TEE.fail: New $1,000 Hardware Attack Bypasses Nvidia, AMD, & Intel Data Isolation
New research has revealed that even the most advanced hardware-based data isolation technologies from leading chip manufacturers—Nvidia Confidential Compute, AMD SEV-SNP, and Intel SGX/TDX—fail to withstand inexpensive physical attacks. These mechanisms, collectively known as Trusted Execution Environments (TEEs), have long been considered the cornerstone of confidential computing across cloud infrastructures, blockchain systems, AI platforms, and government networks. Their primary purpose is to ensure the invisibility and immutability of code and data, even in cases of full operating system compromise. Yet a new wave of attacks—most notably the one published this week under the name TEE.fail—calls into question the very notion of hardware trust.
Researchers demonstrated that the vulnerability allows complete bypass of every modern TEE within three minutes using a simple, low-cost device inserted between the memory slot and the motherboard. Once this intermediary module is installed and the OS kernel is compromised, the protections offered by Confidential Compute, SEV-SNP, and Intel TDX become effectively useless. Unlike earlier attacks such as Battering RAM and Wiretap, which worked only with DDR4, this new method targets DDR5-based systems, thereby affecting the latest generations of server processors and GPU accelerators.
Formally, physical attacks are excluded from the threat models of all three vendors, though most users remain unaware of this fact. Manufacturers publicly claim that TEEs can safeguard data even under conditions of physical access to the server—claims heavily promoted by major platforms including Cloudflare, Meta, Signal, and Anthropic. Many of these organizations have asserted that enclaves can prevent data theft in the event of hardware seizure. In reality, however, AMD, Intel, and Nvidia explicitly exclude such scenarios from their security guarantees.
According to RunZero, the situation epitomizes a “security illusion”: enterprises continue to treat TEEs as a panacea, even as physical attacks grow ever cheaper. The company notes that users of cloud services typically have no means to verify where their servers are located—or to ensure that the underlying hardware is not under an adversary’s control. Researcher Daniel Genkin, who participated in both the TEE.fail and Wiretap projects, remarked that clients cannot even be certain their servers reside in a secure facility rather than “someone else’s basement.”
Similar vulnerabilities have previously enabled the compromise of Secret Network and Crust, two blockchain platforms. In those cases, attackers were able to falsify cryptographic attestations, allowing them to claim their nodes operated in trusted environments while, in reality, computations occurred outside the enclave. As a result, sensitive data could be read or altered while maintaining the illusion of protection.
The root technical cause of all three attack families lies in the use of deterministic encryption, in which identical plaintext blocks always yield identical ciphertext. This design allows attackers to copy and reuse encrypted fragments in replay attacks. A more secure alternative—probabilistic encryption—has proven impractical for server-grade TEEs due to severe performance costs: servers must encrypt terabytes of RAM rather than the mere hundreds of megabytes found in consumer PCs.
Through TEE.fail, researchers succeeded in extracting attestation keys from Intel processors, enabling them to forge cryptographic proofs of a server’s “trustworthiness.” They similarly bypassed Nvidia Confidential Compute, which fails to bind attestation reports to specific virtual machines or GPUs—allowing attackers to masquerade unprotected GPU servers as secure ones, even while data was processed in plain text. In the case of AMD SEV-SNP, the attack reopened a leakage channel through which OpenSSL keys and other sensitive information could be exfiltrated.
The attack hardware costs under $1,000 and fits easily inside a 17-inch suitcase. Once the device is inserted and removed, TEE protections cannot be restored. During demonstrations, TEE.fail successfully deceived the infrastructures of BuilderNet, dstack, and Secret Network, confirming the feasibility of transaction tampering and data theft even in systems architecturally dependent on enclave trust.
Researchers propose provisional mitigations, such as adding random data to each memory block before encryption and binding attestation to the physical location of the server. Yet even these measures fail to resolve the fundamental problem—the discrepancy between the promised and actual guarantees of security.
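The root cause described above (deterministic memory encryption letting a captured ciphertext block be written back later) and the per-block randomization proposed here, modelled in Python as an added example; this is not code from the TEE.fail researchers or from any vendor's memory encryption engine. The HMAC-based keystream, the 16-byte nonce and the on-die `expected` table are constructed stand-ins for the real AES-based engines and their integrity metadata.

```python
import hashlib, hmac, os

KEY = b"\x01" * 32  # constructed demo key; a real engine's key never leaves the die

def _keystream(addr, nonce, n):
    # Toy HMAC-SHA256 counter keystream standing in for a real AES tweakable cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(KEY, addr.to_bytes(8, "big") + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _tag(addr, nonce, ct):
    return hmac.new(KEY, addr.to_bytes(8, "big") + nonce + ct, hashlib.sha256).digest()[:16]

class Memory:
    """randomized=False: ciphertext depends only on (key, address, plaintext), as in the
    deterministic engines the article describes. randomized=True: fresh nonce per write plus a
    MAC, with the expected nonce held in trusted on-die state (the proposed mitigation)."""
    def __init__(self, randomized):
        self.randomized = randomized
        self.dram = {}      # addr -> (nonce, ciphertext, tag): what an interposer on the DIMM bus sees
        self.expected = {}  # addr -> nonce of the latest write; never leaves the chip

    def write(self, addr, block):
        nonce = os.urandom(16) if self.randomized else b""
        ct = _xor(block, _keystream(addr, nonce, len(block)))
        self.dram[addr] = (nonce, ct, _tag(addr, nonce, ct) if self.randomized else b"")
        self.expected[addr] = nonce

    def read(self, addr):
        nonce, ct, tag = self.dram[addr]
        if self.randomized and (nonce != self.expected[addr]
                                or not hmac.compare_digest(tag, _tag(addr, nonce, ct))):
            raise ValueError("stale or forged block at %#x" % addr)
        return _xor(ct, _keystream(addr, nonce, len(ct)))

def replay_check(mem, addr, old, new):
    """Write old, capture its ciphertext, write new, put the capture back, then read.
    Returns what the enclave would see, or None if the engine rejects the block."""
    mem.write(addr, old)
    captured = mem.dram[addr]
    mem.write(addr, new)
    mem.dram[addr] = captured
    try:
        return mem.read(addr)
    except ValueError:
        return None
```

With `randomized=False` the restored block decrypts silently to the old value, which is the rollback the article warns about; with `randomized=True` the mismatch between the bus-visible nonce and the on-die expected nonce makes the engine refuse it.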
Nvidia has acknowledged the research and plans to publish additional reports following its official release. Intel emphasized that physical memory attacks lie outside its threat model, noting that stronger countermeasures would significantly increase cost of ownership and reduce performance.
For now, TEE.fail, Wiretap, and Battering RAM remain tangible threats to anyone relying on standard implementations of hardware enclaves. The only reliable strategy, experts conclude, is to recognize their limitations and avoid using TEEs in environments where physical access to servers cannot be excluded. As Moore observes, major providers such as AWS and Google mitigate these risks through custom solutions like Nitro Card and Titanium, while for everyone else, enclaves remain a temporary compromise—a bandage over the deep wound of hardware trust.