
Question: What are the exact risks of using TPM 2.0 or owning this integrated chip? In what circumstances?

What are the solutions to minimize risks?

Details: My primary goal was to try to find out how deeper-level backdoors could compromise today's disk/messaging "encryption" practices, and how to solve them.

I found the well-known article where the German government practically says that having Windows 8/10 with TPM 2.0 is probably acceptable for average customers, but otherwise it's not recommended for Federal use, because it is a potential source of backdoors. Now, after WannaCry defeated their whole railway system, exploiting an already known but intentionally undisclosed Windows security hole, their worries seem to be legitimate. But other firmware security developers like Guido Stepken (also in Germany) say that if the computer is bought with preinstalled Windows, the Endorsement Key is already signed by US authorities; then it's practically enforceable by US law to insert any backdoor into MS products, or to provide these keys, and then of course anyone with the knowledge can practically have control over any machine (there were several successful attacks demonstrated too).

In this case, it's not enough to wipe the HDD/SSD, install a Linux distro, and ignore proprietary firmware installs (which may also be a risk). The next thing we can do is to disable TPM and UEFI - but how can we trust then that it really happens? This leaves the system more vulnerable to attack, therefore we need to find a way to make Linux work with UEFI - can it be trusted on a previously Windows-certified machine? Can we secure the system so the data is not tied to the TPM (data loss due to physical error)?

I searched for a few days and didn't find any clear answer; most of the articles are either infinitely paranoid, simply ignore the risk side, or are MS advertisements. I need a rational balance between the two.

If I'm not exact enough, or you need sources, I will respond on demand. Thanks for the effort of trying to reply.

TriloByte
  • I think various firmware components of a modern server, and especially the CPU's privileged system management mode (remember the Intel Management Engine exploit?) and BMC, are much more risky than a classic TPM, as it is not normally able to get into control flow. – eckes Aug 04 '17 at 17:46
  • Yes, and AMD also has its equivalent; practically the combination of the two is especially worrying, since you can control both of these in the BIOS and there you can set things like wake on LAN, but if I am right, these do need access to both power and network. – TriloByte Aug 04 '17 at 18:43
  • A TPM is completely harmless. It resides on the LPC bus and does not have access to the LDRQ# line, so it cannot become bus master and is incapable of mounting DMA attacks. The absolute worst it could do is lie to you and let unsigned data through, which is the same as having no TPM at all. The iTPM (integrated TPM) is functionally the same, but not present on the physical LPC bus. – forgetful Oct 19 '17 at 12:00
  • Mixing up user-enabled hack attacks (WannaCry) and hardware vulnerabilities: these are two different things that should not be mixed. It needs only one ignorant or uneducated user to allow a hacker access. When using hardware and software, be it a personal computer, a smartphone or a car, you have a level of trust in the vendor or the components. But yes, we had WEP, where the name became a misnomer within a couple of months, so no, if you work on sensitive data the only secure way would be using pen and paper. – theking2 Oct 17 '21 at 09:14

2 Answers

While we aim for tech to solve all problems for us, in security, trust is an important contributing factor.

So the short answer is: When hardware, firmware (and why not chip-level?) backdoors are part of your threat model, TPM is just not good enough.

I'm skipping a longer answer because your question already includes the scenarios to justify this answer. :)

It is a problem mainly because it is designed to inspire trust and thus lower your guard. In practice (as commented by @eckes) other risks are much bigger.

Edit based on the comments: Scenario: We can't trust signed updates by Microsoft (or any other OS publisher).

Yes, TPM can be used to "sign our own bootloader" to counter the problem. As you already pointed out ("ignore the fact that..."), we need to assume trust of already installed components or accept the risk, as you have pointed out ("ignore the fact of...").

IMHO, when you don't trust a vendor, you can't use any of the components (not just those protected by the TPM) supplied by that vendor without extensive verification. Further, you have to disable updates, or subject every update to the same level of verification.

Sas3
  • I do accept that using TPM does not secure a machine "enough". But my question is rather whether the fact that the chip is sitting there, enabled by default together with "Management" tools, is a risk or not, by default or when disabled. – TriloByte Aug 05 '17 at 13:45
  • It is not practical to answer whether something is a "risk or not" - as if it were binary. Risk is measured on a scale / range. Threat models differ from entity to entity - hence risks differ too. If you ask whether the risk is zero, then the answer is that the risk is not zero. That's the closest to certainty that I would go. The rest depends on how accurate your threat model is. – Sas3 Aug 05 '17 at 17:59
  • Then I'd rather ask it this way to confirm: Is the maximal security we can achieve with TPM activated practically to sign our bootloader with our own unique key, so we can avoid backdoors signed by Microsoft? In this case we do ignore the fact of hardware backdoors or TPM security holes, or BIOS/UEFI integrity before signing and updating. If this question is also senseless, I will not push it; I need more time to find it out myself. Thanks for the answer. – TriloByte Aug 05 '17 at 20:36
  • No, the question is not senseless... so I edited the answer. The scenario is still a bit problematic, but... :) Hope that helps. – Sas3 Aug 06 '17 at 01:48
  • +1 you can trust the vendor based on reputation, or you can refuse to use their products. Short of verifying every line of source and every schematic yourself, any kind of middle ground is just theatre. IMO this is **the** answer. – Mike Ounsworth Aug 06 '17 at 03:57
  • Final conclusion @ edited reply: So it practically means that if I have no resources to test, I have to trust the producer, the end shop and anyone else in between to deliver clean hardware and UEFI, where I can really opt out of MS-controlled signatures (including Linux) + remote "management" options to minimize backdoors. Since leading brands already preinstall firmware spyware on business-category computers, and UEFI golden keys were leaked, any personal/business data stored on these devices should be considered "public". – TriloByte Aug 06 '17 at 10:35
  • I think I found another part of my answer: Computrace UEFI backdoor, Black Hat USA 2014 – TriloByte Aug 06 '17 at 10:56
  • Most if not all EFI interfaces let you delete (or reset) the keys stored on the TPM. That way there should be no *debris* from a previous installation. If really paranoid and you don't trust that, the only option is to build your own hardware; motherboard and all. But even then you might use an AMD or Intel chip, and who knows what these contain. – theking2 Oct 17 '21 at 09:09

To answer my question for those who are facing similar issues:

There are some major problems with preinstalled firmware backdoors on all major brands:

  1. Driver and "Service" spyware
  2. UEFI golden key backdoor
  3. Computrace backdoor
  4. "Management" services

If we ignore the hardware backdoor possibilities, right now in 2017 it is very probable that reformatting and installing Linux solves these problems. Sometimes you can turn off Computrace and remote Management tools in the BIOS.

For more security, you can reflash with a custom UEFI mod, and sign the bootloader with your own key.

But a warning: some articles suggest that Computrace works under Linux too, and even when permanently disabled it phones home; some say it does not disappear with reflashing the BIOS, or it is on a chip, thus an irremovable backdoor. This heavily depends on versions and brands, but it is possible that they intentionally avoid providing information or correct support.

(Further details about Computrace: Can my computer will be compromised by uBlock/Adblock filter list)

TriloByte
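The answer above says to disable management features in the BIOS and sign the bootloader with your own key, and the question asks how to trust that the disabling "really happens". One way to check from Linux what the firmware actually reports, rather than trusting the setup menu, is the script below. It is an added example, not code from either answer; it assumes a Linux host with sysfs and efivarfs mounted, and sbsigntools for the last function.

```shell
#!/bin/sh
# Added example (not from the original post): report TPM presence, Secure Boot
# state and the signers of an EFI bootloader from a Linux shell.

# The standard EFI global-variable GUID; "SecureBoot" is the standard variable name.
SB_VAR=/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c

# Prints "present <major version>" if the kernel exposed a TPM, "absent" otherwise.
tpm_state() {
    if [ -d /sys/class/tpm/tpm0 ]; then
        # tpm_version_major exists on newer kernels; older ones get '?'
        major=$(cat /sys/class/tpm/tpm0/tpm_version_major 2>/dev/null || echo '?')
        echo "present $major"
    else
        echo "absent"
    fi
}

# Decodes the SecureBoot variable. efivarfs prefixes the data with 4 attribute
# bytes, so the 1-byte flag is at offset 4. Prints enabled/disabled/unknown.
secureboot_state() {
    if [ ! -r "$SB_VAR" ]; then
        echo "unknown"   # not booted via UEFI, or efivarfs not mounted
        return 0
    fi
    flag=$(od -An -tu1 -j4 -N1 "$SB_VAR" 2>/dev/null | tr -d ' ')
    case "$flag" in
        1) echo "enabled" ;;
        0) echo "disabled" ;;
        *) echo "unknown" ;;
    esac
}

# Lists the certificates that signed an EFI binary, so you can confirm the loader
# carries your own key and not only a vendor one. Needs sbverify (sbsigntools).
bootloader_signers() {
    if ! command -v sbverify >/dev/null 2>&1; then
        echo "sbverify not installed"
        return 2
    fi
    sbverify --list "$1"
}

if [ "${1:-}" = "--report" ]; then
    echo "TPM:         $(tpm_state)"
    echo "Secure Boot: $(secureboot_state)"
    if [ -n "${2:-}" ]; then bootloader_signers "$2"; fi
fi
```

Run it as `sh check_boot.sh --report /boot/efi/EFI/<your distro>/grubx64.efi` (path is an assumption; use your own loader's path) after enrolling your key, and compare the listed signer with the certificate you generated.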