Jump to content
  • Trusted platform module security defeated in 30 minutes, no soldering required


    Karlston

    • 1.4k views
    • 10 minutes
     Share


    • 1.4k views
    • 10 minutes

    Sometimes, locking down a laptop with the latest defenses isn't enough. 

    Let’s say you’re a large company that has just shipped an employee a brand-new replacement laptop. And let’s say it comes preconfigured to use all the latest best security practices, including full-disk encryption using a trusted platform module, password-protected BIOS settings, UEFI SecureBoot, and virtually all other recommendations from the National Security Agency and NIST for locking down federal computer systems. And let’s say an attacker manages to intercept the machine. Can the attacker use it to hack your network?

     

    Research published last week shows the answer is a resounding yes. Not only that, but a hacker who has done her homework needs a surprisingly short stretch of time alone with the machine to carry out the attack. With that, the hacker can gain the ability to write not only to the stolen laptop, but to the fortified network it was configured to connect to.

     

    Researchers at the security consultancy Dolos Group, hired to test the security of one client’s network, received a new Lenovo computer preconfigured to use the standard security stack for the organization. They received no test credentials, configuration details, or other information about the machine. An analysis of the BIOS settings, boot operation, and hardware quickly revealed that the security measures in place were going to preclude the usual hacks, including:

     

    Fort Knox and the not-so-armored car

    With little else to go on, the researchers focused on the trusted platform module, or TPM, a heavily fortified chip installed on the motherboard that communicates directly with other hardware installed on the machine. The researchers noticed that, as is the default for disk encryption using Microsoft’s BitLocker, the laptop booted directly to the Windows screen, with no prompt for entering a PIN or password. That meant that the TPM was where the sole cryptographic secret for unlocking the drive was stored.

     

    Microsoft recommends overriding the default and using a PIN or password only for threat models that anticipate an attacker with enough skill and time alone with an unattended target machine to open the case and solder motherboard devices. After completing their analysis, the researchers said that the Microsoft advice is inadequate because it opens devices to attacks that can be performed by abusive spouses, malicious insiders, or other people who have fleeting private access.

     

    “A pre-equipped attacker can perform this entire attack chain in less than 30 minutes with no soldering, simple and relatively cheap hardware, and publicly available tools,” the Dolos Group researchers wrote in a post, “a process that places it squarely into Evil-Maid territory.”

     

    TPMs have multiple layers of defenses that prevent attackers from extracting or tampering with the data they store. For instance, an analysis more than 10 years ago by reverse-engineer Christopher revealed that a TPM chip made by Infineon was designed to self-destruct in the event it was physically penetrated. Optical sensors, for instance, detected ambient light from luminous sources. And a wire mesh that covered the microcontroller was aimed at disabling the chip should any of its electrical circuits be disturbed.

     

    With little hope of cracking the chip inside the Lenovo laptop, the Dolos researchers sought other ways they might be able to extract the key that decrypted the hard drive. They noticed that the TPM communicated with the CPU using serial peripheral interface, a communications protocol for embedded systems.

     

    Abbreviated as SPI, the firmware provides no encryption capabilities of its own, so any encryption must be handled by the devices the TPM is communicating with. Microsoft’s BitLocker, meanwhile, doesn’t use any of the encrypted communications features of the latest TPM standard. That meant if the researchers could tap into the connection between the TPM and the CPU, they might be able to extract the key.

     

    They wrote:

    Getting around the TPM in this manner is akin to ignoring Fort Knox and focusing on the not-so-armored car coming out of it.

     

    In order to sniff the data moving over the SPI bus, we must attach leads or probes to the pins (labeled above as MOSI, MISO, CS, and CLK) on the TPM. Normally that is simple but there is a practical problem in this case. This TPM is on a VQFN32 footprint, which is very tiny. The “pins” are actually only 0.25mm wide and spaced 0.5mm apart. And those “pins” aren’t actually pins, they are flat against the wall of the chip so it’s physically impossible to attach any sort of clip. You could solder “fly leads” to the solder pads but that’s a hassle and tends to be a very physically unstable connection. Alternatively a common tactic is to locate in-series resistors to solder to, but they were just as small, and even more fragile. This was not going to be easy.

     

    But before we got started we figured there might be another way. Many times SPI chips share the same “bus” with other SPI chips. It’s a technique hardware designers use to make connections simpler, save on cost, and make troubleshooting/programming easier. We started looking throughout the board for any other chip that might be on the same bus as the TPM. Maybe their pins would be larger and easier to use. After some probing and consulting the schematics, it turned out that the TPM shared a SPI bus with a single other chip, the CMOS chip, which definitely had larger pins. In fact, the CMOS chip had just about the largest pin size you can find on standard motherboards, it was a SOP-8 (aka SOIC-8).

     

    CMOS-chip-annotated.jpg

     

    analyzer.jpg

     

    CMOS-hookup-close.jpg

     

     

    Short for complementary metal–oxide–semiconductor, a CMOS chip on a PC stores the BIOS settings, including the system time and date and hardware settings. The researchers connected a Saleae logic analyzer to the CMOS. In short order, they were able to extract every byte moving through the chip. The researchers then used the bitlocker-spi-toolkit written by Henri Numi to isolate the key inside the mass of data.

     

    With the hard drive decrypted, the researchers combed through the data in search of something—encrypted or plaintext passwords, maybe exposed sensitive files or similar things—that might bring them closer to their goal of accessing the client’s network. They soon hit upon something: Palo Alto Networks’ Global Protect VPN client that had come pre-installed and preconfigured.

     

    One feature of the VPN is that it can establish a VPN connection before a user logs in. The capability is designed to authenticate an endpoint and enable domain scripts to run as soon as the machine powers on. This is useful because it allows admins to manage large fleets of machines without knowing the password for each one.

    A platform for launching internal attacks

    Now that the researchers could boot the machine, they had the ability to infect the laptop using any number of techniques, including rewriting driver files that would give their malware access to the Windows kernel, using a technique known as DLL hijacking, or adding a new account. In the interest of speed, they chose a simpler path: a decades-old technique for bypassing Windows logons by replacing the Utilman.exe file with the cmd.exe file.

     

    The researchers then booted the decrypted Windows image as a virtual machine, using a virtual machine file they reconstructed to work with the machine they had.

     

    The result of all their work is pictured in the screenshot below:

     

    VirtualBox_win10-3_28_06_2021_15_33_47-6

    Dolos Group

    The researchers wrote:

    That’s exactly what we wanted. For this to work, authentication to the VPN happens via a certificate attached to the computer account. Since every computer account has very basic privileges in Active Directory, we can run basic SMB commands within the domain. We queried the domain controller for various types of domain information such as users, groups, systems, etc. We could also list and view the contents of files on internal SMB shares:

    smb-shares.png

    Dolos Group

    We can also use this computer account’s access as a platform for launching internal attacks and escalating laterally. To prove we had write access to a server that we shouldn’t have, we chose the internal file server from above. The proof of concept was to write a file to that server and read it back to prove read/write access.

    read-write-access-640x427.png

    Dolos Group

    This “Scanner” share is a great choice for an attacker as a watering hole for various techniques, e.g. LNK attacks, trojaned PDFs, etc. At this point we had gained access to the internal network, basic privileges on Active Directory, and access to internal file shares, more than enough to start compromising sensitive corporate data.

    Here are other images taken from the writeup:

     
    tpm-chip-1440x946.jpg
    The TPM is a ST33TPHF20SPI from STMicroelectronics.
     
    tpm-features-1.png
    Features of the chip.
     
    laptop-schematics-1.png
    Laptop schematics.
     
    hla-1440x677.jpg
    The key as viewed by the High Level Analyzer within the bitlocker-spi-toolkit.
     
    mounted-ssd-1440x1080.jpg
    Mounting the drive in an adapter.
     

    Fellow researchers who read last week’s writeup have offered a variety of defenses that can thwart the attack. Matthew Garrett, for instance, took to Twitter to offer the following recommendations:

     

    • Require a user password in addition to the TPM sealed key
    • Use a TPM protection known as parameter encryption to protect the secrets between the TPM and the CPU
    • Don't assume a machine is trustworthy just because it’s on the company VPN
    • Store more keys on the TPM, like the VPN keys, so that a virtual copy can't use them

     

     

    Trammell Hudson, a security researcher at Lower Layer Labs, offered additional suggestions, including:

     

    • The user password should be for authorization of the TPM sealed secret so that dictionary attacks can be stopped by the TPM hardware
    • Prevent phishing attacks for the user authorization with tpm2-totp
    • Use cpHash and rpHash authorization to ensure that a TPM interposer like the TPM Genie isn't modifying commands
    • Case tamper switches should prevent a local attacker from easily making hardware changes
    • Using the Management Engine fTPM is slightly harder to tap than a SPI or i2c attached discrete TPM
    • Remote attestation should be used to verify the integrity of the system before allowing it to associate to the VPN

     

    The writeup shows how security is an iterative process that involves defenders putting new measures in place, attackers learning how to knock them down, and defenders revising those defenses or adding new ones. Defenses like full-disk encryption with BitLocker, locked BIOSes, UEFI SecureBoot, and TPMs can only go so far before someone finds ways to defeat them, at least given certain types of common configurations. Now, it’s on defenders to figure out where to go from here.

     

     

    Trusted platform module security defeated in 30 minutes, no soldering required

    • Like 3

    User Feedback

    Recommended Comments

    There are no comments to display.



    Join the conversation

    You can post now and register later. If you have an account, sign in now to post with your account.
    Note: Your post will require moderator approval before it will be visible.

    Guest
    Add a comment...

    ×   Pasted as rich text.   Paste as plain text instead

      Only 75 emoji are allowed.

    ×   Your link has been automatically embedded.   Display as a link instead

    ×   Your previous content has been restored.   Clear editor

    ×   You cannot paste images directly. Upload or insert images from URL.


  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...