Defeated Trusted Platform Module Safety in 30 Minutes, No Soldering Required
Let’s say you’re a large company that just delivered a brand new replacement laptop to an employee. And let’s say it’s preconfigured to use the latest and greatest security practices, including full disk encryption with a trusted platform module, password-protected BIOS settings, UEFI SecureBoot, and virtually every other recommendation from the National Security Agency and NIST to lock down federal computer systems . And let’s assume an attacker manages to intercept the machine. Can the attacker use it to hack your network?
Research released last week shows the answer is a resounding “yes”. In addition, a hacker who has done his homework will need surprisingly little time alone with the machine to carry out the attack. This allows the hacker not only to write on the stolen laptop, but also on the reinforced network to which it was configured.
Researchers at security consultancy Dolos Group hired to test the security of a customer’s network were given a new Lenovo computer that was preconfigured to use the company’s standard security stack. You did not receive test credentials, configuration details, or other information about the machine. An analysis of the BIOS settings, the boot process and the hardware quickly revealed that the existing security measures would rule out the usual hacks, including:
Fort Knox and the less armored car
The researchers focused on the Trusted Platform Module, or TPM, a highly reinforced chip that is installed on the motherboard and communicates directly with other hardware installed on the computer. The researchers found that, as is common practice with full disk encryption with Microsoft’s BitLocker, the laptop boots directly to the Windows screen without the need for a prompt for a PIN or password. This meant that the only cryptographic secret used to unlock the drive was stored in the TPM.
Microsoft recommends overriding the default setting and using a PIN or password only for threat models that expect an attacker with enough skill and time alone with an unattended target computer to open the case and solder motherboard devices. Upon completing their analysis, the researchers said that Microsoft’s advice is inadequate as it opens devices for attacks that can be carried out by an abusive spouse, malicious insider, or anyone with volatile private access.
“A preconfigured attacker can execute this entire chain of attacks in less than 30 minutes without soldering, simple and relatively cheap hardware and publicly available tools,” the researchers from the Dolos Group wrote in an article, “a process that you can use directly in Evil-Maid- Territory.”
TPMs have several levels of protection that prevent attackers from extracting or tampering with the data they hold. For example, an analysis by reverse engineering Christopher more than 10 years ago revealed that an Infineon TPM chip is designed to self-destruct if it is physically penetrated. Optical sensors detected, for example, ambient light from illuminants. And a wire mesh covering the microcontroller was supposed to deactivate the chip should one of its circuits be disturbed.
With little hope of cracking the chip in the Lenovo laptop, the Dolos researchers looked for other ways to extract the key that decrypts the hard drive. They discovered that the TPM was communicating with the CPU through a serial peripheral interface, a communication protocol for embedded systems.
The firmware, abbreviated as SPI, does not offer any encryption functions of its own, so any encryption must be carried out by the devices with which the TPM communicates. Microsoft’s BitLocker, on the other hand, does not use any of the encrypted communication functions of the latest TPM standard. If the researchers could tap into the connection between the TPM and the CPU, they could potentially extract the key.
Bypassing the TPM in this way is akin to ignoring Fort Knox and focusing on the not-so-armored car that comes out of it.
To sniff the data moving over the SPI bus, we need to connect cables or probes to the pins (labeled MOSI, MISO, CS, and CLK above) of the TPM. Usually it’s easy, but in this case there is a practical problem. This TPM has a VQFN32 footprint that is very small. The “pins” are actually only 0.25 mm wide and have a distance of 0.5 mm. And these “pins” aren’t actually pins, they lie flat against the wall of the chip, so it’s physically impossible to attach any kind of clip. You could solder “fly leads” to the solder pads, but that is tedious and tends to be a very physically unstable connection. Alternatively, a common tactic is to place resistors in series for soldering, but they were just as small and even more fragile. It wasn’t going to be easy.
But before we started we figured there might be another way. SPI chips often share the same “bus” with other SPI chips. It is a technique hardware designers use to make connections easier, save costs, and simplify troubleshooting / programming. We started searching the entire board for other chips that might be on the same bus as the TPM. Maybe their pens would be bigger and easier to use. After some browsing and consulting the circuit diagrams, it turned out that the TPM shared an SPI bus with a single other chip, the CMOS chip, which definitely had larger pins. In fact, the CMOS chip was almost the largest pin size you can find on standard motherboards, it was an SOP-8 (also known as SOIC-8).
Abbreviation for complementary metal-oxide-semiconductor, a CMOS chip on a PC stores the BIOS settings, including the system time and date, and the hardware settings. The researchers connected a Saleae logic analyzer to the CMOS. In a short amount of time, they were able to extract every byte that moved through the chip. The researchers then used the Bitlocker-Spi toolkit written by Henri Numi to isolate the key in the mass of data.
After the hard drive was decrypted, the researchers combed the data looking for anything – encrypted or clear-text passwords, potentially exposed sensitive files, or the like – that could bring them closer to their goal of accessing the customer’s network. They quickly came across something: Palo Alto Networks’ Global Protect VPN client, which came pre-installed and preconfigured.
One function of the VPN is that it can establish a VPN connection before a user logs on. The function is to authenticate an endpoint and allow domain scripts to run as soon as the computer is turned on. This is useful because administrators can manage large fleets of machines without knowing the password for each one.