New unfixable security flaw found in Intel CPUs

It seems that the way that Intel has made their ‘Boot ROM’ has the potential for an unfixable security breach in millions of Intel CPUs in the future.

The problem comes when switching on an Intel system, within a few milliseconds, and it all comes down to the ‘Management Engine’, also known as CSME.

This is a mini computer within an Intel CPU, comprising a 486 processor (latest version found in newer chips), RAM, its own code in boot ROM and full access to the rest of the machine. It’s basically a tiny computer that does background stuff for the whole system.

It works beneath the Operating System so it doesn’t even see it or acknowledge it. This small computer does ultra low stuff such as:

  1. Bringing up the Computer.
  2. Controlling power levels.
  3. Starting the main computer chips, CPU, chipset and any cores within them.
  4. Booting and verifying the motherboard firmware.
  5. Running any DRM, cryptographic functions.

The Exploit:

The exploit is based on one ‘Master Key’ that is hardcoded into each Intel CPU, hence the unfixable status as it would require new silicon to close this exploit.

One of the first things when starting up the machine is the small computer has to set up memory protections in its built-in RAM, so there is a tiny window of being vulnerable to attack. This is because the CSME has to install these protections in the form of IOMMU (In/Out Memory Module Unit).

During this time though, any hardware on said motherboard, physically attached and/or present on the motherboard can fire a DMA transfer into the CSME’s private RAM if it wants to. Which brings about the issue of the exploit.

Since there is only a hardcoded ‘master key’ to open up the CSME, someone could figure out this ‘master key’ over time by attacking by sniping that tiny window where the CPU is preparing its security. Those willing to do that can do so on CPUs that they own and chipsets on their own motherboards.

Once again the IOMMU is read only and cannot be patched. So once this is worked out and cracked, the system is pretty much non-secure. The CSME even allows incoming traffic through the various input/output connectors such as USB, WiFi, Ethernet so potentially anyone with said ‘master key’ can gain control of a system/server.

What damage could be done:

Pretty much anything.

Decrypting files, deleting/modifying files, uploading/downloading file content, modifying/deleting UEFI and so on. All without knowledge of the owner of said machine as once again the CSME is ultra low level stuff and the OS and Kernel can’t see it or control it.

The weakness was found and reported to Intel by Positive Technologies who have prodded and poked the CSME for a while now since Meltdown was detected.

Intel attempted to patch this with CVE-2019-0090 but Positive reckon there are other ways in.

For now, systems are secure but the vulnerability is still there. This is a case of when hackers will be able to get through to find the ‘master key’ which is a single key used across a current chipset. 3rd Gen, 4th Gen, 5th Gen up to 9th Gen. (How they thought one unchangeable ‘master key’ was a good idea I don’t know.)

For full control of EPID they would need to:

  1. Extract hardware key during period it is stored in unprotected memory.
  2. The Hardware Key is used to decrypt the Chipset Key aka the CPU.
  3. The Hardware Key is hardcoded and cannot be patched or changed.
  4. The Chipset Key resides in Secure Key Storage (SKS)

Extracting the Hardware key is only a matter of time, due to this being unpatchable.

Should you worry:

No, not really, it is a concern and something to be looked on if this affects other longer term hardware such as Xeons which are used in servers. It is also unknown if Intel will have an actual fix in later CPUs such as 10th Gen but would require a new way of securing such parts of the CPU that cannot be accessed in such ways.

Intel has said, install latest security patches, make sure your hardware is maintained physically by the owners. Which is good advice but considering no one needs access to your machine to do this and can figure it out with another 9th Gen Intel system.

For now it’s safe. The keys haven’t been hacked yet and we don’t even know if someone is working on trying to extract said key. But it is something to keep an eye on developments and of course see how newer CPUs that come out from Intel have worked progressively to close this security hole up in future.

But that takes a new design of their silicon and a complete redesign of their CSME.

Would post a link to news story on this but not enough points so, go find it on theregister co uk site.

Another example of why you need to keep ALL your code up to date… hardware OR software.

The thing is, this one won’t matter and it’s poor design on both Intel and AMD that uses another CPU inside the processor which sets things up within the first second or so on first boot up.

Can update anything you like but once said master key is cracked and shared about online. Hackers can just bypass everything and do whatever to whatever system they want.

Pretty much affects Intel i processors and Xeons. And also AMD64, FX, Ryzens, Threadrippers and Epyc processors.

But not sure if AMD did the right thing and made their boot section at least protected flashable and not ROM. And if ROM then flashable at best.

But interesting that CPUs these days have another computer within their dies with their own RAM and BIOS also.

Right now, Intel ME as it’s called is an i486 with 1.5MB RAM and runs a custom Minix OS. The Boot ROM is basically its BIOS.

It’s that computer that is at the moment insecure due to unchangeable master encryption key. Seems people are slowly hacking it to get it. Going to cause problems once servers become wide open.

That’s the security that has to update now from hardware manufacturers and pushed by from companies as having another computer inside a processor open suddenly to gain access to business details, bank details and other private information. These little processors can decrypt stuff on computers as they make the encryption keys in the first place.

Really hoping Intel changes their CPU design to make this harder in their new CPUs and stop cutting corners just to get more speed out of them.

Rather a slightly slower CPU with fewer FPS and more secure than as fast as you can go and forego security as they’ve clearly been doing for over a decade or more.

And yet, AMD processors are made with same sub cpu inside each of their own so how secure those are is unknown but wouldn’t be surprised if open to same attacks.

Hate to break it to you but those “unfixable” “security flaws” in Intel chipsets are there for a good reason.

How do you think the Five Eye intel agencies get their information?

lol @ fixing a hardware flaw they put in with intention. This isn’t a CT either.
