Intel chips sold in the past five years contain a flaw in the read-only memory (ROM) and firmware of their management engine that may allow attackers to bypass encryption and install malware, according to Intel and security researchers.
No attacks exploiting the flaw have come to light, but the potential exists for attacks that expose personal information or steal company secrets.
Intel first reported the problem in May 2019. It has apparently not been a drag on Intel sales, which reached record levels last year at $72 billion. The company has issued updates related to the problem. The vulnerability does not affect the latest 10th-generation (Ice Point) chipsets.
To take advantage of the vulnerability, a hacker must gain physical access to a machine or network, according to security analysts and Intel. Those factors limit its potential to cause harm, analysts said.
The flaw came to light again recently, on March 5, when Positive Technologies, a cyberthreat analysis company, blogged about the vulnerability in the ROM of Intel’s Converged Security and Management Engine (CSME). Early on, Intel had thanked Positive Technologies for finding and reporting the vulnerability in May 2019.
The latest blog post, written by Mark Ermolov, lead specialist of OS and hardware security at Positive Technologies, is apparently intended to re-emphasize the vulnerability and the seriousness it still poses, ahead of an upcoming white paper from Positive Technologies detailing it.
“This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company’s platforms,” the blog says. “The problem is not only that it is impossible to fix firmware errors that are hard-coded in the Mask ROM of microprocessors and chipsets. The larger worry is that because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.”
The vulnerability exists in both the hardware and the firmware of the boot ROM, Positive Technologies noted. Early in boot, the CSME firmware in the ROM initializes its page directory and turns on page translation, but the IOMMU protection that blocks other devices from writing into CSME memory by DMA is enabled only later. That leaves a window in which the SRAM (Static Random-Access Memory) holding the freshly built page tables can be overwritten from outside the CSME.
Ermolov noted that the vulnerability resembles a BootROM flaw in Apple's mobile platforms, though this one affects only Intel systems. Both vulnerabilities, he said, allow extracting users' encrypted data.
Hackers can obtain an encryption key in different ways, including from a lost or stolen laptop, Ermolov said. “Unscrupulous suppliers, contractors or even employees with physical access to the computer can get hold of the key,” he said.
Intel’s latest support documentation for the vulnerability (Intel-SA-00213) includes a Feb. 11 update which Intel said is intended to emphasize previous guidance. One of the primary warnings is that “end users should maintain physical possession of the platform” and another is to install updates as soon as they become available.
In a statement provided to FierceElectronics, Intel largely reiterated what it has said online:
“Intel was notified of a vulnerability potentially affecting the Intel Converged Security Management Engine in which an un-authorized user with specialized hardware and physical access may be able to execute arbitrary code within the Intel CSME subsystem on certain Intel products. Intel released mitigations and recommends keeping systems up-to-date.”
Leonard Lee, an analyst at NeXt-Curve, said the CSME vulnerability "is particularly troubling as it compromises the root of trust framework of Intel's portfolio of processors." A key concern is that laptops, PCs and other devices are more difficult to monitor, control and patch than servers and network equipment.
For enterprises it will be important to institute security measures beyond only firmware updates, Lee said. "It will take more than patches and firmware updates to rein in the risk," he said.
Two other industry analysts said that while the vulnerability itself could be serious, it can be limited by some of the Intel patches released in the last year.
“To take advantage of this exploit, you have to have physical control of the machine and be able to insert software via a bootable drive or disk,” said Jack Gold, an analyst at J. Gold Associates. “It can’t be spread in typical malware fashion from machine to machine, so it’s a physical attack, one machine at a time, and very difficult to do.”
Patrick Moorhead, analyst at Moor Insights & Strategy called the vulnerability a “high severity issue,” but added: “I think people are missing that this requires special equipment and physical acquisition of the device. Intel is doing everything they can, and Original Equipment Makers need to implement anti-rollback to make sure they are protected.”
Physical Anti-Rollback (ARB) mitigates the attack on newer Intel systems and can be applied as part of a BIOS update on CSME 12 platforms.
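The anti-rollback guidance above rests on one rule: a platform must refuse to accept CSME firmware that is older than the minimum version it has already recorded, even if that older firmware carries a valid Intel signature. The following is an added illustration of that rule written for this article; it is not Intel's or any OEM's implementation, and the version numbers in it are constructed placeholders rather than the real fixed builds listed in Intel-SA-00213. It parses dotted CSME version strings and compares them field by field as integers, because a plain string comparison would rank "12.0.9" above "12.0.64" and let a downgrade through.

```python
"""Anti-rollback style version gate for CSME firmware (illustrative, not Intel code)."""
from __future__ import annotations


def parse_version(s: str) -> tuple[int, ...]:
    """Turn a dotted CSME version such as '12.0.64.1402' into (12, 0, 64, 1402).

    Every field must be a non-negative integer; anything else is rejected so a
    malformed manifest field cannot silently compare as "newer".
    """
    parts = s.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed CSME version string: {s!r}")
    return tuple(int(p) for p in parts)


def allowed_by_arb(current: str, candidate: str) -> bool:
    """Anti-rollback rule: accept the candidate only if it is not older than current.

    Tuples compare element by element as integers, so 64 > 9 as expected.
    """
    return parse_version(candidate) >= parse_version(current)


def needs_update(current: str, minimum_fixed: str) -> bool:
    """True when the running CSME version is below the minimum fixed version."""
    return parse_version(current) < parse_version(minimum_fixed)


# Constructed placeholder table keyed by CSME major version. These values are
# NOT Intel's real fixed builds; take those from Intel-SA-00213 for a given platform.
MIN_FIXED_PLACEHOLDER = {
    11: "11.8.70.3626",
    12: "12.0.45.1443",
}


def check_platform(current: str) -> str:
    """Report whether a running CSME version should be updated, per the placeholder table."""
    major = parse_version(current)[0]
    if major not in MIN_FIXED_PLACEHOLDER:
        return f"{current}: no entry for CSME {major} in the table, consult the advisory"
    if needs_update(current, MIN_FIXED_PLACEHOLDER[major]):
        return f"{current}: below minimum {MIN_FIXED_PLACEHOLDER[major]}, update required"
    return f"{current}: at or above minimum {MIN_FIXED_PLACEHOLDER[major]}"


if __name__ == "__main__":
    # Downgrade attempt that a naive string compare would wrongly accept.
    print("downgrade 12.0.64.1402 -> 12.0.9.100 allowed:", allowed_by_arb("12.0.64.1402", "12.0.9.100"))
    print("upgrade   12.0.9.100 -> 12.0.64.1402 allowed:", allowed_by_arb("12.0.9.100", "12.0.64.1402"))
    print(check_platform("12.0.30.1000"))
    print(check_platform("12.0.64.1402"))
```

The same integer-wise comparison applies to any dotted firmware version scheme; the point of the example is the downgrade case, where a lexical comparison of the strings would reach the opposite verdict from the anti-rollback policy.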
Gold also said the vulnerability has been somewhat overhyped, a position also taken in a blog post by Kelly Shortridge, vice president of product strategy at Capsule8, a company providing attack protection for Linux environments.