[HN Gopher] TPM Sniffing
___________________________________________________________________

TPM Sniffing

Author : amenghra
Score  : 21 points
Date   : 2021-11-17 21:10 UTC (1 hour ago)

(HTM) web link (blog.scrt.ch)
(TXT) w3m dump (blog.scrt.ch)

| rasz wrote:
| I smelled trouble the second I read "low transmission speed" and
| "25Mhz" in the same sentence :) At that point a picture of 30cm
| leads was a given.
|
| "I mean it's a low speed interface, Michael. How fast could it go?
| 25MHz?"

| gnabgib wrote:
| This isn't a trivial task (attaching probes to chip legs, or
| board connectors), and it's a good write-up, but sniffing seems
| like a poor word choice. This isn't picking up the data covertly
| via existing attached components, or through some kind of
| software exploit - this is literally reading traveling messages,
| which is nigh impossible to defend against, aka "Reading data
| from the TPM".
|
| Short of a physically sealed path from the chip to all components
| that benefit from its knowledge (impossible on a desktop?), that
| can only be destructively accessed (triggering an alarm; like
| case-open switches) - I don't see how this can be defended
| against.

| opencl wrote:
| TPM 2.0 allows communications over the bus to be encrypted
| specifically to prevent this attack, though Windows apparently
| does not actually use this feature[0].
|
| Newer CPUs (since about 5 years ago) have the TPM embedded in
| the CPU. Intel calls this PTT and AMD calls it fTPM.
|
| [0] https://pulsesecurity.co.nz/articles/TPM-sniffing

| stefan_ wrote:
| You can combine it all in a chip like the Apple T2 and then you
| would have to somehow probe the silicon, which is of course
| impossible. (Until you discover that the chip has some
| critical, unfixable software vulnerability like the T2.)
|
| You can also pair the chip and the CPU at the factory or on
| initial powerup and have them communicate encrypted from
| thereon. This is a bit like the iPhone 13 display having some
| FaceID chip on it where a replacement with a wholly new display
| will leave FaceID non-functioning.

| XMPPwocky wrote:
| Probing silicon is just hard and expensive, not impossible! -
| though those might be similar enough for most purposes.

| opwieurposiu wrote:
| You can buy very small test clips for hooking on to TSSOP pins.
| They are kind of expensive and quite delicate, but come in handy
| if you do not want to solder on tiny wires.
|
| https://www.ebay.com/itm/182107308498

| artificialLimbs wrote:
| You should be careful about running software on your production
| domain controller.
|
| Great write-up.

| Gys wrote:
| > TL;DR: we reproduced Denis Andzakovic's proof-of-concept
| showing that it is possible to read and write data from a
| BitLocker-protected device (for instance, a stolen laptop) by
| sniffing the TPM key from the LPC bus.
___________________________________________________________________
(page generated 2021-11-17 23:00 UTC)
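Added example, not code from the thread or from the SCRT or Pulse Security write-ups: a toy model of the mitigation opencl mentions, TPM 2.0 session parameter encryption, which is the reason a passively observed bus only yields the sealed key when the caller declines to use it. The kdfa, "ATH" session-key and "XOR" mask derivations follow the TPM 2.0 Library specification (Part 1, salted HMAC sessions with TPM_ALG_XOR parameter encryption). Everything else is a constructed simplification: the ToyTPM class is a stand-in for a real TPM, the salt is assumed to be shared intact instead of being encrypted to the TPM's public key by TPM2_StartAuthSession, the session HMAC is omitted, and the sealed secret is a made-up byte string rather than a real BitLocker VMK.

```python
"""Toy TPM 2.0 salted session with XOR parameter encryption (stdlib only).

Constructed for illustration: compares what crosses the bus when an
unseal response is returned in plaintext versus through an encrypted session.
"""
import hashlib
import hmac
import os
import struct

HASH = hashlib.sha256
DIGEST_BITS = HASH().digest_size * 8


def kdfa(key: bytes, label: bytes, context_u: bytes, context_v: bytes, bits: int) -> bytes:
    """KDFa from TPM 2.0 Library Part 1 (SP800-108 counter mode, HMAC PRF).

    Block i = HMAC(key, [i]32 || label || 0x00 || contextU || contextV || [bits]32),
    with the counter and the bit length as 32-bit big-endian integers.
    """
    nbytes = (bits + 7) // 8
    out, counter = b"", 1
    while len(out) < nbytes:
        msg = (struct.pack(">I", counter) + label + b"\x00"
               + context_u + context_v + struct.pack(">I", bits))
        out += hmac.new(key, msg, HASH).digest()
        counter += 1
    out = out[:nbytes]
    unused = nbytes * 8 - bits          # spec: unused high bits of the first octet are zero
    if unused:
        out = bytes([out[0] & (0xFF >> unused)]) + out[1:]
    return out


def session_key(auth_value: bytes, salt: bytes, nonce_tpm: bytes, nonce_caller: bytes) -> bytes:
    """sessionKey = KDFa(hash, authValue || salt, "ATH", nonceTPM, nonceCaller, hashBits)."""
    return kdfa(auth_value + salt, b"ATH", nonce_tpm, nonce_caller, DIGEST_BITS)


def xor_mask(sess_key: bytes, auth_value: bytes, nonce_newer: bytes, nonce_older: bytes, length: int) -> bytes:
    """TPM_ALG_XOR parameter mask: KDFa(hash, sessionKey || authValue, "XOR",
    nonceNewer, nonceOlder, 8*length). An unbound session is modelled, so the
    object's authValue is appended to the session key (sessionValue)."""
    return kdfa(sess_key + auth_value, b"XOR", nonce_newer, nonce_older, 8 * length)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToyTPM:
    """Minimal TPM stand-in (constructed): one sealed object, one session."""

    def __init__(self, sealed_secret: bytes, object_auth: bytes):
        self._secret = sealed_secret
        self._auth = object_auth
        self._key = None

    def start_auth_session(self, salt: bytes, nonce_caller: bytes) -> bytes:
        # A real TPM2_StartAuthSession receives the salt encrypted to the TPM's
        # public key; here the salt is assumed to arrive intact (simplification).
        nonce_tpm = os.urandom(16)
        self._key = session_key(self._auth, salt, nonce_tpm, nonce_caller)
        return nonce_tpm

    def unseal(self, nonce_caller: bytes, encrypt_response: bool):
        """Return (bytes placed on the bus, fresh nonceTPM). The authHMAC that
        proves knowledge of the session key is omitted from this toy."""
        nonce_tpm = os.urandom(16)
        if not encrypt_response:
            return self._secret, nonce_tpm      # plaintext response: visible to a bus observer
        # Response encryption: nonceNewer is this response's nonceTPM,
        # nonceOlder is the command's nonceCaller.
        mask = xor_mask(self._key, self._auth, nonce_tpm, nonce_caller, len(self._secret))
        return xor_bytes(self._secret, mask), nonce_tpm


def run_exchange(encrypt_response: bool,
                 secret: bytes = b"constructed sealed secret (not a real VMK)",
                 auth: bytes = b"object-auth") -> dict:
    """Host side of the exchange: returns what crossed the bus and what the host recovered."""
    tpm = ToyTPM(secret, auth)
    salt = os.urandom(32)
    nonce_caller = os.urandom(16)
    nonce_tpm = tpm.start_auth_session(salt, nonce_caller)
    host_key = session_key(auth, salt, nonce_tpm, nonce_caller)   # host derives the same key

    nonce_caller = os.urandom(16)                                 # fresh nonce for the unseal command
    on_bus, nonce_tpm = tpm.unseal(nonce_caller, encrypt_response)
    if encrypt_response:
        recovered = xor_bytes(on_bus, xor_mask(host_key, auth, nonce_tpm, nonce_caller, len(on_bus)))
    else:
        recovered = on_bus
    return {"on_bus": on_bus, "recovered": recovered, "secret": secret}


if __name__ == "__main__":
    for enc in (False, True):
        r = run_exchange(enc)
        print("encrypted" if enc else "plaintext", "| on bus:", r["on_bus"].hex()[:32] + "...",
              "| host recovered secret:", r["recovered"] == r["secret"])
```

Running it shows the plaintext case placing the secret itself on the bus and the encrypted case placing a per-response mask of it, with the host still recovering the secret because it derived the same session key from the salt and nonces. The design point for a defender is that the key material (salt plus authValue) never transits the bus in the clear, so passive observation of the bus alone is not enough; it is the caller, not the TPM, that has to opt into the session encryption, which is the gap the linked Pulse Security article attributes to Windows.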