- What: A vulnerability in Moxa UC-1222A Secure Edition allows plaintext recovery of LUKS decryption keys via TPM bus sniffing during boot.
- Impact: Attackers can passively monitor the SPI bus to recover the LUKS key and decrypt the encrypted storage.
- Affected: Moxa UC-1222A Secure Edition industrial computers.
- CVE: CVE-2026-0714
Trusted Platform Modules (TPM 2.0) are widely used to protect storage encryption keys and provide hardware-backed attestation. While TPM bus sniffing attacks against Windows systems with BitLocker are well documented, less research has focused on non-BitLocker targets such as embedded Linux devices using LUKS. In this work, we demonstrate that the Moxa UC-1222A Secure Edition releases its full LUKS device decryption key in plaintext during boot via a `TPM2_NV_Read` operation bound to a PCR policy. Although the TPM enforces authorization correctly, the returned key material is transmitted unencrypted over the SPI interface. By passively monitoring the SPI bus between the SoC and the discrete TPM 2.0 device, the LUKS decryption key can be recovered and used to decrypt the encrypted storage. The issue has been acknowledged by Moxa and assigned CVE-2026-0714.

In October 2025, we performed a security assessment of the ARM-based Moxa UC-1222A Secure Edition industrial computer. The UC-1200A series is described by the vendor as follows:

"The UC-1200A computing platform is designed for embedded data-acquisition applications. [...] With flexible interfacing options, this tiny embedded computer is a reliable and secure gateway for data acquisition and processing at field sites as well as a useful communications platform for many other large-scale deployments."

The device is marketed as a hardened platform and supports full disk encryption backed by a discrete TPM 2.0 chip. We assumed that an adversary had physical access to the device, under conditions where they are able to use specialized hardware tools to probe and tamper with the device. Given the use of a discrete TPM connected over SPI, we evaluated whether passive bus monitoring during the boot process could expose sensitive key material.

Passive bus sniffing attacks against TPM 2.0 have been demonstrated in multiple contexts, particularly against BitLocker-enabled Windows systems[1][2][3].
These attacks typically target the BitLocker Volume Master Key, which is released by the TPM during the boot process and used to decrypt the protected volume. There have also been successful TPM sniffing attacks against non-BitLocker targets. Jos Wetzels demonstrated that Linux devices using Clevis with a discrete TPM to unlock LUKS-encrypted disks are vulnerable to SPI sniffing, allowing an attacker with physical access to extract a JWK from TPM SPI traffic and reconstruct the device decryption secret.[4]

However, little public research has examined whether the same attack class applies to embedded and industrial Linux systems. Such devices may rely on vendor-specific initramfs hooks and custom provisioning logic rather than using solutions like Clevis. It is not clear how, or if, key material is exposed over the TPM bus for such devices. Furthermore, for embedded devices deployed in unmonitored or remote environments, prolonged physical access by an adversary may be more likely than, for example, for a client laptop. With this research, we hope to demonstrate what a successful TPM sniffing attack on an embedded device may look like.

The Moxa UC-1222A Secure Edition employs a discrete TPM 2.0 device as both a root of trust for attestation and as a protection mechanism for storage decryption keys. The TPM maintains persistent root secrets within its internal non-volatile memory, including seeds that form the basis of its key hierarchies, as described in the TCG TPM 2.0 Library Specification (Part 1)[5]. Rather than storing the device decryption key directly in system storage, the key is generated during provisioning of the device and then protected by the TPM under authorization policies. The TPM's internal root secrets never leave the chip. Instead, they are used to enforce policy and protect TPM objects such as the device decryption key.
During boot on the Moxa UC-1222, the host SoC issues TPM commands to read the contents of this protected NV index as part of the TPM's structured command–response protocol. If the authorization policy is satisfied, the TPM returns the key material, which we will refer to as the LUKS disk key, to unlock the encrypted partition. More generally, passive TPM bus sniffing attacks exploit this pattern:

The Serial Peripheral Interface (SPI) is a synchronous serial communication bus used for communication between the discrete TPM and the ARM SoC. The SoC operates as the SPI master, while the TPM functions as an SPI slave. SPI communication is based on four primary signals:

The Moxa firmware image is publicly available from the vendor at the following link. We extracted the first partition, which contains an initrd image, and examined the startup scripts located under `moxa-initrd-init/hooks.d/` to identify TPM-related operations executed during early boot.
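
Whether the data returned by the NV read described above crosses the bus in the clear depends on the session attributes sent with the `TPM2_NV_Read` command. The following is an added example, not code from the original article or from Moxa's firmware: it parses a TPM 2.0 command buffer (for instance one captured from a test harness or software TPM trace) and reports whether any session requests response parameter encryption. The NV index and session handles in the sample commands are constructed placeholders.

```python
import struct

TPM_ST_SESSIONS = 0x8002     # tag: command carries an authorization area
TPM_CC_NV_READ = 0x0000014E  # TPM2_NV_Read command code
ATTR_ENCRYPT = 0x40          # TPMA_SESSION.encrypt: encrypt first response parameter

def nv_read_sessions(cmd: bytes):
    """Return [(session_handle, attributes)] for a TPM2_NV_Read command, None otherwise."""
    tag, size, code = struct.unpack_from(">HII", cmd, 0)
    if size != len(cmd):
        raise ValueError("commandSize does not match buffer length")
    if code != TPM_CC_NV_READ:
        return None
    if tag != TPM_ST_SESSIONS:
        return []
    # 10-byte header, authHandle (4), nvIndex (4), then UINT32 authorizationSize
    (auth_size,) = struct.unpack_from(">I", cmd, 18)
    pos, end = 22, 22 + auth_size
    sessions = []
    while pos < end:
        handle, nonce_len = struct.unpack_from(">IH", cmd, pos)
        pos += 6 + nonce_len
        attrs, hmac_len = struct.unpack_from(">BH", cmd, pos)
        pos += 3 + hmac_len
        sessions.append((handle, attrs))
    if pos != end or end > len(cmd):
        raise ValueError("malformed authorization area")
    return sessions

def response_is_encrypted(cmd: bytes) -> bool:
    """True if any session on the NV read asks the TPM to encrypt the returned data."""
    sessions = nv_read_sessions(cmd)
    if sessions is None:
        raise ValueError("not a TPM2_NV_Read command")
    return any(attrs & ATTR_ENCRYPT for _, attrs in sessions)

def build_nv_read(sessions, nv_index=0x01500000, size=32, offset=0):
    """Constructed sample input; the NV index is a placeholder, nonces/HMACs are empty."""
    auth = b"".join(struct.pack(">IHBH", h, 0, a, 0) for h, a in sessions)
    body = struct.pack(">III", nv_index, nv_index, len(auth)) + auth
    body += struct.pack(">HH", size, offset)
    return struct.pack(">HII", TPM_ST_SESSIONS, 10 + len(body), TPM_CC_NV_READ) + body

# Policy session only (continueSession): data comes back in the clear.
PLAIN = build_nv_read([(0x03000000, 0x01)])
# Same read plus an HMAC session with continueSession | encrypt.
PROTECTED = build_nv_read([(0x03000000, 0x01), (0x02000000, 0x41)])

if __name__ == "__main__":
    for name, cmd in (("PLAIN", PLAIN), ("PROTECTED", PROTECTED)):
        print(name, "response encrypted:", response_is_encrypted(cmd))
```

The attribute alone does not show that the session key is secret: whether the session was salted or bound is decided earlier, in `TPM2_StartAuthSession`, and an unsalted, unbound session offers little protection against a bus observer.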