Many AMD processors (Zen 2 & 3 architectures; 3000, 5000 series...) use a firmware implementation of the TPM, the fTPM (equivalent to Intel's "Platform Trust Technology", but slightly different). Researchers have just found new attacks against this form of implementation, which make it possible to completely break the fTPM and reveal its internal state. Interestingly, using a fairly complex password means you can still maintain an adequate level of security, even with a cracked fTPM. As shown in the paper (p.11), with a compromised fTPM, a 10-character PIN will only last 34 minutes against a brute-force attack:
As 10 characters is the minimum length currently requested by the script, I propose to lengthen it a bit. The researchers conclude (p.13):
Our case study shows that FDE implementations must employ standalone anti-brute-force measures beyond the sealed TPM object as BitLocker does (5.3.2). If the TPM is compromised, this upholds the protector’s confidentiality to a degree a (non-TPM) PIN/password-only protector can achieve. The security of such a method dramatically depends on the length and complexity of the PIN or password, so strong requirements regarding its length and character set should be considered.
Hi,
Unless there is a reliable way to detect AMD CPU generations between 3000-5000 so that the script can apply different policies for them (haven't found any yet), I think increasing the PIN's minimum length requirement can potentially discourage people from using it in the first place 🫤
Since the attack needs physical access to the device, imo users considered high-value targets and susceptible to this attack should consider upgrading their hardware to an AMD 7th gen CPU or an Intel CPU that doesn't have this vulnerability, or better yet, get a secured-core PC.
Edit:
AMD users with vulnerable CPUs can of course still set a long complex PIN to stay secure, it's just the script doesn't enforce it by default on everyone.
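For readers who want to check a single machine, here is an added audit sketch (not part of this thread or of the project's script). It reports whether the TPM is an AMD firmware TPM and what BitLocker PIN policy is configured. The vendor match is a heuristic that does not identify the CPU generation, and `$RequiredPinLength` is a hypothetical threshold, not a value from the paper or the script.

```powershell
# Added example: local audit only, run from an elevated PowerShell session.
param(
    # Hypothetical threshold for illustration; set it to your own policy value.
    [int]$RequiredPinLength = 14
)

$cpu = Get-CimInstance -ClassName Win32_Processor | Select-Object -First 1
$tpm = Get-Tpm

# Heuristic (assumption): a TPM whose vendor ID reads "AMD" on an AMD CPU is
# the firmware TPM. This says nothing about which CPU generation is installed.
$tpmVendor = ($tpm.ManufacturerIdTxt -replace '[^A-Za-z0-9]', '')
$amdFtpm   = $tpm.TpmPresent -and
             ($cpu.Manufacturer -eq 'AuthenticAMD') -and
             ($tpmVendor -eq 'AMD')

# BitLocker group-policy values; the key or values are absent when the
# policy has never been configured.
$fve = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\FVE' `
                        -ErrorAction SilentlyContinue
$minPin = if ($null -ne $fve -and $null -ne $fve.MinimumPIN) {
    [int]$fve.MinimumPIN
} else {
    $null
}
$enhancedPin = ($null -ne $fve) -and ($fve.UseEnhancedPin -eq 1)

# Flag the machine when the TPM looks like an AMD fTPM and the configured
# policy would still accept a short or digits-only PIN.
$needsReview = $amdFtpm -and (
    ($null -eq $minPin) -or
    ($minPin -lt $RequiredPinLength) -or
    (-not $enhancedPin)
)

[pscustomobject]@{
    CpuName            = $cpu.Name
    TpmVendor          = $tpmVendor
    LooksLikeAmdFtpm   = [bool]$amdFtpm
    MinimumPinPolicy   = $minPin        # empty when not configured
    EnhancedPinAllowed = [bool]$enhancedPin
    ReviewPinPolicy    = [bool]$needsReview
}
```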