Skip to content

Security

The attacks we defeat — and the ones we name plainly.

Every threat we defend against has a stable ID, a cost tier, an explicit defense layer, and a residual-risk note. The threats we don't defend against are named just as plainly, with the layered defense that compensates.

Headline visualization

Threat × defense matrix

Each row is a threat; each column is one of our ten defense layers (L1–L10). A solid dot is a primary defense; a half-dot is contributory. Empty cells mean the threat is out-of-scope for that layer, not that the layer fails.

Threat × Defense primary partial· out-of-scope
ThreatTierL1L2L3L4L5L6L7L8L9L10
T-101VM-spawn-and-discard SybilT1
T-102Cloud-vTPM Sybil (NitroTPM / Azure / GCP)T1
T-103swtpm emulator SybilT1
T-104CAPTCHA solver-farm bot signupT1
T-105Anti-detect browser + residential proxyT1
T-106Email/phone churn signupT1
T-201TPM-Fail timing side-channelT2
T-202ROCA on Infineon RSAT2
T-203faulTPM voltage glitchingT2
T-204CVE-2025-2884 OOB read (Pluton/fTPM)T2
T-205TPM-Genie hardware interposerT2
T-301Refurb device farmT3
T-302Burner-phone-service farmT3
T-401TPM chip swap (discrete TPM only)T4
T-402Header-pin TPM module replacementT4
T-501Decapping / electron microscopyT5
T-601Cloud-cuckoo relayRelay
T-602Physical-cuckoo relayRelay
T-603Token replayRelay
T-604Session-binding bypassRelay
T-701Compensated-user Sybil ('device mercenaries')OOB
T-702Account-takeover post-enrollmentOOB
T-703Device theft / borrowed deviceOOB
T-704Supply-chain compromise of manufacturer CAOOB
T-705Insider threat (Root Herald operator)OOB
L1 Cert structure
EkCertificateValidator
L2 Chain to pinned roots
EkCertificateValidator + TrustAnchorSeeder
L3 TpmClass classification
TpmClassClassifier
L4 Cloud cross-validation
CloudEvidenceVerifier
L5 Quote + nonce binding
TpmQuoteValidator
L6 PCR + event log
EventLogParser
L7 AK ↔ EK binding
MakeCredentialService
L8 EKpub uniqueness
Device.EkPublicKey + deviceId HMAC
L9 Customer policy
PolicyResolver + PolicyAdminController
L10 Behavioral clustering
Audit log + EKpub-uniqueness signal

T1

Tier 1: Software-only attacks (the floor we displace)

The workhorse attacks. Stopped cryptographically at L2 / L3: the attestation doesn't validate.

T-101VM-spawn-and-discard Sybil$0.01–$0.10 · Infinite

MechanismRent cloud VMs, run signup with each as a fresh identity. Cost ~$0.005/hr per instance.

Defense layersL2, L3, L9

ResidualNone at the cryptographic layer. Attacker must escalate.

Real-worldLayerZero's 803K excluded wallets were largely cloud-VM clusters.

T-102Cloud-vTPM Sybil (NitroTPM / Azure / GCP)$0.01–$0.50 · Infinite

MechanismCloud VM has a real virtual-TPM 2.0 producing a structurally valid attestation. Bypasses naive 'did they have a TPM' checks.

Defense layersL2, L3, L4, L9

ResidualNone under strict-hardware. Under cloud-permissive policy, IID cross-validation closes it.

T-103swtpm emulator Sybil~$0 · Infinite

MechanismUserspace swtpm emulator produces TPM 2.0 commands and certs chaining to swtpm-localca.

Defense layersL2, L3, L9

ResidualNone.

Real-worldSUSE virt guide documents emulated TPM reports manufacturer 49424d00 regardless of host.

T-104CAPTCHA solver-farm bot signup$0.001–$0.005 · Infinite

MechanismSolver farms defeat CAPTCHA at $1–$3 / 1000 solves.

Defense layersOut-of-scope at the cryptographic layer. See residual note.

ResidualOut-of-scope for Root Herald directly — but composes: solver-farm wins CAPTCHA, fails attestation.

T-105Anti-detect browser + residential proxy$0.20–$1 · Infinite

MechanismRotated browser fingerprints + residential IP egress. Defeats FingerprintJS / Castle / DataDome.

Defense layersL8 (partial), L10

ResidualNone when paired with attestation.

T-106Email/phone churn signup$0.05–$0.50 · Infinite

MechanismThrowaway emails, SIM farms, virtual-number services.

Defense layersOut-of-scope at the cryptographic layer. See residual note.

ResidualOut-of-scope alone; composes with attestation.

T2

Tier 2: Firmware vulnerability exploitation

Bounded by the un-patched population. Root Herald ships no known-bad firmware deny-list; the compensating controls are change-detection against a customer's known-good PCR reference values plus dbx bootloader revocation.

T-201TPM-Fail timing side-channel~$0 · Bounded

MechanismTiming side-channel against Intel fTPM ECDSA. Recovers private keys in minutes locally.

Defense layersL8 (partial), L9

ResidualRoot Herald ships no known-bad firmware deny-list. The compensating controls are change-detection against a customer's known-good PCR reference values (a device whose measured boot no longer matches its allow-listed reference is flagged) plus dbx bootloader revocation.

Real-worldtpm.fail PoC; CVE-2019-11090.

T-202ROCA on Infineon RSAcompute only · Bounded

MechanismCoppersmith's attack on Infineon RSA generation flaw. ~760K still-vulnerable May 2025.

Defense layersL3 (partial), L8 (partial), L9

ResidualEstonian national ID recall (2017) — 750K cards re-keyed.

Real-worldCVE-2017-15361; weaponized PoCs exist.

T-203faulTPM voltage glitching$200 rig + hours · Bounded

MechanismVoltage-glitching against AMD fTPM on Zen 2/3. ~$200 hardware, hours per chip.

Defense layersL8 (partial), L9

ResidualRequires physical access; bounds to ≈ Tier 3.

Real-worldUSENIX / Black Hat USA 2023.

T-204CVE-2025-2884 OOB read (Pluton/fTPM)~$0 · Bounded

MechanismOOB read in TCG TPM 2.0 reference. Patched in AGESA 1.2.0.3e.

Defense layersL9

ResidualLarge unpatched OEM tail through 2026. There is no CVE/firmware-rev deny-list; the policy-layer control is change-detection against known-good PCR reference values plus dbx revocation.

T-205TPM-Genie hardware interposer$30 + skill · Bounded

MechanismHardware interposer on LPC bus intercepts and modifies commands.

Defense layersL7, L8

ResidualBounds to Tier 3 + labor; uneconomic for most use cases.

T3

Tier 3: Physical device farm

The honest cost floor. Chips are real; arithmetic at L8 (EKpub uniqueness) + customer-side clustering at L10 makes them detectable.

T-301Refurb device farm$30–$200 · Bounded

MechanismBuy hundreds of cheap real devices, each a unique valid attestable identity. Logistics-bound.

Defense layersL8, L10

ResidualThe honest cost floor: capital-bound and detectable, not impossible. Six-figure airdrops still clear this bar.

Real-worldSoutheast Asia click-farm operations photographed publicly.

T-302Burner-phone-service farm$40–$100 · Bounded

MechanismMany 'fresh' phones used briefly, then retired.

Defense layersL8, L10

ResidualSame as T-301.

T4

Tier 4: Hardware modification

Discrete TPMs only: ~70% of modern Windows uses unswappable in-CPU TPMs (Pluton/PTT/fTPM).

T-401TPM chip swap (discrete TPM only)$40–$200 · Bounded

MechanismDesolder existing discrete TPM, solder in a new $5 Infineon SLB 9672, mint fresh EKpub.

Defense layersL8, L10

ResidualOnly applies to discrete TPMs — ~70% of modern Windows uses in-CPU Pluton/PTT/fTPM.

T-402Header-pin TPM module replacement$20–$40 · Bounded

MechanismEnthusiast motherboards with TPM header pins allow swap without soldering.

Defense layersL8, L10

ResidualSame shape as T-401.

T5

Tier 5: Full key extraction

Nation-state-grade. Singular per-chip; out-of-scope for any commercial abuse case.

T-501Decapping / electron microscopy$50K–$200K · Singular

MechanismPhysical attacks against the TPM die.

Defense layersL8 (partial), L10

ResidualNot on the cost ladder for any commercial abuse case.

Relay

Relay-class: the cuckoo family

Cloud-cuckoo closed at L4 (cross-validation). Physical-cuckoo closed at L8 (EKpub arithmetic).

T-601Cloud-cuckoo relay~$0 · Infinite if it works

MechanismHarvest a real NitroTPM attestation from one EC2, replay from a different cloud instance.

Defense layersL4

ResidualNone when RequireCloudCrossValidation = true. Default for cloud-permissive policy.

T-602Physical-cuckoo relay~$0 · Infinite attempts, 1 identity

MechanismScript N fresh signup sessions, pipe each nonce to one real TPM, collect N quotes.

Defense layersL8

ResidualAttacker is pushed back to Tier 3 (acquire more real chips). The 'cheap relay shortcut' doesn't exist.

T-603Token replay$0 · Singular

MechanismCapture a valid attestation JWT, re-submit later.

Defense layersL5

ResidualNone within the quote-freshness window.

T-604Session-binding bypass$0 · Singular

MechanismUse a valid token in a context other than the one for which it was issued.

Defense layersL5, L9

ResidualDepends on RP integrating correctly; libraries get this right by default.

OOB

Out-of-band / non-cryptographic

Honest disclosure. Hardware attestation cannot solve compensated-user Sybil, account takeover, device theft, supply-chain compromise, or insider threat alone. Layered defenses apply.

T-701Compensated-user Sybil ('device mercenaries')$1–$50 · Bounded

MechanismPay N real users $X each to perform a real attestation from their real devices.

Defense layersL10

ResidualHonest disclosure. Hardware attestation alone cannot stop this. Layered defense (hardware floor + behavioral) is the strategy.

Real-worldDocumented in LayerZero's airdrop retrospective.

T-702Account-takeover post-enrollmentvariable · Bounded

MechanismCompromise a legitimate user's session post-enrollment.

Defense layersOut-of-scope at the cryptographic layer. See residual note.

ResidualOut-of-scope; step-up MFA / CAEP / session-management is the customer's stack.

T-703Device theft / borrowed devicevaries · Singular

MechanismLegitimate hardware under attacker's physical control.

Defense layersOut-of-scope at the cryptographic layer. See residual note.

ResidualA user can mark a device stolen; the per-tenant ban list then rejects further attestations from it.

T-704Supply-chain compromise of manufacturer CAnation-state · Singular

MechanismAttacker compromises an Infineon/ST/Nuvoton/Intel/AMD/Microsoft CA and mints arbitrary EK certs.

Defense layersOut-of-scope at the cryptographic layer. See residual note.

ResidualDetection + response only.

T-705Insider threat (Root Herald operator)n/a · Singular

MechanismRoot Herald employee exfiltrates EKpub data or forges tokens.

Defense layersOut-of-scope at the cryptographic layer. See residual note.

ResidualSOC 2 controls (in progress, not yet certified); not protocol-level.

Explicitly out-of-scope

What we don't claim to solve

  • One-human-one-device with bad intent. We bind devices to identities; identity behavior is the customer's policy problem.
  • In-person social engineering. A real user, a real attestation, attacker-coached.
  • Account-takeover post-enrollment. Step-up MFA, CAEP, and session management belong in the customer's stack.
  • State-level adversaries with unlimited resources. Outside the threat model for any commercial SaaS.
  • Supply-chain compromise of manufacturer PKI. Detection / response only: same risk every PKI-based system carries.
  • Insider threat (Root Herald operator). SOC 2 controls (in progress), not protocol.