According to leaked documents acquired by the German newspaper Die Zeit from the German Federal Office for Information Security (BSI), the subsystem on Windows 8 that implements the latest version of the wretched Trusted Computing technology (Richard Stallman referred to this as treacherous computing), TPM 2.0, is a serious concern:
Due to the loss of full sovereignty over the information technology, the security objectives of 'confidentiality' and 'integrity' [under Windows 8] can no longer be guaranteed. ... This can have significant consequences on the IT security of the [German] Federal Administration. ... The use of 'Trusted Computing' technology in this form ... is unacceptable for the Federal Administration and for operators of critical infrastructure.
(The translation above is taken from a Business Insider article on the leak.)
TPM is a form of Digital Rights Management designed in favor of the interests of the major software and media companies and implicitly creates a backdoor that can be used to monitor and/or control a computer without the user's permission or knowledge. Die Zeit quoted Rüdiger Weis, a professor at the Beuth University of Applied Sciences in Berlin, as saying:
One must assume that the NSA could compromise the corresponding computer problems - just the way the Chinese [could for a] TPM chip ... manufactured in China.
It's interesting to note that Apple, which once did incorporate TPM in their systems, stopped doing so in 2006, and Linux has no "baked-in" support for TPM.
While it's easy to shrug off any suggestions of the possibility of NSA surveillance and Chinese spying as just more fallout from the Snowden case, there's really a much bigger issue here: To what extent do corporations know what is built in and enabled in their desktops and servers, and who has access? I'd bet that the full scope of risk from TPM is not just poorly understood by most corporations but, in reality, completely unknown.
Of course, I could be wrong, so tell me ... and pass this around to your co-workers and industry friends ... how much do they really know?
Note: Die Zeit updated their online article:
ZEIT ONLINE first published this article under a different heading. Microsoft has subsequently obtained a court injunction that could mean ZEIT ONLINE may not distribute the piece under its original title. In order to make it more accessible, ZEIT ONLINE's headline, teaser and first paragraph have been changed. ZEIT ONLINE is currently fighting the injunction in the courts, with the aim of being allowed to publish the article in its original version again.
TPM Hardware Background & Market Penetration
TPM functionality is implemented by a custom chip integrated with the computer system motherboard or, in one case, on an Ethernet chip from Broadcom. These chips are provided by quite a few manufacturers, including Atmel, Broadcom, Infineon, Sinosun, STMicroelectronics, Nuvoton (formerly Winbond), ITE, Toshiba, and Intel. Wikipedia notes that "[currently] TPM is used by nearly all PC and notebook manufacturers, primarily offered on professional product lines."
The list of computer vendor implementations is impressive and worrying. Again, from Wikipedia:
- Acer, Wipro, Asus, Dell, Inc., Gigabyte Technology, IBM, LG, Fujitsu, HP, Lenovo, MSI, Panasonic, Samsung, Sony, Eurocom Corporation, and Toshiba provide TPM integration on their devices.
- Infineon provides both TPM chips and TPM software, which is delivered as OEM versions with new computers, as well as separately by Infineon for products with TPM technology which complies with the TCG standards.
- Wave Systems offers a broad range of client and server software, which runs on all TPM chip-sets. For instance, this software is pre-installed on several models from Dell and Gateway.
- Microsoft's operating systems Windows Vista, Windows 7 and Windows 8 as well as Microsoft Windows Server starting from Windows Server 2008, use the chip in conjunction with the included disk encryption software named BitLocker. Microsoft has announced that from January 1, 2015 all computers will have to be equipped with a TPM 2.0 module in order to pass the Windows 8.1 hardware certification.
- In 2006, with the introduction of the first Macintosh models with Intel processors, Apple started to ship Macs with TPMs. Apple never provided an official driver, but there was a port under GPL available. Apple has not shipped a computer with TPM since 2006.
- In 2011, Taiwanese manufacturer MSI launched its Windpad 110W tablet featuring an AMD CPU and Infineon Security Platform TPM, which ships with controlling software version 3.7. The chip is disabled by default but can be enabled with the included, pre-installed software.
- Oracle ships TPMs in their recent X- and T-Series Systems such as the T3 or T4 series of servers. Support is included in Solaris 11.
- Google includes TPMs in Chromebooks as part of their security model.
- VMware's ESXi hypervisor has supported TPM since 4.x, and from 5.0 it is enabled by default.
- PrivateCore vCage uses TPM chips in conjunction with Intel Trusted Execution Technology (Intel TXT) to validate systems on bootup.
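One way to start answering the question of what is built in and enabled across a fleet, as an added example that is not part of the original article: the script below summarises per-host TPM records by chip maker, TPM family and enabled state, and lists hosts where the answer is unknown. It assumes records exported from the Windows `Win32_Tpm` WMI class (fields `ManufacturerId`, `SpecVersion`, `IsEnabled_InitialValue`); the host names and sample values are constructed, and the vendor table is a subset of the TCG vendor ID registry covering makers named above.

```python
import struct
from collections import Counter

# TCG vendor tags for chip makers named in the article (subset, not the full registry).
TCG_VENDORS = {"IFX": "Infineon", "NTC": "Nuvoton", "WEC": "Winbond",
               "STM": "STMicroelectronics", "ATML": "Atmel",
               "BRCM": "Broadcom", "INTC": "Intel", "SNS": "Sinosun"}

def decode_vendor(manufacturer_id):
    """ManufacturerId is four ASCII bytes packed big-endian into a 32-bit integer."""
    raw = struct.pack(">I", manufacturer_id)
    tag = raw.decode("ascii", "replace").strip("\x00 ")  # drop NUL/space padding
    return tag, TCG_VENDORS.get(tag, "unknown vendor")

def classify(record):
    """Return (host, vendor, family, state) for one exported record."""
    if record.get("ManufacturerId") is None:
        # An absent chip, a firmware-hidden chip and a failed query look identical here.
        return (record["host"], "unknown", "unknown", "no TPM data")
    _, vendor = decode_vendor(record["ManufacturerId"])
    # SpecVersion looks like "2.0, 0, 1.16"; the first field is the TPM family.
    family = (record.get("SpecVersion") or "").split(",")[0].strip() or "unknown"
    state = "enabled" if record.get("IsEnabled_InitialValue") else "disabled"
    return (record["host"], vendor, family, state)

def summarise(records):
    """Count hosts per (vendor, family, state) and list hosts needing manual review."""
    rows = [classify(r) for r in records]
    counts = Counter(row[1:] for row in rows)
    follow_up = sorted(host for host, vendor, family, state in rows
                       if vendor.startswith("unknown") or family == "unknown")
    return counts, follow_up

# Constructed sample export, not taken from any real environment.
SAMPLE = [
    {"host": "ws-001", "ManufacturerId": 1229346816, "SpecVersion": "1.2, 2, 3",
     "IsEnabled_InitialValue": True},
    {"host": "ws-002", "ManufacturerId": 1229870147, "SpecVersion": "2.0, 0, 1.16",
     "IsEnabled_InitialValue": True},
    {"host": "srv-01", "ManufacturerId": 1314145024, "SpecVersion": "2.0, 0, 1.38",
     "IsEnabled_InitialValue": False},
    {"host": "kiosk-03", "ManufacturerId": 0x58595A00, "SpecVersion": "2.0, 0, 1.16",
     "IsEnabled_InitialValue": True},  # tag "XYZ" is a made-up, unregistered vendor
    {"host": "lt-07", "ManufacturerId": None, "SpecVersion": None,
     "IsEnabled_InitialValue": None},
]

if __name__ == "__main__":
    counts, follow_up = summarise(SAMPLE)
    for (vendor, family, state), n in sorted(counts.items()):
        print(f"{n:3d}  {vendor:20s} TPM {family:8s} {state}")
    print("needs follow-up:", ", ".join(follow_up))
```

Hosts in the follow-up list are the ones where the organisation cannot currently say which chip is present or whether it is active.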