Overview
This document provides important guidance for understanding and mitigating the risks associated with the ROCA (Return of Coppersmith’s Attack) vulnerability. This vulnerability affects Trusted Platform Modules (TPMs) and Secure Elements (SEs) manufactured by Infineon Technologies AG.
Microsoft publicly disclosed the ROCA vulnerability on 10 October, and the researchers released initial details of their findings on 16 October 2017.
- Enterprise Windows users are most likely to be impacted and should take appropriate actions.
- Home Windows users are less likely to be vulnerable.
Understanding the Vulnerability
A security flaw has been identified in the software library utilized by Infineon TPMs and SEs for RSA private key generation. This flaw allows attackers to derive an RSA private key from its public counterpart with significantly less effort than previously assumed, making it possible for them to compromise data and services that rely on those keys.
Estimates indicate that, for devices affected by this vulnerability, breaking a single 2048-bit RSA key costs around $20,000, while a 1024-bit RSA key can be broken for roughly $40. At these costs, targeted attacks against specific keys may now be worth the investment for a range of threat actors.
This vulnerability does not apply to other types of keys generated by Infineon TPMs and SEs.
Determining Your Level of Risk
Trusted Platform Modules (TPMs) and Secure Elements (SEs) are integrated into a wide range of devices and utilized in various applications by both operating systems and third-party software, making it challenging to provide exhaustive guidance.
Trusted Platform Modules are mainly found in enterprise desktops and laptops, but they also exist in servers, certain consumer devices, and many Chrome OS machines. They are utilized in several embedded applications and play crucial roles in securing cryptographic operations.
These modules help protect sensitive data in case of mobile device theft and facilitate the storage and management of keys used for:
- authentication (for devices and users)
- email encryption (such as S/MIME and PGP)
- Virtual Private Networks (VPNs)
- TLS and SSH connections
- certificate issuers
- software verification
Secure Elements serve as secure storage and processing areas in embedded devices like smart cards, security tokens, and some mobile devices. Similar to TPMs, they create a secure environment for executing cryptographic procedures.
To Determine Your Risk, Check:
- If your device contains an affected TPM or Secure Element
- If the TPM or Secure Element runs a vulnerable firmware version
- If you’re utilizing features configured for RSA Key Generation through the affected TPM or Secure Element
As of now, Microsoft, Google (Chrome OS), Yubico, Gemalto, and several PC manufacturers have acknowledged the impact on their products. Further announcements from additional vendors are anticipated in the near future. Users are encouraged to stay updated on advisories from their respective vendors and this page will be revised with additional information as it becomes available.
- Windows users should review Microsoft’s advisory
- Chrome OS users should refer to Google’s advisory
- YubiKey users should check Yubico’s advisory
- Gemalto IDPrime.Net product users should seek Gemalto’s advisory
If your device or software is unlisted and you still have concerns, please reach out directly to your vendor or retailer.
In case you cannot determine whether your device(s) are impacted, the researchers who uncovered the vulnerability have provided test tools that help assess if your RSA public keys are at risk.
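One publicly documented way to test a public key, shown here as an added example (not code from the original guidance or from the researchers' tools): a modulus produced by the affected library is congruent to a power of 65537 modulo each small prime, and unaffected keys almost always fail that test for at least one prime. The function names and the sample integers are constructed for this illustration; the input format assumed is the `Modulus=<HEX>` line printed by `openssl rsa -modulus -noout`.

```python
# Added example: ROCA fingerprint check on RSA public moduli (stdlib only).
SMALL_PRIMES = [3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59,
                61, 67, 71, 73, 79, 83, 89, 97, 101, 103, 107, 109, 113, 127,
                131, 137, 139, 149, 151, 157, 163, 167]
GENERATOR = 65537


def subgroup(generator, prime):
    """Residues reachable as generator**i mod prime."""
    seen, value = set(), 1
    while value not in seen:
        seen.add(value)
        value = value * generator % prime
    return seen


# Allowed residues of an affected modulus, precomputed per small prime.
ALLOWED = {p: subgroup(GENERATOR, p) for p in SMALL_PRIMES}


def has_roca_fingerprint(modulus):
    """True when modulus mod p is a power of 65537 for every small prime p."""
    return all(modulus % p in ALLOWED[p] for p in SMALL_PRIMES)


def parse_openssl_modulus(line):
    """Parse the 'Modulus=<HEX>' line printed by `openssl rsa -modulus -noout`."""
    key, _, value = line.strip().partition("=")
    if key != "Modulus" or not value:
        raise ValueError("expected a 'Modulus=<HEX>' line")
    return int(value, 16)


def constructed_samples():
    """Constructed integers, not real keys: (fingerprinted, not fingerprinted)."""
    m = 2
    for p in SMALL_PRIMES:
        m *= p
    marked = pow(GENERATOR, 12345, m) + 7 * m
    return marked, marked + 4  # +4 moves the residue mod 11 out of {1, 10}


if __name__ == "__main__":
    for n in constructed_samples():
        line = "Modulus=%X" % n
        flagged = has_roca_fingerprint(parse_openssl_modulus(line))
        print(line[:24] + "...", "replace key" if flagged else "no fingerprint")
```

A key that is flagged should be treated as weak and replaced following the vendor advice; the check needs only the public key, so it can be run over exported certificates and SSH or PGP public keys without touching the device.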
Potential Implications of the Vulnerability
Given the wide range of potential applications, providing exhaustive guidance on this issue is not feasible. However, we summarize the consequences on significant affected platforms below.
Affected Windows End-User Devices
The NCSC security guidance for Windows end-user devices incorporates the use of TPMs for a variety of functionalities. If you have a vulnerable device and are following NCSC guidance, you will need to take corrective action. The following features may have significantly reduced security:
- BitLocker (when utilizing TPM 1.2)
- Credential Guard/DPAPI/Windows Information Protection systems
- Device Health Attestation Service (DHA)
- Virtual Smart Cards (VSC)
- Windows Hello for Business and Azure Active Directory
- Windows Hello and Microsoft Accounts (MSA)
To comprehend the complete impact concerning each feature, please refer to this link. Typically, home users of Windows are less likely to be vulnerable, as the main feature they may use the TPM for appears to be Device Encryption on Windows 8 and later, which does not depend on RSA keys produced by the TPM.
Windows Server Implications
Below are Windows Server functionalities that are susceptible if running on hardware with a vulnerable TPM:
- Active Directory Certificate Services (ADCS)
- Active Directory Domain Services (ADDS)
- Public key authentication for Windows Server 2016 Domain-joined devices
For the detailed effect of the vulnerability on these functionalities, refer to this advisory.
Chrome OS Devices
Chrome OS devices are vulnerable under their default settings. The security features at risk include:
- User data encryption
- Network authentications using certificates for services including WPA2-EAP and HTTPS
- Chrome OS Verified Access
Comprehensive details of affected features can be found here. Users can check for TPM-backed certificates at chrome://settings/certificates.
Embedded Devices, Smart Cards, and Third-Party Security Software
For specific information about impacts regarding this vulnerability, please consult your device manufacturer or software provider.
Steps for Protection
Considering the nuances of this vulnerability, we recommend the following strategies:
- Focus first on critical services, including public-facing network services, Certificate Authorities, Hardware Security Modules, VPNs, and software signing.
- Adhere to manufacturer guidelines to assess device vulnerability.
- Apply available updates to mitigate the root cause of the issue.
- Follow manufacturer or software vendor advice to replace keys generated with the compromised component.
It’s essential to note that even if you have several affected devices, it may be possible to manage the risk without immediate comprehensive patching. For instance, breaking an RSA key safeguarding BitLocker would still require physical access, and it would cost an estimated $20,000 per device (for 2048-bit keys). While this cost may decrease over time, organizations might choose to initiate a gradual remediation process rather than immediate device recalls.
Important: Additional Steps Needed
In many cases, applying updates alone does not resolve the ROCA vulnerability. Manual actions are required to revoke weak keys and generate stronger ones. In cases where hardware or firmware updates are not available, software alternatives may enhance security.
For example, devices using BitLocker with TPM or TPM+PIN protectors will need those protectors reapplied, although this does not require decrypting and re-encrypting the entire disk. Details regarding remedial actions can be found on the websites of these vendors:
- Microsoft: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV170012
- Google: https://sites.google.com/a/chromium.org/dev/chromium-os/tpm_firmware_update
Firmware updates for affected devices can be obtained through the device’s OEM. Relevant links are provided in the following section.
Further Resources
To learn more about the ROCA vulnerability and protective measures, see the links provided by relevant organizations.
Based on an article from ncsc.gov.uk: https://www.ncsc.gov.uk/guidance/roca-infineon-tpm-and-secure-element-rsa-vulnerability-guidance