360?)


14 hours ago, porina said:

It will still work as long as you retain physical control of the affected device

If you have physical control of the device attack vectors are significantly reduced anyway; the whole point of hardware encryption is supposed to be protecting from physical attacks.

Don't ask to ask, just ask... please 🤨

sudo chmod -R 000 /*


Hm well, still though, anything can become vulnerable really.

Remember lately the whole iPhone complete data breach, just from knowing a freaking PIN being able to reset and do anything; like, how does this come to pass?

| Ryzen 7 7800X3D | AM5 B650 Aorus Elite AX | G.Skill Trident Z5 Neo RGB DDR5 32GB 6000MHz C30 | Sapphire PULSE Radeon RX 7900 XTX | Samsung 990 PRO 1TB with heatsink | Arctic Liquid Freezer II 360 | Seasonic Focus GX-850 | Lian Li Lanccool III | Mousepad: Skypad 3.0 XL / Zowie GTF-X | Mouse: Zowie S1-C | Keyboard: Ducky One 3 TKL (Cherry MX-Speed-Silver)Beyerdynamic MMX 300 (2nd Gen) | Acer XV272U | OS: Windows 11 |


10 hours ago, BetteBalterZen said:

If the laptop is logged off and they want access to data, they can now decrypt everything and pull data off the drives, without wiping the drives.

 

And Bitlocker locks the drive when wrong password is input too many times at logon or if a hardware change is made. So if you just login to Windows normally and do not change hardware, you will never have to (Bitlocker) unluck your drive. 

If it's external, and you shut it off or disconnect it, you will need to input your password unless you specify an auto-unlock. 

"It pays to keep an open mind, but not so open your brain falls out." - Carl Sagan.

"I can explain it to you, but I can't understand it for you" - Edward I. Koch


Just now, Godlygamer23 said:

If it's external, and you shut it off or disconnect it, you will need to input your password unless you specify an auto-unlock. 

Oh okay, fair enough


I mean, to be clear, this has already been possible for years with standalone TPM modules using a similar method to this. The source code for that is also available on github, and the process can be done with a cheap $40 FPGA.

 

Is it bad that fTPM is hacked? Yeah. But also no. Because realistically, anyone who considers this sort of an attack as a serious threat won't have been trusting TPM already.

CPU: i7 4790k, RAM: 16GB DDR3, GPU: GTX 1060 6GB


18 hours ago, leadeater said:

Damn hope so. That's part of why i want to know when/if AMD was told about this.

AMD has known about this bad-nasty since the Nov 2021 ACM CCS.

One Glitch to Rule Them All: Fault Injection Attacks Against AMD's Secure Encrypted Virtualization

Robert Buhren (Technische Universität Berlin); Hans-Niklas Jacob (Technische Universität Berlin); Thilo Krachenfels (Technische Universität Berlin); Jean-Pierre Seifert (Technische Universität Berlin)
