A flawed Infineon Technology chipset used on PC motherboards to securely store passwords, certificates and encryption keys risks undermining the security of government and corporate computers protected by RSA encryption keys. In a nutshell, the bug makes it possible for an attacker to calculate a private key just by having a target's public key.
Security experts say the bug has been present since 2012 and found specifically in the Infineon's Trusted Platform Module used on a large number of business-class HP, Lenovo and Fijitsu computers, Google Chromebooks as well as routers and IoT devices.
The vulnerability allows for a remote attacker to compute an RSA private key from the value of a public key. The private key can then be misused for purposes of impersonation of a legitimate owner, decryption of sensitive messages, forgery of signatures (such as for software releases) and other related attacks, according to researchers.
The Infineon flaw is tied to a faulty design of Infineon's Trusted Platform Module (TPM), a dedicated microcontroller designed to secure hardware by integrating cryptographic keys into devices and used for secured crypto processes.
(Score: 5, Insightful) by crafoo on Wednesday October 18 2017, @12:44PM (9 children)
Even the name should make you immediately skeptical: "Trusted Platform Module". Really? Trusted by whom, exactly? Certainly not me because I cannot verify what is inside.
(Score: 4, Insightful) by KiloByte on Wednesday October 18 2017, @12:59PM
This is correct, but not in the common sense of the word. In security speak, "trusted" means "authorized to break your security".
The word you're looking for is "trustworthy". Which also tends to be abused in marketing materials these days.
Ceterum censeo systemd esse delendam.
(Score: 2) by DannyB on Wednesday October 18 2017, @01:26PM (4 children)
The name does make me immediately skeptical: "Trump Platform Module" Really?
How can I expect a TPM to be working in my best interest?
It does things I neither wanted nor asked for. While I cannot verify what is on the inside of a TPM, I can see the results of having it installed and operational, without a means of overriding it or shutting it down in the BIOS.
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 3, Insightful) by DECbot on Wednesday October 18 2017, @03:30PM (3 children)
If I don't trust the chip, why would I believe that it respects the BIOS settings and disables itself? Desoldering it from the motherboard seems to me to be the only way to trust that it isn't actively compromising your system.
cats~$ sudo chown -R us /home/base
(Score: 3, Insightful) by DannyB on Wednesday October 18 2017, @04:16PM
It is relevant to mention Intel's "management engine" here. You can't desolder that.
When trying to solve a problem don't ask who suffers from the problem, ask who profits from the problem.
(Score: 1, Interesting) by Anonymous Coward on Wednesday October 18 2017, @11:08PM (1 child)
i have used an exacto knife. fortunately, in the systems that happened to, the OS merely reports an error that tpm isnt functioning properly, maybe let an administrator know.
i do not expect that to fly in a corporate environment, nor a permissive attitude towards knife wielding.
(Score: 2) by takyon on Thursday October 19 2017, @02:35AM
If your corporate environment doesn't consider removal of TPM to be a security enhancement, that is their business unless it is your job to convince them otherwise.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 4, Insightful) by JoeMerchant on Wednesday October 18 2017, @09:08PM
Anyone want to lay odds that this flaw was included intentionally (as a *cough* backdoor)?
🌻🌻 [google.com]
(Score: 2, Informative) by pdfernhout on Thursday October 19 2017, @03:40AM
https://www.youtube.com/watch?v=XgFbqSYdNK4 [youtube.com]
Related website: http://againsttcpa.com/ [againsttcpa.com]
The biggest challenge of the 21st century: the irony of technologies of abundance used by scarcity-minded people.
(Score: 0) by Anonymous Coward on Thursday October 19 2017, @04:02AM
of course no, there is not an ounce of honesty on these corporations or the way they make you pay for their honestly-backdoored hardware