Never mind the WPA2 drama... Details emerge of TPM key cockup that hits tonnes of devices

About a third of all crypto modules globally generate weak, crackable RSA pairs


RSA keys produced by smartcards, security tokens, laptops, and other devices using cryptography chips made by Infineon Technologies are weak and crackable – and should be regenerated with stronger algorithms.

In short, Infineon TPMs – aka trusted platform modules – are used in countless computers and gadgets to generate RSA key pairs for securing VPNs, implementing trusted boot sequences, performing whole disk encryption, granting access to cloud accounts, producing encryption certificates, and more. The secrets at the heart of these systems can be mathematically cracked by determined adversaries, allowing them to potentially gain control of computers and decipher data secured by the TPM-built RSA keys.

We've previously covered the firmware bug on these pages. Now, while everyone's distracted by the WPA2 KRACK flaw, a few more details of the Infineon screwup have emerged, and you should check them out to make sure you're not affected or take action if so. For example, the bug causes some Yubikey 4 gadgets to generate weak authentication keys, and should be replaced as soon as possible.

Essentially, you should upgrade your TPM's firmware, via updates from your device's manufacturer or operating system's maker, as soon as possible, and refresh your weak keys using the new code on the hardware or using a stronger implementation.

Crypto expert Thomas Ptáček had this to say:

The TPM vulnerability can be exploited to compute, by factorization, the private keys from public keys in TPM-generated RSA private-public key pairs. Suffice to say, this shouldn't be possible, and the private component is supposed to remain secret.

The bug lies in the chipset's firmware code that generates key pairs, and was discovered by a team of researchers at Masaryk University in Brno, Czech Republic; UK security firm Enigma Bridge; and Ca' Foscari University of Venice, Italy. Infineon security chips manufactured from 2012 onwards, including the latest versions, are all vulnerable.

We're told you'll need somewhere in the region of $30,000 in cloud computing power to crack a 2,048-bit RSA key pair generated by the dodgy Infineon hardware. For 1,024-bit keys, which are generally crap anyway, it is trivial to factorize a vulnerable private key.

“The attack is practical, although it’s unlikely to be cost-effective for large-scale attacks,” Dan Cvrcek of Enigma Bridge told El Reg on Monday. “The current indicative processor times for 1,024 and 2,048 bit keys are 97 vCPU days ($40 to $80) and 51,400 vCPU days ($20,000 to $40,000), respectively.

“Worst hit, at the moment, seems to be ... whole-disk encryption, as well as for securing access to some cloud platforms, but it extends to non-repudiation signatures, email signing, access to VPN and buildings, e-Health cards, and e-IDs."

Cvrcek estimated that Infineon's TPMs are "25 to 30 per cent of TPMs used globally." The flawed Infineon chipset has been integrated into motherboards, laptops including Chromebooks, authentication systems, trusted boot mechanisms, and cryptographic tokens sold by computer and device makers worldwide.

Major vendors including HP, Lenovo and Fujitsu have released software updates and mitigation guidelines.

An idea of the stuff affected by the TPM bug ... From the bug's researchers

The vulnerability has been dubbed ROCA, aka Return of Coppersmith's Attack aka CVE-2017-15361, and is believed to be behind recent security problems with Estonian ID cards. The code flaw was documented by Google and Microsoft last week.

Full details of the research, including the factorisation method, will be released at the ACM’s Computer and Communications Security (CCS) conference. A paper, "The Return of Coppersmith's Attack: Practical Factorization of Widely Used RSA Moduli," will be unveiled at the confab in Dallas, Texas, on November 2.

Ahead of the talk, the researchers have produced offline and online detection tools that will allow folks to figure out whether or not their keys are affected by the issue. ®

Similar topics


Other stories you might like

  • Prisons transcribe private phone calls with inmates using speech-to-text AI

    Plus: A drug designed by machine learning algorithms to treat liver disease reaches human clinical trials and more

    In brief Prisons around the US are installing AI speech-to-text models to automatically transcribe conversations with inmates during their phone calls.

    A series of contracts and emails from eight different states revealed how Verus, an AI application developed by LEO Technologies and based on a speech-to-text system offered by Amazon, was used to eavesdrop on prisoners’ phone calls.

    In a sales pitch, LEO’s CEO James Sexton told officials working for a jail in Cook County, Illinois, that one of its customers in Calhoun County, Alabama, uses the software to protect prisons from getting sued, according to an investigation by the Thomson Reuters Foundation.

    Continue reading
  • Battlefield 2042: Please don't be the death knell of the franchise, please don't be the death knell of the franchise

    Another terrible launch, but DICE is already working on improvements

    The RPG Greetings, traveller, and welcome back to The Register Plays Games, our monthly gaming column. Since the last edition on New World, we hit level cap and the "endgame". Around this time, item duping exploits became rife and every attempt Amazon Games made to fix it just broke something else. The post-level 60 "watermark" system for gear drops is also infuriating and tedious, but not something we were able to address in the column. So bear these things in mind if you were ever tempted. On that note, it's time to look at another newly released shit show – Battlefield 2042.

    I wanted to love Battlefield 2042, I really did. After the bum note of the first-person shooter (FPS) franchise's return to Second World War theatres with Battlefield V (2018), I stupidly assumed the next entry from EA-owned Swedish developer DICE would be a return to form. I was wrong.

    The multiplayer military FPS market is dominated by two forces: Activision's Call of Duty (COD) series and EA's Battlefield. Fans of each franchise are loyal to the point of zealotry with little crossover between player bases. Here's where I stand: COD jumped the shark with Modern Warfare 2 in 2009. It's flip-flopped from WW2 to present-day combat and back again, tried sci-fi, and even the Battle Royale trend with the free-to-play Call of Duty: Warzone (2020), which has been thoroughly ruined by hackers and developer inaction.

    Continue reading
  • American diplomats' iPhones reportedly compromised by NSO Group intrusion software

    Reuters claims nine State Department employees outside the US had their devices hacked

    The Apple iPhones of at least nine US State Department officials were compromised by an unidentified entity using NSO Group's Pegasus spyware, according to a report published Friday by Reuters.

    NSO Group in an email to The Register said it has blocked an unnamed customers' access to its system upon receiving an inquiry about the incident but has yet to confirm whether its software was involved.

    "Once the inquiry was received, and before any investigation under our compliance policy, we have decided to immediately terminate relevant customers’ access to the system, due to the severity of the allegations," an NSO spokesperson told The Register in an email. "To this point, we haven’t received any information nor the phone numbers, nor any indication that NSO’s tools were used in this case."

    Continue reading

Biting the hand that feeds IT © 1998–2021