
AMD fTPM hacked

porina
7 minutes ago, StDragon said:

AMD has known about this bad-nasty since the Nov 2021 ACM CSS.

One Glitch to Rule Them All: Fault Injection Attacks Against AMD’s Secure Encrypted Virtualization (link to PDF)

Robert Buhren (Technische Universität Berlin); Hans-Niklas Jacob (Technische Universität Berlin); Thilo Krachenfels (Technische Universität Berlin); Jean-Pierre Seifert (Technische Universität Berlin)

So this is news now why? Hmmm


5 minutes ago, leadeater said:

So this is news now why? Hmmm

Because at the time fTPM exploitation wasn't known, only theorized. Well, now it's a fact; hence news-worthy.


Hate to say it, but this could hurt AMD in the Gov IT segment.

 

Meanwhile, Intel has its own problems with a new side-channel attack. So there's love to go all around. But AMD takes the trophy-of-fail for this one (for now).


3 minutes ago, StDragon said:

Hate to say it, but this could hurt AMD in the Gov IT segment.

 

Meanwhile, Intel has its own problems with a new side-channel attack. So there's love to go all around. But AMD takes the trophy-of-fail for this one (for now).

They fixed it in Zen 4, I thought.


19 minutes ago, StDragon said:

Hate to say it, but this could hurt AMD in the Gov IT segment.

 

Meanwhile, Intel has its own problems with a new side-channel attack. So there's love to go all around. But AMD takes the trophy-of-fail for this one (for now).

Maybe, maybe not. Intel's had multiple fTPM security flaws of their own, so as long as this one can be patched by AMD I don't see it having much effect. Funnily enough, the more issues you find and fix, the more secure it probably is, within reason of not being a total garbage starting point, heh.


There's an old saying: Physical access is root access.

 

I don't trust anything if someone gains physical access to my hardware. Even if the security holds, I still have to act as if it's compromised, because there's always a chance that it is.

 

My reaction to "someone stole my computer" would always be - "I need to change all of my passwords, I need to notify my bank and credit card company, I need to reset everything." So while this is bad, it doesn't actually change anything for what I would have to do if my computer were stolen.


2 hours ago, leadeater said:

Maybe, maybe not. Intel's had multiple fTPM security flaws of their own, so as long as this one can be patched by AMD I don't see it having much effect. Funnily enough, the more issues you find and fix, the more secure it probably is, within reason of not being a total garbage starting point, heh.

I'm not so sure this exploit can be patched with a firmware (AGESA) update for the PSP on-die.

However, I have an idea that should work to mitigate this attack. It would be to use a door or plunger switch (bottom of case) so that if the case is opened or lifted, it closes the circuit to a cable wired up to the CLRTC (Clear Real Time Clock, aka CMOS) jumper pins. That way, if someone were to take my PC, the CMOS settings would be cleared and the fTPM would fail to attest BitLocker. So without the recovery code, they can't access my data.

It's a somewhat ghetto work-around, but it's a DIY project that many on this forum should be able to handle.


Problem is most laptops will never update their BIOS/Firmware so this would stick around for years.


3 hours ago, leadeater said:

Intel's had multiple of their own fTPM security flaws

Are you sure about that? I did some quick Googling and couldn't find much. 

 

 

3 hours ago, YoungBlade said:

There's an old saying: Physical access is root access.

That's a very dumb and outdated saying. It's simply not true in 99.9% of cases if things are configured properly. Exploits like these are rare, hence why they are newsworthy.

The issue is that most people don't have things set up properly, especially not the average Windows user. 

 

 

2 hours ago, williamcll said:

Problem is most laptops will never update their BIOS/Firmware so this would stick around for years.

On the bright side, it seems like people update their UEFIs a lot more often on laptops than on desktops, because programs from Dell and the likes will do it for them. 

But that assumes this can be fixed with a software upgrade. 


26 minutes ago, LAwLz said:

Are you sure about that? I did some quick Googling and couldn't find much. 

Ah yeah, there's been plenty. I don't know how you managed to Google it and not find any, since various articles about them are literally on the first page of Google when you do.

 

Example "TPM-FAIL"/CVE-2019-0090

 

You do remember all the fuss about Intel IME and CSME a while ago? Yeah, all of those partly or completely involved the fTPM being, or also being, compromised. It got so bad that vendors like Dell offered special IME-breaking firmware that still allowed the computer to boot.

 

Intel has had many problems with IME, CSME, SPS etc. Most are patched or resolved in later generations and aren't really an active concern right now. But that comes back to my point that while finding these things is bad now, once they get fixed you at least know that's fixed and that isn't an attack vector anymore. You can't know the unknown, but the more you know about, the better, kind of. I'm sure you get the point.


23 minutes ago, leadeater said:

vendors like Dell offered special IME breaking firmware

TBH it should've been that way from the get-go. OK, it's needed to bootstrap the main cores, but after that it should go into an inactive, non-recoverable state. It's baffling how anyone thought having a hidden CPU inside the CPU with access to everything without any sort of oversight is a good idea......


18 minutes ago, jagdtigger said:

It's baffling how anyone thought having a hidden CPU inside the CPU with access to everything without any sort of oversight is a good idea......

It doesn't actually have access to everything, it's given a privileged memory area. The problem was being able to break out of that and read anything.


22 minutes ago, leadeater said:

It doesn't actually have access to everything, it's given a privileged memory area. The problem was being able to break out of that and read anything.

AFAIK the only thing limiting its access is SW so technically it has full access limited by a weak barrier.


4 hours ago, leadeater said:

Ah yea, there's been plenty. I don't know how you managed to Google and not find any since it's literally the first page of Google when you do of various articles about them.

 

Example "TPM-FAIL"/CVE-2019-0090

 

You do remember all the fuss about Intel IME and CSME while ago, yea all of those partly or completely involved fTPM being or also being compromised. It got so bad vendors like Dell offered special IME breaking firmware that still allowed the computer to boot.

 

Intel has had many problems with IME, CSME, SPS etc. Most are patched or resolved in later generations and aren't really an active concern right now. But that comes back to my point that while finding these things is bad now once they get fixed you at least know that's fixed and that isn't an attack vector anymore. You can't know the unknown but the more you know about the better, kind of. I'm sure you get the point.

I knew about vulnerabilities in the IME, but not in Intel's fTPM. Intel's fTPM and their IME are two separate things though, and while one can compromise the other, it is not the same thing as the fTPM being vulnerable directly.

That's why I asked. It seems like at least CVE-2019-0090 was a vulnerability in the fTPM though that I wasn't aware of. 

 

When I searched on Google I found quite a few articles about attacks on TPMs, but not specifically their fTPMs. In practice it makes little difference but I was curious.

 

All the results I got on Google's first page when I searched for "Intel ftpm vulnerability" were things that were only indirectly related (like IME vulnerabilities) or not related to Intel specifically (like CVE-2023-1017 which is a vulnerability in the TPM spec itself).


3 hours ago, LAwLz said:

I knew about vulnerabilities in the IME, but not in Intel's fTPM. Intel's fTPM and their IME are two separate things though

No, that's quite questionable; they seem to be very linked both in functions and in Intel's names for security features like Intel TXT, which it states is in Intel chipsets and CPUs. Intel's fTPM is implemented in the CSME/SPS/TXE (whatever they are calling it today, heh) and in the CPU (TEE), so when the vulnerabilities include, and I'll paraphrase here, "read and/or modify anything" within the "Management Engine, System and OS", that most likely includes the fTPM since those are linked.

 

Edit: Reading up on Intel's fTPM is a circular minefield honestly. You get pointed to IME (and all its names), which runs in the PCH and then also the CPU, and the technology names that cover both are equally talked about and referenced when looking at Intel's fTPM. It is actually quite hard to really know how separated that in-CPU security processor is from the platform PCH security processor. Thus I consider it unwise to assume Intel's fTPM is unaffected by IME vulnerabilities (or at least many of them). /Edit

 

Quote

Main Trusted Boot (tboot) distributions before November 2017 are affected by a dynamic root of trust for measurement (DRTM) attack CVE-2017-16837, which affects computers running on Intel's Trusted eXecution Technology (TXT) for the boot-up routine.[69]

https://en.wikipedia.org/wiki/Trusted_Platform_Module#Attacks

 

Quote

Several weaknesses have been found in the ME. On May 1, 2017, Intel confirmed a Remote Elevation of Privilege bug (SA-00075) in its Management Technology.[37] Every Intel platform with provisioned Intel Standard Manageability, Active Management Technology, or Small Business Technology, from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME.[38][39] Several ways to disable the ME without authorization that could allow ME's functions to be sabotaged have been found.[40][41][42] Additional major security flaws in the ME affecting a very large number of computers incorporating ME, Trusted Execution Engine (TXE), and Server Platform Services (SPS) firmware, from Skylake in 2015 to Coffee Lake in 2017, were confirmed by Intel on 20 November 2017 (SA-00086).[43][44] Unlike SA-00075, this bug is even present if AMT is absent, not provisioned or if the ME was "disabled" by any of the known unofficial methods.[45] In July 2018 another set of vulnerabilities was disclosed (SA-00112).[46] In September 2018, yet another vulnerability was published (SA-00125).[47]

 

Quote

In May 2017, Intel confirmed that many computers with AMT have had an unpatched critical privilege escalation vulnerability (CVE-2017-5689).[39][52][37][53][54] The vulnerability, which was nicknamed "Silent Bob is Silent" by the researchers who had reported it to Intel,[55] affects numerous laptops, desktops and servers sold by Dell, Fujitsu, Hewlett-Packard (later Hewlett Packard Enterprise and HP Inc.), Intel, Lenovo, and possibly others.[55][56][57][58][59][60][61] Those researchers claimed that the bug affects systems made in 2010 or later.[62] Other reports claimed the bug also affects systems made as long ago as 2008.[63][39] The vulnerability was described as giving remote attackers:

"full control of affected machines, including the ability to read and modify everything. It can be used to install persistent malware (possibly in firmware), and read and modify any data."

— Tatu Ylönen, ssh.com[55]

 

Quote

Some months after the previous bugs, and subsequent warnings from the EFF,[4] security firm Positive Technologies claimed to have developed a working exploit.[73] On 20 November, 2017 Intel confirmed that a number of serious flaws had been found in the Management Engine (mainstream), Trusted Execution Engine (tablet/mobile), and Server Platform Services (high end server) firmware, and released a "critical firmware update".[74][75] Essentially every Intel-based computer for the last several years, including most desktops and servers, were found to be vulnerable to having their security compromised, although all the potential routes of exploitation were not entirely known.[75] It is not possible to patch the problems from the operating system, and a firmware (UEFI, BIOS) update to the motherboard is required, which was anticipated to take quite some time for the many individual manufacturers to accomplish, if it ever would be for many systems.[43]

 

https://wiki.alquds.edu/?query=Intel_Management_Engine#Security_vulnerabilities

 

Be extremely careful assuming the fTPM functions aren't compromised if it's not fully spelled out when you see vulnerabilities disclosed for the wider IME/SPS/CSME etc. The safest assumption is that yes, the fTPM is likely compromised or can be through these.

 

It's honestly not that big of a deal anymore, Intel's firmware is now much more secure and tested and at least trusted again. It got REAL rough there for them during that time, real rough.

 

Edit 2:

CVE-2021-0146

https://www.cpomagazine.com/cyber-security/high-severity-security-flaw-in-intel-cpus-allows-attackers-to-access-encryption-keys-and-bypass-tpm-bitlocker-and-drm/

 


6 hours ago, LAwLz said:

That's a very dumb and outdated saying. It's simply not true in 99.9 of cases if things are configured properly. Exploits like these are rare, hence why they are newsworthy.

The issue is that most people don't have things set up properly, especially not the average Windows user.

Except that, as you said, most people don't lock down their system in a way that assumes it will be physically compromised, so it's actually completely true in the vast majority of cases.

 

And again, you have to act like it's true regardless of what security measures you take. If your computer is stolen, it's foolish to say "I've got BitLocker set up, so I can assume my data is safe." You need to act as if everything has been compromised.


11 hours ago, YoungBlade said:

There's an old saying: Physical access is root access.

 

I don't trust anything if someone gains physical access to my hardware. Even if the security holds, I still have to act as if it's compromised, because there's always a chance that it is.

 

My reaction to "someone stole my computer" would always be - "I need to change all of my passwords, I need to notify my bank and credit card company, I need to reset everything." So while this is bad, it doesn't actually change anything for what I would have to do if my computer were stolen.

Exactly. If a nefarious party gets physical access to something then you can pretty much throw all "security" out the window. The right parties can and will find a way.


4 hours ago, leadeater said:

No, that's quite questionable; they seem to be very linked both in functions and in Intel's names for security features like Intel TXT, which it states is in Intel chipsets and CPUs. Intel's fTPM is implemented in the CSME/SPS/TXE (whatever they are calling it today, heh) and in the CPU (TEE), so when the vulnerabilities include, and I'll paraphrase here, "read and/or modify anything" within the "Management Engine, System and OS", that most likely includes the fTPM since those are linked.

 

Edit: Reading up on Intel's fTPM is a circular minefield honestly. You get pointed to IME (and all its names), which runs in the PCH and then also the CPU, and the technology names that cover both are equally talked about and referenced when looking at Intel's fTPM. It is actually quite hard to really know how separated that in-CPU security processor is from the platform PCH security processor. Thus I consider it unwise to assume Intel's fTPM is unaffected by IME vulnerabilities (or at least many of them). /Edit

 

https://en.wikipedia.org/wiki/Trusted_Platform_Module#Attacks


https://wiki.alquds.edu/?query=Intel_Management_Engine#Security_vulnerabilities

 

Be extremely careful assuming the fTPM functions aren't compromised if it's not fully spelled out when you see vulnerabilities disclosed for the wider IME/SPS/CSME etc. The safest assumption is that yes, the fTPM is likely compromised or can be through these.

 

It's honestly not that big of a deal anymore, Intel's firmware is now much more secure and tested and at least trusted again. It got REAL rough there for them during that time, real rough.

 

Edit 2:

CVE-2021-0146

https://www.cpomagazine.com/cyber-security/high-severity-security-flaw-in-intel-cpus-allows-attackers-to-access-encryption-keys-and-bypass-tpm-bitlocker-and-drm/

 

All of those links just seem to confirm what I said.

The fTPM and IME are two separate things. Attacks on the IME can compromise the fTPM since the IME has access to everything, but that does not mean they are the same thing.

 

Privilege escalation exploits in the Windows kernel can cause information from your browser to be compromised, but that does not mean the kernel and the browser are the same thing.

Exploits against the IME are far more serious than exploits against the fTPM, and Intel has had a lot of vulnerabilities in its IME. But it's still not the same thing as the fTPM itself.

I never intended to even remotely suggest that an exploit in the IME wouldn't compromise the fTPM, because it most likely does. But they should be treated as separate things because they are. It's just that one can control the other just like your OS kernel can control your browser.


3 hours ago, YoungBlade said:

Except that, as you said, most people don't lock down their system in a way that assumes it will be physically compromised, so it's actually completely true in the vast majority of cases.

 

And again, you have to act like it's true regardless of what security measures you take. If your computer is stolen, it's foolish to say "I've got BitLocker set up, so I can assume my data is safe." You need to act as if everything has been compromised.

I would argue that that's true for Windows users, but if we are talking about non-Windows users I think the inverse is true. Most non-Windows users have proper security in place that will protect them even if their hardware ends up in the wrong hands.

 

 

  

1 hour ago, Brando212 said:

Exactly. If a nefarious party gets physical access to something then you can pretty much throw all "security" out the window. The right parties can and will find a way.

No, you shouldn't.

If you have proper security in place then you do not have to throw everything out the window. We already have evidence that even state actors such as the FBI and NSA do not in fact have ways around proper security. The iPhone is a great example of a very widely used device that is pretty much impenetrable regardless of what goes up against it. VeraCrypt is another example of a very well-tested piece of software that has stood up against attacks from entire countries.

There are a ton of services that entirely rely on the fact that with proper security implementations, even physical access isn't enough to get your data. Pretty much all colocation-hosted services rely on that.


3 minutes ago, LAwLz said:

I would argue that that's true for Windows users, but if we are talking about non-Windows users I think the inverse is true. Most non-Windows users have proper security in place that will protect them even if their hardware ends up in the wrong hands.

Even if that's true - which I doubt - they would be foolish to assume that such protections are all they need. Again, if your computer is stolen, you need to act as if everything has been compromised. A Mac or Linux user who trusts that their computer's security will keep their data safe no matter what, so they don't bother to change passwords or contact their financial institutions to get new cards, is a fool. I hope they're right, but I won't be even the tiniest bit surprised if it turns out that their data got hacked into anyway.


30 minutes ago, YoungBlade said:

Even if that's true - which I doubt - they would be foolish to assume that such protections are all they need.

What protection are you talking about specifically and who said anything about it being the only protection they need? I feel like you are about to make a strawman argument here and I'd prefer if you didn't.

 

30 minutes ago, YoungBlade said:

Again, if your computer is stolen, you need to act as if everything has been compromised.

No you don't. It depends on the situation. 

 

31 minutes ago, YoungBlade said:

A Mac or Linux, user who trusts that their computer's security will keep their data safe no matter what, so they don't bother to change passwords or contact their financial institutions to get new cards, is a fool.

No they aren't, and stop being so extreme. 

The world isn't black and white. 

 

32 minutes ago, YoungBlade said:

I hope they're right, but I won't be even the tiniest bit surprised if it turns out that their data got hacked into anyway.

Depending on the situation I would be very surprised.


30 minutes ago, LAwLz said:

What protection are you talking about specifically and who said anything about it being the only protection they need? I feel like you are about to make a strawman argument here and I'd prefer if you didn't.

Encryption using TPM. That's what this thread is about. Were you referring to something else?


On 5/2/2023 at 12:30 PM, HenrySalayne said:

When I read the first post I was like "What? BitLocker uses two keys. Why would the user key be stored in the fTPM?".

Turns out you can use BitLocker without a user key. So ... don't do that, and use a user key for encryption. The term "solely" might be a little bit exaggerated.

 

Fun fact: If you sign in with a Microsoft account during the out-of-box experience (a.k.a. initial setup) then BitLocker gets enabled without your knowledge or consent, and without keys being stored anywhere the M$ docs say they'd be.

 

But if you set up using a local account then it's not enabled. On that note… OOBE\BYPASSNRO is your friennnnnnnd


6 hours ago, PocketNerd said:

Fun fact: If you sign in with a Microsoft account during the out-of-box experience (a.k.a. initial setup) then BitLocker gets enabled without your knowledge or consent, and without keys being stored anywhere the M$ docs say they'd be.

Run the following command from an elevated prompt.

manage-bde -status

If the Encryption Method says "XTS-AES 128", then it's software defined BitLocker encryption which the vast majority of the implementations are. However if it says "Hardware Encryption" then the drive is a SED using the TCG Opal standard.

To view the recovery password you can also run this command

manage-bde -protectors -get c:
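An added example, not code from the thread or from Microsoft, that automates the manage-bde check above and the "BitLocker without a user key" point from the quoted HenrySalayne post: it reports the encryption method and protectors and flags a TPM-only configuration, which is the setup an fTPM key extraction defeats. It uses the real Get-BitLockerVolume cmdlet and assumes Windows with the BitLocker PowerShell module and an elevated prompt; the function name Test-BitLockerTpmOnly is my own.

```powershell
# Added example, not from the thread: audit a BitLocker volume the way
# manage-bde -status / -protectors -get would, and flag the TPM-only
# configuration (no PIN or startup key) that an fTPM key extraction defeats.
# Assumes Windows with the BitLocker module and an elevated prompt.
# Test-BitLockerTpmOnly is a hypothetical name; Get-BitLockerVolume is a real cmdlet.
function Test-BitLockerTpmOnly {
    param([string]$MountPoint = 'C:')

    $vol = Get-BitLockerVolume -MountPoint $MountPoint -ErrorAction Stop

    # KeyProtectorType values include Tpm, TpmPin, TpmStartupKey,
    # TpmPinStartupKey, RecoveryPassword, Password and ExternalKey.
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })

    # A bare "Tpm" protector releases the volume key on a clean boot with no
    # user secret; the TpmPin* / TpmStartupKey variants add a second factor.
    $secondFactor = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey') |
        Where-Object { $types -contains $_ }
    $tpmOnly = ($types -contains 'Tpm') -and (-not $secondFactor)

    if ($tpmOnly) {
        # Adding a PIN to the OS drive requires the "Require additional
        # authentication at startup" policy to be enabled first.
        $advice = 'TPM-only: anyone who can recover the TPM-sealed key unlocks the drive ' +
                  'without a user secret. Add a PIN: manage-bde -protectors -add C: -TPMAndPIN'
    } elseif ($types.Count -eq 0) {
        $advice = 'No key protectors: the volume is not protected by BitLocker.'
    } else {
        $advice = 'A user secret or startup key is required in addition to the TPM.'
    }

    [pscustomobject]@{
        MountPoint       = $vol.MountPoint
        VolumeStatus     = $vol.VolumeStatus       # FullyEncrypted, FullyDecrypted, ...
        ProtectionStatus = $vol.ProtectionStatus   # Off = suspended or unencrypted; a suspended volume keeps its key in the clear
        EncryptionMethod = $vol.EncryptionMethod   # XtsAes128 = software BitLocker; HardwareEncryption = Opal SED
        Protectors       = ($types -join ', ')
        HasRecoveryPwd   = ($types -contains 'RecoveryPassword')
        TpmOnly          = $tpmOnly
        Advice           = $advice
    }
}

Test-BitLockerTpmOnly -MountPoint 'C:' | Format-List
```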


 
