Wave Systems Corp. (fka WAVXQ)

[Fullmoon]

PC Security Hack Is No Big Deal

http://www.glgroup.com/News/PC-Security-Hack-Is-No-Big-Deal-46489.html

Wednesday, February 10, 2010
Analysis by: Jim Turley
Analysis of: Security Chip That Does Encryption In PCs Hacked | www.npr.org
Source: www.glgroup.com
Summary:
The security hack was time-consuming, expensive, and technically difficult. It's not broadly applicable to PCs in general.
It required physically obtaining and disassembling the entire PC, so it's only relevant to stolen machines, not "drive by" security hacks.
The methods, although expensive and complex, are already well-known in the industry.
Analysis:

Chalk one up to sensational journalism

A new Associated Press article article describes, in somewhat breathless terms, how security consultant Chris Tarnovsky "cracked" the security chip found in most PCs. According to the article, this will lead to widespread identity theft, lost pa swords, stolen military secrets, and more.

Although the details of Tarnovsky's exploits are accurate, the fallout is not. In reality, this is no big deal. Here's the background.

Almost all new PCs now have a so-called "trusted platform module," or TPM, chip. This is something Microsoft has been urging PC vendors to include as a way to make PCs (and by extension, Windows) somewhat more trustworthy for online transactions, banking, and other secure tasks. Several chip vendors produce TPM chips, with Infineon's being the most common. The TPM chip stores the PC user's passwords and, in some cases, fingerprint or smartcard info. It's the TPM chip that authenticates these things when you turn on your PC.

Tarnovsky broke into a TPM chip by literally breaking into it. He opened up a PC, disassembled it, and removed the TPM chip from the motherboard. He then disassembled the chip itself, a lengthy and expensive process that likely took weeks to accomplish. This is known in the industry as "decapitating" a chip, and it's common practice when analyzing competitors' components. There are a handful of commercial firms that specialize in decapitating chips for their clients. ChipWorks, for example, is one such company. (These companies are typically based in Canada rather than the U.S. because of the more lenient copyright and patent laws there.)

Given that Tarnovsky had to physically disassemble an entire PC and then painstakingly decapitate the TPM chip inside it, his efforts hardly represent a widespread threat to PC users as a whole. The process is expensive, time-consuming, and very technically delicate. And in the end, it's no different than having a PC stolen or lost: all the data is effectively compromised anyway.

So the message here is: protect sensitive data on PCs but don't treat it -- or any form of security -- as foolproof. Padlocks, passwords, barbed-wires fences, moats, and every other form of security can be compromised if someones badly wants to. These are deterrents, not guarantees.