New physical attacks are quickly diluting secure enclave defenses from Nvidia, AMD, and Intel

Trusted Execution Environments (TEEs) have become a cornerstone technology in securing sensitive computations across a wide range of industries. From blockchain networks and cloud computing to artificial intelligence, finance, and defense sectors, TEEs are widely deployed to protect confidential data and ensure the integrity of computation, even when the underlying operating system (OS) kernel is compromised. Major chipmakers like Nvidia, AMD, and Intel provide popular TEE implementations—Nvidia’s Confidential Compute, AMD’s SEV-SNP, and Intel’s SGX and TDX—that promise robust security guarantees. However, recent research exposes critical vulnerabilities in these TEEs, particularly when physical access to the hardware is possible, challenging long-held assumptions about their security.

### The Emergence of TEE.fail and Its Impact

On Tuesday, researchers unveiled a new attack named TEE.fail that breaks the latest TEE protections from all three major chip manufacturers. Unlike previous attacks such as Battering RAM and Wiretap—which were limited to CPUs using DDR4 memory—TEE.fail works against the latest DDR5 memory, thereby affecting the most current TEE implementations. The attack has two preconditions: the attacker must have physical access to place a small, inexpensive hardware device between a memory chip and its motherboard slot, and the attacker must also have compromised the system's OS kernel. Once both are met, the attack itself takes only about three minutes to complete.

Once executed, TEE.fail completely undermines the security assurances of Nvidia’s Confidential Compute, AMD’s SEV-SNP, and Intel’s TDX/SGX TEEs. This means that confidential data and secure computations, which these TEEs are supposed to protect—even if the server’s OS is fully compromised—can be viewed or tampered with by the attacker. This revelation is particularly alarming because all three chipmakers explicitly exclude physical attacks from their threat models. Their security guarantees are framed only against software-level compromises, not against attackers with physical hardware access, a caveat that is rarely made prominent and often misunderstood or overlooked by users.

### Misconceptions and Overstatements in the Industry

The security community and industry insiders have long warned about the limitations of TEEs, but many organizations and service providers continue to make misleading or inaccurate claims about what these environments can protect. Some vendors promote TEEs as suitable for protecting servers at the network edge—locations that are often physically exposed and thus vulnerable to attack—without adequately acknowledging the risks posed by physical compromise.

HD Moore, a veteran security researcher and CEO of runZero, highlights this problem: “These features keep getting broken, but that doesn’t stop vendors from selling them for these use cases—and people keep believing them and spending time using them.” Moore points out that customers often do not receive clear information about the scope of TEE protections, especially regarding physical attacks, which Intel and AMD explicitly consider out of scope. This disconnect leaves many users under the false impression that TEEs can secure “private computing” even in untrusted data centers—a notion that these new attacks decisively disprove.

The confusion extends beyond chipmakers to cloud providers, AI platforms, blockchain projects, and other users of TEEs, many of whom publicly state security assurances that are incomplete or outright incorrect. In some cases, even large organizations with high stakes rely on TEEs without fully understanding their limitations. For instance, blockchain services such as Secret Network and Crust have had to reassess their security models after learning that physical attacks could allow untrusted users to spoof cryptographic attestations, undermining the trustworthiness of their networks.

### The Root Cause: Deterministic Encryption

At the heart of these physical attack vulnerabilities lies the use of deterministic encryption in TEE designs. Deterministic encryption produces the same ciphertext each time the same plaintext is encrypted with the same key. This predictability lets an attacker who can copy ciphertext replay it: a ciphertext captured earlier, written back later, still decrypts to the original plaintext, and repeated plaintext values are visible as repeated ciphertexts. In contrast, probabilistic encryption—where the same plaintext can encrypt to many different ciphertexts randomly—is more resistant to such attacks but comes with significant performance and scalability challenges.

When Intel first introduced SGX, it was deployed in client CPUs with limited memory (up to 256MB) and could employ probabilistic encryption. However, server-grade TEEs, which may need to protect terabytes of RAM, rely on deterministic encryption because probabilistic encryption does not scale well to such sizes without severe performance penalties. This trade-off between security and scalability has created a fundamental weakness that attackers can exploit.
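The two sections above describe the property in prose; the following is an added example (not code from the article or from any vendor's memory-encryption engine) that models it in a few dozen lines of Python. It assumes a toy keystream built from HMAC-SHA256 in counter mode in place of the AES-based engines real controllers use, and a simplified "versioned" scheme in which a per-line write counter lives in trusted metadata and is bound to the ciphertext by a MAC. The first scheme tweaks the keystream by physical address only, which is what makes it deterministic: re-encrypting the same value at the same address gives the same bytes, and an old ciphertext put back in place decrypts as valid data with nothing to flag it. The second scheme shows what a probabilistic, integrity-checked design has to add to detect the same rollback.

```python
import hashlib
import hmac
import secrets

BLOCK = 16  # bytes per memory line in this constructed model


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, tweak: bytes, length: int) -> bytes:
    """Toy PRF keystream (HMAC-SHA256 in counter mode, stdlib only).
    Stands in for the block cipher a real memory controller would use."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, tweak + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


# ---- Deterministic scheme: the only tweak is the physical address ----------
def det_encrypt(key: bytes, addr: int, plaintext: bytes) -> bytes:
    return _xor(plaintext, _keystream(key, addr.to_bytes(8, "big"), len(plaintext)))


def det_decrypt(key: bytes, addr: int, ciphertext: bytes) -> bytes:
    return det_encrypt(key, addr, ciphertext)  # XOR with the keystream is its own inverse


# ---- Versioned scheme: tweak = address || write counter, plus a MAC ---------
class VersionedMemory:
    """Each write bumps a per-line version kept on the trusted side (assumed model).
    The version randomises the keystream and is bound to the ciphertext by a MAC,
    so a stale ciphertext written back into the slot no longer authenticates."""

    def __init__(self, enc_key: bytes, mac_key: bytes):
        self.enc_key, self.mac_key = enc_key, mac_key
        self.versions = {}  # addr -> current version   (trusted metadata)
        self.lines = {}     # addr -> (ciphertext, tag) (untrusted DRAM)

    @staticmethod
    def _tweak(addr: int, version: int) -> bytes:
        return addr.to_bytes(8, "big") + version.to_bytes(8, "big")

    def _tag(self, addr: int, version: int, ct: bytes) -> bytes:
        return hmac.new(self.mac_key, self._tweak(addr, version) + ct, hashlib.sha256).digest()

    def write(self, addr: int, plaintext: bytes) -> None:
        version = self.versions.get(addr, 0) + 1
        self.versions[addr] = version
        ct = _xor(plaintext, _keystream(self.enc_key, self._tweak(addr, version), len(plaintext)))
        self.lines[addr] = (ct, self._tag(addr, version, ct))

    def read(self, addr: int) -> bytes:
        ct, tag = self.lines[addr]
        version = self.versions[addr]
        if not hmac.compare_digest(tag, self._tag(addr, version, ct)):
            raise ValueError("integrity failure: stale or forged line at %#x" % addr)
        return _xor(ct, _keystream(self.enc_key, self._tweak(addr, version), len(ct)))


# Constructed sample contents for one memory line
OLD = b"balance=0000100".ljust(BLOCK, b"\0")
NEW = b"balance=0000000".ljust(BLOCK, b"\0")


def demo_deterministic():
    """Returns (rollback_accepted, repeated_ciphertext_identical)."""
    key, addr = secrets.token_bytes(32), 0x1000
    dram = {addr: det_encrypt(key, addr, OLD)}
    snapshot = dram[addr]                      # ciphertext copied at an earlier point
    dram[addr] = det_encrypt(key, addr, NEW)   # legitimate update by the enclave
    dram[addr] = snapshot                      # stale bytes put back in the same slot
    rollback_accepted = det_decrypt(key, addr, dram[addr]) == OLD
    identical = det_encrypt(key, addr, OLD) == snapshot
    return rollback_accepted, identical        # (True, True): nothing detects the rollback


def demo_versioned():
    """Returns (rollback_detected, repeated_ciphertext_distinct)."""
    mem, addr = VersionedMemory(secrets.token_bytes(32), secrets.token_bytes(32)), 0x1000
    mem.write(addr, OLD)
    snapshot = mem.lines[addr]
    mem.write(addr, OLD)                       # same plaintext, new version
    distinct = mem.lines[addr][0] != snapshot[0]
    mem.write(addr, NEW)
    mem.lines[addr] = snapshot                 # stale (ciphertext, tag) put back
    try:
        mem.read(addr)
        detected = False
    except ValueError:
        detected = True
    return detected, distinct                  # (True, True)


if __name__ == "__main__":
    print("deterministic:", demo_deterministic())
    print("versioned:    ", demo_versioned())
```

The `versions` dictionary is the part that does not scale: every protected line needs a trusted, tamper-proof counter, which for the 256MB of client-side SGX was affordable but for terabytes of server RAM means either a large trusted store or a counter tree with extra memory traffic on every access. That metadata cost is the trade-off the article refers to, and it is why the deterministic, address-only tweak was chosen for the server-class engines.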

### Technical Details and Broader Implications

TEE.fail is not
