• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

AMD faulTPM Exploit Targets Zen 2 and Zen 3 Processors

AleksandarK

News Editor
Staff member
Joined
Aug 19, 2017
Messages
2,565 (0.97/day)
Researchers at the Technical University of Berlin have published a paper called "faulTPM: Exposing AMD fTPMs' Deepest Secrets," highlighting AMD's firmware-based Trusted Platform Module (TPM) is susceptible to the new exploit targeting Zen 2 and Zen 3 processors. The faulTPM attack against AMD fTPMs involves utilizing the AMD secure processor's (SP) vulnerability to voltage fault injection attacks. This allows the attacker to extract a chip-unique secret from the targeted CPU, which is then used to derive the storage and integrity keys protecting the fTPM's non-volatile data stored on the BIOS flash chip. The attack consists of a manual parameter determination phase and a brute-force search for a final delay parameter. The first step requires around 30 minutes of manual attention, but it can potentially be automated. The second phase consists of repeated attack attempts to search for the last-to-be-determined parameter and execute the attack's payload.

Once these steps are completed, the attacker can extract any cryptographic material stored or sealed by the fTPM regardless of authentication mechanisms, such as Platform Configuration Register (PCR) validation or passphrases with anti-hammering protection. Interestingly, BitLocker uses TPM as a security measure, and faulTPM compromises the system. Researchers suggested that Zen 2 and Zen 3 CPUs are vulnerable, while Zen 4 wasn't mentioned. The attack requires several hours of physical access, so remote vulnerabilities are not a problem. Below, you can see the $200 system used for this attack and an illustration of the physical connections necessary.




AMD has issued a statement for Tom's Hardware:
AMD Spokesperson said:
AMD is aware of the research report attacking our firmware trusted platform module which appears to leverage related vulnerabilities previously discussed at ACM CCS 2021. This includes attacks carried out through physical means, typically outside the scope of processor architecture security mitigations. We are continually innovating new hardware-based protections in future products to limit the efficacy of these techniques. Specific to this paper, we are working to understand potential new threats and will update our customers and end-users as needed.

The attack is also public with code available on GitHub.

View at TechPowerUp Main Site | Source
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
26,912 (3.83/day)
Location
Alabama
System Name RogueOne
Processor Xeon W9-3495x
Motherboard ASUS w790E Sage SE
Cooling SilverStone XE360-4677
Memory 128gb Gskill Zeta R5 DDR5 RDIMMs
Video Card(s) MSI SUPRIM Liquid X 4090
Storage 1x 2TB WD SN850X | 2x 8TB GAMMIX S70
Display(s) 49" Philips Evnia OLED (49M2C8900)
Case Thermaltake Core P3 Pro Snow
Audio Device(s) Moondrop S8's on schitt Gunnr
Power Supply Seasonic Prime TX-1600
Mouse Lamzu Atlantis mini (White)
Keyboard Monsgeek M3 Lavender, Moondrop Luna lights
VR HMD Quest 3
Software Windows 11 Pro Workstation
Benchmark Scores I dont have time for that.
1683085504454.png


aw damn not me secrets! all this while I was getting coffee now my docs are on github TwT
 
Joined
May 18, 2009
Messages
2,948 (0.52/day)
Location
MN
System Name Personal / HTPC
Processor Ryzen 5900x / Ryzen 5600X3D
Motherboard Asrock x570 Phantom Gaming 4 /ASRock B550 Phantom Gaming
Cooling Corsair H100i / bequiet! Pure Rock Slim 2
Memory 32GB DDR4 3200 / 16GB DDR4 3200
Video Card(s) EVGA XC3 Ultra RTX 3080Ti / EVGA RTX 3060 XC
Storage 500GB Pro 970, 250 GB SSD, 1TB & 500GB Western Digital / lots
Display(s) Dell - S3220DGF & S3222DGM 32"
Case CoolerMaster HAF XB Evo / CM HAF XB Evo
Audio Device(s) Logitech G35 headset
Power Supply 850W SeaSonic X Series / 750W SeaSonic X Series
Mouse Logitech G502
Keyboard Black Microsoft Natural Elite Keyboard
Software Windows 10 Pro 64 / Windows 10 Pro 64
So, like a lot of exploits on CPUs (either side, AMD or Intel) you're information is ripe for the taking as long as someone has physical access to your computer and an hour or two of time, with specialty hardware/software?

I better start breaking down my computers everyday and hiding all my hardware to prevent this from ever happening! I'm going to start right now!
 
Joined
Feb 15, 2019
Messages
1,658 (0.79/day)
System Name Personal Gaming Rig
Processor Ryzen 7800X3D
Motherboard MSI X670E Carbon
Cooling MO-RA 3 420
Memory 32GB 6000MHz
Video Card(s) RTX 4090 ICHILL FROSTBITE ULTRA
Storage 4x 2TB Nvme
Display(s) Samsung G8 OLED
Case Silverstone FT04
I know a bug is a bug and it is worth fixing.

But this one is just way too impractical to be put on any kind of news article.

If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identified all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time doing all the hacks

He must have 100+ more ways to do the same thing with less effort.
Why doing it like this ?
 
Joined
Sep 10, 2015
Messages
529 (0.16/day)
System Name My Addiction
Processor AMD Ryzen 7950X3D
Motherboard ASRock B650E PG-ITX WiFi
Cooling Alphacool Core Ocean T38 AIO 240mm
Memory G.Skill 32GB 6000MHz
Video Card(s) Sapphire Pulse 7900XTX
Storage Some SSDs
Display(s) 42" Samsung TV + 22" Dell monitor vertically
Case Lian Li A4-H2O
Audio Device(s) Denon + Bose
Power Supply Corsair SF750
Mouse Logitech
Keyboard Glorious
VR HMD None
Software Win 10
Benchmark Scores None taken
I know a bug is a bug and it is worth fixing.

But this one is just way too impractical to be put on any kind of news article.

If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identified all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time doing all the hacks

He must have 100+ more ways to do the same thing with less effort.
Why doing it like this ?
My thoughts exactly.

Any system that allows undisturbed physical access to an attacker should be (and probably are) considered compromised beyond saving.
 
Joined
Jun 6, 2022
Messages
622 (0.69/day)
Do we worry about these holes while accessing Google? :kookoo:
"- Ha ha ha! You don't know anything, Google. You're wrong"
- Your mother's husband is where you say. Your father is where I say."
 
Joined
Sep 1, 2020
Messages
2,338 (1.52/day)
Location
Bulgaria
It is obvious that these "researchers" are criminals who are only looking to make money through their criminal activities. I hope that justice in the countries where they live will do their duty to society and remove them from the scene.
 
Joined
Oct 18, 2017
Messages
181 (0.07/day)
System Name 1080p 144hz
Processor 7800X3D
Motherboard Asus X670E crosshair hero
Cooling Noctua NH-D15
Memory G.skill flare X5 2*16 GB DDR5 6000 Mhz CL30
Video Card(s) Nvidia RTX 4070 FE
Storage Western digital SN850 1 TB NVME
Display(s) Asus PG248Q
Case Phanteks P600S
Audio Device(s) Logitech pro X2 lightspeed
Power Supply EVGA 1200 P2
Mouse Logitech G PRO
Keyboard Logitech G710+
Benchmark Scores https://www.3dmark.com/sw/1143551
I know a bug is a bug and it is worth fixing.

But this one is just way too impractical to be put on any kind of news article.

If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identified all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time doing all the hacks

He must have 100+ more ways to do the same thing with less effort.
Why doing it like this ?
Because enterprise users are loosing their laptops with encrypted data on it all the time, and this is a relatively cheap method to access them.
 
Joined
Oct 25, 2019
Messages
203 (0.11/day)
I know a bug is a bug and it is worth fixing.

But this one is just way too impractical to be put on any kind of news article.

If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identified all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time doing all the hacks

He must have 100+ more ways to do the same thing with less effort.
Why doing it like this ?
Doesn't matter, it's still a massive violation of public trust and could potentially affect server processors as well. AMD needs to pay materially for it and inform consumers so they don't waste hard earned money on their compromised products. Another reminder to stay with Intel, always
 
Joined
Feb 15, 2019
Messages
1,658 (0.79/day)
System Name Personal Gaming Rig
Processor Ryzen 7800X3D
Motherboard MSI X670E Carbon
Cooling MO-RA 3 420
Memory 32GB 6000MHz
Video Card(s) RTX 4090 ICHILL FROSTBITE ULTRA
Storage 4x 2TB Nvme
Display(s) Samsung G8 OLED
Case Silverstone FT04
Another reminder to stay with Intel, always
Are you saying Intel platform won't be cracked if given the intruder hardware level access for a few hours with specialized equipment ( with soldering irons) ?

I think even Intel themselves can't be that confident

Episode 12 Nbc GIF by Law & Order
 
Joined
Apr 30, 2008
Messages
4,897 (0.81/day)
Location
Multidimensional
System Name Boomer Master Race
Processor Intel Core i5 12600H
Motherboard MinisForum NAB6 Lite Board
Cooling Mini PC Cooling
Memory Apacer 16GB 3200Mhz
Video Card(s) Intel Iris Xe Graphics
Storage Kingston 512GB SSD
Display(s) Sony 4K Bravia X85J 43Inch TV 120Hz
Case MinisForum NAB6 Lite Case
Audio Device(s) Built In Realtek Digital Audio HD
Power Supply 120w External Power Brick
Mouse Logitech G203 Lightsync
Keyboard Atrix RGB Slim Keyboard
VR HMD ( â—” Ę–ĚŻ â—” )
Software Windows 11 Home 64bit
Benchmark Scores Don't do them anymore.
Are you saying Intel platform won't be cracked if given the intruder hardware level access for a few hours with specialized equipment ( with soldering irons) ?

I think even Intel themselves can't be that confident

Episode 12 Nbc GIF by Law & Order
Fancucker is a troll, no idea why it's still on this site.
 

W1zzard

Administrator
Staff member
Joined
May 14, 2004
Messages
27,798 (3.71/day)
Processor Ryzen 7 5700X
Memory 48 GB
Video Card(s) RTX 4080
Storage 2x HDD RAID 1, 3x M.2 NVMe
Display(s) 30" 2560x1600 + 19" 1280x1024
Software Windows 10 64-bit
Are you saying Intel platform won't be cracked if given the intruder hardware level access for a few hours with specialized equipment ( with soldering irons) ?
Exactly that is the promise of TPM, otherwise it's a useless technology that creates a false sense of security (TPM is disabled on all my machines btw)
 
Joined
Sep 8, 2020
Messages
214 (0.14/day)
System Name Home
Processor 5950x
Motherboard Asrock Taichi x370
Cooling Thermalright True Spirit 140
Memory Patriot 32gb DDR4 3200mhz
Video Card(s) Sapphire Radeon RX 6700 10gb
Storage Too many to count
Display(s) U2518D+u2417h
Case Chieftec
Audio Device(s) onboard
Power Supply seasonic prime 1000W
Mouse Razer Viper
Keyboard Logitech
Software Windows 10
I wonder who sponsored this research :)
 
Joined
Feb 1, 2019
Messages
3,575 (1.69/day)
Location
UK, Midlands
System Name Main PC
Processor 13700k
Motherboard Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling Noctua NH-D15S
Memory 32 Gig 3200CL14
Video Card(s) 4080 RTX SUPER FE 16G
Storage 1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s) LG 27GL850
Case Fractal Define R4
Audio Device(s) Soundblaster AE-9
Power Supply Antec HCG 750 Gold
Software Windows 10 21H2 LTSC
Exactly that is the promise of TPM, otherwise it's a useless technology that creates a false sense of security (TPM is disabled on all my machines btw)
I keep it enabled for measured boot, but that seems to be the only real benefit from it.
 
Joined
Apr 23, 2015
Messages
80 (0.02/day)
It is obvious that these "researchers" are criminals who are only looking to make money through their criminal activities. I hope that justice in the countries where they live will do their duty to society and remove them from the scene.

What a huge display of ignorance. If you are indeed a criminal, you don't publish your instruments.
 
Joined
Sep 1, 2020
Messages
2,338 (1.52/day)
Location
Bulgaria
Ignorance, but they also educate other criminals in this way. Which, or at least many of them, wouldn't even know there were such vulnerabilities.
 
Joined
Apr 23, 2015
Messages
80 (0.02/day)
Ignorance, but they also educate other criminals in this way. Which, or at least many of them, wouldn't even know there were such vulnerabilities.
Clearly you know nothing on the topic. Without these researchers IT specialist wouldn't be aware about the vulnerabilities and would go blind on their efforts.
 
Joined
Apr 12, 2013
Messages
7,517 (1.77/day)
So, like a lot of exploits on CPUs (either side, AMD or Intel) you're information is ripe for the taking as long as someone has physical access to your computer and an hour or two of time, with specialty hardware/software?

I better start breaking down my computers everyday and hiding all my hardware to prevent this from ever happening! I'm going to start right now!
You better start hiding that pron anime stash :D
Ignorance, but they also educate other criminals in this way. Which, or at least many of them, wouldn't even know there were such vulnerabilities.
Except most state level actors or even highly sophisticated criminal groups exploit some of them regularly & are well aware of them!
 
Joined
Apr 18, 2019
Messages
935 (0.46/day)
Location
The New England region of the United States
System Name Gaming Rig
Processor Ryzen 7 3800X
Motherboard Gigabyte X570 Aurus Pro Wifi
Cooling Noctua NH-D15 chromax.black
Memory 32GB(2x16GB) Patriot Viper DDR4-3200C16
Video Card(s) EVGA RTX 3060 Ti
Storage Samsung 970 EVO Plus 1TB (Boot/OS)|Hynix Platinum P41 2TB (Games)
Display(s) Gigabyte G27F
Case Corsair Graphite 600T w/mesh side
Audio Device(s) Logitech Z625 2.1 | cheapo gaming headset when mic is needed
Power Supply Corsair HX850i
Mouse Redragon M808-KS Storm Pro (Great Value)
Keyboard Redragon K512 Shiva replaced a Corsair K70 Lux - Blue on Black
VR HMD Nope
Software Windows 11 Pro x64
Benchmark Scores Nope
I find it very interesting that someone or some group spent a lot of money on research to find a hole in AMD hardware security again. Hardware that only represents a tiny portion of all the mobile hardware that is shipped. It's almost like a company has a vested interest in scaring corporations and governments away from AMD products. I wonder if anyone or group has spent as much money doing the same sort of research on far more common Intel based mobile machines.
 
Joined
Jul 13, 2016
Messages
3,270 (1.07/day)
Processor Ryzen 7800X3D
Motherboard ASRock X670E Taichi
Cooling Noctua NH-D15 Chromax
Memory 32GB DDR5 6000 CL30
Video Card(s) MSI RTX 4090 Trio
Storage Too much
Display(s) Acer Predator XB3 27" 240 Hz
Case Thermaltake Core X9
Audio Device(s) Topping DX5, DCA Aeon II
Power Supply Seasonic Prime Titanium 850w
Mouse G305
Keyboard Wooting HE60
VR HMD Valve Index
Software Win 10
Doesn't matter, it's still a massive violation of public trust and could potentially affect server processors as well. AMD needs to pay materially for it and inform consumers so they don't waste hard earned money on their compromised products. Another reminder to stay with Intel, always

Intel has 663 known exploits and AMD has 35.


Either you jest or you troll, I'm sure your reply that I'll ignore will give readers that happen to pass by a laugh.
 
Top