Security
The attacks we defeat — and the ones we name plainly.
Every threat we defend against has a stable ID, a cost tier, an explicit defense layer, and a residual-risk note. The threats we don't defend against are named just as plainly, with the layered defense that compensates.
Headline visualization
Threat × defense matrix
Each row is a threat; each column is one of our ten defense layers (L1–L10). A solid dot is a primary defense; a half-dot is contributory. Empty cells mean the threat is out-of-scope for that layer, not that the layer fails.
| Threat | Tier | L1 | L2 | L3 | L4 | L5 | L6 | L7 | L8 | L9 | L10 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| T-101VM-spawn-and-discard Sybil | T1 | ● | ● | ● | |||||||
| T-102Cloud-vTPM Sybil (NitroTPM / Azure / GCP) | T1 | ● | ● | ● | ● | ||||||
| T-103swtpm emulator Sybil | T1 | ● | ● | ● | |||||||
| T-104CAPTCHA solver-farm bot signup | T1 | ||||||||||
| T-105Anti-detect browser + residential proxy | T1 | ◐ | ● | ||||||||
| T-106Email/phone churn signup | T1 | ||||||||||
| T-201TPM-Fail timing side-channel | T2 | ◐ | ● | ||||||||
| T-202ROCA on Infineon RSA | T2 | ◐ | ◐ | ● | |||||||
| T-203faulTPM voltage glitching | T2 | ◐ | ● | ||||||||
| T-204CVE-2025-2884 OOB read (Pluton/fTPM) | T2 | ● | |||||||||
| T-205TPM-Genie hardware interposer | T2 | ● | ● | ||||||||
| T-301Refurb device farm | T3 | ● | ● | ||||||||
| T-302Burner-phone-service farm | T3 | ● | ● | ||||||||
| T-401TPM chip swap (discrete TPM only) | T4 | ● | ● | ||||||||
| T-402Header-pin TPM module replacement | T4 | ● | ● | ||||||||
| T-501Decapping / electron microscopy | T5 | ◐ | ● | ||||||||
| T-601Cloud-cuckoo relay | Relay | ● | |||||||||
| T-602Physical-cuckoo relay | Relay | ● | |||||||||
| T-603Token replay | Relay | ● | |||||||||
| T-604Session-binding bypass | Relay | ● | ● | ||||||||
| T-701Compensated-user Sybil ('device mercenaries') | OOB | ● | |||||||||
| T-702Account-takeover post-enrollment | OOB | ||||||||||
| T-703Device theft / borrowed device | OOB | ||||||||||
| T-704Supply-chain compromise of manufacturer CA | OOB | ||||||||||
| T-705Insider threat (Root Herald operator) | OOB |
T1
Tier 1: Software-only attacks (the floor we displace)
The workhorse attacks. Stopped cryptographically at L2 / L3: the attestation doesn't validate.
T-101VM-spawn-and-discard Sybil$0.01–$0.10 · Infinite
MechanismRent cloud VMs, run signup with each as a fresh identity. Cost ~$0.005/hr per instance.
Defense layersL2, L3, L9
ResidualNone at the cryptographic layer. Attacker must escalate.
Real-worldLayerZero's 803K excluded wallets were largely cloud-VM clusters.
T-102Cloud-vTPM Sybil (NitroTPM / Azure / GCP)$0.01–$0.50 · Infinite
MechanismCloud VM has a real virtual-TPM 2.0 producing a structurally valid attestation. Bypasses naive 'did they have a TPM' checks.
Defense layersL2, L3, L4, L9
ResidualNone under strict-hardware. Under cloud-permissive policy, IID cross-validation closes it.
T-103swtpm emulator Sybil~$0 · Infinite
MechanismUserspace swtpm emulator produces TPM 2.0 commands and certs chaining to swtpm-localca.
Defense layersL2, L3, L9
ResidualNone.
Real-worldSUSE virt guide documents emulated TPM reports manufacturer 49424d00 regardless of host.
T-104CAPTCHA solver-farm bot signup$0.001–$0.005 · Infinite
MechanismSolver farms defeat CAPTCHA at $1–$3 / 1000 solves.
Defense layersOut-of-scope at the cryptographic layer. See residual note.
ResidualOut-of-scope for Root Herald directly — but composes: solver-farm wins CAPTCHA, fails attestation.
T-105Anti-detect browser + residential proxy$0.20–$1 · Infinite
MechanismRotated browser fingerprints + residential IP egress. Defeats FingerprintJS / Castle / DataDome.
Defense layersL8 (partial), L10
ResidualNone when paired with attestation.
T-106Email/phone churn signup$0.05–$0.50 · Infinite
MechanismThrowaway emails, SIM farms, virtual-number services.
Defense layersOut-of-scope at the cryptographic layer. See residual note.
ResidualOut-of-scope alone; composes with attestation.
T2
Tier 2: Firmware vulnerability exploitation
Bounded by the un-patched population. Root Herald ships no known-bad firmware deny-list; the compensating controls are change-detection against a customer's known-good PCR reference values plus dbx bootloader revocation.
T-201TPM-Fail timing side-channel~$0 · Bounded
MechanismTiming side-channel against Intel fTPM ECDSA. Recovers private keys in minutes locally.
Defense layersL8 (partial), L9
ResidualRoot Herald ships no known-bad firmware deny-list. The compensating controls are change-detection against a customer's known-good PCR reference values (a device whose measured boot no longer matches its allow-listed reference is flagged) plus dbx bootloader revocation.
Real-worldtpm.fail PoC; CVE-2019-11090.
T-202ROCA on Infineon RSAcompute only · Bounded
MechanismCoppersmith's attack on Infineon RSA generation flaw. ~760K still-vulnerable May 2025.
Defense layersL3 (partial), L8 (partial), L9
ResidualEstonian national ID recall (2017) — 750K cards re-keyed.
Real-worldCVE-2017-15361; weaponized PoCs exist.
T-203faulTPM voltage glitching$200 rig + hours · Bounded
MechanismVoltage-glitching against AMD fTPM on Zen 2/3. ~$200 hardware, hours per chip.
Defense layersL8 (partial), L9
ResidualRequires physical access; bounds to ≈ Tier 3.
Real-worldUSENIX / Black Hat USA 2023.
T-204CVE-2025-2884 OOB read (Pluton/fTPM)~$0 · Bounded
MechanismOOB read in TCG TPM 2.0 reference. Patched in AGESA 1.2.0.3e.
Defense layersL9
ResidualLarge unpatched OEM tail through 2026. There is no CVE/firmware-rev deny-list; the policy-layer control is change-detection against known-good PCR reference values plus dbx revocation.
T-205TPM-Genie hardware interposer$30 + skill · Bounded
MechanismHardware interposer on LPC bus intercepts and modifies commands.
Defense layersL7, L8
ResidualBounds to Tier 3 + labor; uneconomic for most use cases.
T3
Tier 3: Physical device farm
The honest cost floor. Chips are real; arithmetic at L8 (EKpub uniqueness) + customer-side clustering at L10 makes them detectable.
T-301Refurb device farm$30–$200 · Bounded
MechanismBuy hundreds of cheap real devices, each a unique valid attestable identity. Logistics-bound.
Defense layersL8, L10
ResidualThe honest cost floor: capital-bound and detectable, not impossible. Six-figure airdrops still clear this bar.
Real-worldSoutheast Asia click-farm operations photographed publicly.
T-302Burner-phone-service farm$40–$100 · Bounded
MechanismMany 'fresh' phones used briefly, then retired.
Defense layersL8, L10
ResidualSame as T-301.
T4
Tier 4: Hardware modification
Discrete TPMs only: ~70% of modern Windows uses unswappable in-CPU TPMs (Pluton/PTT/fTPM).
T-401TPM chip swap (discrete TPM only)$40–$200 · Bounded
MechanismDesolder existing discrete TPM, solder in a new $5 Infineon SLB 9672, mint fresh EKpub.
Defense layersL8, L10
ResidualOnly applies to discrete TPMs — ~70% of modern Windows uses in-CPU Pluton/PTT/fTPM.
T-402Header-pin TPM module replacement$20–$40 · Bounded
MechanismEnthusiast motherboards with TPM header pins allow swap without soldering.
Defense layersL8, L10
ResidualSame shape as T-401.
T5
Tier 5: Full key extraction
Nation-state-grade. Singular per-chip; out-of-scope for any commercial abuse case.
T-501Decapping / electron microscopy$50K–$200K · Singular
MechanismPhysical attacks against the TPM die.
Defense layersL8 (partial), L10
ResidualNot on the cost ladder for any commercial abuse case.
Relay
Relay-class: the cuckoo family
Cloud-cuckoo closed at L4 (cross-validation). Physical-cuckoo closed at L8 (EKpub arithmetic).
T-601Cloud-cuckoo relay~$0 · Infinite if it works
MechanismHarvest a real NitroTPM attestation from one EC2, replay from a different cloud instance.
Defense layersL4
ResidualNone when RequireCloudCrossValidation = true. Default for cloud-permissive policy.
T-602Physical-cuckoo relay~$0 · Infinite attempts, 1 identity
MechanismScript N fresh signup sessions, pipe each nonce to one real TPM, collect N quotes.
Defense layersL8
ResidualAttacker is pushed back to Tier 3 (acquire more real chips). The 'cheap relay shortcut' doesn't exist.
T-603Token replay$0 · Singular
MechanismCapture a valid attestation JWT, re-submit later.
Defense layersL5
ResidualNone within the quote-freshness window.
T-604Session-binding bypass$0 · Singular
MechanismUse a valid token in a context other than the one for which it was issued.
Defense layersL5, L9
ResidualDepends on RP integrating correctly; libraries get this right by default.
OOB
Out-of-band / non-cryptographic
Honest disclosure. Hardware attestation cannot solve compensated-user Sybil, account takeover, device theft, supply-chain compromise, or insider threat alone. Layered defenses apply.
T-701Compensated-user Sybil ('device mercenaries')$1–$50 · Bounded
MechanismPay N real users $X each to perform a real attestation from their real devices.
Defense layersL10
ResidualHonest disclosure. Hardware attestation alone cannot stop this. Layered defense (hardware floor + behavioral) is the strategy.
Real-worldDocumented in LayerZero's airdrop retrospective.
T-702Account-takeover post-enrollmentvariable · Bounded
MechanismCompromise a legitimate user's session post-enrollment.
Defense layersOut-of-scope at the cryptographic layer. See residual note.
ResidualOut-of-scope; step-up MFA / CAEP / session-management is the customer's stack.
T-703Device theft / borrowed devicevaries · Singular
MechanismLegitimate hardware under attacker's physical control.
Defense layersOut-of-scope at the cryptographic layer. See residual note.
ResidualA user can mark a device stolen; the per-tenant ban list then rejects further attestations from it.
T-704Supply-chain compromise of manufacturer CAnation-state · Singular
MechanismAttacker compromises an Infineon/ST/Nuvoton/Intel/AMD/Microsoft CA and mints arbitrary EK certs.
Defense layersOut-of-scope at the cryptographic layer. See residual note.
ResidualDetection + response only.
T-705Insider threat (Root Herald operator)n/a · Singular
MechanismRoot Herald employee exfiltrates EKpub data or forges tokens.
Defense layersOut-of-scope at the cryptographic layer. See residual note.
ResidualSOC 2 controls (in progress, not yet certified); not protocol-level.
Explicitly out-of-scope
What we don't claim to solve
- One-human-one-device with bad intent. We bind devices to identities; identity behavior is the customer's policy problem.
- In-person social engineering. A real user, a real attestation, attacker-coached.
- Account-takeover post-enrollment. Step-up MFA, CAEP, and session management belong in the customer's stack.
- State-level adversaries with unlimited resources. Outside the threat model for any commercial SaaS.
- Supply-chain compromise of manufacturer PKI. Detection / response only: same risk every PKI-based system carries.
- Insider threat (Root Herald operator). SOC 2 controls (in progress), not protocol.