by segfaultbuserr 2661 days ago
I find the title is misleading, it did not "extract" Bitlocker keys from the inside of a TPM at all, but merely sniffed the key material on the bus. I was so excited to see the title, and so disappointed after reading it...

Sniffing keys on the bus and extracting keys from a TPM are very different scenarios. If you can "extract keys from a TPM", it means you must have found a way to tamper with the chip using a piece of semiconductor test equipment and to obtain it from the circuitry via a microprobe (or somehow injecting a spurious signal externally), bypassing any verification and self-protections of the chip.

TPMv2-like security chips are usually implemented by a secure microcontroller core. The internals are mostly a secret, and there is little public information about their internal construction; public audits on their actual resistance against various forms of attacks are almost non-existent. Even obtaining these microcontrollers is difficult, usually even the basic datasheet is behind multiple NDAs, and their availability is usually highly restricted, they don't sell these microcontroller cores to ordinary people.

If you have broken it, it would be the breaking news in the infosec community. It means it would be possible to completely decrypt the entire harddrive (if no additional key is used) given a random computer without preconditions, and everyone would have an idea about how secure these chips actually are.

I suggest changing the title to "Sniffing Bitlocker Keys from a TPM".

2 comments

The described attack allows you to recover Bitlocker keys and decrypt the harddrive from any random computer that you have physical access to, since when you boot it the key will be sent over the LPC bus in a way that can be extracted. I'm not sure what the distinction you're making is, given that the probability that someone ends up with access to a TPM but not the system it's associated with is basically zero.

> This post will look at extracting the clear-text key from a TPM chip by sniffing the LPC bus

It is a very interesting read but the title is a bit clickbaity. Luckily it's not with bad intentions, the first few lines (above) already tell you what it is.

> I'm not sure what the distinction you're making is

Imagine I tell you I can extract any information I want from the human brain. You'd be intrigued, how do I interface, how do I extract and process the data. Then I tell you I basically eavesdrop on your conversations.

I understand the end result is the same, the mechanism is compromised but the method makes all the difference to how interested I am in the article. I've read about sniffing already, I was now expecting to read how the TPM chip was "cracked".

Honestly it feels like splitting hairs, unless I'm misunderstanding something.

What is there to gain "cracking" the TPM itself, if you can get the keys fine by sniffing?

Apple's Secure Enclaves aren't vulnerable to sniffing, as the AES keys used for encryption live only in silicon, with access to use them granted to the Enclave.

The keys never exist in a software-readable form, even to the coveted Enclave firmware. Do TPMs offer this functionality, and Bitlocker needs to take advantage of it? Or do TPMs just not protect their keys against physical access?

> What is there to gain "cracking" the TPM itself, if you can get the keys fine by sniffing?

Sniffing requires the TPM be unlocked first. If you can't get it unlocked (poor wording, but it will do), no amount of sniffing is going to get you anywhere. They sort of acknowledge that here:

> Don’t want to be vulnerable to this? Enable additional pre-boot authentication.

If they really could just extract keys from a TPM without it being unlocked there would be little point in having a TPM at all. "Little point in having a TPM at all" would be big news, and the reason many of us read the article is because the headline implied it was describing a way to do just that.

In reality the TPM remains perfectly capable of keeping its secrets secret until someone with the right credentials comes along, and proves they have them to the TPM itself. But in the scenario described the only "credentials" required to make Bitlocker unlock the TPM was someone pressing the on switch.

So it doesn't sound like someone extracted the keys from the TPM to me. Once the software has unlocked it and asked it to send the keys, they will exist in multiple locations. The LPC bus is one, but they will also end up in RAM, or for that matter intercept the keying material when it is sent via the SATA bus to the drives.

> What is there to gain "cracking" the TPM itself, if you can get the keys fine by sniffing?

The ability to forge remote attestations by extracting the endorsement key or various attestation identity keys that never leave the TPM in plaintext.

Ah I see, they can successfully protect asymmetric crypto but not symmetric.

> What is there to gain "cracking" the TPM itself

The technical achievement itself. :) It would be a world first, unlike sniffing. Hacking the TPM chip itself could open the door to even more interesting stuff. I think the analogy I gave before perfectly illustrates the difference between the 2 ideas. Getting to the same end result doesn't mean the paths are equivalent.

Would you find it equally interesting to read about getting Bitlocker keys using the legendary xkcd $5 wrench [0]?

[0] https://xkcd.com/538/

I’m not convinced it would be a world first. Certainly not for nation states :) but you should definitely check out the amazing work by Chris Tarnovsky on YouTube. The level of detail he goes into when decapping the chip... and the way he explains it all leaves me in a state of awe.

Maybe nation states is a different case. When I say "world first" I mean "that we know of". But otherwise it's incredibly interesting to see work like this especially when it's about something so obscure and undocumented that the researchers have to dig up every single bit of information by themselves.

Someone obviously doesn't agree with me since in the 10s it took me to read the comment above, all of mine received an equal number of downvotes. Guess I now have a fan (and their very own small army of puppet accounts) :).

I get what you're saying, but if the end result means that they were able to get the encryption keys, what's the difference?

It's kind of like if a bank had a big vault door and then a glass window to the vault. The bank robber will break the window and get all the cash. Who cares that the door wasn't breached? What the vault was supposed to protect still is gone.

> It's kind of like if a bank had a big vault door and then a glass window to the vault. The bank robber will break the window and get all the cash. Who cares that the door wasn't breached?

A TPM without a PIN is kind of like if a bank had a big vault door and then an employee leaving the key on the office desk, the bank robber will get the key and open the door. Everyone would care whether the door itself is breached, or it was something else.

The bottom line is, if it doesn't even have a PIN code, no security is offered against an attacker with physical possession of both the motherboard and the harddrive (aka the computer), by design, and not even considered a 0day.
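
An audit for the TPM-only configuration the thread keeps returning to, as an added example that is not part of any comment above. It uses the `Get-BitLockerVolume` cmdlet from Windows' BitLocker module; the helper name `Get-TpmUnsealExposure` and the fallback sample volumes are constructed for illustration.

```powershell
# Added example: flags OS volumes whose BitLocker key the TPM releases at
# power-on with no user-supplied factor (the case where bus sniffing applies).
# Get-TpmUnsealExposure is a hypothetical helper name, not a built-in cmdlet.
function Get-TpmUnsealExposure {
    param([string[]]$ProtectorTypes = @())
    # A plain 'Tpm' protector unseals on measured boot alone, even if PIN
    # protectors also exist on the same volume.
    if ($ProtectorTypes -contains 'Tpm') { return 'TpmOnly' }
    $preBoot = 'TpmPin', 'TpmStartupKey', 'TpmPinStartupKey'
    if ($ProtectorTypes | Where-Object { $_ -in $preBoot }) { return 'PreBootAuth' }
    return 'NoTpmProtector'
}

if (Get-Command Get-BitLockerVolume -ErrorAction SilentlyContinue) {
    # Live data; needs an elevated session.
    $volumes = Get-BitLockerVolume |
        Where-Object { $_.VolumeType -eq 'OperatingSystem' } |
        ForEach-Object {
            [pscustomobject]@{
                MountPoint = $_.MountPoint
                Protectors = @($_.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
            }
        }
} else {
    # Constructed sample input so the script also runs off-box.
    $volumes = @(
        [pscustomobject]@{ MountPoint = 'C:'; Protectors = 'Tpm', 'RecoveryPassword' }
        [pscustomobject]@{ MountPoint = 'D:'; Protectors = 'TpmPin', 'RecoveryPassword' }
        [pscustomobject]@{ MountPoint = 'E:'; Protectors = 'Password', 'RecoveryPassword' }
    )
}

$volumes | ForEach-Object {
    [pscustomobject]@{
        MountPoint = $_.MountPoint
        Protectors = $_.Protectors -join ','
        Exposure   = Get-TpmUnsealExposure -ProtectorTypes $_.Protectors
    }
} | Format-Table -AutoSize
```

Volumes reported as `TpmOnly` are the ones to which the quoted advice to enable additional pre-boot authentication applies.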