Tuesday, May 2nd 2023
AMD faulTPM Exploit Targets Zen 2 and Zen 3 Processors
Researchers at the Technical University of Berlin have published a paper called "faulTPM: Exposing AMD fTPMs' Deepest Secrets," showing that AMD's firmware-based Trusted Platform Module (fTPM) is susceptible to a new attack targeting Zen 2 and Zen 3 processors. The faulTPM attack exploits the AMD Secure Processor's (SP) susceptibility to voltage fault injection. This allows the attacker to extract a chip-unique secret from the targeted CPU, which is then used to derive the storage and integrity keys protecting the fTPM's non-volatile data stored on the BIOS flash chip. The attack consists of a manual parameter determination phase followed by a brute-force search for a final delay parameter. The first phase requires around 30 minutes of manual attention, but it could potentially be automated. The second phase consists of repeated attack attempts that search for the last remaining parameter and then execute the attack's payload.
Once these steps are completed, the attacker can extract any cryptographic material stored or sealed by the fTPM regardless of authentication mechanisms, such as Platform Configuration Register (PCR) validation or passphrases with anti-hammering protection. Notably, BitLocker relies on the TPM as a security measure, so faulTPM compromises such a system. The researchers state that Zen 2 and Zen 3 CPUs are vulnerable, while Zen 4 was not mentioned. The attack requires several hours of physical access, so it cannot be carried out remotely. Below, you can see the $200 system used for this attack and an illustration of the physical connections necessary. AMD has issued a statement to Tom's Hardware:
Sources:
faulTPM Paper, Tom's Hardware
AMD Spokesperson: AMD is aware of the research report attacking our firmware trusted platform module which appears to leverage related vulnerabilities previously discussed at ACM CCS 2021. This includes attacks carried out through physical means, typically outside the scope of processor architecture security mitigations. We are continually innovating new hardware-based protections in future products to limit the efficacy of these techniques. Specific to this paper, we are working to understand potential new threats and will update our customers and end-users as needed.

The attack is also public, with code available on GitHub.
21 Comments on AMD faulTPM Exploit Targets Zen 2 and Zen 3 Processors
aw damn not me secrets! all this while I was getting coffee now my docs are on github TwT
I better start breaking down my computers everyday and hiding all my hardware to prevent this from ever happening! I'm going to start right now!
But this one is just way too impractical to be put on any kind of news article.
If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identify all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time to do all the hacks
He must have 100+ more ways to do the same thing with less effort.
Why do it like this?
Any system that allows undisturbed physical access to an attacker should be (and probably is) considered compromised beyond saving.
"- Ha ha ha! You don't know anything, Google. You're wrong"
- Your mother's husband is where you say. Your father is where I say."
I think even Intel themselves can't be that confident
pronanime stash :D Except most state level actors or even highly sophisticated criminal groups exploit some of them regularly & are well aware of them! www.cvedetails.com/vulnerability-list.php?vendor_id=238&product_id=&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=663&sha=1d6011c41df6dde5f48a4f36352f44c40f918a0a
www.cvedetails.com/vulnerability-list.php?vendor_id=7043&product_id=&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=0&cvssscoremax=0&year=0&month=0&cweid=0&order=3&trc=35&sha=5d677a4c9e2eb1367064584d278001d10a4b5a92
Either you jest or you troll, I'm sure your reply that I'll ignore will give readers that happen to pass by a laugh.