Initial Tiger Team Report on Potential TPM Vulnerability, and Mitigation Plan

Team Members: Peter Leight / Richard Hammer

June 2, 2006

Executive Summary:

TPM Defined:

TPM, Trusted Platform Module, is a hardware chip built into newer laptops to store passwords, encryption keys, and digital certificates. Storing this authentication data on the chip, instead of on a computer hard drive, increases the security of encrypted data.

Issue:

Dell D820 laptops, in production on our network, were found to have TPM software that might be attempting to contact a site outside the company. The software also appeared to be exposing the laptops to potential compromise.

Research Summary:

D820 laptops were attempting to update their software by contacting a vendor website.

The laptops were also open for contact by vendor software in order to function properly.

Both potential vulnerabilities pose no threat to our environment since we build our laptops from scratch without including the Dell software. Our personal firewall software policy prevents applications that are not specifically approved from initiating or receiving connections. Our perimeter firewall policies, VPN configuration policies, and intrusion detection software add defense-in-depth which would still protect us in the event that a factory configured laptop was accidentally deployed on the network.

Tactical Plan:

Current defense-in-depth measures provide solid protection. It is recommended that we add 2 rules to our intrusion detection system to ensure this behavior is not occurring despite our strong defensive posture.

Strategic Plan:

Potential loss of revenue and consumer confidence, civil and criminal liabilities, and the dynamic regulatory environment demand that we pursue protection of data, both at rest, and in motion. It is recommended that we evaluate “best-of-breed” disk encryption systems while following up with the vendors of this software as they patch their product.

This should help us to select a cost-effective solution that will protect data on our mobile laptops. Additionally, it is recommended that a similar evaluation be performed for email encryption solutions leveraging the same technology.

Summary: Current network security posture vs. potential TPM vulnerability is strong.

IDS rules to regularly confirm this should be implemented. Encryption solutions need to be evaluated for hard drives and e-mail.

Technical Report on Possible TPM Vulnerability and Suggested Corrective Actions

“The TPM is a microcontroller that stores keys, passwords and digital certificates. It typically is affixed to the motherboard of a PC. It potentially can be used in any computing device that requires these functions. The nature of this silicon ensures that the information stored there is made more secure from external software attack and physical theft. Security processes, such as digital signature and key exchange, are protected through the secure TCG subsystem. Access to data and secrets in a platform could be denied if the boot sequence is not as expected. Critical applications and capabilities such as secure email, secure web access and local protection of data are thereby made much more secure…. Systems with TPMs offer improved, hardware-based security in numerous applications, such as file and folder encryption, local password management, S-MIME e-mail, VPN and PKI authentication and wireless authentication for 802.1x and LEAP.”

-- https://www.trustedcomputinggroup.org/faq/TPMFAQ/

Potential problems with the Dell D820 laptop deployment of TPM have recently been identified by James Philput of the SANS Institute. In a SANS advisory board posting, Mr. Philput explained that he had witnessed outbound DNS queries for www.wave.com coming from the laptops. Additionally, he observed that TCP port 10001 was open and listening on the laptops. This port was identified as connected to a service named tcsd_win32.exe running as the system user.

– paraphrased from an e-mail from Stephen Northcutt to SANS advisory board – posted Wed, 24 May 2006 02:40:54 -0400 to advisory-board@lists.sans.org

The Dell D820 laptop implementation of TPM runs Wave Systems Corporation’s Embassy Trust Suite (ETS) packaged for Dell laptops. Drivers/software are located at http://support.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R120905&SystemID=LATITUDE%20D820&os=WW1&osl=en&deviceid=11468&devlib=0&typecnt=1&vercnt=2&formatcnt=1&libid=27&fileid=161050

We contacted Joe with the Technical Support Group at Wave to discuss the software product in question:

It was explained that queries for recent updates to the ETS software are launched automatically on the laptops. This auto-update feature is installed by default, and performs a DNS query to find the IP address for www.wave.com. We were informed that Wave is in the development phase on a new Enterprise Update Server that will reside locally on the client network, eliminating the necessity for internet-bound update requests. In the meantime, we would recommend that the auto-update feature be disabled per Wave’s recommendations below:

“The DNS queries you have noted are due to the Secure Update feature of Embassy Trust Suite checking the Wave Systems site for software updates. The file responsible for this is C:\Program Files\Wave Systems Corp\Services Manager\Secure Update\AutoUpdate.exe

You can disable this behavior by removing the 'EMBASSY Trust Suite Secure Update' from the Startup folder under All Users.”

– Received via e-mail from support@wavesys.com to summarize the phone conversation with Joe from Wave Systems.

Discussion continued regarding the listening TCP port (10001) and Wave indicated that it should be disabled after the auto-update feature was turned off, and that we should contact the encryption vendor, NTRU, if it remained open.

The following was received via e-mail from support@wavesys.com to summarize the phone conversation with Joe from Wave Systems:

“The TCSD_Win32.EXE file is the executable for the NTRU Hybrid TSS service which provides PKCS services to the system. Port 10001 is the standard TCP/UDP port for the Secure Copy Protocol (SCP) which utilizes a Secure Shell (SSH) tunnel for secure file transfer. If the service does not stop listening on this port after disabling the Secure Update Service and rebooting, you will need to contact Ntru Cryptosystems (www.ntru.com) for more information about the service.”

Believing that there were two separate factors at work and that the fix provided by Wave would not resolve the listening port issue, we immediately initiated attempts to contact NTRU.

After some research and persistent effort, we were able to speak with Dr. Mark Etzel, the Director of Engineering for NTRU. The following is a summary of our conversation. NTRU will be following up with a document summarizing this issue next week:

The Trusted Computing Group (TCG) foresaw that applications might need to run with system privileges to manage TPM on remote machines. Therefore, the open stack specifications from TCG required remote connectivity to TCS which ran with system privileges. (TCS is the lower layer of the Trusted Software Stack (TSS) that talks to the TPM chipset. TSP is the upper layer component of TSS, which Wave uses to dynamically link with the TSS stack). NTRU’s implementation opened TCP port 10001 to enable remote connectivity to the TCS layer. The new revision of the TCG specification calls for remote access to be disabled by default. NTRU has released a patch to Wave for testing that turns off remote access to TCS. TCS specs have a system key store which is accessible to all users and user key stores that grant restricted user access. This forced NTRU to run the service with system privileges. NTRU is currently testing with Vista to allow the software to run with lesser privileges.

The information in the above paragraph has not been verified independently. It is a summary of information provided by NTRU. However, regardless of the technical process by which TPM works, we would recommend that the NTRU TCS service be disabled until stable patches are available and the operation of the software and its services are understood more thoroughly.

The only Dell products running on our network are D820 laptops. Unfortunately, we were unable to pull one from production as they were all out in the field today. Testing has been scheduled for next week.

We were able to test a Dell D610 laptop, which is no longer in production in our environment. TPM hardware was present and disabled in the BIOS. No TPM software was present. We were able to load the appropriate software, and activate TPM in the BIOS. A sniffer was attached, and traffic was monitored for 30 minutes. No irregular outgoing traffic was detected. Port scans detected TCP/UDP ports 10001 closed, and no other abnormal ports were open for connection. Software was obtained via Dell’s support web site at: http://support.dell.com/support/downloads/download.aspx?c=us&l=en&s=gen&releaseid=R99394&SystemID=LAT_PNT_PM_D610&os=WW1&osl=en&deviceid=8341&devlib=0&typecnt=1&vercnt=2&formatcnt=1&libid=27&fileid=128686

Tactical Action Plan:

Investigation revealed that this particular Wave/NTRU software package is utilized by Dell D620, D820, M65, and M90 laptops. Of these, only D820 laptops are present in our environment.

Since all of our D820 laptops received a clean installation image free of any Dell/Wave/NTRU software, we are not exposed to any potential threats from this issue.

Recommendations above are for informational purposes should any laptops be found that are not using company images, if circumstances prevent immediate imaging of the machine.

Additionally, we are running CheckPoint Integrity software (Zone Alarm enterprise firewall software). Per policy, this is currently configured to prevent unknown applications from initiating outbound connections. Additionally, per policy, inbound connection attempts are blocked unless specifically permitted. Integrity SecureClient for VPN users is configured, per policy, to the same specifications used for internal use. Per our VPN policy, configuration prohibits local LAN access when VPN is connected. This adds an additional layer of defense, since the perimeter firewall no longer adds an extra layer of defense for VPN users. As a result, the Wave auto-update attempts and connection attempts to unapproved NTRU TCP port 10001 would fail, even if the software was present on the machine. Perimeter security policy prevents any outbound connection attempts, except those through the proxy server with a destination port of 80, 8080, or 443. If information obtained from the SANS’ posting is correct, connection attempts are targeted to the www.wave.com server. Since port 80 is utilized as the main http page on this server, it seems likely that a port other than 80, 8080, or 443 is being used. Unfortunately, this has not yet been confirmed.

Inbound filtering would prevent any connection from the internet to TCP Port 10001 on our network, further reducing exposure.

To ensure that this software is not present and evading our defenses, we recommend implementation of an IDS rule searching for TCP and UDP traffic with a destination port of 10001. Although we found no other indication that UDP traffic was utilized by this software, Wave’s e-mail pooled TCP and UDP 10001 together. This, in our eyes, justifies the inclusion of UDP port 10001 in our IDS rule. Another rule, keying on UDP and TCP queries for the domain wave.com, should be added to detect auto-update attempts. At least temporarily, the added protection should outweigh false positives for attempts to access the www.wave.com web site.
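The two checks recommended above, written out as an added example that is not part of the original report and is not an IDS vendor's rule syntax. The record layout (proto, dst_port, payload), the alert names and the sample records are assumptions constructed for illustration; the DNS check parses the query name so that only wave.com and its subdomains match.

```python
import struct

WATCH_PORT = 10001         # listener port the report attributes to tcsd_win32.exe
WATCH_DOMAIN = "wave.com"  # domain the auto-update feature resolves

def dns_qname(msg):
    """Return the first question name of a raw DNS message, or None if malformed."""
    if len(msg) < 12 or struct.unpack("!H", msg[4:6])[0] < 1:
        return None
    labels, pos = [], 12
    while pos < len(msg):
        n = msg[pos]
        if n == 0:
            return ".".join(labels).lower()
        if n > 63 or pos + 1 + n > len(msg):  # compression pointer or truncated label
            return None
        labels.append(msg[pos + 1:pos + 1 + n].decode("ascii", "replace"))
        pos += 1 + n
    return None

def check(rec):
    """Return the alert names raised by one record (hypothetical record layout)."""
    alerts = []
    if rec["proto"] in ("tcp", "udp") and rec["dst_port"] == WATCH_PORT:
        alerts.append("dst-port-10001")
    if rec["dst_port"] == 53:
        # DNS over TCP prefixes the message with a 2-byte length field.
        msg = rec["payload"][2:] if rec["proto"] == "tcp" else rec["payload"]
        name = dns_qname(msg)
        # Match the domain and its subdomains only, so microwave.com does not fire.
        if name and (name == WATCH_DOMAIN or name.endswith("." + WATCH_DOMAIN)):
            alerts.append("dns-wave.com")
    return alerts

def build_query(name, tcp=False):
    """Build a minimal DNS A query; used only to construct the sample input."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)
    return struct.pack("!H", len(msg)) + msg if tcp else msg

# Constructed sample records, not captured traffic.
SAMPLE = [
    {"proto": "udp", "dst_port": 53, "payload": build_query("www.wave.com")},
    {"proto": "udp", "dst_port": 53, "payload": build_query("www.microwave.com")},
    {"proto": "tcp", "dst_port": 53, "payload": build_query("WAVE.COM", tcp=True)},
    {"proto": "tcp", "dst_port": 10001, "payload": b""},
    {"proto": "udp", "dst_port": 10001, "payload": b""},
    {"proto": "tcp", "dst_port": 443, "payload": b""},
]
RESULTS = [check(r) for r in SAMPLE]
```
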

Our defense-in-depth, including clean images, personal firewalls, perimeter security policy, and intrusion detection monitoring, leaves us well defended against this potential vulnerability.

Strategic Action Plan:

Currently, our mobile workers have no encryption on their hard drives. Wave’s software offers some exciting possibilities for disk encryption, multiple factor authentication utilizing biometrics and tokens, and RSA acceleration.

Current events highlight the dangers of unencrypted data, either at rest or in motion.

Since the TPM chip and Wave software are available at no additional cost on our D820 laptops, our recommendation is to research our future options for deployment. Any production implementation would be dependent on clear, substantiated evidence that we are not exposing our data to any unnecessary risks.

Product analysis and trial testing should be conducted for current “best-of-breed” solutions for disk encryption and multiple-factor authentication to determine whether other solutions might provide the same or increased protection without the potential additional risks associated with Dell’s current solution.

Follow-up discussions should be held with Dell, Wave, and NTRU to monitor the new patch, and any future software revisions.

A cost-benefit analysis should be performed to determine which solution currently makes the most sense for the enterprise. Our recommendation is to begin implementation of a disk encryption solution within the next 90 days.

Constant vigilance must be maintained while testing new products prior to deployment, since TPM technology is being deployed by vendors industry-wide.
