Daniel Moghimi, Berk Sunar, Thomas Eisenbarth and Nadia Heninger have published TPM-FAIL: TPM meets Timing and Lattice Attacks, their USENIX Security paper, which reveals a pair of timing attacks against trusted computing chips ("Trusted Computing Modules" or TPMs), the widely deployed cryptographic co-processors used for a variety of mission-critical secure computing tasks, from verifying software updates to establishing secure connections.
The attacks can be mitigated with a firmware update from Intel, which you should really install, as the TPM-FAIL attacks can be executed over unprecedentedly short timescales, in the range of 4-20 minutes.
The attacks target the ST33 TPM chip and Intel PTT, a software-based TPM. There's proof-of-concept code coming on GitHub, and a dedicated website that goes into detail on the theoretical basis for these attacks.
Successful attacks on TPMs are a really big deal: for many security applications, a TPM is presumed to be completely immune to remote attacks, with every other security measure relying on the TPM's integrity.
Chances are this won't be the last attack like this we see; as with Spectre and Meltdown, the discovery of a new way to compromise a system often sparks inspiration among other researchers, who dream up new and devious variations on the theme.
A hacker can use these vulnerabilities to forge digital signatures. If your operating system or any of the applications on your computer use the TPM to issue such digital signatures, the private signing key used for signature generation can be compromised. Compromised signing keys can be used to forge signatures for bypassing authentication, tampering with the OS, and other bad things depending on what the digital signatures are used for.
TPM-FAIL: TPM meets Timing and Lattice Attacks [Daniel Moghimi, Berk Sunar, Thomas Eisenbarth and Nadia Heninger/USENIX Security 2020]
TPM-FAIL vulnerabilities impact TPM chips in desktops, laptops, servers [Catalin Cimpanu/ZDNet]