
Security Highlight: A further look at faulTPM's deepest secrets

Author: Jasper van Woudenberg

Recently, Hans Niklas Jacob et al. published a paper titled "faulTPM: Exposing AMD fTPMs' Deepest Secrets". It demonstrates the impact of a previously published Voltage Fault Injection (FI) vulnerability in the AMD Secure Processor, the coprocessor that hosts the firmware-based TPM (fTPM) and therefore its secrets. The attack targets AMD Ryzen CPUs (Zen 2 and Zen 3); Zen 1 is likely vulnerable as well.

The Voltage FI attack leverages the Serial Voltage Identification Interface 2.0 (SVI2) bus, over which the AMD SoC instructs the board's voltage regulator to adjust supply voltages dynamically. Using spring-loaded pins, the researchers inject their own packets on SVI2. These packets trick the platform's power management into briefly lowering the supply voltage, so the device induces a fault on itself at a moment the attacker chooses. This fault bypasses the firmware signature verification performed by the Secure Processor's boot ROM, which in turn allows arbitrary code to be loaded.

Spring-loaded pins are also what Riscure uses for Voltage FI, in the form of the Riscure Glitch Needle. It enables rapid identification of vulnerable PCB traces and, when mounted on an XY table, remote-controlled access to the various power planes.

The researchers reverse-engineered the fTPM's nonvolatile storage and instrumented the original fTPM binary to understand how keys are derived and how the chip-unique secret is used: that secret is the root of the fTPM's cryptographic derivations. Their attack code, loaded through the glitch, extracts the secret and exfiltrates it via the SPI bus. With further reverse engineering, the extracted secret lets them derive all of the platform's TPM secrets offline. One demonstrated impact is the weakening of BitLocker full disk encryption when its volume key is protected by the fTPM.
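As an added illustration (not code from the paper, from AMD, or from Riscure), here is a toy Python model of an fTPM whose entire key hierarchy is rooted in one chip-unique secret, with its nonvolatile storage kept encrypted on external SPI flash. The KDF labels, the "storage seed" layout, the HMAC-based sealing and the lockout limit are assumptions chosen for illustration; AMD's real derivation differs. The point it shows is the one above: once the chip-unique secret has been dumped and the SPI flash has been read, everything sealed to the TPM alone can be unsealed offline, and a short PIN only adds an offline search because the firmware's dictionary-attack lockout no longer applies.

```python
"""Toy fTPM model: one chip-unique secret roots every key (illustration only)."""
import hashlib
import hmac
import itertools
import secrets


def kdf(key: bytes, label: bytes) -> bytes:
    """HMAC-SHA256 based derivation. Assumption: stands in for the real fTPM KDF."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for ctr in itertools.count():
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        if len(out) >= length:
            return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with an HMAC keystream: nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or corrupted blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class ToyFTPM:
    """Everything derives from chip_secret; NV state sits encrypted on external flash."""
    MAX_TRIES = 5  # dictionary-attack lockout enforced by the (unfaulted) firmware

    def __init__(self, chip_secret: bytes):
        self._chip_secret = chip_secret            # in theory never leaves the secure processor
        storage_seed = secrets.token_bytes(32)     # generated at first boot, stored in NV
        self._srk = kdf(storage_seed, b"srk")
        # Model of the SPI flash contents: NV storage encrypted under a chip-secret-derived key.
        self.nv_flash = encrypt(kdf(chip_secret, b"nv"), storage_seed)
        self._failed = 0

    def seal(self, secret: bytes, pin: str = "") -> bytes:
        return encrypt(kdf(self._srk, b"seal:" + pin.encode()), secret)

    def unseal(self, blob: bytes, pin: str = "") -> bytes:
        if self._failed >= self.MAX_TRIES:
            raise PermissionError("TPM in lockout")
        try:
            return decrypt(kdf(self._srk, b"seal:" + pin.encode()), blob)
        except ValueError:
            self._failed += 1
            raise


# --- Attacker side: chip secret dumped via the glitch, SPI flash read with a programmer ---

def recover_srk(chip_secret: bytes, nv_flash: bytes) -> bytes:
    """Decrypt the NV image and re-derive the storage root key outside the TPM."""
    storage_seed = decrypt(kdf(chip_secret, b"nv"), nv_flash)
    return kdf(storage_seed, b"srk")


def offline_unseal(srk: bytes, blob: bytes, pin: str = "") -> bytes:
    return decrypt(kdf(srk, b"seal:" + pin.encode()), blob)


def brute_force_pin(srk: bytes, blob: bytes, digits: int = 4):
    """No lockout applies offline, so a short PIN is just a small search space."""
    for pin in (f"{i:0{digits}d}" for i in range(10 ** digits)):
        try:
            return pin, offline_unseal(srk, blob, pin)
        except ValueError:
            continue
    return None


def demo() -> dict:
    chip_secret = secrets.token_bytes(32)
    tpm = ToyFTPM(chip_secret)
    vmk = secrets.token_bytes(32)                  # constructed stand-in for a BitLocker VMK
    tpm_only = tpm.seal(vmk)
    tpm_pin = tpm.seal(vmk, pin="4721")

    # Online guessing against the intact firmware hits the lockout after MAX_TRIES failures.
    locked = False
    for guess in ["0000", "0001", "0002", "0003", "0004", "0005"]:
        try:
            tpm.unseal(tpm_pin, pin=guess)
        except ValueError:
            continue
        except PermissionError:
            locked = True
            break

    # Offline, with the dumped chip secret and flash image, neither protector holds up.
    srk = recover_srk(chip_secret, tpm.nv_flash)
    pin, recovered = brute_force_pin(srk, tpm_pin)
    return {
        "tpm_only_recovered": offline_unseal(srk, tpm_only) == vmk,
        "online_locked_out": locked,
        "pin": pin,
        "pin_recovered": recovered == vmk,
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately keeps the chip-unique secret as the single root: a discrete TPM would hold the equivalent secret inside a hardened IC and never expose it to code running on the host's coprocessor, which is the architectural difference the rest of this post turns on.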

Traditional discrete TPMs (dTPMs) are built on secure ICs with dedicated protections against fault injection and side-channel attacks. fTPMs run on a general-purpose secure processor and may lack these protections. Intel has published on the introduction of FI countermeasures in its comparable TEE, and those countermeasures were tested by Riscure.

Since the FI vulnerability sits in boot ROM, it cannot be patched in the field, and mitigation is difficult. Various FI countermeasures are known, and the paper offers additional security recommendations for FDE and TPM implementations. More countermeasures can be found in the Riscure whitepaper "Secure Application Programming in the Presence of Side Channel Attacks".

Riscure recommends that all development teams update their threat models in light of the findings and recommendations of Hans Niklas Jacob et al. The paper's authors put the hardware cost at around $195, which places the attack within the scope and capabilities of most attackers who can obtain physical access to the device.

If you have questions or want to test the security of your development, reach out to us at inforequest@riscure.com.
