Androidpolice reports that security researchers recently discovered a bug in the Infineon TPM firmware which allows hackers to potentially brute-force your Chromebook to obtain the encrypted data on the device. This bug potentially affects all Chromebooks using the newest Infineon TPM chip. The problem here is, the way the TPM module works, it requires you to wipe the computer in order to update the firmware which means you need to wipe really all data on it.

Chromebook

Affected Devices

How to check the TPM firmware?

In case you use one of the mentioned devices, go to chrome://system and search for ‘TPM’ in the page (via CTRL + F) and click the Expand button next to TPM Version. The following versions are vulnerable:

Backup your Data!

If you use the Cloud to backup your App Data, ensure it was synced before you upgrade your firmware, if you do offline backups, try to backup app data only (not the main data because it can cause some conflicts).

Some users reporting already that a ‘full backup’ doesn’t backup the most important thing, the app data, this is by design because it might causes conflicts in case you installed another App version, the only workaround here is to manually backup those data.

Missing firmware update check

Sync, cloud and all the things but in 2018 we have no firmware update check mechanism, this not only affects Google/Chromebooks such essential function should in my opinion implemented in all devices to ensure you automatically or manually can easily configure firmware update checks how you want, because if you not aware of it you might never upgrade your firmware and stay vulnerable even access ROM updates, this is a no-go for me and I really expect that we finally get an answer to the ‘firmware’ question this year because this affects billion of devices like Laptops, Smartphones, external peripherie and literally everyting which uses a firmware.

Conclusion

Another day and another story about vulnerable devices, that’s nothing new anymore and we need to deal with it, but instead of really going to fix the problems for everyone we still are depending on articles which make us aware that there is a security hole - because there simply is no automatic process to fix this. Millions of millions of devices will stay vulnerable because the users don’t even know that there is an update or a security problem, this is unacceptable in so many ways.

Google is only partially to blame here because they’re not the only one which are unable to handle the firmware update question, this needs to be addressed directly by the government to force hardware manufacturers or/and software developers to provide an interface or information how long devices getting security updates + a method to ensure that the devices really getting the updates and this only can be done by some kind of automatic update mechanism.