![[H]ard|Forum](/styles/hardforum/xenforo/logo_dark.png){kind=logo}
So does pregnancy…
The Windows 11 TPM requirement isn't for this sort of attack. This is something against Bitlocker, which is not enabled by default. The Windows 11 TPM requirement is for secure boot, to keep malware from fucking with the bootloader.
Poor and wrong clickbait.
It’s not exactly hacking it when you take a system not using it then physically replace the hardware module with a compromised one so that when it is later enabled it is rendered ineffective.
Well it is something that hopefully vendors will clean up in the implementation. The hope with a TPM is that even if a bad actor gets their hands on a system physically, and has unrestricted access to it, they still can't get at the data the TPM protects, which would include the HDD if encrypted using the TPM to hold the key. So it would be good if even this kind of attack were able to be engineered against in the future. However that's a hardware issues, not software. It is also true that you really should look at it more as a device to deter more casual attackers and assume if a targeted, dedicated attacker steals a system they will get in.
The bigger issue is what if they intercept it while it’s new in box being delivered to you. Say CompanyX orders 200 laptops and they get intercepted from the OEM. The bad actors use a team and swap out the TPM modules, rebuild the image, repackage them and send them on their way with barely a blip in the tracking. CompanyX get and deploys them all, possibly even turning on all the correct features to match their deployment image but by that stage it’s all for not. That is the real use for this attack, it might take longer than 30 min, but an IT department probably isn’t going to be concerned if a pallet or two of laptops shows up a day later than originally estimated assuming they got an estimate on the delivery at all. Once things get passed off to a freight company all bets are usually off.
Then you are screwed. There is no such thing as perfect security, you have to figure out what your level of risk to attack is and respond accordingly. For most companies, this is a totally unrealistic risk. An attacker as well equipped and motivated as that might just instead decide to bribe or kidnap the sysadmin who has full access to everything. I mean if someone puts a gun to my head and tells me to let them in to work systems, I'm doing it, I'm not going to die for my job.
Well the article describes a scenario where a courier diverts the configured laptop on its way to the employee where the hackers then have unrestricted physical access to it for some period of time to compromise it. It’s not that big of a stretch, the only difference is I’ve proposed it from the other side of the supply chain, which is not only easier to compromise but also has far more hand offs and fewer tracking measures.
This happens every day already, and is why there are solutions from some of the larger OEMs to guard against this, but it costs more money.
If you really think you can hire people who are willing to die to protect your company's data, you have another thing coming to you.
It was also unused until Microsoft announced that Windows 11 now requires it. So naturally people are going to try and hack it.
TPM for drive encryption has been heavily used on the enterprise/corporate side for a while now.
Like I said, it was unused. The amount of people that will need it for Windows 11 vs the enterprise is so large that the enterprise use of it might as well be nothing. The amount of people who want it defeated are going to be orders of magnitude larger. How well has it worked when zero day exploits still compromise enterprise servers and demand ransomware?
If I take the Ethernet cable with me, I would have the best online security that nobody can match.