Slashdot Mirror


Researchers Discover and Abuse New Undocumented Feature in Intel Chipsets (zdnet.com)

At the Black Hat Asia 2019 security conference, security researchers from Positive Technologies disclosed the existence of a previously unknown and undocumented feature in Intel chipsets. From a report: Called Intel Visualization of Internal Signals Architecture (Intel VISA), Positive Technologies researchers Maxim Goryachy and Mark Ermolov said this is a new utility included in modern Intel chipsets to help with testing and debugging on manufacturing lines. VISA is included with Platform Controller Hub (PCH) chipsets that are part of modern Intel CPUs and works like a full-fledged logic signal analyzer. According to the two researchers, VISA intercepts electronic signals sent from internal buses and peripherals (display, keyboard, and webcam) to the PCH -- and later the main CPU. Unauthorized access to the VISA feature would allow a threat actor to intercept data from the computer memory and create spyware that works at the lowest possible level. But despite its extremely intrusive nature, very little is known about this new technology.

12 of 102 comments

  1. Overheard in the Intel marketing department by Anonymous Coward · Score: 5, Funny

    "I'm just spitballing here, but I've read that a lot of computers have rootkits on them. What if we baked a root kit right into the hardware so everyone could have one without having to go through the trouble of installing one?"

  2. Overheard later in the Intel development department by Narcocide · Score: 5, Funny

    "No, one rootkit is no good. Make sure we bake in a few different types in case something goes wrong with one. Redundancy is the key to reliability."

  3. Someone forgot to blow the fuse by davidwr · Score: 5, Insightful

    Since these features are meant for use on the assembly line you can't just remove them.

    But you can design them to be permanently disabled as one of the last steps before the chip leaves the manufacturing plant.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Someone forgot to blow the fuse by DickBreath · Score: 3, Insightful

      Why would the NSA want a feature like this to be disabled when the chip leaves the manufacturing line?

      --

      I'll see your senator, and I'll raise you two judges.
    2. Re:Someone forgot to blow the fuse by sjames · Score: 3, Insightful

      What they forgot is who owns the damned computer. Many devices have all of the same capabilities, usable for testing, diagnostics, and debugging new firmware, but most of them aren't as stupid as Intel about it. They require you to physically plug in to a JTAG interface.

      Back in "the old days", you could "de-brick" a WRT54 using a simple handmade adapter to connect a PC's parallel port to the JTAG connection on the board and running a simple utility that would re-flash the WRT through JTAG.

      In a world where the consumer that forks over the cash actually owns the device, all devices should expose a JTAG port, and none should be so stupid as to connect it to a Management Engine running secret signed and encrypted firmware that the rightful owner can't change.

  4. So it has an official name by the_skywise · Score: 3, Insightful
    and it has an official purpose (and they have a plan!)

    Called Intel Visualization of Internal Signals Architecture (Intel VISA), Positive Technologies researchers Maxim Goryachy and Mark Ermolov said this is a new utility included in modern Intel chipsets to help with testing and debugging on manufacturing lines.

    How is that "undocumented" other than Intel only provides the docs to paying developers?

  5. Re:I'm shocked by Anonymous Coward · Score: 4, Funny

    "Intel Inside" has been a mandatory warning label for many years already.

  6. Re:Requires physical access by Gravis Zero · Score: 5, Insightful

    This exploit requires physical access.

    No, it doesn't. You took the word of an Intel spokesperson over a hacker's, seriously?

    You should have kept reading:

    "Customers who have applied those mitigations are protected from known vectors," the company said.

    However, in an online discussion after his Black Hat talk, Ermolov said the Intel-SA-00086 fixes are not enough, as Intel firmware can be downgraded to vulnerable versions where the attackers can take over Intel ME and later enable VISA.

    Furthermore, Ermolov said that there are three other ways to enable Intel VISA, methods that will become public when Black Hat organizers will publish the duo's presentation slides in the coming days.

    --
    Anons need not reply. Questions end with a question mark.
  7. done by jmccue · Score: 3, Funny

    That is it, I am done. Now where is my 286 ?

  8. Re:Requires physical access by sjames · Score: 4, Informative

    Sorry, no. As long as the ME continues to exist and is not exclusively under the control of the machine's owner, the risk of remote exploit exists.

  9. These are not new features, they've been there by GregMmm · Score: 4, Interesting

    Maybe Intel VISA is a newly coined phrase, but access to the PCH has been around for a long time. In my experience (at Intel, on dev teams) this is used firstly for debug at development time and then at manufacturing time for passing certain tests. Both used to have a physical device to do this, so just doing it remotely wouldn't work. Also, all features were available at dev time for obvious reasons. By manufacturing time, it should be mostly locked down and before it goes out the door, totally locked.

    What I'm afraid of is security has become lax enough to allow remote access to this. Like a lazy engineer/architect (ever had one of those?) didn't want to walk his butt into the secure lab so they just put some back door in without telling anyone. Or worse, after buy-off from the development team.

    Also, yes these are undocumented because they are never meant for outside use (Intel, OEMs, etc) Just debug and optimization. No one else would really want access, but nefarious peeps would.

    This could be a big issue if there really is something here. I'm hoping Intel didn't get lazy, but who knows.

  10. Re:Requires physical access by Rick Schumann · Score: 3, Interesting

    ..no, you're mistaken. I've personally worked with Intel silicon and you have to physically connect to debug ports (that are marked on Production silicon datasheets as 'N/C' or similar) to utilize these debug features. At worst for 'closed box' debugging you need to plug Intel-specific, proprietary debug hardware into on-board USB ports. There is another requirement to enable it that I won't discuss here. You can't access this over the internet.