Supergeek pulls off 'near impossible' crypto chip hack

Deep inside millions of computers is a digital Fort Knox, a special chip with the locks to highly guarded secrets, including classified government reports and confidential business plans. Now a former US Army computer-security specialist has devised a way to break those locks.

The attack can force heavily secured computers to spill documents that likely were presumed to be safe. This discovery shows one way that spies and other richly financed attackers can acquire military and trade secrets, and comes as worries about state-sponsored computer espionage intensify, underscored by recent hacking attacks on Google.



The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer.



But laptops and smart phones get lost and stolen all the time. And the data that the most dangerous computer criminals would seek likely would be worth the expense of an elaborate espionage operation.



Jeff Moss, founder of the Black Hat security conference and a member of the US Department of Homeland Security's advisory council, called Tarnovsky's finding "amazing."

"It's sort of doing the impossible," Moss said. "This is a lock on Pandora's box. And now that he's pried open the lock, it's like, ooh, where does it lead you?"



Tarnovsky figured out a way to break chips that carry a "Trusted Platform Module," or TPM, designation by essentially spying on them like a phone conversation.



Such chips are billed as the industry's most secure and are estimated to be in as many as 100 million personal computers and servers, according to market research firm IDC.



When activated, the chips provide an additional layer of security by encrypting, or scrambling, data to prevent outsiders from viewing information on the machines. An extra password or identification such as a fingerprint is needed when the machine is turned on.



Many computers sold to businesses and consumers have such chips, though users might not turn them on. Users are typically given the choice to turn on a TPM chip when they first use a computer with it.



If they ignore the offer, it's easy to forget the feature exists. However, computers needing the most security typically have TPM chips activated.



"You've trusted this chip to hold your secrets, but your secrets aren't that safe," said Tarnovsky, 38, who runs the Flylogic security consultancy in Vista, California, and demonstrated his hack last week at the Black Hat security conference in Arlington, Virginia.



The chip Tarnovsky hacked is a flagship model from Infineon Technologies AG, the top maker of TPM chips. And Tarnovsky says the technique would work on the entire family of Infineon chips based on the same design. That includes non-TPM chips used in satellite TV equipment, Microsoft's Xbox 360 game console and smart phones.



That means his attack could be used to pirate satellite TV signals or make Xbox peripherals, such as handheld controllers, without paying Microsoft a licensing fee, Tarnovsky said. Microsoft confirmed its Xbox 360 uses Infineon chips, but would only say that "unauthorised accessories that circumvent security protocols are not certified to meet our safety and compliance standards."



The technique can also be used to tap text messages and email belonging to the user of a lost or stolen phone. Tarnovsky said he can't be sure, however, whether his attack would work on TPM chips made by companies other than Infineon.



Infineon said it knew this type of attack was possible when it was testing its chips. But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users.



"The risk is manageable, and you are just attacking one computer," said Joerg Borchert, vice president of Infineon's chip card and security division. "Yes, this can be very valuable. It depends on the information that is stored. But that's not our task to manage. This gives a certain strength, and it's better than an unprotected computer without encryption."



The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment." It added that the group has "never claimed that a physical attack - given enough time, specialised equipment, know-how and money - was impossible. No form of security can ever be held to that standard."



It stood by TPM chips as the most cost-effective way to secure a PC.



It's possible for computer users to scramble data in other ways, beyond what the TPM chip does. Tarnovsky's attack would do nothing to unlock those methods. But many computer owners don't bother, figuring the TPM security already protects them.



Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.



Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.



The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory.



Those instructions hold the secrets to the computer's encryption, and he didn't find them encrypted because he was physically inside the chip.



Even once he had done all that, he said he still had to crack the "huge problem" of figuring out how to avoid traps programmed into the chip's software as an extra layer of defence.



"This chip is mean, man - it's like a ticking time bomb if you don't do something right," Tarnovsky said.



Joe Grand, a hardware hacker and president of product- and security-research firm Grand Idea Studio, saw Tarnovsky's presentation and said it represented a huge advancement that chip companies should take seriously, because it shows that presumptions about security ought to be reconsidered.



"His work is the next generation of hardware hacking," Grand said.

PROMOTED VIDEO
Life and Style
ebooksA superb mix of recipes serving up the freshest of local produce in a delicious range of styles
Life and Style
ebooksFrom the lifespan of a slug to the distance to the Sun: answers to 500 questions from readers
News
Angelina Jolie with her father Jon Voight
people
News
Bill Kerr has died aged 92
people
Sport
footballPremiership preview: All the talking points ahead of this weekend's matches
Arts and Entertainment
Warner Bros released a mock-up of what the new Central Perk will look like
tv'Friends' cafe will be complete with Gunther and orange couch
News
Keira Knightley poses topless for a special September The Photographer's issue of Interview Magazine, out now
people
Voices
The Ukip leader has consistently refused to be drawn on where he would mount an attempt to secure a parliamentary seat
voicesNigel Farage: Those who predicted we would lose momentum heading into the 2015 election are going to have to think again
Arts and Entertainment
Cara Delevingne made her acting debut in Anna Karenina in 2012
film Cara Delevingne 'in talks' to star in Zoolander sequel
News
i100
Sport
Mario Balotelli pictured in his Liverpool shirt for the first time
football
Life and Style
tech
Independent
Travel Shop
the manor
Up to 70% off luxury travel
on city breaks Find out more
santorini
Up to 70% off luxury travel
on chic beach resorts Find out more
sardina foodie
Up to 70% off luxury travel
on country retreats Find out more
Latest stories from i100
Have you tried new the Independent Digital Edition apps?
Independent Dating
and  

By clicking 'Search' you
are agreeing to our
Terms of Use.

ES Rentals

    iJobs Job Widget
    iJobs Gadgets & Tech

    Java Developer - 1 year contract

    £350 - £400 Per Day: Clearwater People Solutions Ltd: Our client based in Cent...

    Junior Analyst - Graduate - 6 Month fixed term contract

    £17000 - £20000 Per Annum Bonus, Life Insurance + Other Benefits: Clearwater P...

    IT Support - Hampshire - £24,000

    £19000 - £24000 per annum + benefits: Ashdown Group: The Ashdown Group have be...

    Research and Insight Analyst (Mathematics Graduate)

    £25000 - £35000 Per Annum: Clearwater People Solutions Ltd: Our client are cur...

    Day In a Page

    Ukraine crisis: The phoney war is over as Russian troops and armour pour across the border

    The phoney war is over

    Russian troops and armour pour into Ukraine
    Potatoes could be off the menu as crop pests threaten UK

    Potatoes could be off the menu as crop pests threaten UK

    The world’s entire food system is under attack - and Britain is most at risk, according to a new study
    Gangnam smile: why the Chinese are flocking to South Korea to buy a new face

    Gangnam smile: why the Chinese are flocking to South Korea to buy a new face

    Seoul's plastic surgery industry is booming thanks to the popularity of the K-Pop look
    From Mozart to Orson Welles: Creative geniuses who peaked too soon

    Creative geniuses who peaked too soon

    After the death of Sandy Wilson, 90, who wrote his only hit musical in his twenties, John Walsh wonders what it's like to peak too soon and go on to live a life more ordinary
    Caught in the crossfire of a cyber Cold War

    Caught in the crossfire of a cyber Cold War

    Fears are mounting that Vladimir Putin has instructed hackers to target banks like JP Morgan
    Salomé's feminine wiles have inspired writers, painters and musicians for 2,000 years

    Salomé: A head for seduction

    Salomé's feminine wiles have inspired writers, painters and musicians for 2,000 years. Now audiences can meet the Biblical femme fatale in two new stage and screen projects
    From Bram Stoker to Stanley Kubrick, the British Library's latest exhibition celebrates all things Gothic

    British Library celebrates all things Gothic

    Forthcoming exhibition Terror and Wonder: The Gothic Imagination will be the UK's largest ever celebration of Gothic literature
    The Hard Rock Café's owners are embroiled in a bitter legal dispute - but is the restaurant chain worth fighting for?

    Is the Hard Rock Café worth fighting for?

    The restaurant chain's owners are currently embroiled in a bitter legal dispute
    Caribbean cuisine is becoming increasingly popular in the UK ... and there's more to it than jerk chicken at carnival

    In search of Caribbean soul food

    Caribbean cuisine is becoming increasingly popular in the UK ... and there's more to it than jerk chicken at carnival
    11 best face powders

    11 best face powders

    Sweep away shiny skin with our pick of the best pressed and loose powder bases
    England vs Norway: Roy Hodgson's hands tied by exploding top flight

    Roy Hodgson's hands tied by exploding top flight

    Lack of Englishmen at leading Premier League clubs leaves manager hamstrung
    Angel Di Maria and Cristiano Ronaldo: A tale of two Manchester United No 7s

    Di Maria and Ronaldo: A tale of two Manchester United No 7s

    They both inherited the iconic shirt at Old Trafford, but the £59.7m new boy is joining a club in a very different state
    Israel-Gaza conflict: No victory for Israel despite weeks of death and devastation

    Robert Fisk: No victory for Israel despite weeks of devastation

    Palestinians have won: they are still in Gaza, and Hamas is still there
    Mary Beard writes character reference for Twitter troll who called her a 'slut'

    Unlikely friends: Mary Beard and the troll who called her a ‘filthy old slut’

    The Cambridge University classicist even wrote the student a character reference
    America’s new apartheid: Prosperous white districts are choosing to break away from black cities and go it alone

    America’s new apartheid

    Prosperous white districts are choosing to break away from black cities and go it alone