‘It’s not a good look for the PC ecosystem as a whole’: HP to make fix for TPM vulnerability an industry standard

The just-announced TPM Guard is intended to protect against data theft from devices to which attackers have gained physical access


HP has launched a new hardware-level protection designed to thwart attackers who exploit a long-known weakness in BitLocker's default, TPM-only configuration, one that can only be exploited by an attacker with physical access to the device.

The weakness lies in the communication between a device's Trusted Platform Module (TPM) and CPU. In a TPM-only BitLocker setup the TPM releases the volume master key over that bus at boot with no user secret involved, so an attacker who taps the bus and records the traffic (a TPM bus, or TPM sniffing, attack) obtains the key and can decrypt the drive. The attack can be carried out in less than a minute using a cheap logic analyzer bought online.

As such, it represents a major concern for businesses that increasingly rely on laptops and other mobile devices, which are frequently lost or stolen, to let employees work wherever they are.

HP's solution, dubbed TPM Guard, will be rolled out to existing devices as a firmware update in July and built into future products from the start.

“The nature of vulnerabilities after they’ve been discovered is that it only gets easier to exploit them. We’ve seen that the cost of executing that attack and the level of sophistication required to do it have just gone down and down over time. It’s a serious concern for many organizations,” according to Dr. Ian Pratt, HP’s vice president, security and commercial systems CTO, personal systems.

“When this attack was first conceived, people thought it would be espionage agents breaking into hotel rooms, targeting an individual. You might use it not just for extracting information but also to implant malware and do things like that to the executive’s device while they’re out for dinner. The reality is that the bigger concern is around laptops, which are lost and stolen every day. They’re usually in a backpack, and there’s usually something in that backpack or bag that identifies the company the person works for.

“These devices can then work their way through the criminal underground to a criminal organization that’s a bit more sophisticated and knows how to perhaps monetize that data. So it’s a far broader issue.”

Existing mitigations include requiring a BitLocker pre-boot PIN alongside the TPM, so that the key is never released on the strength of the TPM alone (at the cost of more management overhead and users forgetting their PINs), and tamper detection that reacts when someone tries to remove the back cover of a device.

But attackers have become wise to these, upping their game in response, according to Pratt.

“Although the possibility has been known about for a while, it’s only very recently become accessible. Just as an example, at Black Hat back in August, there was actually a training session being run teaching people how to do this. How to bypass some of the defenses that had been built in, like protecting the back cover of the machine,” he said.

“We had a unique capability to be able to detect the cover removal and wipe the machine. We were in a better position than other vendors in that respect. But in this session, they were showing how you can drill a hole through the back cover of the case and then use a tube of superglue to reach in through the hole, put a lot of superglue on the microswitch that detects the cover removal, and then you’re able to remove the cover. Seeing people actually being taught how to do it, we know this kind of attack is now being democratized, and we can’t just ignore it going forward.”
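The BitLocker PIN mitigation mentioned above only helps if the volume actually carries a TPM+PIN (or TPM+startup key) protector rather than a bare TPM protector. The following is an added example of how an administrator would audit that on a fleet; it is not HP's code, not TPM Guard, and not from the article. It uses only the standard BitLocker cmdlets (Get-BitLockerVolume, Add-BitLockerKeyProtector) and the documented FVE group-policy registry values; the function names are this example's own.

```powershell
# Added example (not from HP or the article): audit BitLocker key protectors for
# TPM-only configurations, which release the volume master key over the TPM bus
# at boot with no user secret and are therefore exposed to bus sniffing.
# Run from an elevated prompt on Windows 10/11 with the BitLocker module present.

function Get-TpmOnlyBitLockerVolumes {
    [CmdletBinding()]
    param()

    # Protector types that combine the TPM with a user-held secret or external key.
    $hardened = @('TpmPin', 'TpmPinStartupKey', 'TpmStartupKey')

    foreach ($vol in Get-BitLockerVolume) {
        $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
        $hasBareTpm  = $types -contains 'Tpm'
        $hasHardened = @($types | Where-Object { $hardened -contains $_ }).Count -gt 0

        [PSCustomObject]@{
            MountPoint       = $vol.MountPoint
            ProtectionStatus = $vol.ProtectionStatus
            Protectors       = ($types -join ', ')
            # Exposed: protection is on, a bare TPM protector exists, and nothing
            # stronger (PIN / startup key) is bound to the TPM for this volume.
            BusSniffExposed  = ($vol.ProtectionStatus -eq 'On' -and $hasBareTpm -and -not $hasHardened)
        }
    }
}

function Get-TpmPinPolicy {
    # Group policy "Require additional authentication at startup" writes these values.
    # UseAdvancedStartup = 1 enables the policy; UseTPMPIN: 0 = do not allow,
    # 1 = require, 2 = allow.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\FVE'
    if (-not (Test-Path $key)) { return 'Not configured (default: TPM-only, PIN cannot be added)' }
    $p = Get-ItemProperty -Path $key
    if ($p.UseAdvancedStartup -ne 1) { return 'Additional authentication disabled by policy' }
    switch ($p.UseTPMPIN) {
        1       { 'TPM+PIN required' }
        2       { 'TPM+PIN allowed' }
        default { 'TPM+PIN not allowed by policy' }
    }
}

$results = Get-TpmOnlyBitLockerVolumes
$results | Format-Table -AutoSize
Write-Host "Pre-boot PIN policy: $(Get-TpmPinPolicy)"

# Remediation sketch for an exposed OS volume, once policy allows a PIN and a
# recovery-password protector has been backed up: add a TPM+PIN protector, then
# remove the bare TPM protector using the KeyProtectorId reported by
# Get-BitLockerVolume. Prompts interactively; hypothetical mount point 'C:'.
#   Add-BitLockerKeyProtector -MountPoint 'C:' -TpmAndPinProtector -Pin (Read-Host -AsSecureString 'PIN')
#   Remove-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $bareTpmProtectorId
```

Any row with BusSniffExposed set to True is a device whose disk contents depend entirely on the TPM bus staying private; it is exactly the population TPM Guard, or a pre-boot PIN, is meant to protect. The check is a configuration audit only: it cannot tell whether a given machine's firmware includes a bus protection such as HP's.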

HP has worked closely with AMD and Intel to move TPM Guard from theory to reality and, according to Pratt, also envisages working with Qualcomm to implement the solution across its entire G2 commercial platform.

What’s more, in recognition that this issue affects more than just HP hardware, the tech giant hopes to turn it into an industry standard.

“It’s an industry-wide issue. We’re going to follow a similar path we have done with many security innovations over the years. With HP Labs, we’ve spotted a problem, created a solution, and then ultimately driven it as an industry standard. Because this is something that needs all vendors. It’s not a good look for the PC ecosystem as a whole to have this kind of vulnerability,” Pratt added.

“We’re now working with the Trusted Computing Group to create a standard around this. There will be a new TPM standard, which will probably take a couple of years to roll out.”

Maggie Holland

Maggie has been a journalist since 1999, starting her career as an editorial assistant on then-weekly magazine Computing, before working her way up to senior reporter level. In 2006, just weeks before ITPro was launched, Maggie joined Dennis Publishing as a reporter. Having worked her way up to editor of ITPro, she was appointed group editor of CloudPro and ITPro in April 2012. She became the editorial director and took responsibility for ChannelPro, in 2016.

Her areas of particular interest, aside from cloud, include management and C-level issues, the business value of technology, green and environmental issues and careers to name but a few.