Trusted Platform Modules, specialized processors or firmware that protect the cryptographic keys used to secure operating systems, are not entirely trustworthy.
Boffins from the Worcester Polytechnic Institute and University of California, San Diego, in the US, and the University of Lübeck in Germany, have found that TPMs leak timing information that allows the recovery of the private keys used for cryptographic signatures.
In a paper [PDF] published on Tuesday, "TPM-FAIL: TPM meets Timing and Lattice Attacks," researchers Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger describes how they successfully conducted black-box timing analysis of TPM 2.0 devices to recover 256-bit private keys for ECDSA (Elliptic Curve Digital Signature Algorithm) and ECSchnorr signatures that are supposed to remain unobserved within the TPM.
Timing measurements represent a side channel attack that can be used to infer the inner workings of cryptographic systems.
"Our analysis reveals that elliptic curve signature operations on TPMs from various manufacturers are vulnerable to timing leakage that leads to recovery of the private signing key," the paper states. "We show that this leakage is significant enough to be exploited remotely by a network adversary."
The researchers found that a local attacker can recover the ECDSA key from Intel fTPM in 4-20 minutes, depending upon the available level of access. The technique can also be conducted remotely to obtain the authentication key from a VPN server in five hours or so.
In an email to The Register, Moghimi said the remote attack scenario assumes there's a VPN configured to use the TPM for authentication and is publicly available on a network.
"A client who is supposed to use the VPN as a service acts as an adversary and steals the VPN server's private key," said Moghimi. "As a result, she can impersonate the VPN's server and compromise the secure communication of other users with the VPN server."
Moghimi said the attacker would need to conduct multiple authentication handshakes in order to measure the time each takes and then use that time measurement as a side-channel to discern information about the VPN server's secrets inside the TPM. Such handshakes, he said, look like normal network traffic and wouldn't be obviously malicious.
"The remote attack takes much longer due to the network's noise on the timing channel," said Moghimi. "The faster a network is, the remote attack can be performed better since there will be less timing noise. We tested on a simple 1GB local network which is common in many organizations and companies. I can imagine the remote attack would be faster/easier on a 10GB network or a fiber network."
True to its name, Intel CPU flaw ZombieLoad comes shuffling back with new variantREAD MORE
The researchers identified flaws in Intel's fTPM, a firmware-based TPM on computers running Intel's management engine on PCs and laptops from vendors like Asus, Lenovo, Dell, and HP, and in computers with dedicated TPM hardware made by STMicroelectronics (ST33TPHF2ESPI). These vulnerabilities exist in devices certified FIPS 140-2 Level 2 and Common Criteria (CC) EAL 4+, certifications bestowed on hardware believed to be resistant to side-channel attacks.
The boffins also tested TPMs by Infineon and Nuvoton. The Infineno hardware (SLB 9670) exhibited non-constant time behavior but did not appear to have an exploitable vulnerability. The Nuvoton unit (rls NPCT) showed constant-time behavior for ECDSA, meaning it's not vulnerable.
The security flaws have been designated CVE-2019-11090 for Intel fTPM vulnerabilities and CVE-2019-16863 for STMicroelectronics TPM chip. The researchers responsibly disclosed their findings to the two companies, and the publication of their work – to be presented at the Real World Crypto 2020 conference in January – coincides with patches from Intel and STMicroelectronics.
Intel addresses the flaws in the INTEL-SA-00241 patch, which covers multiple CVEs. STMicroelectronics did not immediately respond to a request for comment, but the researchers say the biz has issued a new chip that fixes the flaws.
Intel disclosed its patch in a new security blog, noting that it found 22 of 24 flaws related to its management engine.
The now-obligatory vulnerability website, TPM.fail, provides further details. ®