Trusted Platform Module " TPM " Security Defeated in 30 Minutes

[upnorth]

Content source

https://arstechnica.com/gadgets/2021/08/how-to-go-from-stolen-pc-to-network-intrusion-in-30-minutes/

Researchers at the security consultancy Dolos Group, hired to test the security of one client’s network, received a new Lenovo computer preconfigured to use the standard security stack for the organization. They received no test credentials, configuration details, or other information about the machine. An analysis of the BIOS settings, boot operation, and hardware quickly revealed that the security measures in place were going to preclude the usual hacks, including:

• pcileech/DMA attacks because Intel’s VT-d BIOS protection was enabled
• Authentication bypasses using tools such as Kon-boot
• Use of tools such as LAN turtle, Responder to exfiltrate data from USB ethernet adapters

With little else to go on, the researchers focused on the trusted platform module, or TPM, a heavily fortified chip installed on the motherboard that communicates directly with other hardware installed on the machine. The researchers noticed that, as is the default for disk encryption using Microsoft’s BitLocker, the laptop booted directly to the Windows screen, with no prompt for entering a PIN or password. That meant that the TPM was where the sole cryptographic secret for unlocking the drive was stored.

Microsoft recommends overriding the default and using a PIN or password only for threat models that anticipate an attacker with enough skill and time alone with an unattended target machine to open the case and solder motherboard devices. After completing their analysis, the researchers said that the Microsoft advice is inadequate because it opens devices to attacks that can be performed by abusive spouses, malicious insiders, or other people who have fleeting private access. “A pre-equipped attacker can perform this entire attack chain in less than 30 minutes with no soldering, simple and relatively cheap hardware, and publicly available tools,” the Dolos Group researchers wrote in a post, “a process that places it squarely into Evil-Maid territory.”

The writeup shows how security is an iterative process that involves defenders putting new measures in place, attackers learning how to knock them down, and defenders revising those defenses or adding new ones. Defenses like full-disk encryption with BitLocker, locked BIOSes, UEFI SecureBoot, and TPMs can only go so far before someone finds ways to defeat them, at least given certain types of common configurations. Now, it’s on defenders to figure out where to go from here.

Trusted platform module security defeated in 30 minutes, no soldering required

Sometimes, locking down a laptop with the latest defenses isn’t enough.

arstechnica.com

 

[Andy Ful]

I had in mind this article in my post in the thread about TPM:
https://malwaretips.com/threads/how-windows-10-uses-the-trusted-platform-module.108948/post-953283

The most important part is as follows:

One has to use "Allow enhanced PINs for startup" policy and sophisticated enhanced PIN to make the brute-force attacks unprofitable. Using TPM with startup key and PIN, can increase the protection (The startup key can be stored on a removable device, for instance, a USB-stick).

https://docs.microsoft.com/en-us/wi...cker-countermeasures#attacker-countermeasures

 

[Venustus]

The TPM requirement for W11 was never about security but about economics..Spoonfieding the hardware manufacturers

 

[Local Host]

There is no security to discuss when we talking local attacks with physical access to the machines, this is nitpicking to put TPM in a bad light, and is honestly ridiculous at best.

Is enough to fool less tech savvy users that won't ever bother to read beyond the title, I expect this to be used to counter Windows 11 requirements and long discussions, same way when the media made false accusations about the Windows 10 privacy concerns (which is still used as an excuse to not use Windows 10 by less intelligent humans).

 

[Andy Ful]

Yes. Most of the articles that are posted on MT are related to organizations.
The whole discussion about TPM security (pros and cons) is not especially important for Home users (so far). No one here will use sophisticated enhanced PIN and startup key to protect the Home desktop machine. Furthermore, about 1/3 of users (or more) do not have machines with TPM.
Anyway, MT is a security forum so discussing such articles is normal.

 

[SpiderWeb]

Windows is like swiss cheese of security. Even if you have a TPM and all security mechanisms in place, privilege escalation is too easy to achieve because at the core, the kernel is from 1994.

 

[qua3k]

These types of attacks are not new. Additionally, users should be opting for PTT/fTPM instead of the weaker dTPM.