Trusted platform module security defeated in 30 minutes, no soldering required



Let’s say you are a large company that just shipped a brand new replacement laptop to an employee. And let’s say it’s preconfigured to use all the latest security best practices including full disk encryption using a trusted platform module, password protected BIOS settings, UEFI SecureBoot and virtually all other National Security Agency and NIST recommendations for locking down federal computer systems. And let’s say an attacker manages to intercept the machine. Can the attacker use it to hack your network?

Research released last week shows the answer to be a resounding “yes”. Not only that, but a hacker needs a surprisingly short time alone with the machine to complete the attack. With this, the hacker can gain the ability to write not only to the stolen laptop, but also to the fortified network that it has been configured to connect to.

Researchers at security consultancy Dolos Group, hired to test the security of a customer’s network, received a new Lenovo computer preconfigured to use the organization’s standard security stack. They were not given any test credentials, configuration details, or other machine information. An analysis of BIOS, boot operation, and hardware settings quickly revealed that the security measures in place would prevent typical hacks, including:

Fort Knox and the not-so-armored car

With little to do, the researchers focused on the Trusted Platform Module, or TPM, a heavily fortified chip installed on the motherboard that communicates directly with other hardware installed on the machine. The researchers noticed that, as is the default for disk encryption using Microsoft’s BitLocker, the laptop booted directly to the Windows screen without prompting for a PIN or password. This meant that the TPM was the only place where the cryptographic secret that unlocks the drive was stored.

Microsoft recommends overriding the default and using a PIN or password only for threat models that anticipate an attacker with enough skill and time alone with an unattended target machine to open the case and solder onto motherboard peripherals. After completing their analysis, the researchers said Microsoft’s advice is inadequate because it exposes devices to attacks that can be carried out by abusive spouses, malicious insiders, or others with fleeting private access.
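The configuration at issue here is a BitLocker OS volume protected by a TPM-only key protector. As an added example (not from the article or from Dolos Group), the following PowerShell audits the OS volume's protectors for that configuration and, only when asked, replaces it with a TPM+PIN protector; it assumes an elevated session on Windows with the built-in BitLocker module, and `C:` as the OS volume is an assumption.

```powershell
# Added example (not from the article): flag the TPM-only BitLocker
# configuration described above. Assumes an elevated Windows session with the
# built-in BitLocker module; "C:" is assumed to be the operating-system volume.
function Test-BitLockerTpmOnly {
    param([string]$MountPoint = "C:")

    $vol   = Get-BitLockerVolume -MountPoint $MountPoint
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType })

    # Protector types that bind the TPM to something the user knows or carries,
    # so the drive is not unlocked automatically at boot.
    $strong = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    $hasStrong = [bool]($types | Where-Object { $strong -contains $_ })

    [pscustomobject]@{
        MountPoint       = $MountPoint
        ProtectionStatus = $vol.ProtectionStatus
        Protectors       = ($types -join ', ')
        # TPM-only: the key is released at boot with no user secret, which is
        # the precondition for the attack described in the article.
        TpmOnly          = ($types -contains 'Tpm') -and -not $hasStrong
    }
}

function Repair-BitLockerTpmOnly {
    param([string]$MountPoint = "C:")

    # Requires the policy "Require additional authentication at startup" with
    # "Allow startup PIN with TPM"; otherwise Add-BitLockerKeyProtector fails.
    $pin = Read-Host -AsSecureString "New startup PIN"
    Add-BitLockerKeyProtector -MountPoint $MountPoint -TpmAndPinProtector -Pin $pin | Out-Null

    # Remove the TPM-only protector only after the TPM+PIN one exists.
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object { $_.KeyProtectorType -eq 'Tpm' } |
        ForEach-Object {
            Remove-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $_.KeyProtectorId | Out-Null
        }
}

$result = Test-BitLockerTpmOnly
$result | Format-List
if ($result.TpmOnly) {
    Write-Warning "TPM-only protector: the volume is unlocked at boot without a PIN."
    # Uncomment to remediate interactively: Repair-BitLockerTpmOnly
}
```

Keep a recovery password protector on the volume before changing protectors, since a mistyped or forgotten PIN otherwise locks the machine out.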

“A pre-equipped attacker can complete this entire chain of attack in less than 30 minutes without soldering, with simple and relatively inexpensive hardware and publicly available tools,” researchers from Dolos Group wrote in an article, “a process that places it squarely in evil-maid territory.”

TPMs have multiple layers of defenses that prevent attackers from extracting or tampering with the data they store. For example, an analysis done over 10 years ago by reverse engineer Christopher found that a TPM chip made by Infineon was designed to self-destruct if physically penetrated. Optical sensors, for instance, detected ambient light once the package was opened, and a metal mesh covering the microcontroller was intended to deactivate the chip if any of its electrical circuits was disturbed.

With little hope of breaking the chip inside the Lenovo laptop, researchers at Dolos looked for other ways to extract the key that decrypted the hard drive. They noticed that the TPM communicated with the CPU using a serial peripheral interface, a communication protocol for on-board systems.

SPI, as the protocol is known for short, provides no encryption of its own, so any encryption must be handled by the devices with which the TPM communicates. Microsoft’s BitLocker, meanwhile, does not use any of the encrypted-communication features of the latest TPM standard. If the researchers could tap the connection between the TPM and the CPU, perhaps they could extract the key.

They wrote:

Bypassing TPM in this way is like ignoring Fort Knox and focusing on the not-so-armored car coming out of it.

In order to sniff data moving on the SPI bus, we need to attach wires or probes to the pins (labeled above MOSI, MISO, CS, and CLK) on the TPM. Normally it is simple, but there is a practical problem in this case. This TPM is on a VQFN32 footprint, which is very small. The “pins” are actually only 0.25mm wide and are spaced 0.5mm apart. And these “pins” aren’t actually pins, they’re flat against the wall of the chip, so it’s physically impossible to attach some kind of clip. You can solder “flying leads” to the solder pads, but that’s a problem and tends to be a very unstable connection physically. Alternatively, a common tactic is to locate solder-in series resistors, but they were just as small and even more fragile. It wasn’t going to be easy.

But before we started, we thought there might be another way. Many times, SPI chips share the same “bus” with other SPI chips. It is a technique that hardware designers use to simplify connections, reduce costs, and make troubleshooting / programming easier. We started to search the entire board for any other chips that might be on the same bus as the TPM. Maybe their pins would be bigger and easier to use. After some probing and looking at the schematics, it turned out that the TPM was sharing an SPI bus with just one other chip, the CMOS chip, which definitely had bigger pins. In fact, the CMOS chip had about the largest pin size you could find on standard motherboards; it was an SOP-8 (aka SOIC-8).

Short for complementary metal-oxide-semiconductor, a CMOS chip on a PC stores BIOS settings, including the system time and date and hardware settings. The researchers connected a Saleae logic analyzer to the CMOS chip. In no time, they were able to capture every byte moving across the shared bus. The researchers then used the bitlocker-spi-toolkit written by Henri Nurmi to isolate the key within the mass of data.

Once the hard drive was decrypted, the researchers combed through the data for something (encrypted or cleartext passwords, exposed sensitive files, or the like) that could bring them closer to their goal of accessing the customer’s network. They quickly found something: the GlobalProtect VPN client from Palo Alto Networks, which came preinstalled and preconfigured.

One feature of the VPN client is that it can establish a VPN connection before a user logs in. The capability is designed to authenticate an endpoint and allow domain scripts to run as soon as the machine is turned on. This is useful because it allows administrators to manage large fleets of machines without knowing the password for each.
