Question What's the chance of inadvertently buying a fake/malicious TPM module?

PeterMuellerr

Commendable
Mar 29, 2021
105
19
1,585
Let's assume that you don't buy an ASUS TPM-M R2.0 module from an official retail seller of ASUS but, say, at a half of the price from an unknown seller on Amazon or eBay. What's the chance that you get a fake module, or, even worse, a malicious one? Would it hurt you if it says it's from ASUS but in reality from someone else? How can such a module be malicious, and would it hurt you if it is?
 

USAFRet

Titan
Moderator
Somewhere between 0% and 100%.
No way to predict from some unknown seller.

What might happen?
At the extreme end, the compromise of all your data. It is a device, with code, that runs on your system. And you would never know.
Is that likely? Absolutely not.
But it is a consideration.
 

PeterMuellerr

Commendable
Mar 29, 2021
105
19
1,585
It is a device, with code, that runs on your system.
I thought the module has a random-number generator, stores keys, and computes special mathematical functions.
Does the module actually have code that can access your data (and send them, say, over radio)? Or can the actions of the module evelate privileges of a less-trusted party, enabling someone else's less-trusted code to actually access more-private data?
 

USAFRet

Titan
Moderator
I thought the module has a random-number generator, stores keys, and computes special mathematical functions.
Does the module actually have code that can access your data (and send them, say, over radio)? Or can the actions of the module evelate privileges of a less-trusted party, enabling someone else's less-trusted code to actually access more-private data?
A chip that looks like a valid TPM module can do whatever it was coded to do.

Is that far out on the edge of unlikely? Yes.

But buying from some random fleabay account, a non-functional one if more likely.
 

PeterMuellerr

Commendable
Mar 29, 2021
105
19
1,585
A chip that looks like a valid TPM module can do whatever it was coded to do.

Is that far out on the edge of unlikely? Yes.

But buying from some random fleabay account, a non-functional one if more likely.
There are seldom reports of hardware attacks (e.g. https://www.bloomberg.com/news/feat...ny-chip-to-infiltrate-america-s-top-companies).
I believe that a tampered chip could also use your resources (e.g., mine bitcoins). It happens sometimes: e.g., if a Web site is slow, mining may be happening with Javascript in your Web browser. Some home appliances get malicious chips connecting to WiFi whenever they can and doing what they want (e.g., http://web.archive.org/web/20180423061935/https://hi-tech.mail.ru/news/iron-bugs ).
So while I do not believe that someone would like to harm me personally, I do believe that there is no free lunch: a new item for half a price can be a mousetrap and nothing costs more than something that's free.
 

sonofjesse

Distinguished
But that is my point in 2025, you will be buying a new PC anyway lol. That is what I'm saying........ a lot of people I feel like are worried about windows 11 for nothing, when the majority of people will just lifecycle it to solve the issue.
 

Karadjgne

Titan
Ambassador
That's a different topic; please see my other questions for this.

Good point, except that in 2025 the then-modern software is likely to cease to actually run on Windows 10.
Doubtful. Win11 uses the same kernel as Win10. Essentially the guts are the same, just the looks have changed. Same as there's not really any issue running stuff coded for Win7. It'd take a major platform change, like Vista was to DOS (Win98) to see functionality failures in software. You'll still be able to run Win7 stuff when Win11 is approaching EOL. Win12 or Win13 might see a departure from NTFS, but until then, it's all the same.
 

PeterMuellerr

Commendable
Mar 29, 2021
105
19
1,585
Doubtful. Win11 uses the same kernel as Win10. Essentially the guts are the same, just the looks have changed. Same as there's not really any issue running stuff coded for Win7. It'd take a major platform change, like Vista was to DOS (Win98) to see functionality failures in software. You'll still be able to run Win7 stuff when Win11 is approaching EOL. Win12 or Win13 might see a departure from NTFS, but until then, it's all the same.
Thx, good to know! I more though of software simply checking the version number of the OS itself or certain libraries or system-near software (e.g., DirectX) and refusing to run on an older system. After all, a software house usually saves some costs by removing support for old stuff (even MS itself does this — it has to support literally tens of thousands of various programs of its own).
Anyway, this discussion is off topic.
 
Last edited:

Karadjgne

Titan
Ambassador
Anyway, this discussion is off topic.
Sorta, kinda, Mebe not. Win10 having the same kernel as Win11 also means that the TPM and scheduler required by Win11 are also present. It's been basically included with every new mobo since 4th Gen Intel I believe. You'd need to be running Ivy-Bridge or older not to have access to the tech. Certainly anything modern like Ryzen or 10th Gen or newer already has the capability and should not require the purchase of a seperate hardware module.

Afaik, Microsoft has plans to activate the scheduler and TPM for use with Win10 based platforms in the future, as soon as Win11 and 12th Gen intel is more widely adopted and sales drop off. No freebies until they get their money back and can show a profit.