In the past week or so there have been two stories about researchers successfully hacking what are supposed to be very secure systems. The first concerned the AP's report that Christopher Tarnovsky, a former U.S. Army computer-security specialist who now runs the Flylogic security company, was able to crack open (literally) a Trusted Platform Module, or TPM, and obtain its cryptographic keys. This hadn't been done before, or at least not admitted to publicly.
The TPM, says the Trusted Computing Group (which developed the specification for the module), is a computer chip (a microcontroller) that can securely store artifacts (e.g., passwords, certificates, or encryption keys) used to authenticate a computing platform (your PC, laptop, cell phone, network equipment, etc.). Because it is a hardware encryption device, it is generally less vulnerable to software-based attacks.
The TCG says on its website that,
"These [TPM] capabilities can improve security in many areas of computing, including e-commerce, citizen-to-government applications, online banking, confidential government communications and many other fields where greater security is required. Hardware-based security can improve protection for VPN, wireless networks, file encryption (as in Microsoft's BitLocker) and password/PIN/credentials' management. TPM specification is OS-agnostic, and software stacks exist for several Operating Systems."
You can read more about a TPM here.
TPMs are everywhere: some 100 million were sold in personal computers and servers in 2007 alone, says the TCG. So a successful hack of a TPM would seemingly put a lot of devices at risk - at least theoretically.
Except that Tarnovsky required six months of effort to crack an Infineon Technologies TPM (Infineon is a leading manufacturer of TPMs). The AP story says that he had to soak the TPM in acid to remove the chip's outer shell, use rust remover to take off layers of mesh wiring to find the core, and then tap into the chip's communications using a fine probe. He then had to figure out what the software was doing in order to extract the cryptographic keys (a more detailed description of what he did can be found here).
According to Tarnovsky, it required about $200,000 in lab equipment alone to do what he did, which few hackers have access to. So many observers say what Tarnovsky accomplished was not practical for the "average hacker," at least today.
It may be more so for government security agencies, however, which, I would venture to guess, have already done what Tarnovsky has done or will soon be doing so. My guess is also that the TCG and Infineon will think about this hack and how to make it much harder to accomplish in the future.
As this TPM hacking story came out, so did another successful hacking story from the UK, this one involving the "chip and PIN" technology used in credit, debit and bank cards there. The London Telegraph reported that researchers at Cambridge University had found a way to trick a bank into approving a credit card transaction without a valid PIN. This is not supposed to be possible.
The approach is a bit clumsy - a person needs to carry a separate card reader hidden in a backpack - but it looks more feasible than trying to crack open a TPM chip, and less costly too. The Cambridge researchers claim to have made several fraudulent transactions without the banks being any wiser.
The banks dismissed the researchers' claims as being impractical, the Telegraph says, and argue that the approach doesn't pose any real threat. They also say that there are simpler ways to commit fraud, so why would criminals use it?
The latter may be true, but even so it doesn't seem to be a very strong argument to make to credit, debit or bank card users in the UK, who are generally held responsible for fraudulent activity on their cards (since users must verify a transaction using their PIN). Some 13-14% of UK card owners already believe that their credit/debit card or bank accounts have unauthorized activity on them.
So do these two reported exploits really matter in the grand IT security scheme of things? Maybe not much in the TPM case, but probably more so in the chip and PIN one. What both point out, however, is that whatever the level of security present, people are going to try to find innovative ways to defeat it.
Robert N. Charette is a Contributing Editor to IEEE Spectrum and an acknowledged international authority on information technology and systems risk management. A self-described “risk ecologist,” he is interested in the intersections of business, political, technological, and societal risks. Charette is an award-winning author of multiple books and numerous articles on the subjects of risk management, project and program management, innovation, and entrepreneurship. A Life Senior Member of the IEEE, Charette was a recipient of the IEEE Computer Society’s Golden Core Award in 2008.