"Both the 4758 CCA and the TPM can be coaxed into revealing their private keys.[4,5] These attacks do not break the underlying cryptography, but are instead API-level attacks — sequences of valid API commands. In fact, the attacks on both systems use analogous command sequences. First, the attacker loads a subverted “migration” key onto the device. Then, the device is asked to “wrap” (encrypt) the private key in it for migration.
IBM eliminated this attack in subsequent versions of the CCA, and the TPM specification now provides equivalent functionality that’s not susceptible to this attack. However, the fundamental problem remains: the interfaces for trusted cryptographic subsystems are complex, and complexity always carries with it the potential for insecurity. Before using these devices to protect our vital infrastructures, we must develop methods for security API analysis and, using those methods, ensure that they actually provide the necessary security guarantees."
In Jonathan Herzog, "Applying Protocol Analysis to Security Device Interfaces," IEEE Security and Privacy, vol. 04, no. 4, pp. 84-87, Jul/Aug, 2006.
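The following is an added illustration, not code from Herzog's article nor from any real TPM or CCA implementation. It models a toy device whose "wrap for migration" command accepts any loaded migration key (the interface the quote describes) beside a variant that only wraps to migration keys the owner has explicitly authorized, and it finishes with a bounded enumeration of attacker-callable command sequences in the spirit of the "security API analysis" the quote calls for. Every name (`Device`, `load_migration_key`, `wrap_key`, `authorize_migration_key`, `analyze`) is hypothetical, and the XOR keystream stands in for the real asymmetric wrapping purely so the example runs offline; it is not a secure cipher.

```python
"""Toy model of a wrap-to-migration-key interface and one hardened variant.

Hypothetical names and a stand-in cipher; not a real TPM/CCA command set.
"""
import hashlib
import hmac
import itertools
import secrets


def toy_wrap(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for encrypting under a migration key: XOR with a SHA-256
    keystream. Whoever knows `key` can unwrap, which is exactly the property a
    subverted (attacker-generated) migration key has."""
    stream = b""
    counter = 0
    while len(stream) < len(plaintext):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(p ^ s for p, s in zip(plaintext, stream))


toy_unwrap = toy_wrap  # XOR keystream is its own inverse


class Device:
    """Holds one private key and a table of loaded migration keys.
    require_owner_auth=False models the interface described in the quote;
    True models an interface that binds migration targets to the owner."""

    def __init__(self, require_owner_auth: bool):
        self.require_owner_auth = require_owner_auth
        self.owner_secret = secrets.token_bytes(32)   # known only to the owner
        self.private_key = secrets.token_bytes(32)    # the secret to protect
        self.migration_keys = {}                      # handle -> key material

    # Commands any caller may issue.
    def load_migration_key(self, key_material: bytes) -> int:
        handle = len(self.migration_keys) + 1
        self.migration_keys[handle] = key_material
        return handle

    def wrap_key(self, mk_handle: int, ticket: bytes = b"") -> bytes:
        mk = self.migration_keys[mk_handle]
        if self.require_owner_auth:
            # Only wrap to a migration key the owner has vouched for.
            expected = hmac.new(self.owner_secret, mk, hashlib.sha256).digest()
            if not ticket or not hmac.compare_digest(ticket, expected):
                raise PermissionError("migration key not authorized by owner")
        return toy_wrap(mk, self.private_key)

    # Command that requires the owner's secret (hypothetical authorization step).
    def authorize_migration_key(self, owner_secret: bytes, mk_handle: int) -> bytes:
        if not hmac.compare_digest(owner_secret, self.owner_secret):
            raise PermissionError("bad owner secret")
        mk = self.migration_keys[mk_handle]
        return hmac.new(self.owner_secret, mk, hashlib.sha256).digest()


def owner_migration_works(device: Device) -> bool:
    """Legitimate path: the owner authorizes a migration key, wraps, and the
    holder of that key unwraps the private key. Must succeed on both variants."""
    mk = secrets.token_bytes(32)
    handle = device.load_migration_key(mk)
    ticket = device.authorize_migration_key(device.owner_secret, handle)
    return toy_unwrap(mk, device.wrap_key(handle, ticket)) == device.private_key


def analyze(require_owner_auth: bool, max_depth: int = 2) -> list:
    """Tiny bounded model check: try every sequence of caller-available commands
    up to `max_depth`, with a caller who knows their own migration key but not
    the owner secret, and return the sequences after which that caller can
    reconstruct the private key. An empty list means no leak at this depth."""
    leaking = []
    commands = ("load_migration_key", "wrap_key")
    for depth in range(1, max_depth + 1):
        for seq in itertools.product(commands, repeat=depth):
            dev = Device(require_owner_auth)
            caller_mk = secrets.token_bytes(32)  # constructed: caller-generated key
            handles, blobs = [], []
            try:
                for cmd in seq:
                    if cmd == "load_migration_key":
                        handles.append(dev.load_migration_key(caller_mk))
                    else:
                        blobs.append(dev.wrap_key(handles[-1]))  # no ticket
            except (PermissionError, IndexError):
                continue  # sequence refused by the device or not well-formed
            if any(toy_unwrap(caller_mk, b) == dev.private_key for b in blobs):
                leaking.append(seq)
    return leaking


if __name__ == "__main__":
    print("open interface   leaks after:", analyze(False))
    print("owner-authorized leaks after:", analyze(True))
```

`analyze` is the point of the example: it treats the device as a black box reachable only through its command set and asks whether any short sequence moves the private key outside the boundary, which is the kind of question an API analysis has to answer about the real interfaces. On the open variant it reports the two-step sequence from the quote; on the owner-authorized variant it finds nothing at this depth, while `owner_migration_works` confirms the legitimate migration path still functions.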