Trusted Platform Module " TPM " Security Defeated in 30 Minutes

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
Researchers at the security consultancy Dolos Group, hired to test the security of one client’s network, received a new Lenovo computer preconfigured to use the standard security stack for the organization. They received no test credentials, configuration details, or other information about the machine. An analysis of the BIOS settings, boot operation, and hardware quickly revealed that the security measures in place were going to preclude the usual hacks, including:
  • pcileech/DMA attacks because Intel’s VT-d BIOS protection was enabled
  • Authentication bypasses using tools such as Kon-boot
  • Use of tools such as LAN turtle, Responder to exfiltrate data from USB ethernet adapters
With little else to go on, the researchers focused on the trusted platform module, or TPM, a heavily fortified chip installed on the motherboard that communicates directly with other hardware installed on the machine. The researchers noticed that, as is the default for disk encryption using Microsoft’s BitLocker, the laptop booted directly to the Windows screen, with no prompt for entering a PIN or password. That meant that the TPM was where the sole cryptographic secret for unlocking the drive was stored.

Microsoft recommends overriding the default and using a PIN or password only for threat models that anticipate an attacker with enough skill and time alone with an unattended target machine to open the case and solder motherboard devices. After completing their analysis, the researchers said that the Microsoft advice is inadequate because it opens devices to attacks that can be performed by abusive spouses, malicious insiders, or other people who have fleeting private access. “A pre-equipped attacker can perform this entire attack chain in less than 30 minutes with no soldering, simple and relatively cheap hardware, and publicly available tools,” the Dolos Group researchers wrote in a post, “a process that places it squarely into Evil-Maid territory.”
The writeup shows how security is an iterative process that involves defenders putting new measures in place, attackers learning how to knock them down, and defenders revising those defenses or adding new ones. Defenses like full-disk encryption with BitLocker, locked BIOSes, UEFI SecureBoot, and TPMs can only go so far before someone finds ways to defeat them, at least given certain types of common configurations. Now, it’s on defenders to figure out where to go from here.
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
I had in mind this article in my post in the thread about TPM:
https://malwaretips.com/threads/how-windows-10-uses-the-trusted-platform-module.108948/post-953283

The most important part is as follows:

One has to use "Allow enhanced PINs for startup" policy and sophisticated enhanced PIN to make the brute-force attacks unprofitable. Using TPM with startup key and PIN, can increase the protection (The startup key can be stored on a removable device, for instance, a USB-stick).

https://docs.microsoft.com/en-us/wi...cker-countermeasures#attacker-countermeasures
 
L

Local Host

There is no security to discuss when we talking local attacks with physical access to the machines, this is nitpicking to put TPM in a bad light, and is honestly ridiculous at best.

Is enough to fool less tech savvy users that won't ever bother to read beyond the title, I expect this to be used to counter Windows 11 requirements and long discussions, same way when the media made false accusations about the Windows 10 privacy concerns (which is still used as an excuse to not use Windows 10 by less intelligent humans).
 

Andy Ful

From Hard_Configurator Tools
Verified
Honorary Member
Top Poster
Developer
Well-known
Dec 23, 2014
8,040
Yes. Most of the articles that are posted on MT are related to organizations.
The whole discussion about TPM security (pros and cons) is not especially important for Home users (so far). No one here will use sophisticated enhanced PIN and startup key to protect the Home desktop machine. Furthermore, about 1/3 of users (or more) do not have machines with TPM.
Anyway, MT is a security forum so discussing such articles is normal.
 
Last edited:

SpiderWeb

Level 10
Verified
Well-known
Aug 21, 2020
468
Windows is like swiss cheese of security. Even if you have a TPM and all security mechanisms in place, privilege escalation is too easy to achieve because at the core, the kernel is from 1994.
 
  • Like
Reactions: Nevi and Venustus

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top