TID-214: Secrets Extracted from Device Root of Trust
Threat Description
Some devices have mutable or immutable secure Roots of Trust (ROTs) that may store keys or secrets. If the device has a ROT mechanism to validate the authenticity of its firmware/software, that ROT can be either a software or a hardware mechanism, such as a Trusted Platform Module (TPM), firmware TPM (fTPM), Secure Element, or similar security module. If a threat actor can access the authentication material held in the ROT, such as keys or other secrets, they can potentially use it to sign a malicious version of the firmware/software, which can then be installed on the device.
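The following is an added illustration, not part of the TID-214 entry and not code from any of the products cited below. It models a minimal firmware-image check of the kind a ROT performs, using an HMAC-SHA256 tag over a header (key ID, version) and payload, and walks through why key extraction defeats it: an image tampered without the key fails, but an image produced with the extracted key is indistinguishable from a genuine one. The only lever left to the defender is revocation of the compromised key ID (and an anti-rollback floor), which is why that state must live in immutable storage. All keys, payloads and the header layout are constructed for the demo; Python's standard library only.

```python
import hashlib
import hmac
import struct

# Constructed demo material. On a real device these keys would be held inside
# the ROT (TPM / fTPM / Secure Element) and never exposed to host memory.
DEVICE_KEYS = {
    1: bytes.fromhex("00" * 31 + "01"),  # key id 1 (constructed)
    2: bytes.fromhex("00" * 31 + "02"),  # key id 2 (constructed)
}

# Constructed image header: key_id (uint16) || version (uint32), big-endian.
HEADER = struct.Struct(">HI")
TAG_LEN = 32  # SHA-256 digest length


def build_image(key_id: int, version: int, payload: bytes, key: bytes) -> bytes:
    """Return header || payload || tag, tag = HMAC-SHA256(key, header || payload)."""
    header = HEADER.pack(key_id, version)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


def verify_image(image: bytes, keys: dict, min_version: int, revoked: set) -> tuple:
    """Verifier-side check: returns (accepted, reason).

    `revoked` and `min_version` stand in for state the ROT must keep in
    immutable or monotonic storage; if an attacker can rewrite them, the
    check below collapses to the tag comparison alone.
    """
    if len(image) < HEADER.size + TAG_LEN:
        return False, "truncated"
    header = image[:HEADER.size]
    body = image[HEADER.size:-TAG_LEN]
    tag = image[-TAG_LEN:]
    key_id, version = HEADER.unpack(header)
    if key_id in revoked:
        return False, "key revoked"
    key = keys.get(key_id)
    if key is None:
        return False, "unknown key"
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    # Constant-time comparison so the verifier itself does not leak the tag.
    if not hmac.compare_digest(expected, tag):
        return False, "bad tag"
    if version < min_version:
        return False, "rollback"
    return True, "ok"


def demo() -> dict:
    """Walk through the scenario from the threat description."""
    results = {}
    min_version, revoked = 3, set()

    # 1. Genuine image signed by the legitimate key holder.
    genuine = build_image(1, 5, b"genuine firmware v5", DEVICE_KEYS[1])
    results["genuine"] = verify_image(genuine, DEVICE_KEYS, min_version, revoked)

    # 2. Payload modified without the key: the tag no longer matches.
    off = HEADER.size
    tampered = genuine[:off] + b"X" + genuine[off + 1:]
    results["tampered"] = verify_image(tampered, DEVICE_KEYS, min_version, revoked)

    # 3. Old image replayed against a raised version floor.
    old = build_image(2, 1, b"genuine firmware v1", DEVICE_KEYS[2])
    results["rollback"] = verify_image(old, DEVICE_KEYS, min_version, revoked)

    # 4. The threat: an image produced with key 1 after that key was extracted
    #    from the ROT. The verifier cannot tell it apart from a genuine one.
    forged = build_image(1, 9, b"attacker-controlled image", DEVICE_KEYS[1])
    results["forged_with_extracted_key"] = verify_image(
        forged, DEVICE_KEYS, min_version, revoked)

    # 5. Mitigation: once the compromise is known, key id 1 is revoked in the
    #    ROT's immutable state and the same image is rejected.
    revoked = {1}
    results["forged_after_revocation"] = verify_image(
        forged, DEVICE_KEYS, min_version, revoked)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Step 4 is the whole point of the threat: the tag check proves only that the signer held the key, so once the key has left the ROT the check provides no assurance of authenticity. Step 5 only works if the revocation set and version floor cannot themselves be rewritten by the same attacker, which is the property CWE-1326 describes as an immutable root of trust.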
Threat Maturity and Evidence
Proof of Concept
Uprooting Trust: Learnings from an Unpatchable Hardware Root-of-Trust Vulnerability in Siemens S7-1500 PLCs
“Specifically, this assessment is conducted by uncovering novel vulnerabilities related to the discrete RoT implementation on the Siemens S7-1500 series Programmable Logic Controllers (PLCs). Our findings are cautionary evidence of how flawed assumptions related to RoT implementation may allow malicious actors to spoof authentication credentials, re-encrypt firmware, and ultimately gain covert, privileged control over these devices without invasive or destructive practices.”
100 Seconds of Solitude: Defeating Cisco Trust Anchor With FPGA Bitstream Shenanigans
“A vulnerability in the logic that handles access control to one of the hardware components in Cisco’s proprietary Secure Boot implementation could allow an authenticated, local attacker to write a modified firmware image to the component. This vulnerability affects multiple Cisco products that support hardware-based Secure Boot functionality.”
faulTPM: Exposing AMD fTPMs’ Deepest Secrets
“In this paper, we show that AMD’s fTPMs are vulnerable to physical attacks against their execution environment: the AMD-SP. Our attack utilizes the AMD-SP’s vulnerability to voltage fault injection attacks to extract a chip-unique secret from the targeted CPU. This secret is subsequently used to derive the storage and integrity keys protecting the fTPM’s non-volatile (NV) data stored on the Basic Input/Output System (BIOS) flash chip.”
CWE
CWE-1326: Missing Immutable Root of Trust in Hardware
“A missing immutable root of trust in the hardware results in the ability to bypass secure boot or execute untrusted or adversarial boot code.”
CVE
CVE-2022-38773
“Affected devices do not contain an Immutable Root of Trust in Hardware. With this the integrity of the code executed on the device can not be validated during load-time. An attacker with physical access to the device could use this to replace the boot image of the device and execute arbitrary code.”