According to researchers at the Technical University of Berlin, a new vulnerability has been discovered in AMD’s Trusted Platform Module (TPM) that exposes firmware TPMs (fTPMs) to attacks. The flaw enables the extraction of cryptographic data stored in the fTPM, bypassing authentication barriers such as Platform Configuration Register validation and defenses against brute force attacks on passphrases.
The attack on a system’s Trusted Execution Environment (TEE) can lead to a full TPM state compromise, warned Hans Niklas Jacob in his paper titled “faulTPM: Exposing AMD fTPMs’ Deepest Secrets,” which was released last week on the arXiv preprint server.
One method of attack involves voltage fault injection, which tricks Zen 2 and Zen 3 CPUs into accepting false data that can be used to compromise any application or encryption process exclusively using TPM security.
Originally, TPMs were designed as separate components physically attached to the motherboard to generate hardware-based encryption. However, the bus used to connect them with the CPU was vulnerable, providing an entryway for hackers targeting the CPU. The fTPM was designed to incorporate encryption duties inside the chip, making a separate component unnecessary.
While discrete TPMs are still used in higher-end systems, fTPMs are convenient and more affordable alternatives for use in CPUs. However, in the wake of increasing firmware attacks, Microsoft required users to have a PC supporting TPM to install Windows 11 in 2021, to protect encryption keys, user credentials, and other sensitive data behind a hardware barrier.
Jacob’s team believes their findings are the first attack against Full Disk Encryption solutions backed by an fTPM. They warn that systems relying on a single defense mechanism, such as Bitlocker’s TPM-only protector, can be overwhelmed by hackers who can gain access to a CPU for two or three hours. Applications relying exclusively on the TPM are left entirely unprotected, while those employing multiple layers of defense face the loss of their TPM-based security layer.
An AMD spokesperson said that they are continually innovating new hardware-based protections in future products to limit the efficacy of these techniques. They are working to understand potential new threats and will update their customers and end-users as needed.