In November 2020, Microsoft introduced Pluton, a security processor designed by the company to prevent some forms of sophisticated hacker attacks. On Tuesday, AMD said it will integrate this chip into upcoming Ryzen CPUs for use on Lenovo’s ThinkPad Z laptop line.
Microsoft already uses Pluton to secure Xbox Ones and Azure Sphere microcontrollers against attacks through physical access by unboxing and hacking into the hardware to bypass attacks. protection class. Such attacks are often carried out by owners to trick the machine’s software into installing programs or games illegally.
Pluton will now be used to secure PCs against physical hacks designed to install malware or steal encryption keys and other sensitive information. While many other device systems already have protection modules such as Intel’s Software Guard Extension to secure data, confidential data is still very vulnerable to such attacks.
One such type of physical attack involves placing wires between the TPM chip and other devices in order to extract data as it is transmitted to the computer.
Last August, researchers discovered such an attack and it took only 30 minutes to obtain the BitLocker key from a Lenovo computer that was set up with TPM chip-protected drive encryption. password in BIOS and SecureBoot UEFI. The attack was carried out by eavesdropping on the connection between the TPM chip and the CMOS chip – which shows that it is not enough to lock the laptop code with the highest security layers today.
A new approach
Pluton was designed by Microsoft to fix those loopholes. It is integrated directly into the CPU, where it stores encryption keys and other confidential data in isolation from other system components. Microsoft says the data stored in it cannot be removed, even if an attacker installs malware or has full physical access to the PC.
One of the measures to protect these data is the Secure Hardware Cryptography Key or SHACK encryption key. It helps to ensure that encryption keys are not exposed outside of protected hardware, even to the Pluton firmware itself. Pluton will be updated firmware automatically through Windows Update. By tightly integrating hardware and software, Microsoft expects Pluton to install security patches seamlessly.
According to Joseph FitzPatrick, a hardware hacker and in-depth firmware security researcher at SecuringHardware.com, Pluton will prevent people from running modified software without the developer’s permission.
“Its benefit is to make x86 operating systems more secure and stable by using tighter barriers“However, FitzPatrick said: “Its downside is the usual complaints about these tight barriers.”
Currently, TPM security chips have a very basic limitation – they were never designed to resist physical attacks. Over time, Microsoft and others began to use BitLocker as a repository for BitLocker encryption keys and other tools. This approach is more secure than storing the encryption key on a disk, but as the researchers demonstrated, these chips are still not enough against today’s hackers.
Before Microsoft, Apple and Google took a similar approach with the T2 and Titan security chips. These chips provide some layer of protection against physical attacks, but essentially both are mounted on the system’s circuit boards. In contrast, Pluton is integrated directly onto the CPU, further improving data security.
According to Microsoft, the ThinkPad Z series laptops using Ryzen chips equipped with Pluton will start shipping in May this year. The Z13 and Z16 versions use Pluton as a TPM chip that will help protect Windows Hello logins by isolating them from hackers.
Refer to Arstechnica