Ex-Army man cracks popular security chip Hardware hacker Christopher Tarnovsky just wanted to break Microsoft's grip on peripherals for its Xbox 360 game console. In the process, he cracked one of the most heavily fortified chips ever put into a consumer device. The attack by the former US Army computer-security specialist is notable because it goes where no hacker …
To those who believe that digital voting machines can be made impervious to mischief, they should read this article. Eventually, they'll harden the systems to the point where it will be impossible for an outsider, even one of the author's motivation and ability, to know what's going on inside the chips.
"It's very monopolistic what they've done."
You don't say.
Not only that but to anyone who complains about Apple, Sony et al being harsh (Apple for only allowing certain apps in their store for example) well - MS only allow certain controllers on their 360! What next? Sending your children off to Redmond to make them 360 compatible?
"In a statement sent to Infineon customers last week, the company noted the time and expense required for Tarnovsky to crack the chip."
Infineon's own engineers are surely well aware that they are playing a game with rules of "crack once and its cracked everywhere". Infineon's PR has probably been told as much, but (on the above evidence) don't want to admit it to customers.
So a qualified bloke had to work on it for some time, and needed a few hundred thousand dollars of kit. THEREFORE, if what you are trying to protect is worth more than (say) half a million, you'd be better off using some other device.
Or maybe change your business model? The real lesson here is for investors and shareholders. If a company uses this sort of technology, then there are real limits to how sucessful that company can be before it is worth someone else's time cracking it open. That someone else needn't be (and for legal reasons probably won't be) an actual competitor. It could be one of the company's customers, disgruntled at having to pay over the odds for a product and willing to publish anonymously in the hope that the competitors act on the info.
"Crack once and its cracked everywhere"
Yes, you can make the same attack against each chip - indeed, he had to fry quite a few to make it work, but he could presumably do it repeatedly now.
BUT the TPM has no global secrets. So for each additional device whose secrets you want to extract/clone, you have to repeat the attack. That means that the bottom hasn't suddenly dropped out of Infineon's market. The TPM design - and sensible systems based on it - always assumed that with "expensive physics lab equipment" you could break one.
Whether or not the XBox relies on any global secrets, though, I have no idea.
The other real casualty of this hack is the very notion of secure hardware. How many people have not bothered to try and crack these devices because they believed the line trotted out by the likes of IBM and the NSA that it was a very high up-front research cost with very low probability of success.
Now everyone *knows* this ain't true. Infineon may find that rather a lot of people have a go at their next offering. Consider what Ross Anderson's group have done with various crypto products over the years. Imagine if similarly motivated and resourced people decide that testing the strength of protected hardware is a legitimate research topic. After all, if these are going to be widely used to protect important secrets, there's a public interest in knowing whether they work.
There is typically one type of organization that is better-funded for such projects than universities. Of course, I'm talking governments. If someone with university funding can achieve this, imagine a state-sponsored effort, particularly the sponsorship of a hostile state.
I suspect similar people had already decided that testing the strength of TPMs is a suitable research topic. Remember, we don't know how many people tried *and failed* to crack this TPM - people don't report on that. We only have the report of one success. There could have been a dozen research teams in organizations both criminal and non-criminal attempting this, who each blew through 10x as much cash as this guy, while still failing. No conclusions can be drawn about success rates without knowing how many people tried.
The claims of high up-front cost and low probability of success seem to me to hold their validity in the light of this story. This was not a simple hack, and it did not seem to reveal any fundamental issues with the implementation (e.g. weak crypto), other than that the chip itself exists in the physical universe and is hence vulnerable to physical attack.
All it takes to 'crack' anything is time and cost plus the will and resolve to do it. Security only has to outlast attack attempts to be effective in most cases.
The more popular a security mechanism is the more the incentive to 'crack' it, so good security will often ultimately be defeated when far weaker security on other products can remain safely in place. The harder a system to 'crack' the more likely someone is to prove they can and show it all to be worthless; this is a fine case in point.
It's therefore a Catch-22; adding security encourages 'cracking'. By making security protection ubiquitous Microsoft and others ultimately undo themselves and everyone else. What they need to protect often falls when what they don't need to protect comes undone.
DMCA and the like are blunt and ultimately ineffective tools. They may discourage and punish but they don't prevent. No different really to security through obscurity. They don't event discourage or prevent if those involved can remain anonymous.
In true Matrix hacker style, Trinity took the cap off a 6801 MCU ROM (using nasty chemicals), photographed the surface using a microscope and decoded it to find the code for running Bubble Bobble, these particular chips have been cloned and bootlegged for years using many methods, imagine if you had governmental resources behind you.
Seriously, good work, but most of this stuff goes on in secret, this is the tip of the iceberg.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
