9 comments

  • Tiberium 17 hours ago
  • eqvinox 13 hours ago

    Not exactly surprising; unless you establish some type of shared secret between the TPM and CPU (e.g. by burning it into fuses in both devices, or through some signature scheme), the bus connecting the two will always be a problem…

    • pseudohadamard an hour ago

      Also not exactly surprising: It requires direct physical access to the hardware, if an attacker has that level of control you're a goner no matter what you do. In any case since Moxa devices have historically been riddled with buffer overflows and XSS and RCEs and similar vulns, no attacker will ever need to use this attack because there are much, much easier ways to get in that don't require that you travel to where the device is, get past the physical security at the site, remove the device, dismantle it, and attach probes to internal buses.

    • Neywiny 12 hours ago

      I've thought about it but haven't checked too hard: can they not do a key exchange? In my existing research I've found no reason they can't, just that they don't.

      • jcalvinowens 12 hours ago

        They often do, but it can be MITM'd without some sort of authentication, which generally requires something to be installed in the factory.

        • Neywiny 11 hours ago

          I guess we only see the ones that don't in the news. Makes sense. I have yet to see one of these where the data is encrypted and they M'dITM to get it, but I'm sure it's happened.

        • eqvinox 11 hours ago

          Exactly this. Burning in a shared secret works; alternatively you could do something with private keys burned into each device, signed with some PKI scheme whose public keys are known to the other entity.

          Notably both of these turn it into a 'microscope' problem, alternatively if the key leaks somewhere…

          At the end of the day, if the system is to process the data, it needs to access it. (Homomorphic encryption notwithstanding.)

          • Neywiny 11 hours ago

            I thought security chips put (extra?) metallization over top the logic to prevent the microscope problem. Do they not or can that still be defeated? I guess if you're careful enough you can strip off that extra layer

            • eqvinox 9 hours ago

              People are very creative in defeating those mechanisms. It's mostly a question of time. Also doesn't help if there's some side channel or software leak.

              The only "truly" 'safe-ish' thing is active battery powered intrusion detection. It's done for high end HSMs… which easily sell for 5 or 6 digit prices.
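
The point made in the thread above (a key exchange between CPU and TPM can be intercepted on the bus unless a factory-provisioned secret authenticates it), as an added example that is not part of the thread or any vendor's code. The toy group, the function names and the HMAC-over-public-values check are assumptions chosen for illustration; the sketch simulates both endpoints and the bus in one process.

```python
import hashlib
import hmac
import secrets

# Toy group for illustration only (assumption): far too small for real use.
P = 2**127 - 1
G = 3

def keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    return hashlib.sha256(pow(peer_pub, priv, P).to_bytes(16, "big")).digest()

def tag(psk, role, own_pub, peer_pub):
    # MAC over the sender's role and both public values as the sender saw them.
    msg = role + own_pub.to_bytes(16, "big") + peer_pub.to_bytes(16, "big")
    return hmac.new(psk, msg, hashlib.sha256).digest()

def handshake(interposer, psk=None):
    """Simulate one CPU<->TPM exchange.

    Returns (cpu_key, tpm_key, key_known_on_bus, accepted).
    """
    cpu_priv, cpu_pub = keypair()
    tpm_priv, tpm_pub = keypair()
    seen_by_cpu, seen_by_tpm = tpm_pub, cpu_pub   # honest bus: values arrive intact
    known = None
    if interposer:
        # A device on the bus swaps in its own public value in both directions.
        bus_priv, bus_pub = keypair()
        seen_by_cpu = seen_by_tpm = bus_pub
        known = session_key(bus_priv, cpu_pub)    # equals the CPU's session key
    accepted = True                                # unauthenticated: nothing to check
    if psk is not None:
        # Each side sends a tag; the receiver recomputes it from its own view.
        cpu_tag = tag(psk, b"cpu", cpu_pub, seen_by_cpu)
        tpm_tag = tag(psk, b"tpm", tpm_pub, seen_by_tpm)
        accepted = (
            hmac.compare_digest(cpu_tag, tag(psk, b"cpu", seen_by_tpm, tpm_pub))
            and hmac.compare_digest(tpm_tag, tag(psk, b"tpm", seen_by_cpu, cpu_pub))
        )
    cpu_key = session_key(cpu_priv, seen_by_cpu)
    tpm_key = session_key(tpm_priv, seen_by_tpm)
    return cpu_key, tpm_key, known, accepted
```

Without the fused secret the substituted exchange is accepted and the CPU's session key is known on the bus; with it, the tag check fails and the session is refused, which leaves the protection resting on how well the fused secret itself is kept.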