Intel is fixing a vulnerability that unauthorized people with physical access can exploit to install malicious firmware on a chip and defeat a variety of measures, including protections provided by BitLocker, Trusted Platform Modules, anti-copy restrictions, and others.
The vulnerability, present in Pentium, Celeron, and Atom CPUs on the Apollo Lake, Gemini Lake, and Gemini Lake Refresh platforms, allows skilled hackers who possess an affected chip to run it in the debug and test modes used by firmware developers. Intel and other chip makers go to great lengths to prevent such access by unauthorized people.
Once in developer mode, an attacker can extract the key used to encrypt data stored in the TPM enclave and, if the TPM is being used to store the BitLocker key, defeat that protection as well. An adversary can also bypass the code-signing restrictions that prevent unauthorized firmware from running in the Intel Management Engine, a subsystem inside the vulnerable CPU, and from there backdoor the chip permanently.
Master key cloning
Each Intel CPU has a unique key used to generate follow-on keys for things like Intel's TPM, Enhanced Privacy ID, and other protections that rely on features built into Intel silicon. This unique key is known as the "fuse encryption key" or "chipset key fuse," the term used in Intel's own graphic of the key hierarchy.
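To make the key-hierarchy point concrete, here is an added illustration; it is not Intel's derivation scheme and not code from the article or the researchers. A per-device root key is fed through HKDF to produce distinct subordinate keys, anyone holding that root regenerates all of them, and a second device's root yields none of them. The purpose labels, the salt, and the two device keys are constructed for the example.

```python
import hashlib
import hmac
from typing import Dict

# HKDF (RFC 5869) built from HMAC-SHA256, used here only to illustrate a
# root-key hierarchy. It is NOT Intel's key-derivation scheme.
HASH = hashlib.sha256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract: condense the root key into a pseudorandom key."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF-Expand: derive `length` bytes bound to the `info` label."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


# Illustrative purpose labels for subordinate keys (assumed names, not Intel's).
PURPOSES = ("tpm-storage", "epid-root", "firmware-signing")

# Constructed per-device root ("fuse") keys for two hypothetical chips.
DEVICE_A_FUSE = hashlib.sha256(b"constructed fuse key, device A").digest()
DEVICE_B_FUSE = hashlib.sha256(b"constructed fuse key, device B").digest()


def derive_hierarchy(fuse_key: bytes) -> Dict[str, bytes]:
    """Derive every subordinate key from one per-device root key.

    Domain separation via the `info` label keeps the subkeys distinct from
    each other, but every one of them is a deterministic function of the root.
    """
    prk = hkdf_extract(b"illustrative-chipset-salt", fuse_key)
    return {p: hkdf_expand(prk, p.encode()) for p in PURPOSES}


def root_reproduces_hierarchy(candidate_root: bytes, observed: Dict[str, bytes]) -> bool:
    """True if candidate_root regenerates every key in `observed`.

    A root taken from the same device passes; another device's root does not,
    which is why the blast radius of an extracted fuse key is per-chip.
    """
    return derive_hierarchy(candidate_root) == observed


def shared_subkeys(h1: Dict[str, bytes], h2: Dict[str, bytes]) -> int:
    """Count subkeys two devices have in common (expected: 0)."""
    return sum(1 for p in PURPOSES if h1[p] == h2[p])


if __name__ == "__main__":
    a = derive_hierarchy(DEVICE_A_FUSE)
    b = derive_hierarchy(DEVICE_B_FUSE)
    print("device A root regenerates A's keys:", root_reproduces_hierarchy(DEVICE_A_FUSE, a))
    print("device B root regenerates A's keys:", root_reproduces_hierarchy(DEVICE_B_FUSE, a))
    print("subkeys shared between A and B:", shared_subkeys(a, b))
```

The design point the example makes is the one the article turns on: domain separation protects the subkeys from each other, not from someone who holds the root they all descend from, and a unique root per chip limits that exposure to the one device whose fuses were read.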
"We found out that you can remove this key from the security fuse," Maxim Goryachy, one of the researchers who discovered the vulnerability, told me. "Basically, this key is encrypted, but we also found a way to decrypt it, and it allows us to execute arbitrary code inside the management engine, extract BitLocker/TPM keys, etc."
A blog post published on Monday expands on what hackers could use the exploit for. Mark Ermolov, one of the other researchers who discovered the vulnerability, wrote:
An example of a real threat is a lost or stolen laptop that contains confidential information in an encrypted form. Using this vulnerability, an attacker can extract the encryption key and gain access to information within the laptop. The bug can also be exploited in targeted attacks in the supply chain. For example, an employee of a supplier of Intel processor-based devices could, in theory, extract the Intel CSME [converged security and management engine] firmware key and deploy spyware that security software will not detect. This vulnerability is also dangerous because it allows the extraction of the root encryption keys used in Intel PTT (Platform Trust Technology) and Intel EPID (Enhanced Privacy ID) technologies in systems that protect digital content from illegal copying. For example, many Amazon e-book models use Intel EPID-based security for digital rights management. Using this vulnerability, an intruder can extract the root EPID key from a device (e-book) and then, having compromised Intel EPID technology, download electronic content from providers in file form, copy it, and distribute it.
Bloated, complex tertiary system
Over the years, researchers have exploited a number of firmware and performance features in Intel products to defeat basic security guarantees the company makes about its CPUs.
In October 2020, the same team of researchers extracted the secret key that encrypts updates to a class of Intel CPUs. Having a decrypted copy of an update allows hackers to reverse-engineer it and learn exactly what holes it patches and how to exploit them. The key could also allow parties other than Intel, whether a malicious hacker or a hobbyist, to update chips with their own microcode, although that customized version would not survive a reboot.
In the past two years, researchers have also uncovered at least four vulnerabilities in SGX, short for Software Guard Extensions, which acts as an in-silicon digital vault to secure users' most sensitive secrets.
Intel also shipped a large number of CPUs with critical flaws in Boot Guard, which is supposed to prevent unauthorized people from running malicious firmware during the boot process. Researchers have also found unfixable holes in the Converged Security and Management Engine, which implements Intel's Trusted Platform Module.
Intel has added these features as a way to differentiate its CPUs from competitors'. Concerns about the cost, performance overhead, and unreliability of these features have sent Google and many other organizations looking for alternatives when building so-called trusted computing bases to protect sensitive data.
"In my view, Intel's record on delivering a trustworthy compute base, especially around ME [management engine], is disappointing, and that's being charitable," security researcher Kenn White wrote in an email. "This work further validates the decision of Google and other big tech companies 5+ years ago to bypass Intel's built-in management stack with a bespoke one, dramatically slimming the TCB. When you don't have a bloated, complex tertiary system to maintain and harden, you get the added benefit of no debug path for an attacker to exploit that complexity."
Since the beginning of 2018, Intel has also been besieged by a steady stream of variants of the attack classes known as Spectre and Meltdown. Both attack classes abuse a performance enhancement known as speculative execution to allow hackers to access passwords, encryption keys, and other data that is supposed to be off-limits. While these bugs have bitten many chip makers, Intel has been hit particularly hard by Spectre and Meltdown because many of its chips rely more heavily on speculative execution than competitors' do.
Intel recently published this advisory, which rates the vulnerability's severity as high. The fix comes in a UEFI BIOS update that is available from OEMs or motherboard manufacturers. There is no evidence that the bug, tracked as CVE-2021-0146, has ever been actively exploited in the wild, and the difficulty of doing so will stop everyone except the most skilled hackers.
“Users should keep systems updated with the latest firmware and guard systems against unauthorized physical access,” Intel officials said in a statement. “Systems where end-of-manufacture was done by OEMs and where Intel Firmware Version Control Technology (Hardware Anti-Rollback) was enabled are at very low risk.”
Such vulnerabilities are unlikely to be used in indiscriminate attacks, but could, at least theoretically, be used in cases where adversaries with considerable resources are pursuing high-value targets. By all means install the update on any affected machines, but don’t sweat it if you can’t find it for a week or two.