Reliable platform module safety is defeated in 30 minutes, no welding required

Reliable platform module safety is defeated in 30 minutes, no welding required

fake images

Let’s say you are a large company that just sent an employee a new replacement laptop. And let’s say it comes preconfigured to use the latest security best practices, including full disk encryption using a trusted platform module, password-protected BIOS settings, UEFI SecureBoot, and just about every other recommendation in the world. National security agency Y NIST for blocking federal computer systems. And let’s say an attacker manages to intercept the machine. Can the attacker use it to hack your network?

Research published last week shows that the answer is a resounding yes. Not only that, but a hacker who has done his homework needs a surprisingly short period of time alone with the machine to carry out the attack. With that, the hacker can gain the ability to write not only to the stolen laptop, but also to the fortified network that it was configured to connect to.

Researchers at security consultancy Dolos Group, hired to test a customer’s network security, received a new Lenovo computer preconfigured to use the standard security stack for the organization. They did not receive test credentials, configuration details, or other information about the machine. An analysis of the BIOS settings, boot operation, and hardware quickly revealed that the security measures in place were to prevent common attacks, including:

Fort Knox and the not so armored car

With little else to go on, the researchers focused on the Trusted Platform Module, or TPM, a highly hardened chip installed on the motherboard that communicates directly with other hardware installed on the machine. The researchers noted that, as is the default for disk encryption with Microsoft’s BitLocker, the laptop started directly to the Windows screen, without being prompted to enter a PIN or password. That meant the TPM was where the only cryptographic secret was stored to unlock the drive.

Microsoft recommends overriding the default and using a PIN or password only for threat models that anticipate an attacker with enough skill and time alone with an unattended target machine to open the case and solder the motherboard devices. After completing their analysis, the researchers said Microsoft’s advice is inappropriate because it opens devices up to attacks that can be carried out by abusive spouses, malicious insiders, or others who have fleeting private access.

“A pre-equipped attacker can accomplish this entire chain of attack in less than 30 minutes without welding, simple and relatively inexpensive hardware, and publicly available tools,” the Dolos Group researchers wrote in a mail, “A process that places you directly in Evil-Maid’s territory.”

TPMs have multiple layers of defenses that prevent attackers from extracting or manipulating the data they store. For example, an analysis more than 10 years ago by reverse engineer Christopher revealed that a TPM chip made by Infineon was designed to self-destruct should it be physically penetrated. Optical sensors, for example, detect ambient light from light sources. And a wire mesh covering the microcontroller was intended to deactivate the chip in case any of its electrical circuits were disturbed.

With little hope of breaking the chip inside the Lenovo laptop, Dolos researchers looked for other ways they could extract the key that decrypted the hard drive. They noticed that the TPM was communicating with the CPU using Serial peripheral interface, a communications protocol for embedded systems.

Abbreviated as SPI, the firmware does not provide encryption capabilities of its own, so any encryption must be handled by the devices that the TPM communicates with. Microsoft’s BitLocker, meanwhile, does not use any of the encrypted communications features of the latest TPM standard. That meant that if the researchers could take advantage of the connection between the TPM and the CPU, they could extract the key.

They wrote:

Getting around the TPM this way is akin to ignoring Fort Knox and concentrating on the not-so-armored car coming out of it.

To sniff out the data moving over the SPI bus, we need to connect cables or probes to the pins (labeled MOSI, MISO, CS, and CLK above) on the TPM. Normally that is simple but there is a practical problem in this case. This TPM has a VQFN32 footprint, which is very small. The “pins” are actually only 0.25mm wide and 0.5mm apart. And those “pins” are not actually pins, they are flat against the wall of the chip, so it is physically impossible to place any kind of clip. You can solder “fly wires” to the solder pads, but that’s a hassle and tends to be a very physically unstable connection. Alternatively, a common tactic is to place resistors in series to solder, but they were just as small and even more brittle. This was not going to be easy.

But before we start, we thought there might be another way. SPI chips often share the same “bus” with other SPI chips. It is a technique used by hardware designers to simplify connections, save costs, and facilitate troubleshooting and programming. We started searching the entire board for any other chip that might be on the same bus as the TPM. Perhaps its pins would be bigger and easier to use. After probing and consulting the schematics, it turned out that the TPM shared an SPI bus with another chip, the CMOS chip, which definitely had larger pins. In fact, the CMOS chip had almost the largest pin size you can find on standard motherboards, it was a SOP-8 (aka SOIC-8).

Short for Complementary Metal Oxide Semiconductor, a CMOS chip in a PC stores BIOS settings, including system date and time and hardware settings. The researchers connected a Saleae logic analyzer to the CMOS. In no time, they were able to extract every byte that moved through the chip. The researchers then used the bitlocker-spi-toolkit written by Henri Numi to isolate the key within the data mass.

With the hard drive decrypted, the researchers scoured the data for something – encrypted or plaintext passwords, perhaps exposed confidential files, or the like – that might bring them closer to their goal of accessing the customer’s network. They soon came up with something: Palo Alto Networks Global protection VPN client that came pre-installed and preconfigured.

One feature of VPN is that you can establish a VPN connection before a user logs in. The ability is designed to authenticate an endpoint and allow domain scripts to run as soon as the machine is powered on. This is useful because it allows administrators to manage large fleets of machines without knowing the password for each one.

Leave a Reply

Your email address will not be published.