A researcher with expertise in hacking hardware Tuesday detailed at the Black Hat DC conference how it's possible to subvert the security of a processor used to protect computers, smartcards and even Microsoft's Xbox 360 gaming system.
Christopher Tarnovsky, a researcher at Flylogic Engineering, said he has hacked an Infineon SLE 66 CL PC processor that is also used with Trusted Platform Module (TPM) chips. He emphasized that his research shows TPM, which was developed as an industry specification for hardware-based computer security by the Trusted Computing Group and has been implemented in hardware by Infineon and other manufacturers, is not as secure as presumed. TPM can be used for a wide variety of purposes, including storage of encryption keys and is used with Microsoft’s BitLocker encryption technology.
"The TPM 1.2 chip is not as secure as the vendor tries to tell you it is," Tarnovsky said. "I can recover all your secrets inside this chip. Your keys to the Xbox 360, the licensing chip," plus the RSA cryptoengine, if it's used. "There's nothing in this device I can't see."
Tarnovsky's method, as he described it, entailed jumping the wire into the internal circuitry of the Infineon chips to create a bypass into the core. Tarnovsky acknowledged it took him six months to figure out how to effectively penetrate it, which required bypassing circuitry on chips he purchased inexpensively from Chinese manufacturers.
Tarnovsky's examination process involved subtle use of hardware-based liquid chemical and gas technologies in a lab setting to probe with specialized needles to build tungsten bridges. "Once I'm physically through the device, I have to eavesdrop on the databus," he said, adding "I can sit in the databus and listen." At this point, it now takes him about six hours to break the licensing keys to the XBox 360.
Tarnovsky, with the excruciating detail of a surgeon discussing a heart bypass operation, said he had shared his findings with Infineon. But he said that over the past month the company appeared to have dropped contact with him after he informed Infineon how he had hacked TPM, even though he had shared source code with them to prove what progress he had made in subverting the Infineon smartcard processor.
Speaking with reporters, Tarnovsky said Infineon had claimed the type of exploit he did wasn't really possible. But the fact that it can be done raises serious questions about security in TPM modules that should be addressed by the industry, he pointed out, adding two other manufacturers make TPM modules and he may be examining their products next. He acknowledged his hardware-hacking methods are probably not easy to duplicate and he doesn't plan to share them widely.