Let’s say you’re a large company that just sent an employee a brand new replacement laptop. And let’s say it’s preconfigured to use the latest, best security practices, including full disk encryption using a trusted platform module, password-protected BIOS settings, UEFI SecureBoot, and virtually every other recommendation from the National Security Agency and NIST for locking down federal computer systems. Switch off. And let’s say an attacker manages to intercept the machine. Can the attacker use it to hack into your network?
Research published last week shows the answer is a resounding “yes”. Not only that, but a hacker who has done her homework would need a surprisingly short amount of time alone with the machine to launch the attack. With that, the hacker can gain the ability to write not only to the stolen laptop, but also to the fortified network it is configured to connect to.
Researchers from security consultancy Dolos Group, hired to test the security of a customer’s network, received a new Lenovo computer preconfigured to use the organization’s default security stack. They have not received any test references, configuration data, or other information about the machine. An analysis of BIOS settings, boot operations, and hardware soon revealed that the security measures in place would preclude common hacks, including:
Fort Knox and the not so armored car
With little else to do, the researchers focused on the Trusted Platform Module, or TPM, a heavily reinforced chip installed on the motherboard that communicates directly with other hardware installed on the machine. The researchers noted that, like the standard for disk encryption with Microsoft’s BitLocker, the laptop boots directly to the Windows screen, without being prompted to enter a PIN or password. That meant the TPM was the only cryptographic secret to unlocking the drive.
Microsoft recommends overriding the standard and using only a PIN or password for threat models that anticipate an attacker with sufficient skill and time alone with an unattended target machine to open the case and solder motherboard devices. After completing their analysis, the researchers said Microsoft’s advice is inadequate as it opens up devices to attacks that could be carried out by abusive spouses, malicious insiders or other people who have volatile private access.
“A pre-equipped attacker can execute this entire attack chain in less than 30 minutes without soldering, simple and relatively inexpensive hardware and publicly available tools,” the Dolos Group researchers wrote in a post, “a process that squares the Evil-Maid -territory.”
TPMs have multiple layers of defense that prevent attackers from extracting or tampering with the data they store. For example, an analysis conducted over 10 years ago by reverse engineer Christopher revealed that a TPM chip made by Infineon was designed to self-destruct if physically penetrated. For example, optical sensors detected ambient light from light sources. And a mesh covering the microcontroller was meant to shut down the chip if one of its electrical circuits were to be disrupted.
With little hope of cracking the chip in the Lenovo laptop, the Dolos researchers looked for other ways to extract the key that decrypted the hard drive. They noticed that the TPM communicated with the CPU through a serial peripheral interface, a communication protocol for embedded systems.
Abbreviated as SPI, the firmware does not provide encryption capabilities of its own, so any encryption must be handled by the devices the TPM communicates with. Microsoft’s BitLocker, meanwhile, does not use any of the encrypted communication features of the latest TPM standard. If the researchers could tap into the connection between the TPM and the CPU, they might be able to extract the key.
Bypassing the TPM this way is akin to ignoring Fort Knox and focusing on the not so armored car coming out.
In order to be able to smell the data moving over the SPI bus, we need to attach cables or probes to the pins (marked above as MOSI, MISO, CS and CLK) on the TPM. Normally that is simple, but in this case there is a practical problem. This TPM has a VQFN32 footprint, which is very small. The “pins” are actually only 0.25mm wide and spaced 0.5mm apart. And those “pins” aren’t actually pins, they’re flat against the wall of the chip, so it’s physically impossible to attach any kind of clip. You could solder “fly wires” to the solder pads, but that’s a hassle and is usually a very unstable connection physically. Alternatively, a common tactic is to look for in-series resistors to solder to, but they were just as small and even more fragile. This wasn’t going to be easy.
But before we started, we thought there might be another way. Often SPI chips share the same “bus” with other SPI chips. It’s a technique hardware designers use to make connections easier, cut costs, and make troubleshooting/programming easier. We started looking all over the board for another chip that could be on the same bus as the TPM. Perhaps their pins would be bigger and easier to use. After some research and checking the schematics, it turned out that the TPM shared an SPI bus with a single other chip, the CMOS chip, which certainly had larger pins. In fact, the CMOS chip had just about the largest pin size you’ll find on standard motherboards, it was an SOP-8 (aka SOIC-8).
Short for Complementary Metal Oxide Semiconductor, a CMOS chip on a PC stores the BIOS settings, including the system time and date and hardware settings. The researchers connected a Saleae logic analyzer to the CMOS. In a short time, they were able to extract every byte that passed through the chip. The researchers then used the bitlocker spi toolkit written by Henri Numi to isolate the key in the mass of data.
With the hard drive decrypted, the researchers combed through the data looking for anything — encrypted or readable passwords, perhaps exposed sensitive files, or the like — that could get them closer to their goal of accessing the customer’s network. They soon stumbled upon something: Palo Alto Networks’ Global Protect VPN client that came pre-installed and configured.
A feature of the VPN is that it can establish a VPN connection before a user logs in. The capability is designed to authenticate an endpoint and run domain scripts as soon as the machine is powered on. This is useful because it allows administrators to manage large fleets of machines without knowing the password for each machine.