Microsoft’s Ambitious Plan to Secure Windows 10 From Physical Vulnerabilities

When it comes to security, the list of ways that attackers can steal information from your environment is growing at a rate faster than researchers can plug the holes. If you need any proof of this, take a look at how frequently Microsoft is patching Windows.

It’s not completely fair to call out Microsoft in this way: every piece of software used in the enterprise is frequently patched or, worse, left open and exposed. It is the nature of the beast. We need more complex software to run operations efficiently, but that complexity and integration create more potential weaknesses for attackers to exploit.

But one of the evergreen challenges is that securing software and hardware against remote attacks has been the easier problem to manage; when an attacker has physical access to a device, keeping it secure is nearly impossible. That’s the task Microsoft is taking on with Pluton, and it is working with AMD, Intel, and Qualcomm to bring it to market.

[Image: Microsoft Pluton. Image Credit: Microsoft]

Until now, for Windows, the TPM has been the hardware component used in modern devices to securely store the keys and data that verify the integrity of the system. The downside of TPM setups is that when an attacker has physical access to a device, they can target the communication bus between the TPM and the CPU.

To resolve this issue, Microsoft says that Pluton will remove that communication channel and build the security hardware directly into the CPU. At first, the Pluton architecture will emulate a TPM to work with existing APIs, and Windows will use the security processor to “protect credentials, user identities, encryption keys, and personal data”.

This is where Microsoft gets confident: the company says “none of this information can be removed from Pluton even if an attacker has installed malware or has complete physical possession of the PC”. That’s a big claim and, if it holds up, it will be a significant enhancement to security on Windows devices.

Microsoft first started deploying this type of solution with the Xbox One in 2013 and more recently with Azure Sphere. But the big question is when it will arrive in new devices, and that timeline is a bit unclear. The company says that AMD, Intel, and Qualcomm will introduce this technology starting with ‘future’ chips, which means late next year is likely the first chance; for wide-scale adoption, think years, not months.