Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Discover and Abuse New Undocumented Feature in Intel Chipsets (zdnet.com)

Posted by msmash on from the security-woes dept.

At the Black Hat Asia 2019 security conference, security researchers from Positive Technologies disclosed the existence of a previously unknown and undocumented feature in Intel chipsets. From a report: Called Intel Visualization of Internal Signals Architecture (Intel VISA), Positive Technologies researchers Maxim Goryachy and Mark Ermolov said this is a new utility included in modern Intel chipsets to help with testing and debugging on manufacturing lines. VISA is included with Platform Controller Hub (PCH) chipsets part of modern Intel CPUs and works like a full-fledged logic signal analyzer. According to the two researchers, VISA intercepts electronic signals sent from internal buses and peripherals (display, keyboard, and webcam) to the PCH -- and later the main CPU. Unauthorized access to the VISA feature would allow a threat actor to intercept data from the computer memory and create spyware that works at the lowest possible level. But despite its extremely intrusive nature, very little is known about this new technology.

53 of 102 comments (clear)

  1. Overheard in the Intel marketing department by Anonymous Coward · · Score: 5, Funny

    "I'm just spitballing here, but I've read that a lot of computers have rootkits on them. What if we baked a root kit right into the hardware so everyone could have one without having to go through the trouble of installing one?"

    1. Re: Overheard in the Intel marketing department by ChrisMaple · · Score: 1

      UEFI is a rootkit.

      --
      Contribute to civilization: ari.aynrand.org/donate
  2. Overheard later in the Intel development departmen by Narcocide · · Score: 5, Funny

    "No, one rootkit is no good. Make sure we bake in a few of different types in case something goes wrong with one. Redundancy is the key to reliability."

  3. I'm shocked by Anonymous Coward · · Score: 1

    No really, I am. Who woulda thunk it.

    It's getting to the point where Intel CPUs having another vulnerability is about as newsworthy as Trump tweeting something stupid: it happens far too often and no one wants to think about it.

    1. Re:I'm shocked by Anonymous Coward · · Score: 4, Funny

      "Intel Inside" has been a mandatory warning label for many years already.

  4. Someone forgot to blow the fuse by davidwr · · Score: 5, Insightful

    Since these features are meant for use on the assembly line you can't just remove them.

    But you can design them to be permanently disabled as one of the last steps before the chip leaves the manufacturing plant.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Someone forgot to blow the fuse by DickBreath · · Score: 3, Insightful

      Why would the NSA want a feature like this to be disabled when the chip leaves the manufacturing line?

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:Someone forgot to blow the fuse by aliquis · · Score: 2

      It's almost like there's a bunch of those features built in to make sure someone can get access ...

    3. Re:Someone forgot to blow the fuse by AmiMoJo · · Score: 1

      Would be fascinating to know if the NSA did actually tell them not to disable it, when Intel wanted to. My money is on simple incompetence though.

      Intel doesn't understand security and doesn't even really think about it. They just assume that because they didn't publish the docs it's a secret and no-one will be able to abuse it.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:Someone forgot to blow the fuse by sjames · · Score: 3, Insightful

      What they forgot is who owns the damned computer. Many devices have all of the same capabilities, usable for testing, diagnostics, and debugging new firmware, but most of them aren't as stupid as Intel about it. They require you to physically plug in to a JTAG interface.

      Back in "the old days", you could "de-brick" a WRT54 using a simple hand made adapter to connect a PCs parallel port to the JTAG connection on the board and running a simple utility that would re-flash the WRT through JTAG.

      In a world where the consumer that forks over the cash actually owns the device, all devices should expose a JTAG port, and none should be so stupid as to connect it to a Management Engine running secret signed and encrypted firmware that the rightful owner can't change.

    5. Re:Someone forgot to blow the fuse by DickBreath · · Score: 1

      Remember Scooby Doo? If it weren't for these pesky researchers, the NSA might have gotten away with it and the Russians would never have known.

      --

      I'll see your senator, and I'll raise you two judges.
    6. Re:Someone forgot to blow the fuse by Rick+Schumann · · Score: 2

      Correct. For Production silicon, certain one-time-programmable bits ('fuses') are supposed to be programmed, disabling the internal debug features.
      However there are ways to re-enable it on a per-boot-cycle basis; you just have to know how. This capability is included and allowed so that 'closed box' debugging can be done by Intel if there is a problem an OEM is having that requires Intel to assist with it. Think of it as a 'backdoor' into the debugging infrastructure of the silicon. The ways and means of temporarily re-enabling the debug features are supposed to be a top secret, because allowing them would make reverse engineering the silicon so much easier, but as with all 'backdoors' if someone has the skills and determination they just might be able to find it on their own.

    7. Re:Someone forgot to blow the fuse by davidwr · · Score: 1

      However there are ways to re-enable it on a per-boot-cycle basis; you just have to know how. This capability is included and allowed so that 'closed box' debugging can be done by Intel if there is a problem an OEM is having that requires Intel to assist with it.

      Okay, fine, but compromise a bit on the "closed box" and require that a pin on the CPU be jumpered to something during boot to enable this, so it cannot be enabled without physical access.

      --
      Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    8. Re:Someone forgot to blow the fuse by sjames · · Score: 1

      You seem to be confused a bit. The Intel ME firmware is the locked down part. I was NOT talking about EFI, UEFI, BIOS, PCI boot ROMS, or even applying a vendor created and signed update.

    9. Re:Someone forgot to blow the fuse by sjames · · Score: 1

      Perhaps you should read that link yourself.

      If you ran something on it, it was using a scripted exploit that Intel did not intend to work. So, what did you run and how did you get it on there?

    10. Re:Someone forgot to blow the fuse by radarskiy · · Score: 1

      Full debug access back as far as Broadwell has required a cryptographic key which is dowloaded every time you power up the device.

  5. Re:Requires physical access by SurenEnfiajyan · · Score: 1
    From the article:

    However, the two researchers said they found several methods of enabling VISA and abusing it to sniff data that passes through the CPU, and even through the secretive Intel Management Engine (ME), which has been housed in the PCH since the release of the Nehalem processors and 5-Series chipsets.

    I think not only with physical access.

  6. So it has an official name by the_skywise · · Score: 3, Insightful
    and it has an official purpose (and they have a plan!)

    Called Intel Visualization of Internal Signals Architecture (Intel VISA), Positive Technologies researchers Maxim Goryachy and Mark Ermolov said this is a new utility included in modern Intel chipsets to help with testing and debugging on manufacturing lines.

    How is that "undocumented" other than Intel only provides the docs to paying developers?

    1. Re:So it has an official name by SurenEnfiajyan · · Score: 1

      I think Intel should switch its employees' PCs/laptops to AMD.

    2. Re:So it has an official name by Gravis+Zero · · Score: 1

      How is that "undocumented" other than Intel only provides the docs to paying developers?

      Any documentation about it is only available to under NDA and only for motherboard manufacturers. As such, information about it is unable to enter the public sphere so much so that even OS developers are unaware of it's very existence. It seems to be tightly coiled with IME so the only thing more secret than Intel VISA (that we know of) is the CPU microcode.

      --
      Anons need not reply. Questions end with a question mark.
    3. Re:So it has an official name by thereddaikon · · Score: 2

      Its undocumented to anyone who isn't an Intel partner clearly. The motherboard manufacturers obviously know about it because its made for them. But its existent was kept under NDA so anyone who did know about it wasn't talking. The reasoning there is kind of obvious, if it really is a full logic analyzer then you could learn a lot about Intel hardware with this thing. Would be very useful for competitors to reverse engineer Intel's products without much effort. What doesn't make sense is why it isn't permanently disabled before leaving the factory. Security through obscurity is not valid.

    4. Re:So it has an official name by DNS-and-BIND · · Score: 2

      The name for this policy is "security through obscurity".

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    5. Re:So it has an official name by DigiShaman · · Score: 1

      Since it's not needed for the consumer, I wonder if it can be permanently disabled with some application; hopefully provided by Intel publicly. Bonus if rolled into a Microsoft KB patch on Update Tuesday.

      --
      Life is not for the lazy.
    6. Re:So it has an official name by sjames · · Score: 1

      That doesn't make much sense either. Anyone big enough to go into the chip business for themselves can already reverse engineer Intel's products without much effort.

    7. Re:So it has an official name by Rick+Schumann · · Score: 1

      It's very high on the list of 'important intellectual property' because being able to freely access it would be a great help in reverse-engineering the silicon for purposes of stealing the designs.

  7. Re:Requires physical access by dfghjk · · Score: 2, Insightful

    Says an Intel spokesman. That is, however, not true.

    Physical access is required of systems that have taken actions to require it, namely physical access required to update certain flash data. For systems that haven't done this, physical access isn't required.

  8. Re:Requires physical access by Gravis+Zero · · Score: 5, Insightful

    This exploit requires physical access.

    No, it doesn't. You took the word of an Intel spokesperson over a hackers, seriously?

    You should have kept reading:

    "Customers who have applied those mitigations are protected from known vectors," the company said.

    However, in an online discussion after his Black Hat talk, Ermolov said the Intel-SA-00086 fixes are not enough, as Intel firmware can be downgraded to vulnerable versions where the attackers can take over Intel ME and later enable VISA.

    Furthermore, Ermolov said that there are three other ways to enable Intel VISA, methods that will become public when Black Hat organizers will publish the duo's presentation slides in the coming days.

    --
    Anons need not reply. Questions end with a question mark.
  9. done by jmccue · · Score: 3, Funny

    That is it, I am done. Now where is my 286 ?

    1. Re:done by DickBreath · · Score: 1

      Can a modern ARM chip give you as good performance or better than a 286?

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:done by somenickname · · Score: 1

      Rather than try to coax a 286 to life, you should look into OpenPOWER based systems like Raptor Computing Systems POWER9 machines (https://www.raptorcs.com/). They are just about to release their microATX form factor boards that are still expensive but not too crazy. These are very open machines, performance competitive with Intel/AMD based systems and can run a number of popular Linux distros. I'm looking forward to ditching Intel once my Blackbird motherboard arrives.

    3. Re:done by currently_awake · · Score: 1

      The Arm chip has a much higher clock rate than the (old) Intel chip. The Intel chip requires fewer clock cycles per instruction, but not enough to make up the difference. The Arm chip can probably emulate the Intel chip at full speed.

    4. Re:done by DamnOregonian · · Score: 1

      Na. Very much na.
      The last time I used qemu-i386 on an ARM, it took just over 10 minutes to boot a kernel.

    5. Re:done by Required+Snark · · Score: 1

      You can get a Hex Driver for the POWER9 HSF for only $12.50 plus S&H!

      --
      Why is Snark Required?
    6. Re:done by K.+S.+Kyosuke · · Score: 1

      Sounds like a reasonable time for an i386 to boot a kernel, why are you complaining?

      --
      Ezekiel 23:20
    7. Re:done by DamnOregonian · · Score: 1

      Can't tell if kidding. If not... No, no it is not.

  10. Re:Requires physical access by sjames · · Score: 4, Informative

    Sorry, no. As long as the ME continues to exist and is not exclusively under the control of the machine's owner, the risk of remote exploit exists.

  11. Let's talk... by higuita · · Score: 1

    ...NSA here, please ignore that little feature, nothing to see here!

    https://media.giphy.com/media/...
    https://tenor.com/view/fizzer1...

    --
    Higuita
  12. These are not new features, they've been there by GregMmm · · Score: 4, Interesting

    Maybe Intel VISA is a newly coined phrase, but there have been access to the PCH has been around for along time. In my experience (at Intel, on dev teams) This is used firstly for debug at development time and then at manufacturing time for passing certain test. Both used to have a physical device to do this, so just doing it remotely wouldn't work. Also, all features were available at dev time for obvious reasons. By manufacturing time, it should be mostly locked down and before it goes out the door, totally locked.

    What I'm afraid of is security has become lax enough to allow remote access to this. Like a lazy engineer/architect (ever had one of those?) didn't want to walk his butt into the secure lab so they just put some back door in with telling anyone. Or worse after by off from the development team.

    Also, yes these are undocumented because they are never meant for outside use (Intel, OEMs, etc) Just debug and optimization. No one else would really want access, but nefarious peeps would.

    This could be a big issue if there really is something here. I'm hoping Intel didn't get lazy, but who knows.

    1. Re:These are not new features, they've been there by radarskiy · · Score: 1

      There are certain levels of debug access that are left open for the system integrators (e.g. Dell) to do debug on their own systems. It is then their responsibility to disable this on production systems.

  13. Okay, that's it by Red_Forman · · Score: 1

    Enough with all the dumbass stuff from Intel, Microsoft and Apple.

    My next laptop will be a freakin' Raspberry Pi 3 running a non-systemD Linux distro of some sort.

    1. Re:Okay, that's it by DamnOregonian · · Score: 1

      Christ, I can't wait to go back to the awesome experience of running slackware on a Pentium 2.

    2. Re:Okay, that's it by K.+S.+Kyosuke · · Score: 1

      You could try ODROID instead.

      --
      Ezekiel 23:20
  14. Only 'abuse' is by Intel by schwit1 · · Score: 2

    Intel put the features in, failed to document them, failed to disable them and KNOWS researchers will be looking for them.

    The only abuse is Intel not taking responsibility for its incompetence.

  15. remember the Clipper chip? by epine · · Score: 2

    Who else remembers the Clipper chip saga from the first light of eternal September?

    The Clipper chip was a chipset that was developed and promoted by the NSA as an encryption device that secured "voice and data messages" with a built-in backdoor. Each clipper chip had a unique serial number and a secret unit key programmed into the chip when manufactured.

    It was part of a Clinton Administration program to "allow Federal, State, and local law enforcement officials the ability to decode intercepted voice and data transmissions."

    It was announced in 1993 and by 1996 was entirely defunct.

    Bruce Schneier's Applied Cryptography (1994) had just come out, and it was a glorious rip in the kimono of the grotesquely secretive surveillance state. (At one point, in the institution's formative adolescence, even the NSA's name was hard to find out.)

    In those glorious, turbulent years of eternal onset we—the open source greybeards of minimal middle—managed to score some surprising victories over the rather clumsy NSA, clearly dazed by those first insistent rays of sunshine, now stumbling around in the public sphere like John Oliver fresh out of bed, blinded by paparazzi flashbulbs en route to his underwear drawer.

    I enjoyed this comedic spectacle while it was happening to the power of ten.

    Meanwhile, another part of my brain was going "they'll be baaack". If you catch Rommel with his pants down at 06:00, enjoy it while you can; by 0:900 you'll wish you hadn't. Clearly the hard-boiled eggheads of this imperious and paranoid institution weren't going to consume their crumpets of crow quavering cadaverously. Now there's so much crepuscular silicon—how shall we best phrase this?—of mixed utility that you need avail yourself of the extended edition of Hogwart's Almanac merely to decode the confounding acronyms.

    Clinton's Clipper comeuppance was the most glorious greybeard insurgency I've ever witnessed, but with a teeny, tiny fly embedded in the silver lining: we basically started a land war in Asia we could not ultimately win. Not even a historic Snowden dump changed matters much at the end of the day. With the persistence of the North Vietnamese (augmented by Mexican mechanization) minions of the NSA have cunningly scrabbled subsoil, stealth supply lines all the way to Moscow's front door.

    This story is a somewhat different offensive than Operation Typhoon. They don't want to conquer Moscow, they want to become Moscow, under cover of ubiquitous onion domes, now tinier than anyone had once imagined, shrouded in RF-transparent Mandelbrot onion skin: you are in a maze of twisty little passages, all alike.

    All said and done—and duly intercepted—the moral of starting a land war in Asia remains mostly the same.

  16. Re:Build a wall! by Anonymous Coward · · Score: 1

    Make AMD pay for it!

  17. Re:Overheard later in the Intel development depart by Rick+Schumann · · Score: 1

    Not a 'rootkit'. Sheesh, I'm naturally paranoid, and I'm the one saying this. See: https://it.slashdot.org/commen...

  18. Re:Requires physical access by Rick+Schumann · · Score: 3, Interesting

    ..no, you're mistaken. I've personally worked with Intel silicon and you have to physically connect to debug ports (that are marked on Production silicon datasheets as 'N/C' or similar) to utilize these debug features. At worst for 'closed box' debugging you need to plug Intel-specific, proprietary debug hardware into on-board USB ports. There is another requirement to enable it that I won't discuss here. You can't access this over the internet.

  19. Re:Prove you have a home/job etc. ok? by pslytely+psycho · · Score: 1

    Jesus, Seek Professional Help.
    Seriously, before you hurt yourself with a butter knife.
    No one stalks you, you are the stalker.
    You reply to yourself, make irrational statements continuously and are a boor and intensely spinning out of control.
    Fuck it, you're a lost cause, here's a butter knife.....

    --
    Donald Trump, on a crusade to make Nixon look respectable
  20. Re: Requires physical access by Rick+Schumann · · Score: 1

    "Trolling is a art"

    Back in the day, trolling required some artistry, some intelligence, some understanding of the subject at hand, in order to craft a troll-comment that would actually get in someone's head. These days? Any two-bit script-kiddie or room-temperature-IQ ne'er-do-well with a smartphone and too much time on their hands posts nonsensical garbage, then when they get a confused reply to the effect of 'lolwut?', they reflexively post 'ha ha u mad!' as if they accomplished something.
    Sad, sad, sad.

  21. Hmmm by Big+Bipper · · Score: 1

    Huawei is looking to ditch Intel chips in favor of its own chips. I wonder if this is why Washington is so trying to keep Huawei out of new telecom ( they want to ensure Intel IS in new telecom ). It might also explain why the Europeans can't find evidence of Huawei spying. Washington just doesn't want to lose access to Merkel's ( and everyone else's ) phone.

    --
    You live and learn, or you don't learn much.
    1. Re: Hmmm by astrofurter · · Score: 1

      Intel snoops for Uncle Sam. Huawei snoops for Emperor Xi. Everybody knows it.

  22. Re:Requires physical access by radarskiy · · Score: 1

    It requires physical access to the pin that you are now shoving a 4 GHz signal out of, assuming you could figure how to set the muxes to get the signal there in the first place.

  23. Re: Requires physical access by astrofurter · · Score: 1

    I assume it would be illegal to sell a CPU in Soviet America that isn't factory p0wned.