Billions of PCs and other devices vulnerable to newly discovered TPM 2.0 flaws
Flaws could allow hackers to steal cryptographic keys and other sensitive data
Despite the fact that the Trusted Platform Module (TPM) 2.0 chips found in newer PCs are designed to improve their security, two new vulnerabilities could put billions of devices running Windows 11 at risk.
PC makers have been adding TPM 2.0 chips to their motherboards since 2016 and these chips are used to generate and store cryptographic keys and other sensitive data. This is why any vulnerability in TPM 2.0 is certainly a cause for concern.
With the release of Windows 11 back in 2021, Microsoft caused quite a stir by making TPM 2.0 a requirement for its latest operating system. The move was intended to make Windows 11 more secure than its predecessor as TPM 2.0 is used for the security measures that take place when a PC first boots up as well as for providing authentication for Windows Hello face recognition.
According to BleepingComputer though, TPM is required for some Windows security features like Measured Boot, Device Encryption, Windows Defender System Guard (DRTM), and Device Health Attestation but it isn’t required for some commonly used features. When TPM is available though, the security features in Windows are enhanced and are better able to protect sensitive information and encrypt data.
New TPM 2.0 vulnerabilities
These new TPM 2.0 flaws are buffer overflow vulnerabilities discovered by Francisco Falcon and Ivan Arce from Quarkslab who are warning that they could impact billions of devices.
The vulnerabilities in question (tracked as CVE 2023-1017 and CVE-2023-1018) could be exploited by an attacker to escalate privileges and steal sensitive data from vulnerable devices. This would completely negate the added security that TPM 2.0 chips were designed to add to Windows 11 in the first place.
To make matters worse, the CERT Coordination Center at Carnegie Mellon University published an alert in which it warned that an exploit leveraging these vulnerabilities would be essentially “undetectable” by the devices themselves as well as the best antivirus software.
Sign up to get the BEST of Tom's Guide direct to your inbox.
Here at Tom’s Guide our expert editors are committed to bringing you the best news, reviews and guides to help you stay informed and ahead of the curve!
Fortunately, the Trusted Computing Group (TCG) has come up with a fix for now in a new security bulletin (PDF). Basically, it involves vendors moving to a fixed version of the Trusted Platform Module specification, more specifically either of the ones listed below:
- TMP 2.0 v1.59 Errata version 1.4 or higher
- TMP 2.0 v1.38 Errata version 1.13 or higher
- TMP 2.0 v1.16 Errata version 1.6 or higher
How to protect your Windows 11 PC
Although there is a workaround to protect vulnerable PCs from these flaws, so far, only Lenovo has released a security advisory about them in which it warns that some of its systems running Nuvoton TPM 2.0 chips are vulnerable to CVE-2023-1017.
We’ll likely see other PC makers address these flaws soon but in the meantime, it’s recommended that Windows 11 users limit physical access to their devices, only use signed software from reputable vendors and apply any firmware updates as soon as they become available.
It’s also worth noting that malware could be used to exploit these flaws so you’ll want to make sure that Microsoft Defender is updated and enabled. However, you might also want to consider one of the best Windows 11 antivirus software solutions for additional protection.
More from Tom's Guide
Anthony Spadafora is the managing editor for security and home office furniture at Tom’s Guide where he covers everything from data breaches to password managers and the best way to cover your whole home or business with Wi-Fi. He also reviews standing desks, office chairs and other home office accessories with a penchant for building desk setups. Before joining the team, Anthony wrote for ITProPortal while living in Korea and later for TechRadar Pro after moving back to the US. Based in Houston, Texas, when he’s not writing Anthony can be found tinkering with PCs and game consoles, managing cables and upgrading his smart home.