Supergeek pulls off 'near impossible' crypto chip hack

Deep inside millions of computers is a digital Fort Knox, a special chip with the locks to highly guarded secrets, including classified government reports and confidential business plans. Now a former US Army computer-security specialist has devised a way to break those locks.

The attack can force heavily secured computers to spill documents that likely were presumed to be safe. This discovery shows one way that spies and other richly financed attackers can acquire military and trade secrets, and comes as worries about state-sponsored computer espionage intensify, underscored by recent hacking attacks on Google.



The new attack discovered by Christopher Tarnovsky is difficult to pull off, partly because it requires physical access to a computer.



But laptops and smart phones get lost and stolen all the time. And the data that the most dangerous computer criminals would seek likely would be worth the expense of an elaborate espionage operation.



Jeff Moss, founder of the Black Hat security conference and a member of the US Department of Homeland Security's advisory council, called Tarnovsky's finding "amazing."

"It's sort of doing the impossible," Moss said. "This is a lock on Pandora's box. And now that he's pried open the lock, it's like, ooh, where does it lead you?"



Tarnovsky figured out a way to break chips that carry a "Trusted Platform Module," or TPM, designation by essentially spying on them like a phone conversation.



Such chips are billed as the industry's most secure and are estimated to be in as many as 100 million personal computers and servers, according to market research firm IDC.



When activated, the chips provide an additional layer of security by encrypting, or scrambling, data to prevent outsiders from viewing information on the machines. An extra password or identification such as a fingerprint is needed when the machine is turned on.



Many computers sold to businesses and consumers have such chips, though users might not turn them on. Users are typically given the choice to turn on a TPM chip when they first use a computer with it.



If they ignore the offer, it's easy to forget the feature exists. However, computers needing the most security typically have TPM chips activated.



"You've trusted this chip to hold your secrets, but your secrets aren't that safe," said Tarnovsky, 38, who runs the Flylogic security consultancy in Vista, California, and demonstrated his hack last week at the Black Hat security conference in Arlington, Virginia.



The chip Tarnovsky hacked is a flagship model from Infineon Technologies AG, the top maker of TPM chips. And Tarnovsky says the technique would work on the entire family of Infineon chips based on the same design. That includes non-TPM chips used in satellite TV equipment, Microsoft's Xbox 360 game console and smart phones.



That means his attack could be used to pirate satellite TV signals or make Xbox peripherals, such as handheld controllers, without paying Microsoft a licensing fee, Tarnovsky said. Microsoft confirmed its Xbox 360 uses Infineon chips, but would only say that "unauthorised accessories that circumvent security protocols are not certified to meet our safety and compliance standards."



The technique can also be used to tap text messages and email belonging to the user of a lost or stolen phone. Tarnovsky said he can't be sure, however, whether his attack would work on TPM chips made by companies other than Infineon.



Infineon said it knew this type of attack was possible when it was testing its chips. But the company said independent tests determined that the hack would require such a high skill level that there was a limited chance of it affecting many users.



"The risk is manageable, and you are just attacking one computer," said Joerg Borchert, vice president of Infineon's chip card and security division. "Yes, this can be very valuable. It depends on the information that is stored. But that's not our task to manage. This gives a certain strength, and it's better than an unprotected computer without encryption."



The Trusted Computing Group, which sets standards on TPM chips, called the attack "exceedingly difficult to replicate in a real-world environment." It added that the group has "never claimed that a physical attack - given enough time, specialised equipment, know-how and money - was impossible. No form of security can ever be held to that standard."



It stood by TPM chips as the most cost-effective way to secure a PC.



It's possible for computer users to scramble data in other ways, beyond what the TPM chip does. Tarnovsky's attack would do nothing to unlock those methods. But many computer owners don't bother, figuring the TPM security already protects them.



Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.



Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.



The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory.



Those instructions hold the secrets to the computer's encryption, and he didn't find them encrypted because he was physically inside the chip.



Even once he had done all that, he said he still had to crack the "huge problem" of figuring out how to avoid traps programmed into the chip's software as an extra layer of defence.



"This chip is mean, man - it's like a ticking time bomb if you don't do something right," Tarnovsky said.



Joe Grand, a hardware hacker and president of product- and security-research firm Grand Idea Studio, saw Tarnovsky's presentation and said it represented a huge advancement that chip companies should take seriously, because it shows that presumptions about security ought to be reconsidered.



"His work is the next generation of hardware hacking," Grand said.

Voices
On the last day of campaigning before the polling booths open, the SNP leader has written to voters in a final attempt to convince them to vote for independence
voicesIs a huge gamble on oil keeping the First Minister up at night?
Sport
A 'Sir Alex Feguson' tattoo
football

Arts and Entertainment
Liam Neeson said he wouldn't
tv

Liam Neeson's Downton dreams

Voices
voicesApple continually kill off smaller app developers, and that's no good for anyone
PROMOTED VIDEO
Life and Style
ebooksA superb mix of recipes serving up the freshest of local produce in a delicious range of styles
Life and Style
ebooksFrom the lifespan of a slug to the distance to the Sun: answers to 500 questions from readers
Arts and Entertainment
Ben Whishaw is replacing Colin Firth as the voice of Paddington Bear
tv

Thriller is set in the secret world of British espionage

Life and Style
life

News
ScienceGallery: Otherwise known as 'the best damn photos of space you'll see till 2015'
Travel
travelWhy Japan's love hotels are thriving through an economic downturn
Life and Style
fashion

Bomber jacket worn by Mary Berry sells out within an hour

Life and Style
Alexander McQueen A/W 2014
fashionPolitics aside, tartan is on-trend again this season
Arts and Entertainment
Rapper Jay Z performs on the Pyramid Stage at Glastonbury in 2008
musicSinger sued over use of the single-syllable sample in 'Run This Town'
Sport
Joel jumps over the board...and into a giant hole
footballFrom joy to despair in a matter of seconds
News
i100
Arts and Entertainment
Pointless host Alexander Armstrong will voice Danger Mouse on CBBC
tv

Much-loved cartoon character returns - without Sir David Jason

Arts and Entertainment
Meera Syal was a member of the team that created Goodness Gracious Me
tv

Actress to appear in second series of the hugely popular crime drama

Latest stories from i100
Have you tried new the Independent Digital Edition apps?
Independent Dating
and  

By clicking 'Search' you
are agreeing to our
Terms of Use.

ES Rentals

    iJobs Job Widget
    iJobs Gadgets & Tech

    Technical Product Marketing Specialist - London - £70,000

    £50000 - £70000 per annum: Ashdown Group: Cloud Product and Solutions Marketin...

    Trainee Helpdesk Analyst / 1st Line Application Support Analyst

    £18000 per annum: Ashdown Group: An established and growing IT Consultancy fir...

    Data Analyst / Marketing Database Analyst

    £24000 per annum: Ashdown Group: An established and growing IT Consultancy fir...

    Business Analyst – 2 year fixed term contract – Kent – Circa £55k

    £45000 - £55000 Per Annum 31 days holiday, pension, healthcare, annual bonus: ...

    Day In a Page

    Mystery of the Ground Zero wedding photo

    A shot in the dark

    Mystery of the wedding photo from Ground Zero
    His life, the universe and everything

    His life, the universe and everything

    New biography sheds light on comic genius of Douglas Adams
    Save us from small screen superheroes

    Save us from small screen superheroes

    Shows like Agents of S.H.I.E.L.D are little more than marketing tools
    Reach for the skies

    Reach for the skies

    From pools to football pitches, rooftop living is looking up
    These are the 12 best hotel spas in the UK

    12 best hotel spas in the UK

    Some hotels go all out on facilities; others stand out for the sheer quality of treatments
    These Iranian-controlled Shia militias used to specialise in killing American soldiers. Now they are fighting Isis, backed up by US airstrikes

    Widespread fear of Isis is producing strange bedfellows

    Iranian-controlled Shia militias that used to kill American soldiers are now fighting Isis, helped by US airstrikes
    Topshop goes part Athena poster, part last spring Prada

    Topshop goes part Athena poster, part last spring Prada

    Shoppers don't come to Topshop for the unique
    How to make a Lego masterpiece

    How to make a Lego masterpiece

    Toy breaks out of the nursery and heads for the gallery
    Meet the ‘Endies’ – city dwellers who are too poor to have fun

    Meet the ‘Endies’ – city dwellers who are too poor to have fun

    Urbanites are cursed with an acronym pointing to Employed but No Disposable Income or Savings
    Paisley’s decision to make peace with IRA enemies might remind the Arabs of Sadat

    Ian Paisley’s decision to make peace with his IRA enemies

    His Save Ulster from Sodomy campaign would surely have been supported by many a Sunni imam
    'She was a singer, a superstar, an addict, but to me, her mother, she is simply Amy'

    'She was a singer, a superstar, an addict, but to me, her mother, she is simply Amy'

    Exclusive extract from Janis Winehouse's poignant new memoir
    Is this the role to win Cumberbatch an Oscar?

    Is this the role to win Cumberbatch an Oscar?

    The Imitation Game, film review
    England and Roy Hodgson take a joint step towards redemption in Basel

    England and Hodgson take a joint step towards redemption

    Welbeck double puts England on the road to Euro 2016
    Relatives fight over Vivian Maier’s rare photos

    Relatives fight over Vivian Maier’s rare photos

    Pictures removed from public view as courts decide ownership
    ‘Fashion has to be fun. It’s a big business, not a cure for cancer’

    ‘Fashion has to be fun. It’s a big business, not a cure for cancer’

    Donatella Versace at New York Fashion Week