Slashdot Mirror


Researchers Discover and Abuse New Undocumented Feature in Intel Chipsets (zdnet.com)

At the Black Hat Asia 2019 security conference, security researchers from Positive Technologies disclosed the existence of a previously unknown and undocumented feature in Intel chipsets. From a report: Called Intel Visualization of Internal Signals Architecture (Intel VISA), Positive Technologies researchers Maxim Goryachy and Mark Ermolov said this is a new utility included in modern Intel chipsets to help with testing and debugging on manufacturing lines. VISA is included with Platform Controller Hub (PCH) chipsets part of modern Intel CPUs and works like a full-fledged logic signal analyzer. According to the two researchers, VISA intercepts electronic signals sent from internal buses and peripherals (display, keyboard, and webcam) to the PCH -- and later the main CPU. Unauthorized access to the VISA feature would allow a threat actor to intercept data from the computer memory and create spyware that works at the lowest possible level. But despite its extremely intrusive nature, very little is known about this new technology.

6 of 102 comments

  1. Someone forgot to blow the fuse by davidwr · · Score: 5, Insightful

    Since these features are meant for use on the assembly line you can't just remove them.

    But you can design them to be permanently disabled as one of the last steps before the chip leaves the manufacturing plant.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Someone forgot to blow the fuse by DickBreath · · Score: 3, Insightful

      Why would the NSA want a feature like this to be disabled when the chip leaves the manufacturing line?

      --
      I'll see your senator, and I'll raise you two judges.
    2. Re:Someone forgot to blow the fuse by sjames · · Score: 3, Insightful

      What they forgot is who owns the damned computer. Many devices have all of the same capabilities, usable for testing, diagnostics, and debugging new firmware, but most of them aren't as stupid as Intel about it. They require you to physically plug in to a JTAG interface.

      Back in "the old days", you could "de-brick" a WRT54 using a simple handmade adapter to connect a PC's parallel port to the JTAG connection on the board and running a simple utility that would re-flash the WRT through JTAG.

      In a world where the consumer that forks over the cash actually owns the device, all devices should expose a JTAG port, and none should be so stupid as to connect it to a Management Engine running secret signed and encrypted firmware that the rightful owner can't change.

  2. So it has an official name by the_skywise · · Score: 3, Insightful
    and it has an official purpose (and they have a plan!)

    Called Intel Visualization of Internal Signals Architecture (Intel VISA), Positive Technologies researchers Maxim Goryachy and Mark Ermolov said this is a new utility included in modern Intel chipsets to help with testing and debugging on manufacturing lines.

    How is that "undocumented" other than Intel only provides the docs to paying developers?

  3. Re:Requires physical access by dfghjk · · Score: 2, Insightful

    Says an Intel spokesman. That is, however, not true.

    Physical access is required of systems that have taken actions to require it, namely physical access required to update certain flash data. For systems that haven't done this, physical access isn't required.

  4. Re:Requires physical access by Gravis Zero · · Score: 5, Insightful

    This exploit requires physical access.

    No, it doesn't. You took the word of an Intel spokesperson over a hacker's, seriously?

    You should have kept reading:

    "Customers who have applied those mitigations are protected from known vectors," the company said.

    However, in an online discussion after his Black Hat talk, Ermolov said the Intel-SA-00086 fixes are not enough, as Intel firmware can be downgraded to vulnerable versions where the attackers can take over Intel ME and later enable VISA.

    Furthermore, Ermolov said that there are three other ways to enable Intel VISA, methods that will become public when Black Hat organizers will publish the duo's presentation slides in the coming days.

    --
    Anons need not reply. Questions end with a question mark.