by sowbug
1187 days ago
That's a bit like putting a website password check in the client-side JavaScript. Attacker removes lockout, continues brute-forcing. There really isn't a solution if the entropy is low and the enforcement mechanisms are in the hands of the attacker. Even a TPM or secure element is just a financial obstacle to a sufficiently motivated attacker.

For sure, but currently it's a fairly big step function for an attacker to have to tear down a TPM (or find a vulnerability in its firmware).