Researchers Expose Vulnerabilities in AMD's Firmware-Based TPMs

Published by

teaser

In their recent paper, "faulTPM: Exposing AMD fTPMs' Deepest Secrets," researchers at the Technical University of Berlin have highlighted a new exploit targeting AMD's firmware-based Trusted Platform Module (TPM) that affects Zen 2 and Zen 3 processors. 



The faulTPM attack utilizes the vulnerability of the AMD secure processor to voltage fault injection attacks, allowing attackers to extract a unique secret from the targeted CPU chip. With this information, the storage and integrity keys protecting the fTPM's non-volatile data stored on the BIOS flash chip can be derived.

The attack consists of two phases: a manual parameter determination phase and a brute-force search for a final delay parameter. The first phase requires around 30 minutes of manual attention, but automation is possible. The second phase involves repeated attack attempts to search for the last-to-be-determined parameter and execute the attack's payload. Once the attack is successful, the attacker can extract any cryptographic material stored or sealed by the fTPM, even without authentication mechanisms like PCR validation or passphrases with anti-hammering protection. This vulnerability compromises the security of systems that use TPMs as a security measure, such as BitLocker. The research suggests that Zen 2 and Zen 3 CPUs are vulnerable, while Zen 4 was not mentioned. The attack requires several hours of physical access, making remote vulnerabilities unlikely. However, the researchers' $200 system used for the attack demonstrates how easily attackers can access the physical connections necessary for the exploit.

AMD is aware of the research report attacking our firmware trusted platform module which appears to leverage related vulnerabilities previously discussed at ACM CCS 2021. This includes attacks carried out through physical means, typically outside the scope of processor architecture security mitigations. We are continually innovating new hardware-based protections in future products to limit the efficacy of these techniques. Specific to this paper, we are working to understand potential new threats and will update our customers and end-users as needed.

Researchers Expose Vulnerabilities in AMD's Firmware-Based TPMs


Share this content
Twitter Facebook Reddit WhatsApp Email Print