Black Hat paper on breaking Trusted Platform Module withdrawn

Abstract promised to show weakness of TPM chip protection

This is the abstract for a paper that was scheduled to be presented at Blackhat USA 2007 security conference next month. It was removed without explanation from the conference Web site this week, but promised to circumvent security afforded by trusted platform module chips:

This is the abstract for a paper that was scheduled to be presented at Black Hat USA 2007 security conference next month. It was removed without explanation from the conference Web site this week, and promised to circumvent security afforded by Trusted Platform Module chips:

"TPMkit: Breaking the Legend of Trusted Computing (TC [TPM]) and Vista (BitLocker)"

By Nitin Kumar and Vipin Kumar

"Trusted computing" means that the computer will consistently behave in specific ways, and those behaviors will be enforced by hardware and software. Trusted computing is often seen as a possible enabler for future versions of document protection (mandatory access control) and copy protection (Digital Rights Management)—which are of value to corporate and other users in many markets and which to critics, raises concerns about undue censorship. It's also being used by software vendors. (Source)

Trusted Computing includes the use of Trusted Platform Module (security processor (hardware chip) which can be used to enforce protections (such as BitLocker in Microsoft's Windows Vista).TCG has proposed a specification for Remote Attestation that allows a host to remotely prove its hardware and software while protecting its privacy. Trusted reporting is the key component for attestation of a host’s configuration and is accomplished by exposing trusted measurements. Remote Attestation is also used to Trusted Network Connect. The TNC architecture enables network operators to enforce policies regarding endpoint integrity at or after network connection.

TCPA/TPM DRM is a technical term for a Trustworthy Computing solution that limits what fair use consumers can use with the media they own. More info.

Nearly 150 Million TPM devices have already been shipped and this number is increasing day-by-day. (Source)

The TPM becomes the first step in the boot sequence, serving as a secure foundation for the BIOS, the boot loader, the kernel, and the rest of the operating system. Since the TPM performs this check every time the PC boots, it provides a regular check for rootkit infections. This means it will be easily apparent when a PC has been tampered with. (Source)

The attack procedure (TPMkit) involves an attack on the TPM chip. TPMkit lets you overcome technologies such as Vista's BitLocker. TPMkit also bypasses remote attestation and thus, will allow to connect over Trusted Network Connect(TNC) (although the system might not be in Trusted state).

TPMkit bypasses the security checks mentioned (in the above paragraphs) and thus, you will never know that you are using a compromised or changed system.

We will be demonstrating how to break TPM. The demonstration would include a few live demonstrations. For example, one demonstration will show how to login and access data on a Windows Vista System (which has TPM + BitLocker enabled).

More information on TPMkit (as it evolves) will be released.

< Return to main story: Integrity of hardware-based computer security is challenged >

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2007 IDG Communications, Inc.

Take IDG’s 2020 IT Salary Survey: You’ll provide important data and have a chance to win $500.