reader comments
39 with 35 posters participating
In November 2020, Microsoft unveiled Pluton, a security processor that the company designed to thwart some of the most sophisticated types of hack attacks. On Tuesday, AMD said it would integrate the chip into its upcoming Ryzen CPUs for use in Lenovo’s ThinkPad Z Series of laptops.
Microsoft already used Pluton to secure Xbox Ones and Azure Sphere microcontrollers against attacks that involve people with physical access opening device cases and performing hardware hacks that bypass security protections. Such hacks are usually carried out by device owners who want to run unauthorized games or programs for cheating.
Now, Pluton is evolving to secure PCs against malicious physical hacks designed to install malware or steal cryptographic keys or other sensitive secrets. While many systems already have trusted platform modules or protections such as Intel’s Software Guard Extensions to secure such data, the secrets remain vulnerable to several types of attacks.
One such physical attack involves placing wires that tap the connection between a TPM and other device components and extract the secrets that pass between the machines. Last August, researchers disclosed an attack that took only 30 minutes to obtain the BitLocker key from a new Lenovo computer preconfigured to use full-disk encryption with a TPM, password-protected BIOS settings, and UEFI SecureBoot. The hack—which worked by sniffing the connection between the TPM and the CMOS chip—showed that locking down a laptop with the latest defenses isn’t always enough.
A similar attack unveiled three months later showed it was possible to exploit a vulnerability (now fixed) in Intel CPUs to defeat a variety of security measures, including those provided by BitLocker, TPMs, and anti-copying restrictions. Attacks known as Spectre and Meltdown have also repeatedly underscored the threat of malicious code pulling secrets directly out of a CPU, even when the secrets are stored in Intel’s SGX.
A new approach
Pluton is designed to fix all of that. It’s integrated directly into a CPU die, where it stores crypto keys and other secrets in a walled-off garden that is completely isolated from other system components. Microsoft has said that the data stored there can’t be removed, even when an attacker has installed malware or has full physical possession of the PC.
begin shipping in May. Microsoft said
ThinkPad Z13 and Z16 models that use Pluton as a TPM will help protect Windows Hello credentials by further isolating the credentials from attackers.