Security flaws found affecting billions of computer chips

November 21, 2019 //By Jean-Pierre Joosting
Security flaws found affecting billions of computer chips
Security researchers Berk Sunar and Daniel Moghimi Worcester Polytechnic Institute (WPI) led an international team of researchers that discovered serious security vulnerabilities in computer chips made by Intel and STMicroelectronics.

The security flaws affect billions of laptop, server, tablet, and desktop users around the world. The proof-of-concept attack is dubbed TPM-Fail

The two newly found vulnerabilities, which have been addressed, would have allowed hackers to employ timing side-channel attacks to steal cryptographic keys that are supposed to remain safely inside the chips. The recovered keys could be used to compromise a computer's operating system, forge digital signatures on documents, and steal or alter encrypted information.

"If hackers had taken advantage of these flaws, the most fundamental security services inside the operating system would have been compromised,” said Sunar, professor of electrical and computer engineering and leader of WPI’s Vernam Lab, which focuses on applied cryptography and computer security research. “This chip is meant to be the root of trust. If a hacker gains control of that, they’ve got the keys to the castle."

The flaws announced are located in TPMs, or trusted platform modules, which are specialized, tamper-resistant chips that computer manufacturers have been deploying in nearly all laptops, smart phones, and tablets for the past 10 years. Following an international security standard, TPMs are used to secure encryption keys for hardware authentication and cryptographic keys, including signature keys and smart card certificates. Pushing the security down to the hardware level offers more protection than a software-only solution and is required by some core security services.


Vous êtes certain ?

Si vous désactivez les cookies, vous ne pouvez plus naviguer sur le site.

Vous allez être rediriger vers Google.