Very interesting video. For those who can't watch, he creates a PCB with a RPi Pico and some data pins which can sniff the BitLocker key as it's sent from the TPM chip back to the CPU. I was surprised to see that this was sent in plaintext, so although his board probably will only work for that particular motherboard, the method would be sound for other computers as well.
I'll leave the comments about MS requiring TPM chips for Win11 to others.
It's a bit of a chicken-egg problem when the TPM is the root of trust for the entire system. Sure you can encrypt the data on the bus, but where do you store that key?
No big deal here. This attack looks like it's using a crusty old TPM 1.2 laptop, so encrypted parameters to the TPM aren't supported. Even with Win11 and TPM2.0 (required for Win11), encrypted parameters to the TPM would just slow down an attacker.
You need to use pre-boot auth, like a PIN. Obviously, the TPM needs to have some kind of authentication to release the key, not just the default mode where Windows just needs to request it. This is all outlined in MS documentation: https://learn.microsoft.com/en-us/windows/security/operating...
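Added example, not part of the thread and not Microsoft's own code: a PowerShell check for the configuration discussed above, where the TPM releases the BitLocker key with no pre-boot authentication. The function name `Get-PreBootAuthFinding`, the finding labels and the sample objects are assumptions made for illustration; `Get-BitLockerVolume` and its `KeyProtector`, `KeyProtectorType` and `ProtectionStatus` properties are the real BitLocker module interface.

```powershell
# Classify BitLocker volumes by whether the TPM unseals the key on its own.
function Get-PreBootAuthFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Volume   # object shaped like Get-BitLockerVolume output
    )
    begin {
        # Protector types that bind a user-supplied secret to the TPM.
        $preBoot = @('TpmPin', 'TpmStartupKey', 'TpmPinStartupKey')
    }
    process {
        $types = @($Volume.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $finding = if ("$($Volume.ProtectionStatus)" -ne 'On') { 'NotProtected' }
        elseif ($types -contains 'Tpm') { 'TpmOnly' }        # key released with no user input
        elseif ($types | Where-Object { $_ -in $preBoot }) { 'PreBootAuth' }
        else { 'Other' }                                     # e.g. password or key file only
        [pscustomobject]@{
            MountPoint = $Volume.MountPoint
            Protectors = $types -join ','
            Finding    = $finding
        }
    }
}

# Constructed sample objects so the function can be tried offline.
# On a real machine, from an elevated prompt:
#   Get-BitLockerVolume | Get-PreBootAuthFinding
$sample = @(
    [pscustomobject]@{ MountPoint = 'C:'; ProtectionStatus = 'On'
        KeyProtector = @(@{ KeyProtectorType = 'Tpm' }, @{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'D:'; ProtectionStatus = 'On'
        KeyProtector = @(@{ KeyProtectorType = 'TpmPin' }, @{ KeyProtectorType = 'RecoveryPassword' }) },
    [pscustomobject]@{ MountPoint = 'E:'; ProtectionStatus = 'Off'
        KeyProtector = @() }
)
$sample | Get-PreBootAuthFinding | Format-Table -AutoSize
```

A `TpmOnly` finding on the operating system volume is the default mode the comments above describe; `PreBootAuth` means a PIN or startup key is part of the unlock.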
There is nothing that is safe against physical attacks practically. You can always find a point where you can do a MITM attack as the communication channels between the TPM and anything else are almost always insecure.
Having a non-zero attack surface doesn't mean your security system provides "zero practical security". This is at best equally as hyperbolic as the vendors' own marketing claims that you are arguing against.
Not really? Encrypted sessions block the trivial attack of just watching the secret go across the bus. Pushing people to MITM attacks is already an improvement, and while generating initial trust in the TPM for that purpose isn't straightforward, it's not impossible. The almost universal implementation of TPM-backed secret management isn't secure against physical attack, but that's very different to "insecure by design". All the primitives to make this work reasonably are there, OS and firmware vendors just aren't using them.
Nothing new. This attack is demonstrated here many times and the Microsoft docs discuss a similar attack using self-encrypting drives. The countermeasure is to use a virtual TPM built into the CPU or to use TPM+PIN (which is standard practice for security).
Yes, it does, as does using any other CPU or chipset based TPM (Intel PTT, the AMD PSP-based TPM, running in TrustZone on ARM). The non-Pluton approaches potentially have greater overall attack surface, so Pluton is probably the best choice if available.
This is particularly interesting considering that TrueCrypt recommended migration to BitLocker as the main option for Windows: https://truecrypt.sourceforge.net/
IIRC Apple's version of TPM (Secure Enclave) should be immune to such attacks (since it's on the SoC, but I'm not sure whether the communication is encrypted or not), and the main data encryption method for GNU/Linux (LUKS) does not utilize TPM by default (might depend on distro though).
EDIT: I believe that the method in the video only works for volumes that aren't password/PIN-protected.
If you worry about someone sniffing your hardware buses, you should also worry about them intercepting your keyboard connection when you type the TrueCrypt password.
TPM 2.0 supports encrypted sessions, which block this kind of attack (TPM 2.0 is a wholly different beast than the TPM 1.x series).
I do not recall if cryptsetup's TPM2 support sets up an encrypted session, but for BitLocker just setting it to require a PIN breaks this attack (the PIN is used as part of the TPM policy preventing automatic decryption).
Additionally, some laptops at the very least attempt to erase TPM on case open.
Didn't know! After TC vanished with a recommendation to use BL, I had kept a few files in direct Windows storage protected by BL. The more sensitive ones I still kept in Vera. Here my natural scepticism protected me lol.
Note: there's also BitLocker for non-boot drives, aka BitLocker to Go. It functions more like TV/VC in that you can encrypt a drive/partition/removable storage with a password. You probably don't want it to auto-unlock in that case.
I predict that this will necessitate an upgrade to TPM 3.0 with a key exchange handshake mitigation along with it being a requirement to upgrade to Windows 12. That’s fine though because it will help with economic growth and all the relevant companies’ bottom lines.
I think TPM-only encryption is still good enough for cases where a thief may try to swipe the hard drive out to steal the information on it later.
Plus, in a business where laptops may get reused, it could be a method to make an old Windows install inaccessible by wiping the backup key from the cloud and clearing the TPM on the device without any formatting. You may want to do a quick format to be sure (you never know if someone kept their private files in the EFI partition) but it'll protect you against data recovery risks from reassigned sectors without having to force everyone to enter a password twice every time they boot their laptop.
These kinds of attacks aside, the intent is that you need to turn on the PC and then actually boot to the intended operating system, which is then protected with a login screen.
The "big deal" is just seeing it demonstrated this quickly. TPM-Sniffing is an old hat [1], but I always thought it would take at least hours of painstaking fiddling with a soldering iron. I find this video impressive and eye opening.
Modern systems don't have a dedicated TPM, so it's a lot harder to read the settings off the chip, as it is part of the CPU.
Then I believe modern TPM communication is encrypted.
On top of that you want your laptop to support physical tampering resistance, which prevents both this (outdated) chip attack and freezing the RAM. When you then boot the laptop the master password is required. I would prefer it to throw off the PCR but hey, it works too.
I do wonder if you have 8GB of soldered RAM and 8GB on a stick, Windows keeps the key in the soldered part to increase difficulty stealing?
Opposite - the TPM is hardware TPM and that's why it was easier to sniff the communication between it and the CPU over LPC. fTPM resides inside the CPU so sniffing is not as easy.
aquova|2 years ago
ghostpepper|2 years ago
p_l|2 years ago
Of course you need to first use them...
briHass|2 years ago
NotPractical|2 years ago
Dowwie|2 years ago
A PIN auth step eliminates the convenience value proposition of a TPM.
Selling passwordless authentication as a solution requiring a PIN just isn't recognizing that the PIN is now the password.
i5-2520M|2 years ago
osy|2 years ago
The only secure implementation is called D-RTM which requires a level of chip, OEM, and OS support that's not done in practice.
northern-lights|2 years ago
shawnz|2 years ago
mjg59|2 years ago
Avamander|2 years ago
mike_hock|2 years ago
jsmith99|2 years ago
p_l|2 years ago
jpalomaki|2 years ago
[1] https://learn.microsoft.com/en-us/windows/security/hardware-...
mjg59|2 years ago
matsz|2 years ago
dist-epoch|2 years ago
p_l|2 years ago
linarism|2 years ago
Kluggy|2 years ago
dist-epoch|2 years ago
kopirgan|2 years ago
Guess turning on pre boot pw is next thing to do.
briHass|2 years ago
bugbuddy|2 years ago
p_l|2 years ago
whyoh|2 years ago
It's disappointing that TPM-only is the default for BitLocker, but you can just use something else (PIN/password, key file, ...).
jeroenhd|2 years ago
shawnz|2 years ago
mr_mitm|2 years ago
[1] https://www.orangecyberdefense.com/ch/insights/blog/tpm-snif... (2021)
goriloser|2 years ago
Dowwie|2 years ago
WirelessGigabit|2 years ago
joemazerino|2 years ago
blinkingled|2 years ago
unknown|2 years ago
[deleted]