With no simple way to patch affected systems, the security vulnerability in Trusted Platform Module (TPM) chipsets made by the firm Infineon may be with us for years to come, security experts warn.
At the same time as the world is sorting out the implications of a security flaw in the widely used Wi-Fi Protected Access (WPA-2) wireless technology, security experts warn that a flaw in the way encryption keys are generated on widely-used security chips could leave countless devices vulnerable to hacking.
A security vulnerability in Trusted Platform Module (TPM) chipsets made by the firm Infineon weakens the strength of cryptographic keys generated by those chips. The flaw, in firmware run by the TPMs, stretches across operating systems and applications and may affect hundreds of millions of devices on the Internet, experts warned.
Brute Force Attacks
The U.S. Department of Homeland Security on Monday issued a warning about the Infineon flaw, saying that attackers may be able to “recover the RSA private key corresponding to an RSA public key generated by this library.” Recovering a private key would allow the attacker to decrypt any information secured with the RSA key pair, breaking confidentiality. According to DHS, the Infineon RSA library version 1.02.013 does not properly generate RSA key pairs enabling so-called “brute force” attacks that essentially do rapid-fire guessing of key values. Such attacks are practical for key lengths less than 2048 bits, with the attacker only needing access to the victim’s RSA public key generated by the vulnerable library in order to calculate the private key.
Infineon has released updated firmware fixing the problem. Also, HP, HPE, Fujitsu, Lenovo and Toshiba have all released updates.
Microsoft has issued patches for most of its supported operating systems, but notes that those are simply work-arounds to the flaws, not fixes for it. Windows client systems are at increased risk due to the prevalence of TPM on client hardware systems, but Windows Server Operating Systems with TPM modules are also vulnerable, the company said.
Trusted Platform Module (TPM) chips are used on a wide range of electronic devices, from general purpose desktops and laptops to embedded systems. They provide a layer of security below the operating system that makes it more difficult for hackers to compromise sensitive information stored on a TPM-protected device.
Security experts said that the sheer number and diversity of devices affected by the flaw may mean that the Infineon key generation problem persists for years. That is because vendors and their customers do not typically track and manage chip and firmware versions across their deployed, IT infrastructure.
“We currently do not have methods to effectively track such chip usage within the supply chain,” said Deral Heiland, a lead researcher at the firm Rapid 7. “Builders of embedded products often use a number of sub-components manufactured by other companies, which may use any number of various chips sets, including chip sets which may contain this vulnerable code library.”
Even when the chipset and firmware version are known to customers, the methods for patching them are complex and risk-filled. Microsoft, for example, warned customers that any data protected by a TPM key would be lost if the TPM key is reset and that all services that use TPM keys may be unusable after the reset. Customers are advised to “contact third-party service vendors” for instructions on the proper way to reset the TPM keys.
Heiland of Rapid7 said, in an email message, that the issue takes on added importance with the Internet of Things, as more software-driven hardware devices populate our homes and workplaces. “With this RSA key generation vulnerability now looking over us, we should be using it as an opportunity to point the industry in the direction toward answering the right questions. How do we manage and track chip component supply chain? How do we track open source library usage within embedded technology? How do we build effective and secure over the air patching solutions?”