AMD faulTPM Exploit Targets Zen 2 and Zen 3 Processors

AleksandarK · May 3, 2023

Researchers at the Technical University of Berlin have published a paper called "faulTPM: Exposing AMD fTPMs' Deepest Secrets," highlighting AMD's firmware-based Trusted Platform Module (TPM) is susceptible to the new exploit targeting Zen 2 and Zen 3 processors. The faulTPM attack against AMD fTPMs involves utilizing the AMD secure processor's (SP) vulnerability to voltage fault injection attacks. This allows the attacker to extract a chip-unique secret from the targeted CPU, which is then used to derive the storage and integrity keys protecting the fTPM's non-volatile data stored on the BIOS flash chip. The attack consists of a manual parameter determination phase and a brute-force search for a final delay parameter. The first step requires around 30 minutes of manual attention, but it can potentially be automated. The second phase consists of repeated attack attempts to search for the last-to-be-determined parameter and execute the attack's payload.

Once these steps are completed, the attacker can extract any cryptographic material stored or sealed by the fTPM regardless of authentication mechanisms, such as Platform Configuration Register (PCR) validation or passphrases with anti-hammering protection. Interestingly, BitLocker uses TPM as a security measure, and faulTPM compromises the system. Researchers suggested that Zen 2 and Zen 3 CPUs are vulnerable, while Zen 4 wasn't mentioned. The attack requires several hours of physical access, so remote vulnerabilities are not a problem. Below, you can see the $200 system used for this attack and an illustration of the physical connections necessary.

AMD has issued a statement for Tom's Hardware:

AMD Spokesperson said:
AMD is aware of the research report attacking our firmware trusted platform module which appears to leverage related vulnerabilities previously discussed at ACM CCS 2021. This includes attacks carried out through physical means, typically outside the scope of processor architecture security mitigations. We are continually innovating new hardware-based protections in future products to limit the efficacy of these techniques. Specific to this paper, we are working to understand potential new threats and will update our customers and end-users as needed.

The attack is also public with code available on GitHub.

View at TechPowerUp Main Site | Source

Solaris17 · May 3, 2023

aw damn not me secrets! all this while I was getting coffee now my docs are on github TwT

neatfeatguy · May 3, 2023

So, like a lot of exploits on CPUs (either side, AMD or Intel) you're information is ripe for the taking as long as someone has physical access to your computer and an hour or two of time, with specialty hardware/software?

I better start breaking down my computers everyday and hiding all my hardware to prevent this from ever happening! I'm going to start right now!

Crackong · May 3, 2023

I know a bug is a bug and it is worth fixing.

But this one is just way too impractical to be put on any kind of news article.

If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identified all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time doing all the hacks

He must have 100+ more ways to do the same thing with less effort.
Why doing it like this ?

Kohl Baas · May 3, 2023

Crackong said:
I know a bug is a bug and it is worth fixing.

But this one is just way too impractical to be put on any kind of news article.

If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identified all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time doing all the hacks

He must have 100+ more ways to do the same thing with less effort.
Why doing it like this ?

My thoughts exactly.

Any system that allows undisturbed physical access to an attacker should be (and probably are) considered compromised beyond saving.

Gica · May 3, 2023

Do we worry about these holes while accessing Google? :kookoo:

"- Ha ha ha! You don't know anything, Google. You're wrong"
- Your mother's husband is where you say. Your father is where I say."

TumbleGeorge · May 3, 2023

It is obvious that these "researchers" are criminals who are only looking to make money through their criminal activities. I hope that justice in the countries where they live will do their duty to society and remove them from the scene.

qlum · May 3, 2023

I wonder if this is applicable to consoles as well?

N3utro · May 3, 2023

Crackong said:
I know a bug is a bug and it is worth fixing.

But this one is just way too impractical to be put on any kind of news article.

If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identified all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time doing all the hacks

He must have 100+ more ways to do the same thing with less effort.
Why doing it like this ?

Because enterprise users are loosing their laptops with encrypted data on it all the time, and this is a relatively cheap method to access them.

Muser99 · May 3, 2023

N3utro said:
Because enterprise users are loosing their laptops with encrypted data on it all the time, and this is a relatively cheap method to access them.

Bingo! This is a big issue!

fancucker · May 3, 2023

Crackong said:
I know a bug is a bug and it is worth fixing.

But this one is just way too impractical to be put on any kind of news article.

If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identified all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time doing all the hacks

He must have 100+ more ways to do the same thing with less effort.
Why doing it like this ?

Doesn't matter, it's still a massive violation of public trust and could potentially affect server processors as well. AMD needs to pay materially for it and inform consumers so they don't waste hard earned money on their compromised products. Another reminder to stay with Intel, always

Crackong · May 3, 2023

fancucker said:
Another reminder to stay with Intel, always

Are you saying Intel platform won't be cracked if given the intruder hardware level access for a few hours with specialized equipment ( with soldering irons) ?

I think even Intel themselves can't be that confident

Lionheart · May 3, 2023

Crackong said:
Are you saying Intel platform won't be cracked if given the intruder hardware level access for a few hours with specialized equipment ( with soldering irons) ?

I think even Intel themselves can't be that confident

Fancucker is a troll, no idea why it's still on this site.

W1zzard · May 3, 2023

Crackong said:
Are you saying Intel platform won't be cracked if given the intruder hardware level access for a few hours with specialized equipment ( with soldering irons) ?

Exactly that is the promise of TPM, otherwise it's a useless technology that creates a false sense of security (TPM is disabled on all my machines btw)

Luminescent · May 3, 2023

I wonder who sponsored this research

chrcoluk · May 3, 2023

W1zzard said:
Exactly that is the promise of TPM, otherwise it's a useless technology that creates a false sense of security (TPM is disabled on all my machines btw)

I keep it enabled for measured boot, but that seems to be the only real benefit from it.

Rais · May 3, 2023

TumbleGeorge said:
It is obvious that these "researchers" are criminals who are only looking to make money through their criminal activities. I hope that justice in the countries where they live will do their duty to society and remove them from the scene.

What a huge display of ignorance. If you are indeed a criminal, you don't publish your instruments.

TumbleGeorge · May 3, 2023

Ignorance, but they also educate other criminals in this way. Which, or at least many of them, wouldn't even know there were such vulnerabilities.

Rais · May 3, 2023

TumbleGeorge said:
Ignorance, but they also educate other criminals in this way. Which, or at least many of them, wouldn't even know there were such vulnerabilities.

Clearly you know nothing on the topic. Without these researchers IT specialist wouldn't be aware about the vulnerabilities and would go blind on their efforts.

R0H1T · May 3, 2023

neatfeatguy said:
So, like a lot of exploits on CPUs (either side, AMD or Intel) you're information is ripe for the taking as long as someone has physical access to your computer and an hour or two of time, with specialty hardware/software?

I better start breaking down my computers everyday and hiding all my hardware to prevent this from ever happening! I'm going to start right now!

You better start hiding that ~~pron~~ anime stash

TumbleGeorge said:
Ignorance, but they also educate other criminals in this way. Which, or at least many of them, wouldn't even know there were such vulnerabilities.

Except most state level actors or even highly sophisticated criminal groups exploit some of them regularly & are well aware of them!

Zareek · May 3, 2023

I find it very interesting that someone or some group spent a lot of money on research to find a hole in AMD hardware security again. Hardware that only represents a tiny portion of all the mobile hardware that is shipped. It's almost like a company has a vested interest in scaring corporations and governments away from AMD products. I wonder if anyone or group has spent as much money doing the same sort of research on far more common Intel based mobile machines.

evernessince · May 3, 2023

fancucker said:
Doesn't matter, it's still a massive violation of public trust and could potentially affect server processors as well. AMD needs to pay materially for it and inform consumers so they don't waste hard earned money on their compromised products. Another reminder to stay with Intel, always

Intel has 663 known exploits and AMD has 35.

Intel : Security vulnerabilities, CVEs

Security vulnerabilities related to Intel : List of vulnerabilities affecting any product of this vendor

www.cvedetails.com

AMD : Security vulnerabilities, CVEs

Security vulnerabilities related to AMD : List of vulnerabilities affecting any product of this vendor

www.cvedetails.com

Either you jest or you troll, I'm sure your reply that I'll ignore will give readers that happen to pass by a laugh.

System Name	RogueOne
Processor	Xeon W9-3495x
Motherboard	ASUS w790E Sage SE
Cooling	SilverStone XE360-4677
Memory	128gb Gskill Zeta R5 DDR5 RDIMMs
Video Card(s)	MSI SUPRIM Liquid X 4090
Storage	1x 2TB WD SN850X \| 2x 8TB GAMMIX S70
Display(s)	49" Philips Evnia OLED (49M2C8900)
Case	Thermaltake Core P3 Pro Snow
Audio Device(s)	Moondrop S8's on schitt Gunnr
Power Supply	Seasonic Prime TX-1600
Mouse	Lamzu Atlantis mini (White)
Keyboard	Monsgeek M3 Lavender, Moondrop Luna lights
VR HMD	Quest 3
Software	Windows 11 Pro Workstation
Benchmark Scores	I dont have time for that.

System Name	Personal / HTPC
Processor	Ryzen 5900x / Ryzen 5600X3D
Motherboard	Asrock x570 Phantom Gaming 4 /ASRock B550 Phantom Gaming
Cooling	Corsair H100i / bequiet! Pure Rock Slim 2
Memory	32GB DDR4 3200 / 16GB DDR4 3200
Video Card(s)	EVGA XC3 Ultra RTX 3080Ti / EVGA RTX 3060 XC
Storage	500GB Pro 970, 250 GB SSD, 1TB & 500GB Western Digital / lots
Display(s)	Dell - S3220DGF & S3222DGM 32"
Case	CoolerMaster HAF XB Evo / CM HAF XB Evo
Audio Device(s)	Logitech G35 headset
Power Supply	850W SeaSonic X Series / 750W SeaSonic X Series
Mouse	Logitech G502
Keyboard	Black Microsoft Natural Elite Keyboard
Software	Windows 10 Pro 64 / Windows 10 Pro 64

System Name	Personal Gaming Rig
Processor	Ryzen 7800X3D
Motherboard	MSI X670E Carbon
Cooling	MO-RA 3 420
Memory	32GB 6000MHz
Video Card(s)	RTX 4090 ICHILL FROSTBITE ULTRA
Storage	4x 2TB Nvme
Display(s)	Samsung G8 OLED
Case	Silverstone FT04

System Name	My Addiction
Processor	AMD Ryzen 7950X3D
Motherboard	ASRock B650E PG-ITX WiFi
Cooling	Alphacool Core Ocean T38 AIO 240mm
Memory	G.Skill 32GB 6000MHz
Video Card(s)	Sapphire Pulse 7900XTX
Storage	Some SSDs
Display(s)	42" Samsung TV + 22" Dell monitor vertically
Case	Lian Li A4-H2O
Audio Device(s)	Denon + Bose
Power Supply	Corsair SF750
Mouse	Logitech
Keyboard	Glorious
VR HMD	None
Software	Win 10
Benchmark Scores	None taken

System Name	1080p 144hz
Processor	7800X3D
Motherboard	Asus X670E crosshair hero
Cooling	Noctua NH-D15
Memory	G.skill flare X5 2*16 GB DDR5 6000 Mhz CL30
Video Card(s)	Nvidia RTX 4070 FE
Storage	Western digital SN850 1 TB NVME
Display(s)	Asus PG248Q
Case	Phanteks P600S
Audio Device(s)	Logitech pro X2 lightspeed
Power Supply	EVGA 1200 P2
Mouse	Logitech G PRO
Keyboard	Logitech G710+
Benchmark Scores	https://www.3dmark.com/sw/1143551

AMD faulTPM Exploit Targets Zen 2 and Zen 3 Processors

AleksandarK

News Editor

Solaris17

Super Dainty Moderator

neatfeatguy

Crackong

Kohl Baas

Gica

TumbleGeorge

qlum

N3utro

Muser99

fancucker

Crackong

Lionheart

W1zzard

Administrator

Luminescent

chrcoluk

Rais

TumbleGeorge

Rais

R0H1T

Zareek

evernessince

Intel : Security vulnerabilities, CVEs

AMD : Security vulnerabilities, CVEs

System Name	Boomer Master Race
Processor	Intel Core i5 12600H
Motherboard	MinisForum NAB6 Lite Board
Cooling	Mini PC Cooling
Memory	Apacer 16GB 3200Mhz
Video Card(s)	Intel Iris Xe Graphics
Storage	Kingston 512GB SSD
Display(s)	Sony 4K Bravia X85J 43Inch TV 120Hz
Case	MinisForum NAB6 Lite Case
Audio Device(s)	Built In Realtek Digital Audio HD
Power Supply	120w External Power Brick
Mouse	Logitech G203 Lightsync
Keyboard	Atrix RGB Slim Keyboard
VR HMD	( ◔ ʖ̯ ◔ )
Software	Windows 11 Home 64bit
Benchmark Scores	Don't do them anymore.

Processor	Ryzen 7 5700X
Memory	48 GB
Video Card(s)	RTX 4080
Storage	2x HDD RAID 1, 3x M.2 NVMe
Display(s)	30" 2560x1600 + 19" 1280x1024
Software	Windows 10 64-bit

System Name	Home
Processor	5950x
Motherboard	Asrock Taichi x370
Cooling	Thermalright True Spirit 140
Memory	Patriot 32gb DDR4 3200mhz
Video Card(s)	Sapphire Radeon RX 6700 10gb
Storage	Too many to count
Display(s)	U2518D+u2417h
Case	Chieftec
Audio Device(s)	onboard
Power Supply	seasonic prime 1000W
Mouse	Razer Viper
Keyboard	Logitech
Software	Windows 10

System Name	Main PC
Processor	13700k
Motherboard	Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling	Noctua NH-D15S
Memory	32 Gig 3200CL14
Video Card(s)	4080 RTX SUPER FE 16G
Storage	1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s)	LG 27GL850
Case	Fractal Define R4
Audio Device(s)	Soundblaster AE-9
Power Supply	Antec HCG 750 Gold
Software	Windows 10 21H2 LTSC

System Name	Gaming Rig
Processor	Ryzen 7 3800X
Motherboard	Gigabyte X570 Aurus Pro Wifi
Cooling	Noctua NH-D15 chromax.black
Memory	32GB(2x16GB) Patriot Viper DDR4-3200C16
Video Card(s)	EVGA RTX 3060 Ti
Storage	Samsung 970 EVO Plus 1TB (Boot/OS)\|Hynix Platinum P41 2TB (Games)
Display(s)	Gigabyte G27F
Case	Corsair Graphite 600T w/mesh side
Audio Device(s)	Logitech Z625 2.1 \| cheapo gaming headset when mic is needed
Power Supply	Corsair HX850i
Mouse	Redragon M808-KS Storm Pro (Great Value)
Keyboard	Redragon K512 Shiva replaced a Corsair K70 Lux - Blue on Black
VR HMD	Nope
Software	Windows 11 Pro x64
Benchmark Scores	Nope