The security flaws affect billions of laptop, server, tablet, and desktop users around the world. The proof-of-concept attack is dubbed TPM-Fail
The two newly found vulnerabilities, which have been addressed, would have allowed hackers to employ timing side-channel attacks to steal cryptographic keys that are supposed to remain safely inside the chips. The recovered keys could be used to compromise a computer's operating system, forge digital signatures on documents, and steal or alter encrypted information.
"If hackers had taken advantage of these flaws, the most fundamental security services inside the operating system would have been compromised,” said Sunar, professor of electrical and computer engineering and leader of WPI’s Vernam Lab, which focuses on applied cryptography and computer security research. “This chip is meant to be the root of trust. If a hacker gains control of that, they’ve got the keys to the castle."
The flaws announced are located in TPMs, or trusted platform modules, which are specialized, tamper-resistant chips that computer manufacturers have been deploying in nearly all laptops, smart phones, and tablets for the past 10 years. Following an international security standard, TPMs are used to secure encryption keys for hardware authentication and cryptographic keys, including signature keys and smart card certificates. Pushing the security down to the hardware level offers more protection than a software-only solution and is required by some core security services.