
AMD faulTPM Exploit Targets Zen 2 and Zen 3 Processors

AleksandarK

News Editor
Researchers at the Technical University of Berlin have published a paper called "faulTPM: Exposing AMD fTPMs' Deepest Secrets," showing that AMD's firmware-based Trusted Platform Module (fTPM) is susceptible to a new exploit targeting Zen 2 and Zen 3 processors. The faulTPM attack against AMD fTPMs exploits the AMD Secure Processor's (SP) susceptibility to voltage fault injection. This allows the attacker to extract a chip-unique secret from the targeted CPU, which is then used to derive the storage and integrity keys protecting the fTPM's non-volatile data stored on the BIOS flash chip. The attack consists of a manual parameter determination phase and a brute-force search for a final delay parameter. The first step requires around 30 minutes of manual attention, but it could potentially be automated. The second phase consists of repeated attack attempts to search for the last remaining parameter and execute the attack's payload.

Once these steps are completed, the attacker can extract any cryptographic material stored or sealed by the fTPM regardless of authentication mechanisms such as Platform Configuration Register (PCR) validation or passphrases with anti-hammering protection. Notably, BitLocker relies on the TPM as a security measure, so faulTPM compromises BitLocker-protected systems as well. The researchers state that Zen 2 and Zen 3 CPUs are vulnerable; Zen 4 is not mentioned. The attack requires several hours of physical access, so it cannot be carried out remotely. Below, you can see the $200 system used for this attack and an illustration of the physical connections necessary.




AMD has issued a statement for Tom's Hardware:
AMD Spokesperson said:
AMD is aware of the research report attacking our firmware trusted platform module which appears to leverage related vulnerabilities previously discussed at ACM CCS 2021. This includes attacks carried out through physical means, typically outside the scope of processor architecture security mitigations. We are continually innovating new hardware-based protections in future products to limit the efficacy of these techniques. Specific to this paper, we are working to understand potential new threats and will update our customers and end-users as needed.

The attack is also public with code available on GitHub.
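Since the practical worry raised by the article is BitLocker key material that is protected only by an AMD fTPM, here is an added inventory check for Windows fleets (it is not code from the article or from the faulTPM paper). It assumes an elevated PowerShell prompt with the TrustedPlatformModule and BitLocker modules available, and that Get-Tpm reports the TPM vendor in ManufacturerIdTxt.

```powershell
# Added inventory check, not from the article or the faulTPM paper.
# Flags hosts where an AMD firmware TPM is the only thing protecting the
# BitLocker volume master key. Run from an elevated prompt.
# Assumptions: TrustedPlatformModule and BitLocker modules are present, and
# Get-Tpm exposes the vendor string in ManufacturerIdTxt ("AMD" for fTPM).

$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$tpm = Get-Tpm

$isAmdCpu  = "$($cpu.Manufacturer)" -match 'AMD'
$isAmdFtpm = $tpm.TpmPresent -and ("$($tpm.ManufacturerIdTxt)" -match 'AMD')

# Protector types whose secret lives entirely inside the TPM. The article notes
# that PIN protectors with anti-hammering give no relief once the fTPM's NV
# storage keys are recovered, so TpmPin is treated as TPM-bound as well.
# Startup-key variants need a second, external secret and are not listed.
$tpmBound = @('Tpm', 'TpmPin')

$findings = foreach ($vol in Get-BitLockerVolume) {
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasTpmProtector = ($types | Where-Object { $tpmBound -contains $_ }).Count -gt 0
    # Key material the attacker would still have to obtain separately.
    $hasIndependent  = ($types | Where-Object { $_ -in 'Password', 'ExternalKey' }).Count -gt 0
    [pscustomobject]@{
        Mount        = $vol.MountPoint
        Status       = $vol.ProtectionStatus
        Protectors   = ($types -join ',')
        AmdFtpmBound = $isAmdCpu -and $isAmdFtpm -and $hasTpmProtector -and -not $hasIndependent
    }
}

"CPU: $($cpu.Name)  TPM vendor: $($tpm.ManufacturerIdTxt)  AMD fTPM: $isAmdFtpm"
$findings | Format-Table -AutoSize

if ($findings.AmdFtpmBound -contains $true) {
    $msg = 'BitLocker on this host relies solely on an AMD firmware TPM. ' +
           'Check the CPU generation against the Zen 2 / Zen 3 scope of the faulTPM ' +
           'paper and review key-protector policy for devices that leave the building.'
    Write-Warning $msg
}
```

The AmdFtpmBound column is the actionable one: volumes marked $true on a Zen 2 or Zen 3 machine are the ones whose keys a physical attacker with the published tooling could recover.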



aw damn not me secrets! all this while I was getting coffee now my docs are on github TwT
 
So, like a lot of exploits on CPUs (either side, AMD or Intel) your information is ripe for the taking as long as someone has physical access to your computer and an hour or two of time, with specialty hardware/software?

I better start breaking down my computers everyday and hiding all my hardware to prevent this from ever happening! I'm going to start right now!
 
I know a bug is a bug and it is worth fixing.

But this one is just way too impractical to be put on any kind of news article.

If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identify all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time to do all the hacks

He must have 100+ more ways to do the same thing with less effort.
Why do it like this?
 
I know a bug is a bug and it is worth fixing.

But this one is just way too impractical to be put on any kind of news article.

If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identify all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time to do all the hacks

He must have 100+ more ways to do the same thing with less effort.
Why do it like this?
My thoughts exactly.

Any system that allows undisturbed physical access to an attacker should be (and probably is) considered compromised beyond saving.
 
Do we worry about these holes while accessing Google? :kookoo:
"- Ha ha ha! You don't know anything, Google. You're wrong"
- Your mother's husband is where you say. Your father is where I say."
 
It is obvious that these "researchers" are criminals who are only looking to make money through their criminal activities. I hope that justice in the countries where they live will do their duty to society and remove them from the scene.
 
I know a bug is a bug and it is worth fixing.

But this one is just way too impractical to be put on any kind of news article.

If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identify all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time to do all the hacks

He must have 100+ more ways to do the same thing with less effort.
Why do it like this?
Because enterprise users are losing their laptops with encrypted data on them all the time, and this is a relatively cheap method to access them.
 
I know a bug is a bug and it is worth fixing.

But this one is just way too impractical to be put on any kind of news article.

If someone can
- Physically access your hardware for a few hours
- Carry in special equipment without being identified as suspicious.
- Have time to identified all the correct soldering points needed on the motherboard
- Have time to solder all the wires onto your motherboard
- Have time doing all the hacks

He must have 100+ more ways to do the same thing with less effort.
Why doing it like this ?
Doesn't matter, it's still a massive violation of public trust and could potentially affect server processors as well. AMD needs to pay materially for it and inform consumers so they don't waste hard earned money on their compromised products. Another reminder to stay with Intel, always
 
Another reminder to stay with Intel, always
Are you saying the Intel platform won't be cracked if the intruder is given hardware-level access for a few hours with specialized equipment (with soldering irons)?

I think even Intel themselves can't be that confident
 
Are you saying the Intel platform won't be cracked if the intruder is given hardware-level access for a few hours with specialized equipment (with soldering irons)?

I think even Intel themselves can't be that confident
Fancucker is a troll, no idea why it's still on this site.
 
Are you saying the Intel platform won't be cracked if the intruder is given hardware-level access for a few hours with specialized equipment (with soldering irons)?
Exactly that is the promise of TPM, otherwise it's a useless technology that creates a false sense of security (TPM is disabled on all my machines btw)
 
I wonder who sponsored this research :)
 
Exactly that is the promise of TPM, otherwise it's a useless technology that creates a false sense of security (TPM is disabled on all my machines btw)
I keep it enabled for measured boot, but that seems to be the only real benefit from it.
 
It is obvious that these "researchers" are criminals who are only looking to make money through their criminal activities. I hope that justice in the countries where they live will do their duty to society and remove them from the scene.

What a huge display of ignorance. If you are indeed a criminal, you don't publish your instruments.
 
Ignorance, but they also educate other criminals in this way, who (or at least many of them) wouldn't even know there were such vulnerabilities.
 
Ignorance, but they also educate other criminals in this way, who (or at least many of them) wouldn't even know there were such vulnerabilities.
Clearly you know nothing on the topic. Without these researchers IT specialists wouldn't be aware of the vulnerabilities and would go blind in their efforts.
 
So, like a lot of exploits on CPUs (either side, AMD or Intel) your information is ripe for the taking as long as someone has physical access to your computer and an hour or two of time, with specialty hardware/software?

I better start breaking down my computers everyday and hiding all my hardware to prevent this from ever happening! I'm going to start right now!
You better start hiding that pron anime stash :D
Ignorance, but they also educate other criminals in this way, who (or at least many of them) wouldn't even know there were such vulnerabilities.
Except most state level actors or even highly sophisticated criminal groups exploit some of them regularly & are well aware of them!
 
I find it very interesting that someone or some group spent a lot of money on research to find a hole in AMD hardware security again. Hardware that only represents a tiny portion of all the mobile hardware that is shipped. It's almost like a company has a vested interest in scaring corporations and governments away from AMD products. I wonder if anyone or group has spent as much money doing the same sort of research on far more common Intel based mobile machines.
 
Doesn't matter, it's still a massive violation of public trust and could potentially affect server processors as well. AMD needs to pay materially for it and inform consumers so they don't waste hard earned money on their compromised products. Another reminder to stay with Intel, always

Intel has 663 known exploits and AMD has 35.


Either you jest or you troll, I'm sure your reply that I'll ignore will give readers that happen to pass by a laugh.
 