Some of the biggest tech giants in the industry are warning customers of a very serious vulnerability affecting TPM chips produced by Infineon Technologies. The vulnerability itself is created by a flaw in the Trusted Platform Module (TPM), which is designed to protect cryptographic keys and operations inside dedicated hardware. Protections provided by the TPM include: encrypted key storage, certificates, sensitive data, disk encryption, passwords, authentication tokens, S/MIME/PGP email encryption, and more. The TPM provides these protections at the hardware level.
The vulnerability is a product of the method by which RSA keys are generated by the TPM module, known as Fast Prime. To put it simply: Fast Prime is an algorithm that accelerates the TPM module's ability to generate RSA key pairs.
Once an attacker obtains the public RSA key of a device with an affected Infineon TPM module, they are able to compute the private key through factorization. Because of the amount of resources required to compute these keys, the individual user is unlikely to have much to worry about. Current factorization estimates show 2 hours of CPU time for a 512-bit key, and 140.8 years of CPU time for a 2048-bit RSA key. Because of these resource requirements, attacks are restricted to very dedicated attackers with significant resources at their disposal. Even still… in this day and age, anything can happen.
At this time the following vendors are using Infineon chipsets:
ASUS
Acer
Lenovo
HP
Toshiba
Samsung
LG
Chromebook
If you own a device made by one of these vendors, you should check whether any firmware update has been released for it. Microsoft and Google have also released updates for their operating systems; however, these will not be as effective as a firmware update. Many thanks to SCHTASK for the writeup!
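A defender-side key screen, added here as an example and not part of the [H]ardOCP article or of any vendor tool: it checks whether an RSA public modulus carries the residue pattern that the affected key generator leaves in its primes, which is how a set of exported public keys can be triaged for replacement once firmware is fixed. It assumes public exponent 65537 and screens with the first 39 primes (the primorial used for 512-bit keys, which also divides the primorials used for larger key sizes); the helper names and the synthetic modulus are constructed for this example.

```python
# Added example (not from the article): screen an RSA public modulus for the
# structure the affected Infineon generator imposes on its primes. Assumed:
# exponent 65537 and the 39-prime primorial M (covers all key sizes).

def first_primes(count):
    """Return the first `count` prime numbers by trial division."""
    primes, n = [], 2
    while len(primes) < count:
        if all(n % p for p in primes if p * p <= n):
            primes.append(n)
        n += 1
    return primes


SMALL_PRIMES = first_primes(39)  # 2, 3, 5, ..., 167


def generated_residues(p, g=65537):
    """Residues of the cyclic subgroup generated by g modulo the prime p."""
    residues, x = set(), 1
    while True:
        residues.add(x)
        x = (x * g) % p
        if x == 1:
            return residues


RESIDUE_SETS = {p: generated_residues(p) for p in SMALL_PRIMES}


def has_fast_prime_fingerprint(n):
    """True when n mod p lies inside <65537> mod p for every small prime p.

    Affected primes have the form k*M + (65537**a mod M), so their product
    satisfies this for every p dividing M; a random modulus almost never does.
    A positive result means the key should be regenerated after the fix.
    """
    return all(n % p in RESIDUE_SETS[p] for p in SMALL_PRIMES)


def synthetic_fingerprinted_modulus(a, b, k1, k2):
    """Constructed fixture mimicking the affected structure (factors are not
    checked for primality; this is screening input, not a real key)."""
    M = 1
    for p in SMALL_PRIMES:
        M *= p
    return (k1 * M + pow(65537, a, M)) * (k2 * M + pow(65537, b, M))


if __name__ == "__main__":
    print(has_fast_prime_fingerprint(synthetic_fingerprinted_modulus(5, 9, 12345, 67890)))
    print(has_fast_prime_fingerprint(3599))  # 59*61: 3599 mod 11 = 2, not in {1, 10}
```

Most small primes contribute no constraint because 65537 generates the whole group modulo them; the screening power comes from primes such as 11, where 65537 has tiny order, so a single failing prime is enough to clear a key.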
Source: [H]ardOCP – Cryptographic Flaw Within Infineon TPM Chips Announced