Defeating Microsoft’s Trusted Platform Module

This is a really interesting story explaining how to defeat Microsoft’s TPM in 30 minutes — without having to solder anything to the motherboard.

Researchers at the security consultancy Dolos Group, hired to test the security of one client’s network, received a new Lenovo computer preconfigured to use the standard security stack for the organization. They received no test credentials, configuration details, or other information about the machine.

They were not only able to get into the BitLocker-encrypted computer, but then use the computer to get into the corporate network.

It’s the “evil maid attack.” It requires physical access to your computer, but you leave it in your hotel room all the time when you go out to dinner.

Original blog post.

Posted on August 9, 2021 at 6:19 AM22 Comments

Comments

Deimos August 9, 2021 7:22 AM

For access to the enterprise network, this attack seems to require that GlobalProtect remote access be configured with the “pre-logon” connection method. I do not see how it could succeed if GlobalProtect were configured with the user-logon connection method, particularly if multi-factor authentication were used.

M@ August 9, 2021 7:53 AM

Being able to recover the key to the encrypted drive is sufficient. There will always be something else to exploit once you can read the drive. Slick hack.

Winter August 9, 2021 7:58 AM

The funny thing is, that without the TPM, the laptop would have been secure. Another brilliant example of the fact that security is not composable.

Accepting that nothing is unbreakable, I would opt for a system that requires information that is not on the system itself. That is, the system cannot be decrypted without an externally supplied piece of information.

Winter August 9, 2021 8:11 AM

PS
If I would want to secure my laptop, and had the money, I would hire Joanna Rutkowska

Towards (reasonably) trustworthy x86 laptops
ht tps://media.ccc.de/v/32c3-7352-towards_reasonably_trustworthy_x86_laptops

On YouTube
ht tps://www.youtube.com/watch?v=rcwngbUrZNg

Some text about the presentation
ht tps://hackaday.com/2015/12/28/32c3-towards-trustworthy-x86-laptops/

TimH August 9, 2021 9:52 AM

The attacks work if BL is configured to only use the TPM for login auth. So use the PIN (password) option instead, after FIRST configuring it to the maximum 20 characters, and AES-256 from default AES-128.

echo August 9, 2021 9:56 AM

TPM is what it is. It makes my life easier. Bitlocker and other full disk encryption methods stop low hanging fruit from poking their noses in. That’s it. I know the instant anyone gets physical access they can compromise my laptop which is why they don’t get access. There’s nothing on my laptop a nation state wouldn’t either know or guess at and anything really important never goes anywhere near the laptop or anything with a CPU or plug on the end.

My laptop has TPM. I have a fair idea of what it is and what its limitations are. I never bought the “anti security theatre” of Veracrypt which made my life more difficult because of dogma and assuming the user was so stupid they would aoutmatically fall for “false reassurance”. But neither do I believe a single word off Microsoft who are using TPM to peddle a new OS version to take a second bite at the cherry and a bribe to IHV’s to maintain their dominant place in the software ecosystem.

As for Bitlocker on the one hand it sells the idea of security. On the other hand it is deliberately incompatible with other OS much like every other link in the chain from boot. That is the bigger security issue. It’s also an abuse of market position issue.

A Raspberry PI and roll up keyboard fits in a handbag…

Solarbonite August 9, 2021 10:02 AM

In fairness this attack has been known about for some time. Look at the videos on Secure Boot from years ago; there are a lot of avenues around the tech. That doesn’t mean we should just drop it; it’s patching holes that will be exploited over time. It’s also not “Microsoft’s TPM” haha; its the standard cryptographic co-processor that doesn’t encrypt communications over its CPU->chip comms channel.
The PIN is supposed to somehow help with this attack, iirc it does a hash derivative of the secret plus the TPM secret.
I would still argue that it’s more security than just the TPM or the PIN, cause now it’s hardware locked; when shipping there can’t be funny business if the parts are shipped separately.
Linux has LUKS which has the same problems when using Clevis to bind its secret to the TPM: without the pin and with hardware access it’s possible to circumvent the protection. 🙃

Megan August 9, 2021 3:05 PM

This is much easier than the article implies. Just boot the drive with a Linux boot disk and decrypt from there. Still takes maybe 30 minutes, but all you need is linux and a thumb drive to get this one.

lurker #11253 August 9, 2021 3:42 PM

I guess BIOS boot password would have rendered this particular attack useless.

Fed.up August 9, 2021 5:53 PM

In the time of Covid when onboarding new employees this is exactly why laptops should not be standard issue anymore.

Much safer to issue locked down thin client that is purpose built to NIST 800-53 controls. It can be configured to only work via Ethernet to the IP address that was set up during onboarding. It is such a bad idea to leave security up to an employee’s best judgment. Meanwhile their kids are Tik Tok’ng on the same modem. Service Providers need to offer different class of service to residential and allow multiple accounts to the same residence. Employers should pay and control the work ISP account. Monitor traffic and security.

It’s against corporate policy and often against the law to use public wifi for work, and the only way to stop that is negate the ability for it to be possible.

An engineer who developed high speed data transfer tech was killed when his laptop was stolen from him at a Starbucks a few years ago. There were 3 perps. They only caught 2 and they never recovered the laptop. https://www.nbcnews.com/news/us-news/man-s-laptop-was-stolen-starbucks-california-he-was-killed-n1109416

1.5 years into Covid. No one is going back to the office anytime soon. Maybe ever. Wishful thinking isn’t a wise business strategy.

John August 9, 2021 6:06 PM

Boot from media you don’t let out of your sight or off your person. I use a microSD card with my /boot/ directory on it.
The Linux system has full disk encryption via LUKs using 2FA with challenge/response via a Yubikey – that key doesn’t leave me either. 2 yubikeys are setup for access this way and a backup 66 character no-way-I-could-type-that passphrase is also setup. LUKS has 8 slots for decryption keys, so other people can have their access to the same system too.
Any time the computer is being moved or I’m not in the hotel room, it is shutdown. No hibernation. No standby.

Of course, once the computer is booted and the storage is unlocked, it is crackable due to normal security faults.

I can’t imagine trusting MS-Windows or OSX to be secure.
With physical access, eventually, someone can get in. The goal is to make that eventual time beyond their lifespan and then access to my Mom’s recipes really doesn’t seem so important.

lurker August 9, 2021 7:48 PM

My simple mind would have expected the TPM to be mounted on the cpu chip header to avoid bus exposure. But the cpu already looks like a colander that’s been used for target practice.

This system that was cracked was set up to trust the machine, not the person holding it. Well, hello? It’s the old saw again, convenience has trumped security. Systems like this are not intended to be secure, they are intended to sell seats for Windows. Don’t start me on SSO…

Matt August 9, 2021 10:52 PM

The way it is “[booting] directly to the Windows screen, with no prompt for entering a PIN or password” seems like they want to tick some compliance box for encrypting data at rest without putting up with the hassle of users forgetting their credentials.

echo August 10, 2021 12:59 AM

As per my comments in the Squid topic on models of reasoning this article by Arstechnica is part of the con by Microsoft to sell more product. More product being a “more secure” operating system called Windows 11. It’s a nod and a wink to the industry that play nice with them and you’ll make money. Every end user who conveniently doesn’t own hardware in alignment with the latest sales cycle mysteriously has found they are being put in a second class category and the slow lane. There’s no overt pressure to buy something new because Windows 10 is available on maintenance support for another five years but the message is there.

The security industry seems very mute both on the log chain of failures by Intel and Microsoft and others who brought us to this point. More curious is the instantaneous evaporation of criticising “security theatre” and more importantly the security theatre embedded in Windows 11.

The software, hardware, and and media industries and, yes, security industry seem to behaving like the wife beater who bought his wife a bunch of flowers from the housekeeping he has been withholding. Something whiffs not just about this article but the timing of this article but more importantly what is said and not said by Arstechnica especially. And there is no pushback from security “experts”.

It’s not just the usual suspects but also Lenovo. The refusal to update a bios to support secure boot or TPM 2.0 on Windows 7 class machines when Windows 8 came out and hardware without a hardware TPM module supported TPM 2.0 in software. There was also the case of unused payload in one of their firmware or software updates (I forget which) which could be used by an exploit to reduce its payload size. Then there is the spurious whitelisting of modems in the mini PCIE socket. Without a hacked BIOS (who wants that?) or a workaround (I have one) it’s impossible to upgrade from a 3G to 4G or 5G modem.

I am not ruling out legal or political action on any of these fronts whether it involves the courts or regulators or whoever. I know when someone is trying to pull the wool over my eyes even if on the face of things it has or is claimed to have the appearance of “legal”. I am also not above questioning whether UK government policy and regulation is legal and by this not just one narrow policy area but a broad spectrum of policy areas.

If you don’t want to radicalise someone don’t be a crook or mean or take advantange. That’s all I’m saying.

echo August 10, 2021 2:57 AM

@Winter

Nobody trusts Windows! It’s not a small exclusive club! I certainly don’t trust Microsoft or large chunks of American business even if it’s just the toxic effect they have on business practices and human rights. America has a lot of work to do pulling its socks up with respect of human rights and social policy and I know plenty of Americans agree. Not that this lets Russia or China or even the UK off the hook.

Jon August 10, 2021 4:53 AM

@Megan is wrong when she says;

“This is much easier than the article implies. Just boot the drive with a Linux boot disk and decrypt from there. Still takes maybe 30 minutes, but all you need is linux and a thumb drive to get this one.”

The article clearly states:

All BIOS settings were locked with a password
The BIOS boot order was locked to prevent booting from USB or CD
Secureboot was fully enabled and prevented any non-signed operating systems
Kon-boot auth bypass did not work because of full disk encryption

Clive Robinson August 10, 2021 3:03 PM

@ ALL,

Many years ago I pointed out that Full Disk Encryption was at best problematical as it was an “all or nothing” solution and as with “communications” users need to take a layered approach with crypto to,

1, Protect data at rest (stored).
2, Protect data in transit (communicated).
3, Protect data in use (processing).

Whilst there are known structured and layered solutions to both 1 and 2 we are only marginally closer than we wwre last century on 3.

For data in “transit” you need a four layered approach currently,

2.1, Link encryption.
2.2, End to End encryption.
2.3, User level encryption.
2.4, Object level encryption.

Yes it’s a lot of encryption and a wise person would use different encryption types and modes for each layer. The first two 2.1, 2.2, in general will be automatically generated afresh for each new communications path establishment. The other two need to be selected with care in other ways (to long to go into here).

In the same way storage encryprion needs to be multi-layered and use multiple algorithms and modes.

That way if the FDE gets cracked whilst in use, little or norhing becomes available to the attacker.

A discussion on these could and has easily filled books in the past so don’t jump in thinking the water is warm and shallow it realy is deep, glacial, and with strong under tow to drag you down…

That’s not to say people can not design workable solutions, they can, they just need to be aware of what they are doing and how it can go wrong.

Winter August 10, 2021 3:15 PM

@Clive
” we are only marginally closer than we wwre last century on 3..”

Protecting data during processing? The only thing I seem to hear about is Homeomorphic encryption. That seems to be not yet ready for practical use.

But I think the more urgent problem currently seems to be to compartmentalize the computers so the user can actually control what data gets stored where in the system. See the link to the talk by Joanna Rutkowska above.

Ray August 11, 2021 8:31 PM

Bruce I may be wrong but I don’t think it’s “Microsoft’s TPM” as the title of this post implies.

Zeph August 12, 2021 10:58 AM

“It requires physical access to your computer, but you leave it in your hotel room all the time when you go out to dinner.”

In my what? When I WHAT?

So, this threat is mostly applicable to jet-setters?

Clive Robinson August 12, 2021 4:13 PM

@ Zeph,

So, this threat is mostly applicable to jet-setters?

No not in the slightest, it’s a threat to anyone who leaves the ICT equipment “unguarded” even for moments (so back in the old days a grab of a laptop in a coffee shop was applicable).

The quote of,

“but you leave it in your hotel room all the time when you go out to dinner.”

Comes from the original “Evil Maid Attack” definition from what feels like ages back before the major change in society caused by the recent but necessery “Home Working” which was in turn caused by the failings of our political leaders and the lobbyists of a year or so ago. Who kind of proved “Stupid is as stupid does” and in some cases killed themselves with their stupidity (but not enough for the message to get through).

So take your average new “home worker” what do they do with that “work computer” when they are not “home working”?

Lock it in a desk draw? Do they even have a desk? Maybe they work of the kitchen or dining table or one of those sofa “TV Meals” type trays…

Do they have a propper physical safe for the ICT equipment that is rated at 60mins or more by Underwrighters Laboratories (UL)? That is wired into an alarm system that will get an armed guard response in 15mins or less? Probably not, and even if they did what’s the odds they would not pop-off for a few minutes whilst not locking it all up?

So effectively No?

Well that means they are a potential candidate for “New age Evil Maid” or a “cat burglar”. Or unfortunately more likely a “quater of a dozen of mercenary thugs”. Who these days turn up with guns, sledgehammers, and optionaly a set of tools to extract information out of you via your finger and toe nails etc.

That’s what “Physical Security measures” are all about when very valuable “physical items” are moved from “physically protected interanal secure areas” to “physically unprotected external areas” and the “Security Perimiter” needs the correct “physical adjustments” to cope with it.

There is a huge crossover between “Physical Security” for tangible physical objects and “Information Security” for intagible non physical information objects.

Why? Because there are only three things you can actually do with “information objects”,

1, Communicate them.
2, Store them.
3, Process them.

That is the “information” has to be “impressed or modulated” on physical energy, matter, or both which makes it possible for “us” “physical objects” to interact with it.

Thus whilst we might use “encryption” it is only as good as the ultimate protection of the “encryption keys” held by the likes of a “secret” be it a password or passphrase in a persons head (prey to what ever gods you believe in that some idiot has not used bio-metrics in the security design you have to use).

That is the simple reality, if an employer puts information of high value on a laptop so someone can “Home work” or “work whilst travelling” sooner or later somebody will work out that the easy way to realise “the value” is to get at the laptop whilst the information they want is “unlocked”.

It’s why I consider “security” that only uses FDE a very dangerous joke at best. Hence my earlier comments about the requirment for a layered approach,

https://www.schneier.com/blog/archives/2021/08/defeating-microsofts-trusted-platform-module.html/#comment-386471

Which if you design it properly –and very very few will– it will keep all but a tiny fraction of the information encrypted for most if not all of the time. Thereby reducing the likely hood of direct physical attack being either carried out or successfull.

Remember at the end of the day there are two basic sorts of crime,

1, Ego Food.
2, Realisation of value.

There is little or nothing you can do about “Ego Food” attacks they are about the attackers self-view more than they are anything else. So a graffiti artist putting up a rude message and their tag on the front of a Political Leaders home is an “Ego Food” attack.

What you can do by the use of “Probabilistic Security” is significantly reduce the likelyhood of a “Realisation of value” attack. If the attacker knows the probability of files being unencrypted at any point in time is incredibly small likewise the access to encryption keys, it means the ROI on such an attack is very small thus they will look for other attacks with a higher ROI.

Leave a comment

Login

Allowed HTML <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre> Markdown Extra syntax via https://michelf.ca/projects/php-markdown/extra/

Sidebar photo of Bruce Schneier by Joe MacInnis.