A team of academics has disclosed today two vulnerabilities known collectively as TPM-FAIL that could allow an attacker to retrieve cryptographic keys stored inside TPMs.
Thanks to efforts from the research team, both vulnerabilities have been fixed, which is a good thing since both issues can be weaponized in doable real-world attacks -- something that is very rare in the case of TPM vulnerabilities.
What are Trusted Platform Modules
TPM stands for Trusted Platform Module. In the early days of computing, TPMs were separate chips added to a motherboard were a CPU would store and manage sensitive information such as cryptographic keys.
These keys were used to ensure hardware integrity during the boot-up process or to attest various cryptographic operations, such as handling digital certificates, ensuring HTTPS connections on servers, or verifying authentication-related processes.
However, as the hardware ecosystem evolved with modern smartphones and "smart" embedded devices, there was no room for a separate TPM chipset on all devices, and a 100% software-based solution was developed in the form of firmware-based TPMs -- also known as fTPMs.
Nowadays, it's hard to find a device that's not using a TPM, either in the form of a hardware-isolated chip, or a software-based solution. TPMs are at the heart of most devices, even in tiny electronics, such as some IoT "smart" devices.
TPM-Fail -- what is impacted
In a research paper published today, a team of academics from the Worcester Polytechnic Institute (USA), the University of Lübeck (Germany), and the University of California, San Diego (USA) has disclosed two vulnerabilities that impact two very widely used TPM solutions.
The first vulnerability is CVE-2019-11090 and impacts Intel's Platform Trust Technology (PTT).
Intel PTT is Intel's fTPM software-based TPM solution and is widely used on servers, desktops, and laptops, being supported on all Intel CPUs released since 2013, starting with the Haswell generation.
The second is CVE-2019-16863 and impacts the ST33 TPM chip made by STMicroelectronics.
This chip is incredibly popular and is used on a wide array of devices ranging from networking equipment to cloud servers, being one of the few chips that received a CommonCriteria (CC) EAL 4+ classification -- which implies it comes with built-in protection against side-channel attacks like the ones discovered by the research team.
TPM-Fail -- the attacks
The actual attacks on these two TPM technologies is what security researcher call a "timing leakage."
An external observer can record the time differences when the TPM is performing repetative operations and infer the data being processed inside the secure chip -- all based on the amount of time the TPM takes to do the same thing over and over again.
The research team says the "timing leakage" they discovered can be used to extract 256-bit private keys that are being stored inside the TPM. More specifically, 256-bit private keys used by certain digital signature schemes based on elliptic curves algorithms such as ECDSA and ECSchnorr.
While this sounds like a very narrow attack surface, these two are common digital signature schemes used in many of today's cryptographically-secured operations, such as establishing TLS connections, signing digital certificates, and authorizing logins.
But the novelty and danger factor surrounding TPM-FAIL relies in the fact that this attack is also fully weaponizable in a real-world scenario.
Similar attacks on TPMs usually recover partial keys or take too long to execute. TPM-FAIL does not.
"They are practical," the research team said about TPM-FAIL.
"A local adversary can recover the ECDSA key from Intel fTPM in 4-20 minutes depending on the access level," they said.
"We even show that these attacks can be performed remotely on fast networks, by recovering the authentication key of a virtual private network (VPN) server in 5 hours."
Performing a five-hour-long attack on a remote VPN server isn't as hard as it sounds. Per the research team, the attack involves initiating around 45,000 authentication handshakes against a remote VPN server and recording the responses.
After enough observations of the response time, attackers would be able to recover the private key that the VPN server was using to sign and verify authentication operations, and allowing themselves to access a VPN-protected network.
The only good news is that the attack is not trivial and that some advanced technical knowledge would be needed from an attacker -- however, not that advanced that would exclude any potential attacks.
"The attacks could indeed be weaponized with some effort," Daniel Moghimi from the Worcester Polytechnic Institute, and one of the researchers behind TPM-FAIL, told ZDNet in an interview today.
"The required skill to pull this kind of attack is, of course, more than the script-kiddie effort, but there are many people out there who use similar techniques to solve more advanced CTF challenges."
TPM-FAIL -- patches and proof-of-concept code
Moghimi told ZDNet that the research team started working on exploring this new attack vector inside TPMs earlier this year in January.
They tested many TPM technologies and not just the ones from Intel and STMicroelectronics. However, TPMs from Infineon and Nuvoton were not found to be vulnerable.
The first issue that they discovered was the one impacting Intel's PPT, which they reported to the company in February.
"Intel was quite professional," Moghimi told ZDNet. "In the last two years, they have pretty much streamlined the disclosure process. Our only concern was the initial assigned CVS score, but after we provided them a detailed [proof-of-concept] showing that the attack can be performed remotely, they changed/increased it."
Moghimi said this disclosure process ended today, on November 12, when Intel released firmware updates for the Intel PTT, which users can download via the company's official security advisory.
The STMicroelectronics issue was discovered a few months later after the Intel one, namely in May, when the research team also reached out to the company.
Since STMicroelectronics was shipping a hardware-enforced TPM, the company couldn't just issue a software update. Instead, they prepared a new iteration of the ST33 chip.
The research team said they received a version of this new chip and confirmed that it was resistant to the TPM-FAIL attacks on September 12, 2019.
The company was supposed to publish a security advisory at the following URL (also mentioned in a Microsoft security advisory), but the security advisory was not public at the time of this article's publication.
Now, a long process starts during which end-users -- home consumers and enterprise customers alike -- are expected to update CPU/motherboard firmware, and replace outdated equipment.
Of the two, the issue impacting Intel's fTPM solution is considered the most dangerous, as it could be exploited remotely.
The research team told ZDNet they plan to publish the tools they used to analyze the vulnerable TPMs, along with proof-of-concept code, on GitHub.
In large enterprise networks, some system administrators may not be fully aware of what TPMs they are using on particular devices. The proof-of-concept code should help these sysadmins test and see if they have devices vulnerable to the two attacks.
Unfortunately, the same proof-of-concept code may also end up helping attackers, once it gets published online. Applying the Intel PPT firmware updates should be a top priority.
A technical whitepaper on the TPM-FAIL attacks is available for download, and is entitled "TPM-FAIL: TPM meets Timing and Lattice Attacks." A dedicated website is also available. Some of the researchers involved in TPM-FAIL were also involved in the discovery of the Zombieload and Spoiler CPU vulnerabilies.