Unveiling the ‘faulTPM’ Exploit: AMD’s Vulnerable Trusted Platform Module

Microsoft mandated personal computer support for TPM to install Windows 11, provoking controversy upon the operating system’s 2021 release. Since then, TPM’s inherent security flaws, requisite workarounds, and other issues have cast doubt on its necessity for Windows 11, with a newly discovered vulnerability potentially devastating the protective layer for some AMD processors.

A recent scholarly article elucidates vulnerabilities called ‘faulTPM’ within AMD SoCs that could enable attackers to neutralize any security provided by their TPM implementation. Such attacks may expose encrypted information or other credentials safeguarded by TPM. The researchers have also shared the code used for the attack on GitHub and a list of the inexpensive hardware used for the attack.

Image credit: Technische Universitat Berlin – SecT

Trusted Platform Modules (TPMs) introduce a security stratum to CPUs by sequestering sensitive data, such as encryption keys and certificates, thereby rendering hacker access more formidable. In systems utilizing this feature, it constitutes the mechanism underpinning PIN-based Windows login. Traditionally, TPMs are housed within a physical chip on the motherboard; however, many processors also encompass a software-based variant, dubbed Firmware TPM (fTPM), which users can activate through BIOS.

TPM’s early issues exacerbated Microsoft’s insistence, but researchers from the Technische Universität Berlin – SecT and Fraunhofer SIT recently discovered a vulnerability capable of completely nullifying fTPM. Successful attacks could enable arbitrary code execution and extraction of encrypted information.

One assault method involves voltage fault injection attacks, wherein manipulating the power supply forces Zen 2 or Zen 3 CPUs to accept spurious information, empowering attackers to tamper with firmware. Another simpler approach is a ROM attack, exploiting an unpatchable defect within Zen 1 and Zen+ processors.

These vulnerabilities gravely threaten security measures reliant on TPM, such as BitLocker. Researchers posit that a robust password offers greater security than TPM and PIN codes.

“AMD is aware of the research report attacking our firmware trusted platform module which appears to leverage related vulnerabilities previously discussed at ACM CCS 2021. This includes attacks carried out through physical means, typically outside the scope of processor architecture security mitigations. We are continually innovating new hardware-based protections in future products to limit the efficacy of these techniques. Specific to this paper, we are working to understand potential new threats and will update our customers and end-users as needed.” — AMD spokesperson to Tom’s Hardware.

Fortunately for users, these faulTPM attacks necessitate hours of physical access to the target system, meaning they do not involve remote infection via malicious software. The vulnerability primarily concerns lost or stolen devices. Voltage fault attacks entail approximately $200 worth of specialized hardware to manipulate motherboards, whereas executing a ROM attack necessitates only an SPI flash programmer.

Here’s the step-by-step method of attack:

• Backup the BIOS flash image using an SPI flash programmer
• Connect the fault injection hardware and determine the attack parameters (4.1)
• Compile & deploy the payload extracting the key derivation secret (4.3)
• Start the logic analyzer to capture the extracted key derivation secrets via SPI
• Start the attack cycle on the target machine until the payload was executed successfully
• Parse & decrypt the NVRAM using the BIOS ROM backup and payload output with amd-nv-tool
• Extract and decrypt TPM objects protected by this fTPM with amd ftpm unseal