Wave Systems Corp. (fka WAVXQ)

[helpfulbacteria]

Has the TPM been hacked?


Sorry for the provocative question. But I just came across this reference to something called the TPMkit (and the company behind it WILL be speaking a Black Hat USA 2007 in August.) This seems, well, at least, interesting. As with all PURPORTED hacks of anything, the devil will be in the details and the conditions/assumptions/context of the hack. So, yes, I know this all could be a false alarm.:

(EXCERPT FROM SECURITY NEWS SERVICE HERE):

From listuser at nvlabs.in Fri May 11 06:56:32 2007
From: listuser at nvlabs.in (Vipin Kumar)
Date: Fri, 11 May 2007 16:26:32 +0530
Subject: [Dailydave] TPMkit: Breaking the Legend of Trusted Computing(TC
[TPM]) and Vista (BitLocker) - Nitin Kumar & Vipin Kumar
Message-ID: <46444BE0.8020802@nvlabs.in>

Dear all,

We are working on TPMkit:Breaking the Legend of Trusted
Computing(TC [TPM]).We are almost in the final stages of breaking TPM. We have success on Window's Vista Bit Locker, though the method is OS independent.

we are planning for demonstrations at the Blackhat USA and HITB cons (if they accept us).

Abstract and general info about presentation
---------------------------------------------------------------------------
TPMkit: Breaking the Legend of Trusted Computing(TC [TPM]) and Vista (BitLocker)
*********************************************************************************

"Trusted computing" means that the computer will consistently behave in specific ways, and those behaviors will be enforced by hardware and software. Trusted Computing is often seen as a possible enabler for future versions of document protection (mandatory access control) and copy protection (Digital Rights Management) - which are of value to corporate and other users in many markets and which to critics, raises concerns about undue censorship.It's also being used by software vendors. (Source http://en.wikipedia.org/wiki/Trusted_Computing)

Trusted Computing includes the use of trusted Platform
Module(security processor(hardware chip)) which can be used to enforce protections ( such as BitLocker in Microsoft's Windows Vista). TCG has proposed a specification for Remote Attestation that allows a host to remotely prove its hardware and software while protecting its privacy. Trusted reporting is the key component for attestation of a host’s configuration and is accomplished by exposing trusted measurements. Remote Attestation is also used to Trusted Network Connect. The TNC architecture enables network operators to enforce
policies regarding endpoint integrity at or after network connection.

TCPA/TPM DRM is a technical term for a Trustworthy Computing solution that limits what fair use consumers can use with the media they own. More info on http://www.chillingeffects.org/weather.cgi?WeatherID=534

Nearly 150 Million TPM devices have already been shipped and this number is increasing day-by-day. ( Source: https://www.trustedcomputinggroup.org/news/Industry_Data/Implementing_Trusted_Computing_RK.pdf)


The TPM becomes the first step in the boot sequence, serving as a secure foundation for the BIOS, the boot loader, the kernel, and the rest of ,the operating system. Since the TPM performs this check every time the PC boots, it provides a regular check for rootkit infections. This means it will be easily apparent when a PC has been tampered with. (Source:
https://www.trustedcomputinggroup.org/news/Industry_Data/Whitepaper_Rootkit_Strom_v3.pdf)

The attack procedure (TPMkit) involves an attack on the TPM. TPMkit lets you overcome technologies such as Vista's BitLocker. TPMkit also bypasses remote attestation and thus, will allow to connect over Trusted Network Connect(TNC)(although the system might not be in Trusted state.).

TPMkit bypasses the security checks mentioned (in the above paragraphs) and thus, you will never know that you are using a compromised or changed system.

The demonstration will include a few live demonstrations. For example, one demonstration will show how to login and access data on a Windows Vista System( which has TPM + BitLocker enabled).