February 12, 2010
TPM Chip Hacked
Darkreading and a few other sites have posted this story about a security researcher named Chris Tarnovsky who has been able to hack one of the vaunted Trusted Platform Module (TPM) chips. These are common in most laptop and desktop systems today though it’s hard to say how much they are leveraged. There are certainly some Full Disk Encryption (FDE) solutions which make use of the chip though I don’t have any data on how many deployments are configured to use the TPM.
I first became intimately familiar with the chip about 3 years ago when I worked on Microsoft Vista for IT Security Professionals. I wrote a chapter which specifically dealt with how Windows Vista included functions to leverage the chip. Aside from providing this basic information including what the chip can be used for, how Vista can use the TPM, and how the chip can and should be managed, I also drew some conclusions about the chip and what it meant to the security field.
Looking back with the benefit of hindsight, I’m still happiest with that bit of writing versus any of the other publications I’ve worked on. First of all, it was a deeply technical bit of writing and as a result of that challenge, I learned a lot. Second, I feel pretty good about the conclusions I had reached 3 years before Chris Tarnovsky was able to hack the chip.
First, I said that the TPM provided a great leap forward in terms of security. I think then and now IT people face a situation where the security perimeter they are trying to defend is miles away from a data center. There is still a core set of assets that can be protected by firewalls, but more and more we see data traveling out into that scary world outside the data center walls via laptops, thumb drives, MP3 players, and other mobile devices. The TPM enables a type of FDE that is stronger than others we had before that relied on a key stored on a USB device or a simple 4-digit PIN entered by a user. Did it create an encryption that could not be defeated? Absolutely not. It was a big step forward though.
While the TPM has been hacked, it was done using an electron microscope, acids, tiny needles, 9 months of research, and a lot of other things your average hacker is not going to have. So, if we keep in mind that no system can ever completely eliminate risk, our real goal is to reduce the risk as much as possible by making the attack significantly difficult. If we can do this then the attackers will move on to easier attacks. The real failing here is that Infineon’s marketing team doesn’t understand this and decided to call the chip “unhackable.” They should have read the book where I said that, “therefore [TPMs] can never be touted as the end game in information security.” Chris Tarnovsky is a bit understated when pointing out the drastic gap between difficulty and impossibility when he says “I’m not saying it was easy, but this technology is not as secure as some vendors would like you to think.”
Second, I had mentioned that the TPM enables us to use a small set of very powerful technical controls. No one in their right mind would rely on this as the full extent of their information security program. In fact, I would recommend that no one ever rely on a single countermeasure like this for even just one unique aspect of their information security program.
I doubt there is anyone who is not familiar with the concept of defense in depth, and yet when confronted with situations like this, people too often fall into the trap of saying “this countermeasure is good enough to stand on its own.” This may not be entirely true for organizations implementing TPM-based security controls, but I think it is very true in general. I have spent a lot of time recently working with the operations folks in an organization who liked to counter every recommendation with “that’s overkill. We’re behind 3 firewalls.”
Finally, I don’t want to toot my own horn too much because honestly, this is something any good security person would have pointed out. But in the chapter summary I wrote, “it’s good to bring at least a small degree of skepticism anytime you examine something. As we pointed out throughout this chapter, as old attack surfaces vanish, attackers will find new ones.” The point is that attackers are motivated and nothing is perfect . . . or unhackable as Infineon claimed. Therefore, at some point there will be some way to defeat the security mechanism you are currently working to implement. As always, our goal is to reduce risk to an acceptable level. Over time that risk level may change as new attacks become feasible, and so we must always re-evaluate and reinforce the security systems we design and implement.
Congrats to Chris for his success. Despite the setback for the TPM it is something we as security professionals should have expected and been planning layered controls to protect against. Additionally, his success should result in improved TPM specifications and designs. Most of all it keeps vendors and those of us in the field honest.