Mike, I saw your tip on the Trusted Platform Module and was wondering what your reaction is to various reports that the German government does not trust the latest version of TPM in combination with Windows 8? Particularly, it suggests that the inability to turn off TPM may allow someone to establish a backdoor into a system. Should enterprises be concerned about this issue?
Ask the Expert
Do you have an application security or platform security question for Michael Cobb? Submit it now via email (All questions are anonymous
The Trusted Platform Module (TPM) is a chip that uses its own internal firmware and logic circuits to provide an enterprise with hardware-based cryptographic and security-related functions, such as system integrity checks, disk encryption and key management. TPM can also control which software runs on a computer, providing strong protection against malicious code. Microsoft is pushing for the adoption of TPM, and in order to be Windows 8.1 certified, devices must support TPM version 2.0. The main difference between TPM 2.0 and version 1.0 is that users can no longer choose to opt in or out of using TPM. In version 2.0, TPM is controlled by the operating system and is always on.
According to leaked internal documents seen by the German newspaper Die Zeit, IT experts from the German Federal Office for Information Security (BSI) have raised concerns about their ability to deliver on their security objectives of ensuring confidentiality and integrity for computers with Windows 8 and TPM 2.0. With TPM 2.0 always on, ultimate control of the machine is taken away from the user and given to Windows 8 and, by proxy, Microsoft. Another concern has to do with knowing who has access to the endorsement key -- which is at the heart of TPM security -- prior to it being burned into the TPM hardware.
The debate as to whether the combination of Windows 8 and TPM 2.0 creates a backdoor to systems for the NSA will no doubt continue for a long time, and enterprises will likely never know the full extent of the NSA's surveillance activities. However, RSA's recent advisory to some of its customers urging them to stop using a cryptographic component shows that the BSI's concern about the potential privacy issues regarding TPM may be justified.
The BSI responded to the reports citing the leaked documents by stating that specific user groups may well increase security by using Windows 8 in conjunction with TPM. However, the lack of a conscious opt-in and the inability to opt out mean a loss of control over the operating system and the hardware. Errors -- either accidental or intentional -- create new risks for users and could lead to a situation where hardware and software are practically or even permanently unusable. This would certainly not be acceptable for federal personnel or computers running critical infrastructure.
The Internet today is chock full of conspiracy theories, freshly fueled by revelations about U.S. surveillance in the documents leaked by Edward Snowden. Current paranoia is definitely clouding the benefits of TPM 2.0. It is designed to be on by default with no user interaction needed, because requiring the user to enable the TPM would lead to many systems, if not most, being less secure by default.
It is possible for original equipment manufacturers to turn off the TPM in x86 machines, so it should still be possible to purchase machines with TPMs disabled. The downside to this option, of course, is that the many security benefits of TPM would be unavailable.
While a backdoor is not impossible, the threat of hackers should be of greater concern. Microsoft has made a fundamental commitment to trustworthy hardware, and TPM 2.0 is a key component of this initiative. For the majority of users, the security benefits of TPM will far outweigh any "loss of control" of their PC. Given a choice, I would prefer to lose control to Microsoft rather than to an unknown hacker.
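For an enterprise that wants to know where each Windows machine stands on the points discussed above (TPM exposed or disabled, which spec family, provisioned or not), the following is an added example and not part of the original answer. It uses the built-in `Get-Tpm` cmdlet and the `Win32_Tpm` WMI class; the function name `Get-TpmPosture` and the finding strings are assumptions made for illustration.

```powershell
# Added example: report the TPM state of the local Windows host.
# Requires an elevated prompt on Windows 8 / Server 2012 or later.
# Get-TpmPosture is a hypothetical helper name, not a built-in cmdlet.
function Get-TpmPosture {
    [CmdletBinding()]
    param()

    $present = $false; $ready = $false; $enabled = $false; $family = $null

    $tpm = Get-Tpm -ErrorAction Stop
    $present = [bool]$tpm.TpmPresent

    if (-not $present) {
        # Nothing exposed to the OS: no chip, or switched off in firmware.
        $finding = 'No TPM exposed to Windows (absent or disabled in firmware)'
    } else {
        $ready = [bool]$tpm.TpmReady
        # Win32_Tpm.SpecVersion looks like "2.0, 0, 1.16" or "1.2, 2, 3";
        # the first field is the specification family.
        $wmi = Get-CimInstance -Namespace 'root\cimv2\Security\MicrosoftTpm' `
                               -ClassName Win32_Tpm -ErrorAction Stop |
               Select-Object -First 1
        $family  = ($wmi.SpecVersion -split ',')[0].Trim()
        $enabled = [bool]$wmi.IsEnabled_InitialValue

        if (-not $enabled) {
            $finding = 'TPM present but not enabled'
        } elseif (-not $ready) {
            $finding = 'TPM enabled but not yet provisioned by Windows'
        } elseif ($family -ne '2.0') {
            $finding = "TPM ready, spec family $family (not 2.0)"
        } else {
            $finding = 'TPM 2.0 enabled and ready'
        }
    }

    [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Present    = $present
        Enabled    = $enabled
        Ready      = $ready
        SpecFamily = $family
        Finding    = $finding
    }
}

Get-TpmPosture | Format-List
```

Because the function returns an object rather than text, the same call can be collected from many hosts and grouped by `Finding` to see how many machines shipped with the TPM disabled.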