Hacker extracts crypto key from TPM chip
An American hacker has, with a great deal of effort, managed to crack a Trusted Platform Module (TPM) made by Infineon. He was able to read the data stored on the TPM chip, including cryptographic keys (RSA, DES) of the kind that Microsoft's BitLocker also keeps in the TPM on suitably equipped motherboards.
TPM hardware incorporates various levels of logical as well as physical measures designed to counter a range of attacks, such as differential electromagnetic analysis (DEMA) and even physical intrusion into the chip. Once the keys are retrieved, however, an attacker can read the encrypted data stored on a hard disk without needing a password.
Previously known as the smart card hacker, Christopher Tarnovsky of Flylogic Engineering presented his work at the Black Hat DC security conference. He apparently managed to work out the internals of a processor from the "SLE 66CLX360PE" family used in the TPM. For this purpose, he extracted the actual die from its housing in his specially equipped lab using various procedures involving liquids and gases (a video of this is available online).
He then worked his way through the different layers of the chip using, for instance, a Focused Ion Beam microscope and Photoshop to figure out the chip's structure and find a way into the heart of the TPM. Subsequently, he analysed the on-chip signalling pathways to gain access to the processor's data bus. This took Tarnovsky the better part of six months and numerous TPM chips. However, retrieving the license key of an Xbox 360, which also contains Infineon's TPM, apparently required only an additional six hours.
Tarnovsky says that Infineon has so far maintained that such attacks simply weren't feasible; Peter Laackmann, Infineon's Senior Principal for Chip Cards & Product Security, denied this in an interview with The H's associates at heise Security. The executive said that Infineon does not rule out the possibility of successful attacks. Laackmann said that TPM chips are not uncrackable and are not advertised as such. The potential for such an attack was already evident in an earlier evaluation phase and had apparently been carried out successfully by company researchers quite some time ago. However, one mustn't neglect the effort involved in such an attack, said Laackmann, adding that even Tarnovsky himself admits that the necessary steps aren't easy to reproduce and require a considerable amount of special equipment. According to Tarnovsky, the required lab equipment represents an investment of about $200,000.
Laackmann also said that the product family has become obsolete, and that the cracked processor was only intended for smart cards. There is a new generation of TPM chips based on the SLE78 family, which apparently offers not only further physical anti-intrusion measures, but also additional cryptographic features. In these chips, recording data bus traffic after breaking into the housing is said to be ineffective because the data is encrypted. Infineon's Integrity Guard concept is designed to avoid the transmission and processing of plain text data altogether. However, so far, few devices incorporate these new chips.
The hack's potential consequences for the many TPM-protected systems in corporate environments, for instance, are difficult to predict. One can hardly assume that criminals will reproduce such attacks on a practical level in the medium term. However, intelligence agencies could use the technique in targeted attacks – perhaps they are doing so already. Tarnovsky does not intend to publish the details of his approach – but he is also a businessman. He plans to test the security of other vendors' TPMs in the near future.