Modern TPM Sniffing and Multi-Factor Authentication
Although the TPM sniffing attack has been known and utilised for nearly five years, it has evolved significantly since its introduction. The attack process has become simpler and more generalised, resulting in increased speed and reliability. This presentation will first share insights gained from using this attack on dozens of machines over the years, highlighting key factors that can enhance its execution. The reduction in complexity and attack time now makes it possible to compromise a machine in just a few minutes, infect it, and then restore it before the owner even realises it was gone.

Secondly, the presentation will explore the multi-factor authentication provided by BitLocker. While multi-factor authentication is crucial for maintaining a baseline level of security, various attack scenarios remain possible even with this configuration. For instance, a malicious user could use TPM sniffing to escalate privileges on a machine if they know the second authentication factor. Although this possibility has been discussed in several publications, Microsoft’s documentation on BitLocker is only partial, and some mechanisms remain unexplored. No existing tool has been able to execute this attack when BitLocker is not in transparent mode. This part of the presentation will delve into the operating system’s inner workings, examining the Windows bootloader and its interactions with the TPM. The goal is to understand how multi-factor authentication works and how it might be bypassed, enabling an attacker to decrypt the disk and gain highly privileged access to the operating system.
About the speaker
Julien Oberson