A security research firm has found that Intel chipsets used in computers over the past five years have a major flaw that allows hackers to bypass encryption codes and quietly install malware such as keyloggers.
The worse news: There is no complete fix for the problem.
The security firm Positive Technologies announced late last week that the vulnerability, hard-coded in the boot ROM, exposes millions of devices using Intel architecture to industrial espionage and leaks of sensitive information that cannot be detected as they happen.
Because the flaw occurs at the hardware level, it cannot be patched.
They also noted that one barrier to attack is an encrypted chipset key inside the one-time programmable (OTP) memory, although the unit that initiates such encryption is itself open to attack.
Researchers made it clear the threat is a serious one.
“Since the ROM vulnerability allows seizing control of code execution before the hardware key generation mechanism … is locked, and the ROM vulnerability cannot be fixed, we believe that extracting this [encryption] key is only a matter of time,” Positive Technologies researchers said.
“When this happens, utter chaos will reign.”
They warned of forged hardware IDs, extracted digital content and decryption of data on hard drives.
Intel has confirmed that it is aware of the discovery in its CSME and that it affects most Intel chipsets released in the last five years—other than Ice Point (Generation 10). Other products include:
- Intel CSME prior to versions 11.8.65, 11.11.65, 11.22.65, 12.0.35
- Intel Server Platform Services prior to version SPS_E3_05.00.04.027.0
- Intel Trusted Execution Engine prior to versions TXE 3.1.65, TXE 4.0.15
The company has advised that anyone affected by this vulnerability should contact their system or motherboard manufacturer to obtain a firmware or BIOS update. Intel has confirmed that it can’t provide updates for systems or motherboards from other manufacturers.
The vulnerability – known as CVE-2019-0090 – allows a local attacker to extract the chipset key stored on the Intel Platform Controller Hub microchip and obtain access to encrypted data. According to Positive Technologies, this sort of breach is impossible to detect, making the potential threat more concerning.
Intel, which acknowledged it was aware of the problem last fall, issued a patch last Thursday that partially addresses the problem.
A spokesman for the company explained that while they cannot secure hardcoded ROM in existing computers, they are trying to devise patches that will quarantine all potential system attack targets.
The flaw is located in Intel’s Converged Security Management Engine (CSME), which handles security for firmware on all Intel-powered machines.
“With the chipset key, attackers can decrypt data stored on a target computer and even forge its Enhanced Privacy ID (EPID) attestation or in other words, pass off an attacker computer as the victim’s computer,” states a Positive Technologies the press release.
EPID is used in Digital Rights Management (DRM), financial transactions, and the processes around verifying remote devices. For example, attackers can exploit the vulnerability to bypass content DRM and make illegal copies.
“Since it is impossible to fully fix the vulnerability by modifying the chipset ROM, Positive Technologies experts recommend disabling Intel CSME based encryption of data storage devices or consider migration to tenth-generation or later Intel CPUs,” explains the press release.
Founder of World Privacy Forum, Pam Dixon, believes that while the vulnerability could potentially be exploited in the future, it would require a combination “extraordinary skill, time, and physical access to the affected device.”
“Yes, it’s a serious flaw that could someday enable bypassing DRM and other protections, but it appears that there are questions as to how it could be scaled to widespread use at this time,” she told Newsweek. “An attacker would need to go through multiple very difficult steps to unlock the Chipset Key, and that requires physical access.
“Something that may factor into a risk analysis at the consumer level is the growing use of iPads and other iOS devices to create and access content. iOS devices do not have this vulnerability and could blunt potential impact, possibly significantly.
“Also, not all laptop models have the older chips with this vulnerability. At the enterprise level, as time goes on and the affected devices are replaced by new devices without this vulnerability, the risk will continue to decrease. However, that being said, protecting physical access to affected devices at the enterprise level just became even more important,” said Dixon.
In recent years, Intel has confronted a few serious security flaws such as the Meltdown and Spectre processor vulnerabilities and the CacheOut attack.
The latest crisis comes at a time of increasing fierce competition with AMD, developer of the popular Ryzen chip.
But perhaps the most serious blow is to Intel’s longstanding reputation of excellence. The latest flaw, according to Mark Ermolov, lead specialist of OS and hardware security at Positive Technologies, strikes at the heart of Intel’s most vital asset: trust.
“The scenario that Intel system architects, engineers, and security specialists perhaps feared most is now a reality,” Ermolov said. “This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company’s platforms.”
How can I check if I’m affected by this security vulnerability?
According to Intel, anyone concerned about potentially being affected by the vulnerability should reboot their system and access the system BIOS.
For Windows PC users, the BIOS key is set by the manufacturer—normally F10, F2, F12, F1 or DEL. Intel ME/Intel CSME firmware information might be available in the BIOS information screens, but if it isn’t available in the system BIOS, contact the system manufacturer for assistance.
Mike Jennings, a technology expert and writer, told Newsweek: “Intel has always had security vulnerabilities—it’s hard for them to keep up when hackers always move goalposts. Meltdown and Spectre are two of the highest-profile vulnerabilities of recent years, although they’ve both been fixed since.
“If people keep hold of their computers, have decent security software installed and keep their computers updated, they’ll be fine.”
Newsweek contacted Intel for comment and was provided with the following statement: “Intel was notified of a vulnerability potentially affecting the Intel Converged Security Management Engine in which an unauthorized user with specialized hardware and physical access may be able to execute arbitrary code within the Intel CSME subsystem on certain Intel products. Intel released mitigations and recommends keeping systems up-to-date.
More details of Intel’s efforts to address the vulnerability can be found on the company’s support page: https://www.intel.com/content/www/us/en/support/articles/000033416/technologies.html