Why Old TPM Attacks Are Still Relevant and Why You Should Care

Recently, a video surfaced on LinkedIn demonstrating a physical attack on the pins of a TPM v1.0 module. The attack showed how an attacker with physical access could manipulate the communication between the TPM chip and the motherboard to extract sensitive data. One respected peer suggested that newer systems no longer rely on discrete TPM chips but instead use firmware-based TPM (fTPM) solutions integrated into the CPU. This is an important evolution in system security architecture, as fTPM eliminates the need for a separate physical chip and the associated vulnerabilities of physical tampering or pin-based attacks that could compromise discrete TPMs.

While it’s true that modern hardware, particularly Windows 11-compliant systems, relies on TPM 2.0 and often on a firmware TPM, this does not make the old attacks irrelevant. Many businesses worldwide still run older laptops and servers with discrete TPM 1.2 (and earlier) chips, which remain exposed to the same bus-level hardware attacks. A discrete TPM 2.0 sits on the same LPC or SPI bus, so the physical attack surface only disappears when the TPM function moves into the CPU package. Moreover, even the modern implementations, discrete TPM 2.0, Intel PTT and AMD fTPM, are not immune to voltage fault injection, timing side channels, or cross-tenant weaknesses in multi-tenant cloud environments. This is where Common Criteria Protection Profiles and CVE references play complementary roles: Protection Profiles define the security requirements a product is evaluated against, while CVE records catalogue the specific weaknesses already found in shipped implementations.

In my experience, I’ve seen older machines with legacy TPMs being actively used in accredited scientific labs. In many of these environments, the results from scientific instruments are internationally accepted only if the systems remain in a specific configuration state, which often includes legacy hardware like older TPM versions. This reliance on outdated hardware leaves these systems vulnerable to old attack vectors, like pin-based physical attacks on TPM 1.0 and 1.2.

This is why the Information Security Manual (ISM) control 1809 stresses the need for compensating controls when systems rely on legacy hardware no longer supported by vendors but cannot be immediately replaced.

Additionally, as an IRAP Assessor, I have conducted Cloud IRAP Assessments for major platforms such as Google GCP and AWS, where ISM controls call for robust system integrity measurements relating to key creation and usage. This is highly relevant to the security of multi-tenant cloud environments, where side-channel attacks or cross-tenant vulnerabilities can compromise sensitive cryptographic operations. Both older and newer implementations of TPM, fTPM, Intel PTT, and TEEs are critical in ensuring the security of these environments, particularly as key creation and integrity are foundational to secure operations across tenants.

This is why Google and AWS ensure they align with ISM-1745. This calls for enabling Secure Boot and Measured Boot to validate the firmware running fTPM during startup, ensuring that unauthorised modifications cannot compromise the system. I have validated this for both vendors.

Recent Alert: Compromise of Routers and IoT Devices by State-Sponsored Actors

As highlighted by a recent ASD cyber security alert, actors linked to the People’s Republic of China have been compromising routers and IoT devices for botnet operations. These devices often lack firmware updates or advanced security features, which makes them easy targets. Where IoT and network devices in critical infrastructure do implement hardware-rooted security, they rely on TPM, fTPM, Intel PTT or TEEs for secure boot, key management and protected communication, so a weakness in those components undermines everything built on top of them. The alert emphasises the importance of maintaining secure configurations and applying patches to devices that rely on these security modules, to prevent large-scale compromises such as botnet participation or system manipulation.

Old Systems, Old Vulnerabilities: The Reality of Corporate IT

One of the most significant oversights in security planning is assuming that because new technology exists, old threats are obsolete. However, many sectors—manufacturing, finance, and government—often have extended hardware refresh cycles due to budget constraints or regulatory requirements.

For instance, when I was recently in Japan and was travelling on the Shinkansen bullet train, I noticed that some passengers were using older corporate laptops that still relied on TPM 1.2 chips. These systems are vulnerable to pin-based attacks, where attackers physically tap into the communication lines between the TPM chip and the CPU, extracting cryptographic keys or bypassing secure boot processes. Your attack surface is wide open if any part of your IT infrastructure still relies on legacy systems.

This is why ISM-1903 requires patches, updates, or other vendor mitigations for firmware vulnerabilities to be applied within 48 hours of being assessed as critical.

Why are TPM 1.0 and 1.2 Still Vulnerable?

  1. Discrete TPM Chips with Physical Pins: a discrete TPM talks to the CPU over a low-speed bus (LPC on most TPM 1.2 parts, SPI on newer ones) whose pins are exposed on the board. An attacker with a logic analyser or a few probe wires can record that traffic, and on TPM 1.2 there is no session encryption, so any secret the TPM releases (for example a disk-encryption key unsealed during boot) crosses the bus in the clear. A discrete TPM 2.0 on the same bus is exposed in the same way unless the software uses TPM 2.0’s encrypted sessions or adds a pre-boot PIN or passphrase; only a firmware TPM inside the CPU package takes the bus out of reach.
  2. Lack of Firmware Updates: Older systems using TPM 1.0 or 1.2 rarely receive firmware updates that could address vulnerabilities, and many vendors no longer issue them at all. This creates a security gap, especially where secure boot and cryptographic key generation depend on the chip. This is why ISM-1406 highlights the role of maintaining secure firmware configurations to mitigate such vulnerabilities.
  3. Security through Obsolescence is a Fallacy: Old systems may still function but present a significant security risk. Attackers often target such systems, knowing they lack modern protections. If attackers can compromise legacy machines, they may gain a foothold in the broader network.

Real-World Examples of TPM, fTPM, Intel PTT, and TEE Breaches

TPM-FAIL Vulnerability

In 2019, the TPM-FAIL vulnerability was disclosed, affecting Intel’s fTPM (PTT, CVE-2019-11090) and STMicroelectronics’ ST33 discrete TPM (CVE-2019-16863). Researchers demonstrated a timing side channel in elliptic-curve signature generation: the time taken to produce ECDSA (and EC-Schnorr) signatures depended on the bit length of the secret per-signature nonce, so by timing many signatures and keeping the fast ones the attackers learned the leading bits of those nonces and recovered the private key with a lattice attack. In the Intel case this worked over a network against a VPN server whose key lived in the TPM. Both affected products carried certifications, a reminder that a certificate covers the evaluated configuration and attack potential, not every later discovery. This matters for IoT devices and critical-infrastructure systems such as smart cities, connected vehicles and healthcare, where TPM-based authentication and secure communications underpin operational security.

This is why ISM-0280 advises selecting Common Criteria-certified products evaluated for resilience against such vulnerabilities.

faulTPM (Voltage Fault Injection Attack)

The faulTPM attack, published in 2023, targeted AMD’s fTPM, which runs on the AMD Secure Processor. Using voltage fault injection on the SoC’s power supply during boot, the researchers extracted the chip-unique secret that protects the fTPM’s non-volatile state and with it decrypted every key and sealed object the fTPM held. That broke BitLocker in its default TPM-only configuration and any other mechanism relying on the TPM. The attack needs hours of hands-on access to the board and inexpensive equipment; it showed that moving the TPM into the CPU package does not remove the physical attack surface, it only changes it, which is relevant to industrial IoT or connected healthcare equipment built on AMD’s architecture.

This is why ISM-0380 requires unnecessary system features to be disabled. For voltage fault injection the relevant feature is software-accessible voltage control (the interface Plundervolt abused), which should be locked in firmware where the vendor provides the option. Note the limit of this control: faulTPM glitched the power rail with external hardware, so no amount of operating-system hardening stops it. That leaves compensating controls, such as a sufficiently long BitLocker pre-boot passphrase (a short numeric PIN can be brute-forced offline once the TPM’s anti-hammering protection has been bypassed by extracting its state).

Intel CSME Flaw

In 2020, a flaw (CVE-2019-0090) was disclosed in Intel’s Converged Security and Manageability Engine (CSME), the subsystem that hosts Intel PTT. Because the flaw sits in the CSME boot ROM, it cannot be patched by a firmware update; an attacker with local or physical access could gain code execution in CSME early in boot, and the researchers argued this could ultimately expose the chipset key on which the platform’s cryptographic functions depend. Although difficult to exploit, this raised serious concerns for industrial control systems, smart-grid management tools and connected medical devices that rely on Intel-based security.

TPM 2.0: Improved Security, But Not Invulnerable

While TPM 2.0, required for Windows 11, provides more robust mechanisms (encrypted sessions, algorithm agility, richer authorisation policies), vulnerabilities still exist. faulTPM showed a TPM 2.0 firmware implementation falling to a physical fault attack, and Plundervolt, although aimed at Intel SGX rather than a TPM, showed the same class of fault against the other trusted-computing component modern platforms lean on. Even modern systems require regular updates and security evaluations to mitigate emerging risks.

fTPM (Firmware-Based TPM) and TPM 2.0: What's the Difference?

fTPM’s Firmware-Based Architecture:

fTPM is not a different standard: it implements the same TPM 2.0 command set as a discrete chip, but as firmware running on a security processor inside the CPU package (the AMD Secure Processor for AMD fTPM, the CSME for Intel PTT). Removing the separate chip and its bus removes the pin-sniffing attack, but the fTPM now shares its fate with that processor’s boot ROM, firmware and power supply, which opens new avenues for firmware-level and fault attacks.

  • Relevant ISM Control: ISM-1745: Enabling Secure Boot and Measured Boot. Secure Boot stops unsigned firmware and boot loaders from running; Measured Boot records a hash of each boot component into the TPM’s PCRs so a verifier can detect a modified component afterwards. Note that the fTPM’s own firmware is verified by the security processor’s boot ROM before the fTPM exists, so these controls protect what is built on the fTPM rather than the fTPM itself.
  • Common Criteria PP: Evaluation against Protection Profiles such as the Cryptographic Modules PP (PP-0112) and the Security IC Platform PP (PP-0084) gives independent evidence that a product was tested against the attack potential those profiles define, including side-channel and fault-injection resistance, tamper detection and secure firmware update. The caveat practitioners should keep in view is that a certificate covers a specific product version in its evaluated configuration; firmware versions or configurations outside that scope are not covered, and TPM-FAIL affected a certified chip.
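To make the Measured Boot part of ISM-1745 concrete, the following added example (not code from the original article or from either cloud vendor) shows what a verifier does with a measured-boot event log: it replays each event into the SHA-256 PCR bank using the TPM’s extend rule, new = SHA-256(old || digest), and compares the result with the PCR values the platform reports. The event log and the reported PCR values are constructed sample data. Real logs carry a per-event digest computed according to the TCG event type (an Authenticode hash for a PE image, for instance) rather than a hash of a raw string as here, and a real verifier would first check the TPM2_Quote signature over the PCRs, which is omitted.

```python
"""Measured Boot verification: replay an event log into SHA-256 PCRs and
compare with the PCR values the platform reports.  Added example, not code
from the original article; the log and PCR values are constructed samples."""
import hashlib

PCR_SIZE = 32  # bytes, SHA-256 bank

def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend rule for one bank: new = H(old || digest).
    A PCR can only be extended, never set, which is what makes the chain
    of measurements tamper-evident."""
    if len(pcr) != PCR_SIZE or len(digest) != PCR_SIZE:
        raise ValueError("SHA-256 bank expects 32-byte PCR and digest values")
    return hashlib.sha256(pcr + digest).digest()

def replay_event_log(events):
    """events: list of (pcr_index, event_type, digest).  Returns the PCR
    values a platform that booted exactly this sequence must hold.  PCRs
    start at all zeros after reset."""
    pcrs = {}
    for pcr_index, _event_type, digest in events:
        if not 0 <= pcr_index <= 23:
            raise ValueError(f"invalid PCR index {pcr_index}")
        pcrs[pcr_index] = pcr_extend(pcrs.get(pcr_index, bytes(PCR_SIZE)), digest)
    return pcrs

def verify_measurements(events, reported_pcrs):
    """A log is only believable if replaying it lands on the attested PCRs.
    Returns (ok, list of mismatching PCR indices)."""
    expected = replay_event_log(events)
    indices = set(expected) | set(reported_pcrs)
    mismatches = sorted(i for i in indices if expected.get(i) != reported_pcrs.get(i))
    return (not mismatches, mismatches)

def measure(data: bytes) -> bytes:
    """Digest of a boot component.  Real logs use the TCG-defined digest for
    the event type (e.g. Authenticode hash of a PE image); here a plain
    SHA-256 of the constructed payload stands in."""
    return hashlib.sha256(data).digest()

# Constructed event log: (PCR, TCG event type, digest).
SAMPLE_LOG = [
    (0, "EV_S_CRTM_VERSION",                measure(b"CRTM 1.4.2")),
    (0, "EV_POST_CODE",                     measure(b"UEFI firmware image v2.71")),
    (2, "EV_EFI_BOOT_SERVICES_DRIVER",      measure(b"option ROM: NIC")),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", measure(b"\\EFI\\Microsoft\\Boot\\bootmgfw.efi")),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG",    measure(b"SecureBoot=1")),
]

# What an honest platform would report (in practice: PCRs from TPM2_Quote,
# whose signature by the attestation key must be checked first; omitted here).
GOOD_PCRS = replay_event_log(SAMPLE_LOG)

def tampered_firmware_pcrs():
    """PCRs from a platform whose UEFI image was replaced: PCR 0 differs,
    and no edit to the presented log can make the replay match that value."""
    log = list(SAMPLE_LOG)
    log[1] = (0, "EV_POST_CODE", measure(b"UEFI firmware image v2.71-modified"))
    return replay_event_log(log)

if __name__ == "__main__":
    print(verify_measurements(SAMPLE_LOG, GOOD_PCRS))                 # (True, [])
    print(verify_measurements(SAMPLE_LOG, tampered_firmware_pcrs()))  # (False, [0])
```

The mismatch on PCR 0 is the whole point of the control: a modified firmware image changes the measured digest, the PCR can only be extended and never rewritten, and a verifier holding the expected values (or a signed quote) sees the difference even though the platform booted and runs normally.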

Security Trade-offs in TEEs:

Trusted Execution Environments (TEEs) such as Intel SGX or Arm TrustZone are designed to handle sensitive data in isolation from the operating system. However, attacks such as Plundervolt and the Spectre/Meltdown family of speculative-execution attacks (Foreshadow in particular targeted SGX enclaves) have exposed weaknesses in these environments.

  • Relevant ISM Control: ISM-1406: Consistent patch management, as outlined in the ACSC ISM System Management Chapter, is critical for protecting systems like Intel PTT and TEEs. These technologies must be updated regularly to mitigate speculative execution vulnerabilities.
  • Common Criteria PP: Protection Profiles such as the Cryptographic Modules PP (PP-0112) and the Security IC Platform PP (PP-0084) require the evaluator to test the hardware and firmware against physical and logical attacks at a stated attack potential, including voltage manipulation, and to check countermeasures such as tamper detection, fault detection and constant-time cryptographic operations. Certification gives organisations evidence that this testing was done. It does not make a CPU immune to a new class of attack: speculative-execution flaws were found in certified products and needed microcode updates like everything else, so certification and patching complement rather than replace each other.

Voltage Fault Injection: faulTPM and Plundervolt Attacks

faulTPM: AMD’s fTPM Vulnerability

The faulTPM vulnerability exploited voltage fault injection to disrupt cryptographic operations in AMD’s fTPM, allowing attackers to extract encryption keys stored in the TPM. Researchers bypassed security mechanisms such as BitLocker by manipulating the CPU's voltage.

  • Relevant CVE: CVE-2021-26362 is relevant because it describes a vulnerability in AMD's fTPM (firmware-based Trusted Platform Module) that can be exploited through voltage fault injection attacks. This attack allows an adversary to manipulate the CPU’s voltage to bypass security mechanisms and extract sensitive cryptographic keys stored in the fTPM. The faulTPM vulnerability specifically demonstrates how voltage manipulation can compromise the cryptographic operations that fTPM is designed to protect, potentially impacting systems that rely on fTPM for secure boot, data encryption (such as BitLocker), and other security-critical operations.
  • This vulnerability is particularly significant because it breaks the assumption that a firmware TPM is out of reach of physical attackers: the attacker needs hours of hands-on access to the board rather than remote code execution, but a stolen or unattended laptop provides exactly that. It stresses the importance of firmware updates where the vendor issues them, hardware-level protections such as voltage monitoring, and compensating controls, as reflected in Common Criteria Protection Profiles (e.g., PP-0112).
  • Relevant ISM Control: ISM-1903 requires patches, updates or other vendor mitigations for firmware vulnerabilities to be applied within 48 hours when they are assessed as critical. For faulTPM the researchers reported that the weakness could not be fixed by a firmware update on the affected Zen 2 and Zen 3 parts, so the control’s “other vendor mitigations” clause and the compensating-control guidance apply: enable a pre-boot PIN or passphrase for BitLocker and treat TPM-only protection on those platforms as insufficient for sensitive data.
  • Common Criteria PP: The Cryptographic Modules PP (PP-0112) ensures that cryptographic operations resist voltage manipulation and similar physical attacks.

Plundervolt: Undermining Intel SGX

The Plundervolt attack targeted Intel SGX, a prominent TEE implementation. Using the CPU’s software undervolting interface (a model-specific register normally used for power tuning), privileged code running outside the enclave lowered the core voltage just enough to produce faulty results inside it, with no physical access. Faulty multiplications inside the enclave let the researchers recover an RSA-CRT private key from a single faulty signature and an AES key by differential fault analysis, and corrupt pointer arithmetic to create memory-safety bugs in otherwise correct enclave code.

  • Relevant CVE: CVE-2019-11157 is relevant to the Plundervolt attack because it describes a vulnerability in Intel SGX (Software Guard Extensions) that allows attackers to exploit undervolting techniques to undermine the security of trusted execution environments (TEEs). By manipulating the CPU's voltage, attackers can induce faults in Intel SGX's secure enclave operations, potentially allowing them to extract sensitive data or bypass protections within the secure enclave.
  • This vulnerability highlights the risks of voltage fault injection attacks, where altering the CPU’s power supply compromises the integrity of cryptographic computations and other security-critical operations in TEEs. CVE-2019-11157 specifically points to the need for Intel's microcode updates to mitigate this vulnerability, making timely firmware and microcode updates critical for preventing such attacks.
  • Relevant ISM Control: ISM-1903 mandates that patches, updates, or other vendor mitigations for firmware vulnerabilities must be applied within 48 hours when the vulnerabilities are assessed as critical. This is particularly important for addressing vulnerabilities like Plundervolt, an undervolting attack targeting hardware like Intel's SGX. Systems can mitigate attacks that exploit firmware-level weaknesses by promptly applying Intel’s microcode updates. Strong patch management is crucial to maintaining system integrity and preventing the exploitation of vulnerabilities that could otherwise compromise trusted execution environments (TEEs) or cryptographic operations.
  • Common Criteria PP: Protection Profiles such as the Cryptographic Modules PP (PP-0112) require resistance to fault injection to be evaluated, which includes checking for fault-detection mechanisms (redundant computation, or verification of a result before it is released) alongside firmware validation, Secure Boot and tamper resistance. Such checks are what turn a Plundervolt-style glitch from a key leak into a detected and withheld result; memory ECC on its own does not protect a computation inside the core.

Defending Against Voltage Fault Injection Attacks

Voltage fault injection attacks, such as those seen in faulTPM and Plundervolt, exploit weaknesses in how systems handle power and voltage management. These attacks can compromise sensitive data, particularly cryptographic keys. Multiple defensive strategies must be implemented at the hardware and firmware levels to protect systems from these attacks.

1. Firmware and Microcode Updates

  • Regularly updating firmware and applying microcode updates from hardware vendors are critical defences against software-driven voltage manipulation. Intel’s response to CVE-2019-11157 was a microcode and BIOS update that lets the undervolting interface be locked, so Plundervolt’s write to the voltage register no longer takes effect. Similarly, applying AMD’s fTPM firmware patches protects systems from CVE-2021-26362 where a fix exists; where a flaw sits in hardware or boot ROM, as faulTPM’s researchers reported for affected parts, updates cannot close it and compensating controls are required.
  • Relevant ISM Control: ISM-1903: Requires robust patch management to promptly apply firmware and security updates, protecting systems from known vulnerabilities like voltage attacks.

2. Lockdown of Power Management Features

  • A key defence against voltage attacks is to lock down access to power management features that can be exploited. In some cases, undervolting features can be disabled through the BIOS or system settings to prevent malicious manipulation.
  • Relevant ISM Control: ISM-0380: Disabling unnecessary system features, including access to voltage control, helps mitigate the risk of voltage manipulation.

3. Error Detection and Correction (EDAC)

  • Implementing error detection and correction mechanisms can detect when a fault injection attack occurs. These mechanisms can monitor for errors in cryptographic computations and take action, such as halting the operation or locking down the system if an anomaly is detected.
  • Common Criteria PP: The Cryptographic Modules PP (PP-0112) includes requirements for error detection to ensure that cryptographic operations are resilient against hardware faults caused by voltage manipulation.
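The following added example (not from the original article, nor from the Plundervolt or faulTPM researchers) shows why a single fault in a CRT-based RSA signature, whether induced by undervolting as in Plundervolt or by glitching a power rail, leaks the private key, and how the error-detection step described above stops it. The key uses a constructed toy size and the fault is simulated by corrupting one CRT half; everything else is the standard computation.

```python
"""Bellcore/Lenstra fault attack on RSA-CRT and the verify-before-release
countermeasure.  Added example, not from the original article or from the
Plundervolt/faulTPM research; toy key size and simulated fault are constructed."""
from math import gcd

# Constructed toy key: two well-known primes, far too small for real use.
P, Q = 1299709, 15485863
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))
# CRT parameters a real implementation precomputes for speed.
DP, DQ = D % (P - 1), D % (Q - 1)
QINV = pow(Q, -1, P)

def rsa_crt_sign(m: int, fault_in_p: bool = False) -> int:
    """RSA signature via CRT with Garner recombination.  fault_in_p simulates
    a glitch (undervolting, power-rail injection) corrupting only the mod-p
    half; the mod-q half stays correct, which is all the attack needs."""
    sp = pow(m, DP, P)
    sq = pow(m, DQ, Q)
    if fault_in_p:
        sp = (sp + 1) % P
    h = (QINV * (sp - sq)) % P
    return sq + Q * h

def recover_factor_from_faulty_signature(m: int, faulty_sig: int) -> int:
    """Lenstra's variant: s' is correct mod q but wrong mod p, so s'^e - m is
    divisible by q and not by p, and gcd(s'^e - m, N) = q.  One faulty
    signature plus the message recovers the private key."""
    return gcd((pow(faulty_sig, E, N) - m) % N, N)

def rsa_crt_sign_checked(m: int, fault_in_p: bool = False) -> int:
    """Countermeasure: recompute with the public exponent and refuse to
    release anything that does not verify.  A real module would also
    zeroise intermediates and count or lock on repeated faults."""
    s = rsa_crt_sign(m, fault_in_p)
    if pow(s, E, N) != m % N:
        raise RuntimeError("signature self-check failed: fault detected, result withheld")
    return s

def checked_sign_status(m: int, fault_in_p: bool = False) -> str:
    """Wrapper returning 'ok' or 'fault detected' for the checked signer."""
    try:
        rsa_crt_sign_checked(m, fault_in_p)
        return "ok"
    except RuntimeError:
        return "fault detected"

if __name__ == "__main__":
    msg = 123456789
    faulty = rsa_crt_sign(msg, fault_in_p=True)
    leaked = recover_factor_from_faulty_signature(msg, faulty)
    print("factor leaked by one faulty signature equals Q:", leaked == Q)
    print("checked signer under the same fault:", checked_sign_status(msg, fault_in_p=True))
```

The verification costs one public-exponent exponentiation, cheap compared to the private operation, and it is the reason hardened modules refuse to emit a signature they have not re-verified: the unchecked signer hands the attacker the factorisation with a single glitch, while the checked one fails closed.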

4. Physical Security and Tamper Detection

  • fTPM removes the exposed bus of a discrete TPM, but faulTPM showed it is not beyond physical attack: glitching the power supply of the CPU package is still a physical attack on the board. Tamper-evident enclosures, board-level tamper detection and control over who can open a device therefore remain relevant for both discrete and firmware TPMs, and tamper-evident designs also help secure discrete TPM modules against probing of their bus.
  • Relevant ISM Control: Physical security controls in the ISM are essential for preventing tampering and unauthorised access to sensitive systems like TPMs and cryptographic equipment. Key controls include ISM-0810, requiring systems to be in secure zones, and ISM-1053 and ISM-1530, which mandate that servers, network devices, and cryptographic equipment be stored in secure rooms or containers. Additionally, ISM-1296 enforces physical protection for network devices in public areas to prevent damage or tampering.

5. Constant-Time Cryptographic Implementations

  • Cryptographic algorithms implemented in constant time prevent attackers from inferring sensitive information based on the timing of operations. By ensuring that cryptographic operations always take the same amount of time, regardless of input, these implementations reduce the risk of timing attacks that could be combined with voltage manipulation to leak keys.
  • Common Criteria PP: Constant-time cryptographic operations are part of the requirements in the Cryptographic Modules PP (PP-0112), ensuring that cryptographic modules resist timing-based attacks.
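The TPM-FAIL flaw described earlier and the constant-time requirement in this section are two sides of the same point. The added example below (not the TPM-FAIL authors’ code; the group, nonce width and sample nonces are constructed) models the leak: a double-and-add loop that starts at the highest set bit of the secret nonce runs as many iterations as the nonce has bits, so an attacker who can time signatures learns how many leading zero bits each nonce has and keeps the ones with the most, which is the first stage of TPM-FAIL before the lattice step. The fixed-iteration version always processes every bit and always performs the add, so its timing reveals nothing. Iteration counts stand in for measured time, and a real implementation would need a constant-time select in place of the Python conditional.

```python
"""TPM-FAIL-class timing leak: nonce bit length visible through iteration
count, next to a fixed-iteration implementation.  Added example, not the
TPM-FAIL authors' code; group, nonce width and sample nonces are constructed."""

PRIME = (1 << 61) - 1   # toy group: exponentiation mod a prime stands in for EC scalar multiplication
GEN = 3
NONCE_BITS = 64         # width the secret nonce is supposed to have

def scalar_mult_leaky(k: int):
    """Left-to-right double-and-add that begins at the highest set bit, the
    shortcut a non-hardened implementation takes.  Returns (result, iterations);
    iterations == k.bit_length(), so the leak is exactly the leading zero count."""
    if not 0 <= k < (1 << NONCE_BITS):
        raise ValueError("nonce out of range")
    acc, iterations = 1, 0
    for i in range(k.bit_length() - 1, -1, -1):
        acc = (acc * acc) % PRIME          # double
        if (k >> i) & 1:
            acc = (acc * GEN) % PRIME      # add
        iterations += 1
    return acc, iterations

def scalar_mult_fixed(k: int):
    """Always walks all NONCE_BITS bits and always computes the add, keeping
    or discarding it by selection.  Iteration count no longer depends on k.
    (Real code needs a constant-time select instead of Python's conditional.)"""
    if not 0 <= k < (1 << NONCE_BITS):
        raise ValueError("nonce out of range")
    acc, iterations = 1, 0
    for i in range(NONCE_BITS - 1, -1, -1):
        acc = (acc * acc) % PRIME
        added = (acc * GEN) % PRIME
        acc = added if (k >> i) & 1 else acc
        iterations += 1
    return acc, iterations

def harvest_weak_nonces(scalar_mult, nonces, min_zero_bits=8):
    """Attacker's first stage: time each signature (iteration count here),
    infer leading zero bits as NONCE_BITS - time, and keep nonces with at
    least min_zero_bits known-zero top bits.  In the real attack these feed
    a lattice (hidden number problem) solver, which is out of scope here."""
    kept = []
    for k in nonces:
        _, t = scalar_mult(k)
        zeros = NONCE_BITS - t
        if zeros >= min_zero_bits:
            kept.append((k, zeros))
    return kept

# Constructed nonces: one full-width, two with exactly 8 leading zero bits,
# one with 32.  An attacker would not know these; the timing tells them.
SAMPLE_NONCES = [1 << 63, (1 << 56) - 1, (1 << 55) + 5, 0xDEADBEEF]

if __name__ == "__main__":
    print("leaky :", harvest_weak_nonces(scalar_mult_leaky, SAMPLE_NONCES))
    print("fixed :", harvest_weak_nonces(scalar_mult_fixed, SAMPLE_NONCES))
```

Against the leaky loop the harvest returns the three short nonces with their exact leading-zero counts; against the fixed loop it returns nothing, because every nonce costs the same. Both loops compute the same group element, which is why this class of bug survives functional testing and is only caught by timing analysis or a constant-time review.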

6. Certified Hardware

  • Certified hardware evaluated under Common Criteria Protection Profiles ensures that security modules, like TPM and TEEs, have been rigorously tested for resistance to physical attacks, including voltage fault injection. This certification verifies that hardware meets a high protection standard against tampering, unauthorised manipulation of CPU voltage, and other physical vulnerabilities. Certified devices implement critical protections such as constant-time cryptographic operations, tamper detection, and secure firmware updates, making them more resilient to emerging threats and ensuring system integrity.
  • Relevant ISM Control: ISM-0280: Recommends using certified products evaluated against Common Criteria Protection Profiles to mitigate hardware and firmware vulnerabilities.

7. Monitoring and Auditing

  • Implement continuous monitoring and auditing tools that can detect anomalies in system behaviour. For instance, monitoring power usage patterns or performance discrepancies could alert system administrators to an ongoing voltage fault injection attack.
  • Relevant ISM Control: ISM-0580 emphasises developing an event logging policy, which is critical for detecting anomalies caused by fault injection attacks.

What Should Businesses Do?

1. Vulnerability Scan Your Hardware

  • Identify systems using TPM, fTPM, or Intel PTT. To ensure compliance with modern security standards, legacy hardware should be replaced with Common Criteria-evaluated products.
  • Relevant ISM Control: ISM-1900 is important because it ensures that firmware vulnerabilities are identified and addressed promptly. By requiring a vulnerability scanner to be used fortnightly, organisations can quickly detect missing patches or updates for firmware, reducing the risk of attacks that exploit unpatched vulnerabilities, such as Plundervolt or faulTPM, which target critical system components. Regular scanning helps maintain the security and integrity of systems that rely on firmware, like TPMs and TEEs.

2. Apply Firmware Updates

  • Ensure that all systems using TPM 2.0, fTPM, PTT, or TEEs are current with the latest firmware patches. Regularly scanning for vulnerabilities and applying patches promptly is crucial to mitigate known risks such as Plundervolt and faulTPM.
  • Relevant ISM Control: ISM-1903: Patch management processes must be in place to prevent the exploitation of firmware and software vulnerabilities. This includes ensuring that security updates and firmware patches are consistently applied.

3. Select Evaluated Products

  • Always prefer products assessed against relevant Common Criteria Protection Profiles, as this ensures the product has been rigorously tested against vulnerabilities that affect TPM, fTPM, PTT, and TEE technologies.
  • Relevant ISM Control: ISM-0280: The Evaluated Products Chapter advises selecting Common Criteria-certified products, as these have been validated through comprehensive security assessments, assuring that the product meets high standards for mitigating hardware and software vulnerabilities.

4. Harden Systems

  • Implement system hardening practices such as enabling Secure Boot, Measured Boot, and Trusted Boot to protect critical firmware and prevent unauthorised modifications. Additionally, disable unnecessary services that could increase the attack surface.
  • Relevant ISM Control: ISM-0380: Ensures that all systems, including those using TPM or PTT, are hardened and unnecessary features are disabled to limit potential attack exposure.

Conclusion: Old Attacks Are Still Relevant, and New Ones Are Evolving

Real-world vulnerabilities like TPM-FAIL, faulTPM, and Intel CSME flaws demonstrate that even the latest security technologies in critical infrastructure and IoT devices remain vulnerable to emerging attack vectors. These breaches can have devastating consequences, from data theft in connected vehicles to operational failures in industrial control systems and smart grid infrastructure.

Organisations must take proactive steps to ensure their TPM, fTPM, Intel PTT, and TEE implementations are updated, hardened, and evaluated against Common Criteria Protection Profiles. By doing so, they can mitigate both old and new risks in critical systems, safeguarding sensitive operations from the next generation of attacks.

In light of recent attacks, such as botnet operations targeting IoT devices, organisations must understand that adversaries continuously adapt and exploit outdated and emerging vulnerabilities. Adhering to ISM controls and leveraging Common Criteria-certified products are essential to ensure system resilience in an ever-evolving threat landscape.

The Essential Eight ISM controls that are relevant to mitigating attacks like Plundervolt and faulTPM include:

  1. ISM-1903 requires patches for critical firmware vulnerabilities to be applied within 48 hours, essential for mitigating voltage manipulation attacks.
  2. ISM-1701/1703: Vulnerability scanning for missing patches or updates for operating systems and firmware.
  3. ISM-1406: Robust patch management for addressing firmware-related vulnerabilities.

These controls ensure timely identification and remediation of vulnerabilities that such attacks could exploit.

Author Bio

Nathan Joy is a seasoned cybersecurity professional with over two decades of experience safeguarding Australian Government agencies and cloud vendors. As the first IT security manager in the Australian Government to implement the ASD Top 4 controls, Nathan played a pivotal role in pioneering robust cybersecurity practices within our nation. His dedication to innovation was recognised by the prestigious SANS Cyber Security Innovation Award, and he even had the honour of briefing the Whitehouse, Homeland Security, and the NSA on Australia's groundbreaking approach. Nathan's expertise extends to all cloud deployment models (IaaS, PaaS, SaaS) and is further validated by his IRAP assessor endorsement from the Australian Signals Directorate (ASD) since 2011. The views and opinions expressed in this article are Nathan's own and do not reflect the official position of the ASD or the Australian Cyber Security Centre (ACSC).
