At the Black Hat DC Conference 2010 security researcher Christopher Tarnovsky of FlyLogic Engineering has demonstrated a way to defeat the Trusted Platform Module chips widely used to secure data in computers, identity cards, gaming systems like the Xbox 360, cable set-top boxes, and other electronics. TPM modules are widely used in enterprise, health care, government, and military applications to protect data through encryption, particularly on portable devices that might be easily lost or stolen. Although Tarnovsky’s process is labor intensive and requires both specialized equipment and a significant period of physic access to the device to be cracked, his step-by-step instructions do outline how to get data out of a TPM-protected system, including encryption keys and manufacturing information that could be used to create pre-cracked counterfeit chips.
Tarnovsky used a highly detailed (and time consuming) process of analyzing the Infineon SLE 66 CL PE chip using an electron microscope to identity the core of the chip and create a “bridge map” that enabled him to bypass the chip’s integrated tamper-prevention measures using tiny needles to tap the system’s data bus. This was after soaking the chips in acids and rust removers to remove the chip’s shells and delicate mesh wiring. The process took Tarnovsky about nine months, but once it was done he had access to not only any data on the computer, but to critical information that could be used to create counterfeit chips.
Tarnovsky has said he believes similar exploits are possible with chips other than the Infineon units he attacked, but has not tried them yet. He went through a large number of Infineon TPM chips and needles—and a lot of electron microscope time—but believes subsequent cracks would be faster now that a process has been established. Tarnovsky said he reported his results to both Infineon and the Trusted Platform Module standards organization, but hasn’t heard back from anyone.
TPM advocates have never claimed the chips are magically immune to a sophisticated, long-term hardware based attack, and Tarnovsky repeatedly admitted the Infineon chip he attacked was very difficult to crack thanks to all the traps engineers had set to prevent just that sort of tampering. Although Tarnovsky’s process isn’t widely practical in the real world, it does crack open the lid on data that was widely believed to be well-protected. And in an age where industrial espionage and cyberattacks are becoming commonplace, we’re sure someone somewhere is looking very carefully at TPM modules.