Security researcher Christopher Tarnovsky has successfully subverted an Infineon SLE 66 microcontroller—a hardware component that implements the Trusted Platform Module (TPM) specification. His method of attack, which requires physical access to the hardware, was presented at the Black Hat conference.
TPM chips can be used for a variety of purposes, but are principally employed for data encryption or DRM. Infineon is a well-known TPM manufacturer whose components are shipped in mainstream computing and consumer electronics products including the Xbox 360 and many modern Apple computers. The basic concept behind a TPM is that it has "write-only" memory. A cryptographic key is baked into the chip when it is manufactured. This key can be used to decrypt data, but is only accessible to the chip itself and can't be read.
Infineon integrates relatively sophisticated security mechanisms into the hardware in order to repel a wide range of conceivable physical attacks, thus preventing a third party from reading the embedded key. The SLE 66 is designed to protect against EM snooping, various kinds of side channel attacks, and pretty much any other conventional approach that you can think of.
In order to circumvent the SLE 66's security, Tarnovsky used an electron microscope and needles. After nine months of intricate work, he managed to pull out the "write-only" data. He says that he has reported his findings to Infineon and the Trusted Computing Group, the organization that devised the TPM standard.
