Unfixable vulnerability found in Intel chipsets 'impossible' to detect
Positive Technologies has revealed a vulnerability in a widely distributed model of chipsets released by Intel, with most chipsets released in the last five years believed to contain the vulnerability.
The flaw CVE-2019-0090 can be exploited by attackers who can extract the chipset key stored on the PCH microchip and obtain access to data encrypted with the key.
Positive Technologies says it is ‘impossible’ to detect this kind of key breach, and no firmware updates can fix the vulnerability.
An attack could potentially pass off an attacker’s computer as the victim’s computer by forging its Enhanced Privacy ID (EPID) attestation, which is used in financial transactions and attestation on IoT deices.
Cyber attackers could also decrypt data stored on a target computer.
“The vulnerability resembles an error recently identified in the BootROM of Apple mobile platforms, but affects only Intel systems,” says Positive Technologies lead specialist of OS and hardware security Mark Ermolov.
“Both vulnerabilities allow extracting users' encrypted data. Here, attackers can obtain the key in many different ways.
“For example, they can extract it from a lost or stolen laptop in order to decrypt confidential data. Unscrupulous suppliers, contractors, or even employees with physical access to the computer can get hold of the key,” says Ermolov.
“In some cases, attackers can intercept the key remotely, provided they have gained local access to a target PC as part of a multistage attack, or if the manufacturer allows remote firmware updates of internal devices, such as Intel Integrated Sensor Hub.”
Positive Technologies says data protection technologies that rely on hardware keys for encryption are most at risk, as the vulnerability could potentially compromise such keys. Some such affected technologies may include DRM, firmware TPM, and Intel Identity Protection.
Attackers with the Intel chipset can exploit the vulnerability on their own computers to bypass content DRM and make illegal copies.
In ROM, this vulnerability also allows for arbitrary code execution at the zero level of privilege of Intel CSME, and no firmware updates can fix the vulnerability, according to Positive Technologies.
Intel has recommended users of Intel CSME, Intel SPS, Intel TXE, Intel DAL, and Intel AMT contact their device or motherboard manufacturer for microchip or BIOS updates to address the vulnerability.
Since it is impossible to fully fix the vulnerability by modifying the chipset ROM, Positive Technologies experts recommend disabling Intel CSME-based encryption of data storage devices or considering migration to tenth-generation or later Intel CPUs.
In this context, retrospective detection of infrastructure compromise with the help of traffic analysis systems such as PT Network Attack Discovery becomes just as important, says Positive Technologies.