Daniel Moghimi, Berk Sunar, Thomas Eisenbarth and Nadia Heninger have published TPM-FAIL: TPM meets Timing and Lattice Attacks, their Usenix security paper, which reveals a pair of timing attacks against trusted computing chips (“Trusted Computing Modules” or TPMs), the widely deployed cryptographic co-processors used for a variety of mission-critical secure computing tasks, from verifying software updates to establishing secure connections.
The attacks can be mitigated with a firmware update from Intel, which you should really install, as the Tpmfail attacks can be executed over never-seen short timescales in the range of 4-20 minutes.
The attacks target the ST33 TPM chip and Intel PTT,a software-based TPM. There’s proof-of-concept code coming on Github, and a dedicated website that goes into detail on the theoretical basis for these attacks.
Successful attacks on TPMs are a really big deal: for many security applications, a TPM is presumed to be completely immune to remote attacks, with every other security measure relying on the TPM’s integrity.
Chances are this won’t be the last attack like this we see; as with Spectre and Meltdown, the discovery of a new way to compromise a system often sparks inspiration among other researchers, who dream up new and devious variations on the theme.
A hacker can use these vulnerabilities to forge digital signatures. If your operating system or any of the applications on your computer use the TPM to issue such digital signatures, the private signing key used for signature generation can be compromised. Compromised signing keys can be used to forge signatures for bypassing Authentication, tampering the OS, and other bad things depending on what the digital signatures are used for.
TPM-FAIL: TPM meets Timing and Lattice Attacks [Daniel Moghimi, Berk Sunar, Thomas Eisenbarth and Nadia Heninger/Usenix Security 2020]
TPM-FAIL vulnerabilities impact TPM chips in desktops, laptops, servers [Catalin Cimpanu/Zdnet]
Infuriate your racist Facebook uncle this Thanksgiving with a Leopard RBG shirt.
It’s hard to believe, but the latest installment of McMansion Hell’s (previously) tour through the architectural monstrosities of America’s tastleless elites is even better than the previous ones — possibly that’s because in this edition, editor/critic Kate Wagner is visiting Virginia’s Fairfax and Loudoun Counties, these being affluent DC suburbs where beltway bandits and other […]
Earlier this year, Boing Boing favorite artist Darren Cullen (previously) and Gavin Grindon created a Museum of Neoliberalism in Brighton, England — now, he’s fundraising to open it up again in London for six months.
The more you use your computer, the more it becomes possible for others to use it too. Where there are anti-virus systems, there are hackers looking for a way to get around them. That’s why it’s important to get software that doesn’t just passively scout for viruses in the background. The folks behind GlassWire have […]
Knowledge is power. It’s a cliché, but sometimes things turn into a cliché because they’re true. If you’re making your way through the world of business and entrepreneurship, it only makes sense to read about the insights of people who have climbed that ladder before you. Trouble is, the modern workday doesn’t leave a lot […]
As much as some of us fear the loss of our jobs to robots, there’s one job we’re pretty sure they are welcome to: vacuuming. There’s nothing quite like kicking back and watching a robot vacuum do one of the most time-consuming tasks on the household chore list. And there are few ‘bots that do […]