No. The TPM was not cracked. The communication was sniffed, which is unencrypted. This requires a Device to be modified and then successfully unlocked to get exploited also this does not affect devices where the tpm is integrated in the SoC.
You are right in a sense of: If the TPM holding the keys were itself encrypted with a strong password, this would be still be considered secure.
You are wrong in the sense of: lenovo sells a device, tells its users its encrypted, their data is safe. None can steal their data
in reality the data can easily be accessed, which could be considered as “cracking the device/bypassing the encryption” because what lenovo prevent was someone ripping your ssd l, but not just decrypt it because the encryption was not implemented securely.
I don’t want to debate the security of a luks Linux volume or veracrypt windows laptop, (even though even those are in theory vulnerable to highly targeted and skilled things like cleverly exploiting e.g the logofail bug)
My point isn’t that there are no ways to have a secure system, my point is that the percentage of truly secure systems is low
The device needs to be physically accessed and modified and then unlocked in order to exploit it.
Exactly the service the company offers
Yes it is a vulnerability but with those steps you could also just solder a keylogger to the keyboard.
This is not a hot take at all!
Sure thing, it is equally hard to confiscate/steal a device (if the user notices you just shrug) and open it no user input required
And
Stealing the device without the user noticing
Solder a keylogger, get it back to the user without them noticing and having them put in their password, then steal the device again so you can use said passwort
No. The TPM was not cracked. The communication was sniffed, which is unencrypted. This requires a Device to be modified and then successfully unlocked to get exploited also this does not affect devices where the tpm is integrated in the SoC.
You are right in a sense of: If the TPM holding the keys were itself encrypted with a strong password, this would be still be considered secure. You are wrong in the sense of: lenovo sells a device, tells its users its encrypted, their data is safe. None can steal their data
in reality the data can easily be accessed, which could be considered as “cracking the device/bypassing the encryption” because what lenovo prevent was someone ripping your ssd l, but not just decrypt it because the encryption was not implemented securely.
I don’t want to debate the security of a luks Linux volume or veracrypt windows laptop, (even though even those are in theory vulnerable to highly targeted and skilled things like cleverly exploiting e.g the logofail bug)
My point isn’t that there are no ways to have a secure system, my point is that the percentage of truly secure systems is low
The device needs to be physically accessed and modified and then unlocked in order to exploit it.
Yes it is a vulnerability but with those steps you could also just solder a keylogger to the keyboard.
Similar outcome.
Exactly the service the company offers
This is not a hot take at all!
Sure thing, it is equally hard to confiscate/steal a device (if the user notices you just shrug) and open it no user input required And Stealing the device without the user noticing Solder a keylogger, get it back to the user without them noticing and having them put in their password, then steal the device again so you can use said passwort
I totally agree