You know what they say: Timing is... everything
Trusted Platform Modules, specialized processors or firmware that protect the cryptographic keys used to secure operating systems, are not entirely trustworthy.
Boffins from the Worcester Polytechnic Institute and University of California, San Diego, in the US, and the University of Lübeck in Germany, have found that TPMs leak timing information that allows the recovery of the private keys used for cryptographic signatures.
In a paper [PDF] published on Tuesday, "TPM-FAIL: TPM meets Timing and Lattice Attacks," researchers Daniel Moghimi, Berk Sunar, Thomas Eisenbarth, and Nadia Heninger describes how they successfully conducted black-box timing analysis of TPM 2.0 devices to recover 256-bit private keys for ECDSA (Elliptic Curve Digital Signature Algorithm) and trust trusted platform module server private depending configuration
){kind=link}