It should be noted that this attack was demonstrated on a nearly 10 year old laptop that has the TPM traces exposed on the motherboard.
Most TPMs nowadays are built into the CPU which does not leave them vulnerable to this type of attack.
this post was submitted on 11 Feb 2024
361 points (93.1% liked)
Technology
73792 readers
3196 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
Too late, Canada's banned Raspberry Pi's already. :(
I don't get the downvoting. This is solid commentary on the Flipper Zero idiocy.
Prolly from people who don’t yet know about the Flipper Canada bullshit hahaha
Its definitely sort or misleading but MS needs to really have its feet held to the fire when it comes to these things. It sort of pushes the narrative in the correct direction which is towards privacy AND security, not a half-ass balance where one or the other or both is compromised or is an illusion altogether
The Outlook stuff has demonstrated how fundamentally irresponsible and unserious they are about their obligation to secure and regulate their own systems, they need all the bad press they can get so they are compelled to do betwr
Because MS designed Lenovo motherboard for them and told them where to put the tpm debug pins? I think you're casting blame at the wrong vendor here.
Doesn't matter how good the software is if the hardware vendor fucks up like that.
They're heavily involved with the development of the spec and guidance to OEMs on how to implement it
Fake news. Nobody is getting a raspberry pi for $10 lol
I get your joke, but it's even cheaper than a "Raspberry Pi". Pi Pico, one RP2040 chip, that's basically RPi's new version of a Teensy. I just installed one in my GameCube to defeat its "BIOS" and boot from micro SD card :P
I just installed one in my GameCube to defeat its "BIOS" and boot from micro SD card :P
Coolest thing I heard all day. Didn't know that was a thing.
With shipping it's more than ten but on it's own it's 6,10 for the H model
Yet another example of "hardware access is root access"
As it should be really so you can repair things.
I agree
$10.. not really in video. He had a custom PCB made so the pogo pins were on the board, all in one.
Honestly, pretty awesome. Although as noted, this is for older boards without TPM integration in CPU.
It can also be done with a logic analyzer.
The pi is $10. The rest is much more.
That is a PI Nano. They gave them away for free at a trade fair. I've got a bag of them laying around for my next project.
Pi Pico. With a RP2040 MCU. Which retails for [$9.91 on Amazon](Seeed Studio Raspberry Pi Pico Flexible Microcontroller Board Based on The Raspberry Pi RP2040 Dual-core ARM Cortex M0+ Processor for Gamecube, 1pc. https://a.co/d/0A0hAXX).
I’m sure they were giving away at some events because we’re trying to popularize the new chip to get more devs to jump on board. I use a RP2040 on my current project and it’s a great chip.
What does that have to do with the GameCube?
I’m not quite sure what you’re asking but I believe you are talking about PicoBoot, which is a way to hack your GameCube using a Raspberry Pi Pico RP2040.
https://hackaday.com/2022/07/05/raspberry-pi-pico-modchip-unlocks-the-gamecube/
And
https://github.com/webhdx/PicoBoot
Edit: I just realized the Amazon sale says GameCube. Makes sense now.
Just your standard Amazon SEO product name.
Pis are 10$ again? That's the real story.
It's a Pi Pico (RP2040), which is an MCU, not CPU. Similar to an Arduino UNO (ATmega328p).
The concept and implementation of TPM use has been a joke since inception.
veracrypt or luks; bitlocker is a total joke.
Unsurprised. Physical security seems to be a lot tougher for the industry to “nail”
Just look at this UEFI boot fail vuln/exploit. Crazy.
Yet we still can't crack Denuvo...
Hey - hey member that time when Truecrypt was like, “Peace, we out. Use bitlocker. lol”
When’s the new Truecrypt coming out? Yeah yeah Veracrypt, I know. It’s cool, its just not. I dunno.
Veracrypt does fine
I know, I know.
Requires physical access. A non-story outside of cybersec academia/research
Bitlocker's threat model is physical access, though. And it's 50% of TPM's threat model too.
Yeah which is why no one cares about either. The threat vector is usually not discussed and mostly ignored by non state-level actors in practice.
I do agree that it's fascinating. My master's degree thesis was on sourcing trust and eliminating various evil maid type attacks, including supply side targeted poisoned hardware aimed at state level.
This is categorically false. Laptops are not a story but rather company property.