Ignore the noise about a scary hidden backdoor in Intel processors: It's a fascinating debug port Researchers at the Black Hat Asia conference this week disclosed a previously unknown way to tap into the inner workings of Intel's chip hardware. The duo of Mark Ermolov and Maxim Goryachy from Positive Technologies explained how a secret Chipzilla system known as Visualization of Internal Signals Architecture (VISA) allows …
Once upon a time, VISA/TraceHub required physical hardware access to access it. Think JTAG across other devices.
Then along came Intel ME (check what the flaw INTEL-SA-00086 is...) and almost limitless access to your Intel computer was provided, either locally or remotely. What could possibly go wrong?
"You know if we do this, remote users will potentially have access to our debug features"
Was this a <three letter acronym> back door? I'd be surprised if anyone making a secret backdoor would do so many stupid things. I suspect ego - we know what we are doing, we don't need to discuss this with other engineering teams and our code is so good, it will never be broken.
I was actually thinking of JTAG. Lots of devices have JTAG headers, but you still need to break open the box and attach a plug to it (and if they have physical access to your device, it's game over, debug / diag ports or not - if I can plug it in and measure signals over an osmelloscope, x-ray the parts and take thermal images of what it's doing internally...).
The secure coding memo does not seem to have filtered down to the hardware design teams, who are probably still being asked to suck every last clockcycle (clocksuckers?) out of the silicon and at some point the decision will be made to trade off one against the other.
From there, fine, if someone has root access, it's very bad, but the fact that you have direct access to a tiny subset of very important data, you can start filtering out what is data or look at specific parts of the chip - say security subroutines, and just monitor that...Exfiltering terabytes of raw data is one thing, but sit there gently poking the cpu for somthing interesting then only taking that when it's detected for example to improve your tailored access?
Hanlon's razor says cockup before conspiracy, but when you do know that TLA's are out to get whatever they can, in IT starting with the clipper chip, and carrying on over the last 25 years at least... who knows.
/rant.
"Was this a <three letter acronym> back door?"
No it was a misjudged attempt to bring features that were usually reserved for the lights-out management system in servers, down to the desktop level to make it easier for admins to administer large numbers of machines. (eg, Imagine you had to update the EFI on a thousand desktops, you can rack up the overtime walking round all the offices, or use ME to schedule it overnight and head down the pub).
Why they thought it was a good idea to bring to all of their CPUs rather than just a subset I don't know. Laziness?
I don't believe so. I haven't tried it, but I believe that on a system that isn't patched for CVE-2017-5712, you could enable VISA remotely.
The other INTEL-SA-00086 vulnerabilities require "local access", but I'm not sure they require physical access. That is, they might be exploitable via, say, a USB HID plugged into the system, if you can trick the user into inserting one. (And many users are willing to plug USB devices of uncertain provenance into their computers.)
It's easy to think of this as vulnerability but I don't think that's the point.
What it means that a bad guy™ can use the feature on their own equipment to investigate and develop new speculation attacks in the comfort of their own homes. When the attack has been properly developed, it can presumably be set loose on their targets without any further need for the debugging help this 'feature' has given them.
The only system that the attacker needs root access to is the one sitting on the desk in front of them.
A bunch of 4K movies have appeared on pirate sites recently, matching the 4K releases on iTunes, leading to speculation that iTunes DRM has been broken. Maybe they didn't break the DRM, but played the movie on a PC using iTunes and lifted the HEVC data stream out of the Intel CPU using VISA?
Another option is piping the video out to a screen that can take 4K or higher resolution that also takes a copy. Now slice off any interface that shouldn't be there and you're done. Note: screen not necessary, a graphics card claiming to have such a screen is sufficient. When you pipe unencrypted digital information across a bus, expect that someone can record it off that.
Go it in one. If there are any exploits left to be discovered this is the way to discover them wihthout in itself being an exploit. ..... Doctor Syntax
Quite so, Doctor Syntax .... thus to become a Remote Executable Facility and Virtual AI Utility.
And in Spooky Hugo de Garis Terrain, a GODSend and Global Operating Device Invitation to Explore its Validity and Far Reach with Accompanied Deep Insertions in Human Operating SCADASystems.
The Super Sub Micro Atomic Field of Mega MetaData Base Knowledge Manipulation though is clearly not suited for all, for there would appear to be only a few practising the Art more than just effectively and selflessly.
It would be lovely though to be proved wrong in that. :-)
Ignore the noise about a scary hidden backdoor in Intel processors: It's a fascinating debug port
Howdy Shaun,
Do you really believe Intel processor backdoors are used only in-house as a port for fascinating debugging .... and not also as a systemic vulnerability path for stealthy anonymous third party exploitation of second and first party expectations and aspirations?
It is a very dangerous assumption to be in any way wrong about ...... because of the false sense of security it would generate in Intel Fab Labs/chip factories.
Let’s not forget how “similar” vulnerabilities were turned into a media shitstorm against AMD. Shortly after Meltdown and Spectre became public, hitting Intel very hard while AMD wasn’t nearly affected as much, this smear campaign was launched successfully:
“Israeli Security Company Attacks AMD by Publishing Zero-Day Exploits” (all of them required root access)
If I read it right does that mean TPM and by extension the entire platform is compromised? Anyone relying on secure boot, bitlocker etc. is screwed if one of their machines falls into the wrong hands? ... AC
Yes, it is writ right and correct.
If touted and pimped/pumped and dumped as No, such is wrong, does fake news treat its listeners both badly and madly, methinks.
What do you want to believe is correct and not wrong?
Not exactly. You can access the processor part, but only while it is running. If you have physical access but no access to the system running on the device (E.G. encrypted disk), you could not see it in action because you couldn't run that system. You could of course boot up your own image, but then the data you want to extract wouldn't be resident in the processor. In order to use this maliciously, you need to have access to the system while the processor is working on data you want to steal.
And here be AI Ready Made Play Space Places, Will Godfrey ....... https://www.zerohedge.com/news/2019-03-30/dangers-government-funded-artificial-intelligence
So rough translation of the China Model to the UK, be a Brexiteer and walk in Heaven, Remainers languish in Hell as part of the AI driven ‘social points’ system? ...
Will be using the ‘3 Shell’ method for future toilet visits not through technical advancements but lack thereof!
So black hats can brain-scan the chip for vulnerabilities, even if the brain scanner is not itself a direct vulnerability.
You would think that a hardware dev feature like this would only be available on dev chips, with the relevant shit being at least encapsulated and preferably emasculated on the production version. But no, all it needs is a piece of feckin' software. Well done, Intel, you are living up to your reputation bigtime.
I'm no chip designer, but surely it wouldn't be beyond the realms of possibility for Intel to bake the paths for this into all their chips, for debuggin purposes, and then just dike it out for the RTM version? If nothing else, they're presumably giving away secrets to their competitors by not doing so...
How does this affect someone with root access on their virtual machine, on a multi-tenanted physical host? ..... Paul
Paul, Hi,
Surely the greater question is how does this affect and infect everyone else with or without root accesses on virtual machines on multi-tenanted physical hosts/cloudy servers, for the truth in the answer to your question is hardly at all, and possibly even not at all?
And it is delusional hubris to try and dismiss the fact and systemic vulnerability for such ignorance only leaves IT fantastically free to both anonymously and autonomously ..... well, the choices range between create novel wonders and/or deliver madness and mayhem?
It *is* a fascinating debug feature. But as the slidepack points out, there's the ability to use it for havoc by using the debugging facilities. For example, burning a fuse to activate a debugging feature of the random number generator, in which the RNG always returns the same number. Being a fuse, that change will survive a reboot.
Security through obscurity is only a good idea if access to your system is tightly controlled, and perhaps not even then.
One would have thought that Intel could have designed the thing so there was a physical fuse to blow on all production devices that disabled the "feature" while leaving it active only for engineering samples. Till a disgruntled engineer sells a sample to the bad boys for millions of dollars.
That although this helps research other attacks it's also useful for low level code design and optimisation if you are at the kernel or compiler level.
We can't have it both ways where a technology can be both optimised and hidden at the same time.
I hope this just improves the checking of said low level code...
It's a known debugging tool - just like the sort available on most of the other processors I use (at a very low-level).
Use the profiling counters to work out cache hits, etc. Oh, that's Spectre hack emulated.
Check what data is flowing across busses or stored in registers using JTAG. Oh, we can see the decrypted version of that key.
For a processor you can take the lid off and reverse engineer it using an electron microscope.
You can look at almost anything you want if you physically have a box.
My choice for secure at the moment is a write once FPGA, take the lid off and you destroy the fuse charges trying to read them.
Shutting up now and staying anonymous.
Hmmm
Watching the deep state being forced into conducting damage control in public always brings a smile to my face. However, this is one of those times where the best and the brightest on the outside clearly are not listening. They know for a fact that there really is something to see here and they won't move along despite the valiant efforts of articles like this..........
Watching the deep state being forced into conducting damage control in public always brings a smile to my face. However, this is one of those times where the best and the brightest on the outside clearly are not listening. They know for a fact that there really is something to see here and they won't move along despite the valiant efforts of articles like this.......... .... DDearborn
Hmmm? Does that Court and Deliver AIdDivine Interventions with Immaculate Source and Almighty Force at urService to Server?
The posit here is that it so does.
It is hard to impossible to not conclude such is gift from GOD Knows Whom from Heaven Knows Where.
What do you do with IT?
Anything Almighty Revealing and Superlatively EMPowering with Perfect Honey Pots Satisfying Insatiable Lust Demand with Crowning Captivating Desires ...... which you will find is to XSSXXXX Totally Addictive and Virtually Immersive.
Step through that Portal knowing what to expect and you aint ever going back in time and space, are you?
Step through that Portal not knowing what to realistically expect, and your prime crash course materiel for More Fully Immersive ProgramMING.
Mean Buggers not disclosing this at first introduction. At bare metal level, this is a very useful tool, though bare metal on a Pentium is the land of nightmares for me.
I'm sure it suited the egos of some Intel engineers to keep quiet about this, but doubt it's the only reason that policy has been persued.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
