Researchers from the Worcester Polytechnic Institute (WPI) have discovered serious security vulnerabilities in computer chips made by Intel Corp. and STMicroelectronics. The flaws announced today are located in TPMs, or trusted platform modules: specialized tamper-resistant chips that computer manufacturers have been deploying in nearly all laptops, smartphones, and tablets for the past 10 years. TPMs are used to protect encryption keys for hardware authentication and other cryptographic keys, including signature keys and smart card certificates.
One of the flaws the WPI team discovered is in Intel’s TPM firmware, software that runs in the Security and Management Engine in processors the company has produced since 2013. Exploiting the timing leakage caused by this vulnerability, the researchers recovered the signature key in less than two minutes. With the signature key, hackers could forge digital signatures, enabling them to alter, delete, or steal information.
The second flaw is in STMicroelectronics’ TPM on the company’s ST33 chip. The vulnerability in STMicroelectronics’ TPM essentially leaks the signature key, which should remain safely inside the hardware. The consequences of this vulnerability are the same as for the Intel one: hackers would have the keys to the castle.
According to both companies, the vulnerabilities have been addressed and patched. With computer hardware getting more and more complicated every year, one has to wonder how many vulnerabilities are going unnoticed.