Infineon Technology, a German semiconductor company, announced that its Trusted Platform Modules (TPMs) were generating insecure RSA keys. The main manufacturers that seem to have been affected by this are Lenovo, HP, and Fujitsu.
Updated firmware has already been released in the latest Windows patch bundle, but users will have to regenerate their keys in UEFI settings to replace the insecure keys with secure ones.
TPMs
A TPM is an international standard for a cryptoprocessor that comes with many of today's motherboards. When users encrypt their Windows computers, the keys stored in the TPM so that no Windows malware can extract them, because the operating system doesn’t have direct access to the TPM. The TPM can only be accessed from BIOS/UEFI.
TPMs can also store biometric and other authentication data that can’t be stolen by remote hackers or even through physical attacks (someone stealing your laptop and extracting the keys), although this may require additional anti-tampering enhancements from device manufacturers.
Infineon TPM’s Vulnerability
Infineon hasn’t given too many details, other than the fact that a vulnerability existed in its TPM firmware that led to the creation of RSA public keys for applications that were not secure. This means all software programs that may have used those RSA keys from the TPM are now vulnerable to attacks, unless users update to the latest Infineon firmware or get the latest October 10 Windows patches. Even so, the users will still need to manually clear their old TPMs keys in BIOS/UEFI after they’ve updated the firmware. If you clear the TPM keys your encrypted data will become unavailable, so you may want to either disable Bitlocker first or backup your data.
You can see which Lenovo, HP, and Fujitsu devices were affected on the companies’ respective support pages (Lenovo, HP, Fujitsu).
