TPM-Sniffing LUKS Keys on an Embedded Linux Device [CVE-2026-0714]
3 hours ago
- #Embedded
- #TPM
- #Security
- Demonstration of a TPM-sniffing attack on the Moxa UC-1222A Secure Edition, revealing LUKS decryption keys transmitted unencrypted over SPI.
- The attack leverages passive monitoring of the SPI bus between the SoC and TPM 2.0 during boot, exploiting TPM2_NV_Read operations.
- Moxa acknowledged the vulnerability, assigning it CVE-2026-0714, highlighting risks in embedded Linux devices using TPM for disk encryption.
- Comparison with previous TPM sniffing attacks on BitLocker systems, noting the novelty of targeting TPM2_NV_Read in this context.
- Detailed methodology including firmware analysis, hardware setup with a Logic Analyzer, and successful key extraction and validation.
- Discussion on mitigations suggested by TCG, emphasizing encrypted sessions for protecting TPM communications against sniffing.
- References to prior research and tools, underlining the broader implications for devices relying on TPM for security.