A team of cybersecurity researchers today disclosed details of two new potentially serious CPU vulnerabilities that could allow attackers to retrieve cryptographic keys protected inside TPM chips manufactured by STMicroelectronics or firmware-based Intel TPMs.
Trusted Platform Module (TPM) is a specialized hardware or firmware-based security solution that has been designed to store and protect sensitive information from attackers even when your operating system gets compromised.
TMP technology is being used widely by billion of desktops, laptops, servers, smartphones, and even by Internet-of-Things (IoT) devices to protect encryption keys, passwords, and digital certificates.
Collectively dubbed as TPM-Fail, both newly found vulnerabilities, as listed below, leverage a timing-based side-channel attack to recover cryptographic keys that are otherwise supposed to remain safely inside the chips.
- CVE-2019-11090: Intel fTPM vulnerabilities
- CVE-2019-16863: STMicroelectronics TPM chip
According to researchers, elliptic curve signature operations on TPMs from various manufacturers are vulnerable to timing leakage issues, which could lead to the recovery of a private key by measuring the execution time of operation inside the TPM device.
“A privileged adversary can exploit the OS kernel to perform accurate timing measurement of the TPM, and thus discover and exploit timing vulnerabilities in cryptographic implementations running inside the TPM.”
“They are practical [attacks]. A local adversary can recover the ECDSA key from Intel fTPM in 4-20 minutes, depending on the access level.”
As a proof-of-concept (code on GitHub), researchers tested and managed to recover 256-bit ECDSA and ECSchnorr private keys by collecting signature timing data with and without administrative privileges.
“Further, we managed to recover ECDSA keys from an fTPM-endowed server running StrongSwan VPN over a noisy network as measured by a client.”
“In this attack, the remote client recovers the server’s private authentication key by timing only 45,000 authentication handshakes via a network connection.”
“The fact that a remote attack can extract keys from a TPM device certified as secure against side-channel leakage underscores the need to reassess remote attacks on cryptographic implementations.”
Once recovered, an attacker can use stolen keys to forge digital signatures, steal or alter encrypted information, and bypass OS security features or compromise applications that rely on the integrity of the keys.
“The vulnerable Intel fTPM is used by many PC and laptop manufacturers, including Lenovo, Dell, and HP.”
Besides this, researchers also tested TMP solutions manufactured by Infineon and Nuvoton and found them vulnerable to non-constant execution timing leakage issues.
Researchers responsibly reported their findings to Intel and STMicroelectronics in February this year, and the companies just yesterday released a patch update for affected products.
TPM-FAIL — THE ATTACKS
The actual attacks on these two TPM technologies is what security researcher call a “timing leakage.”
An external observer can record the time differences when the TPM is performing repetative operations and infer the data being processed inside the secure chip — all based on the amount of time the TPM takes to do the same thing over and over again.
The research team says the “timing leakage” they discovered can be used to extract 256-bit private keys that are being stored inside the TPM. More specifically, 256-bit private keys used by certain digital signature schemes based on elliptic curves algorithms such as ECDSA and ECSchnorr.
While this sounds like a very narrow attack surface, these two are common digital signature schemes used in many of today’s cryptographically-secured operations, such as establishing TLS connections, signing digital certificates, and authorizing logins.
But the novelty and danger factor surrounding TPM-FAIL relies in the fact that this attack is also fully weaponizable in a real-world scenario.
Similar attacks on TPMs usually recover partial keys or take too long to execute. TPM-FAIL does not.
“They are practical,” the research team said about TPM-FAIL.
“A local adversary can recover the ECDSA key from Intel fTPM in 4-20 minutes depending on the access level,” they said.
“We even show that these attacks can be performed remotely on fast networks, by recovering the authentication key of a virtual private network (VPN) server in 5 hours.”
Performing a five-hour-long attack on a remote VPN server isn’t as hard as it sounds. Per the research team, the attack involves initiating around 45,000 authentication handshakes against a remote VPN server and recording the responses.
After enough observations of the response time, attackers would be able to recover the private key that the VPN server was using to sign and verify authentication operations, and allowing themselves to access a VPN-protected network.
The only good news is that the attack is not trivial and that some advanced technical knowledge would be needed from an attacker — however, not that advanced that would exclude any potential attacks.
“The attacks could indeed be weaponized with some effort,” Daniel Moghimi from the Worcester Polytechnic Institute, and one of the researchers behind TPM-FAIL, told ZDNet in an interview today.
“The required skill to pull this kind of attack is, of course, more than the script-kiddie effort, but there are many people out there who use similar techniques to solve more advanced CTF challenges.”
TPM-FAIL — PATCHES AND PROOF-OF-CONCEPT CODE
Moghimi told ZDNet that the research team started working on exploring this new attack vector inside TPMs earlier this year in January.
They tested many TPM technologies and not just the ones from Intel and STMicroelectronics. However, TPMs from Infineon and Nuvoton were not found to be vulnerable.
The first issue that they discovered was the one impacting Intel’s PPT, which they reported to the company in February.
“Intel was quite professional,” Moghimi told ZDNet. “In the last two years, they have pretty much streamlined the disclosure process. Our only concern was the initial assigned CVS score, but after we provided them a detailed [proof-of-concept] showing that the attack can be performed remotely, they changed/increased it.”
Moghimi said this disclosure process ended today, on November 12, when Intel released firmware updates for the Intel PTT, which users can download via the company’s official security advisory.
The STMicroelectronics issue was discovered a few months later after the Intel one, namely in May, when the research team also reached out to the company.
Since STMicroelectronics was shipping a hardware-enforced TPM, the company couldn’t just issue a software update. Instead, they prepared a new iteration of the ST33 chip.
The research team said they received a version of this new chip and confirmed that it was resistant to the TPM-FAIL attacks on September 12, 2019.
The company was supposed to publish a security advisory at the following URL (also mentioned in a Microsoft security advisory), but the security advisory was not public at the time of this article’s publication.
Now, a long process starts during which end-users — home consumers and enterprise customers alike — are expected to update CPU/motherboard firmware, and replace outdated equipment.
Of the two, the issue impacting Intel’s fTPM solution is considered the most dangerous, as it could be exploited remotely.
The research team told that they plan to publish the tools they used to analyze the vulnerable TPMs, along with proof-of-concept code, on GitHub.
In large enterprise networks, some system administrators may not be fully aware of what TPMs they are using on particular devices. The proof-of-concept code should help these sysadmins test and see if they have devices vulnerable to the two attacks.
Unfortunately, the same proof-of-concept code may also end up helping attackers, once it gets published online. Applying the Intel PPT firmware updates should be a top priority.
A technical whitepaper on the TPM-FAIL attacks is available for download, and is entitled “TPM-FAIL: TPM meets Timing and Lattice Attacks.” A dedicated website is also available. Some of the researchers involved in TPM-FAIL were also involved in the discovery of the Zombieload and Spoiler CPU vulnerabilies.
