'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc

A slit in Intel's security – a tiny window of opportunity – has been discovered, and it's claimed the momentary weakness could be one day exploited to wreak "utter chaos." It is a fascinating vulnerability, though non-trivial to abuse in a practical sense. It cannot be fixed without replacing the silicon, only mitigated, it is …


  1. Anonymous Coward
    Anonymous Coward

    A backdoor ?

    Who could have possibly mandated that ?

    1. Julz Silver badge
      Black Helicopters

      Re: A backdoor ?

      I came here to write something similar. The bit of the article which jumps out is: "A single key is used for an entire generation of Intel chipsets". Now which agencies might have access to that key?

      1. Luiz Abdala
        Pirate

        Re: A backdoor ?

        "A single key is used for an entire generation of Intel chipsets".

        Replace Intel with Sony and Nintendo, and chipsets with Playstation, Switch, Wii U or whatever, and you will understand why it is so easy to get bootlegged games on some of these platforms.

        Entire ecosystems inside Nintendo were borked, DRM defeated, and finally, easily pirated because there was a hard-coded single key on the entire line of hardware.

        Not just Intel, but also entertainment products had this sloppy, lazy development aspect.

        One of them required a specific vendor CD-ROM used in the console, which the mateys found out and quickly procured to find the keys inside the firmware and explode any DRM schema out of the water before they were even loaded from the disc (a really convoluted roundabout way, but still).

        "Never blame maliciousness when simple stupidity can be the culprit" or something like that.

        (edit) Oh here it is:

        "Never attribute to malice that which is adequately explained by stupidity"

        Hanlon's razor.

        How about AMD?

        1. ShadowDragon8685

          Re: A backdoor ?

          I always feel the need to bring up Petey's Corollary whenever someone waves Hanlon's Razor around:

          "'Never attribute to Malice that which is adequately explained by Incompetence' is only good advice when there isn't Malice afoot."

    2. Anonymous Coward
      Anonymous Coward

      Re: A backdoor ?

      No-one Strikingly Asinine.

      1. A.P. Veening Silver badge

        Re: A backdoor ?

        How about No Such Agency?

        1. Anonymous Coward
          Anonymous Coward

          Re: A backdoor ?

          No Straight Answers.

        2. chroot

          Re: A backdoor ?

          I work for No Such Agency!

      2. Sandtitz Silver badge

        Re: A backdoor ?

        Flowers By Irene ?

        1. tip pc Silver badge

          Re: A backdoor ?

          Well above their pay grade

    3. Anonymous Coward
      Anonymous Coward

      Re: A backdoor ?

      I've no idea what you lot are on about, there's Nothing to See here At all...

    4. Anonymous Coward
      Anonymous Coward

      Re: A backdoor ?

      Nefarious

      Subversive

      Anti-democratic

      ?

    5. Anonymous Coward
      Anonymous Coward

      Getting security 100% right is hard

      Occam's Razor says this was unintentional.

      Especially since simply supplying the chipset key to the NSA would make way way more sense than leaving an exploit that among other things would open up DRM - the spooks don't care about that!

      1. Richocet

        Re: Getting security 100% right is hard

        I think previous commenters were suggesting that the keys might have been supplied to the NSA by Intel, not that the vulnerability was deliberately put there for the benefit of the NSA.

        1. NeilPost Silver badge

          Re: Getting security 100% right is hard

          It seems nonsensical that the default protection was off and enabled as part of the start-up routine.... allowing this pin-prick vulnerability.

          What were they thinking ???

          1. This post has been deleted by its author

          2. jelabarre59 Silver badge

            Re: Getting security 100% right is hard

            What were they thinking ???

            Ah, "thinking". That's where your logic falls apart.

      2. Tomato Krill

        Re: Getting security 100% right is hard

        But perhaps Occam works for the NSA?

        1. MrDamage

          Re: Getting security 100% right is hard

          Nah, but Hanlon left his razor in the company bathroom.

      3. Anonymous Coward
        Anonymous Coward

        Re: Getting security 100% right is hard

        "Occam's Razor" has never been applicable to humans, especially humans doing things they know they should not. Those who love secrets and lies delight in adding complexity and distraction in order to hide their nefarious actions. The way of the mountebank has many paths and all lead away from truth.

    6. Scott 53

      Re: A backdoor ?

      I think if this was some agency's cunning plan, they would have ensured it wasn't described in the documentation. Surely.

      1. Anonymous Coward
        Anonymous Coward

        Re: A backdoor ?

        I hate it when people misspell my name!

        Shirley

      2. Tom Chiverton 1

        Re: A backdoor ?

        It's there but hidden to give plausible deniability.

    7. Anonymous Coward
      Anonymous Coward

      Re: A backdoor ?

      Huawei & China.

      Intel are obeying Beijing.

      Put them on the black list now!

      1. leenex

        Re: A backdoor ?

        Could be the Muslims Or The Gays, using this back door to Cause Floods and Destroy Western Civilization.

        1. MrDamage

          Re: A backdoor ?

          Of course it was put in by the gays. The more backdoors the better.

    8. Anonymous Coward
      Anonymous Coward

      Re: A backdoor ?

      'Twas the land of No Secrets Anymore, where even the shadows lie.

  2. Tom 7 Silver badge

    Pi's look sweeter by the day!

    Nom Nom!

    1. Anonymous Coward
      Anonymous Coward

      Re: Pi's look sweeter by the day!

      Well, up to the Spectre-vulnerable Pi 4 anyway.

      Oh, on a related point, the Pi doesn't come with any firewall by default. Those that are concerned might consider UFW (available via apt-get and a doddle to configure, but walkthroughs are available online) and/or turning off IPv6 with the rest of the usual suspects when they are doing basic lockdown after a fresh build.

    2. cowardly weasel

      Re: Pi's look sweeter by the day!

      That and Macs with T1 or T2 security chips (which load first) are also unaffected.

  3. Chairman of the Bored Silver badge

    Honest question...

    Is the system DMA controller in modern Intel chipsets baked into the CPU silicon and part of the HW trust boundary, or is this a separate chip?

    1. WorBlux

      Re: Honest question...

      From what I can tell, there is more than one DMA controller, and it's potentially the one of the PCH (chipset) that is leaking. However, the request is going through the main IOMMU, which is brought online in a security disabled state.

  4. Anonymous Coward
    Anonymous Coward

    "maintain physical possession of their platform"

    Which is all very well, as long as no laptops or tablets use this chipset ...

    Personally, I'm not too bothered, since for about 20 plus years I have been banging on about not trusting anything you don't make - all the FOSS sparkle in the world can't hide the fact that we have no idea what the silicon below is up to.

    Assume all platforms are compromised and act accordingly. The problem with that approach is it means spending money, and we only get the security we are prepared to pay for.

    1. Tomato Krill

      Re: "maintain physical possession of their platform"

      Or desktops- unless you sleep with yours?

      1. YetAnotherLocksmith

        Re: "maintain physical possession of their platform"

        Nah, it's in the office, and no-one but the boss, your Cow-orkers, all previous employees until they change the code, HR subbies, security, oh, and the below minimum wage cleaners have keys or access. Impregnable!

        1. Anonymous Coward
          Anonymous Coward

          Re: "maintain physical possession of their platform"

          "[...] and the below minimum wage cleaners [...]"

          Like uniforms - that generic role makes the individual invisible in their access to all areas. Emptying office waste paper bins has long been a useful source of information. Apparently at one point a country's troops were short of toilet paper - so they used pages torn out of military equipment manuals. These could be retrieved from non-water latrines.

          1. Anonymous Coward
            Anonymous Coward

            Re: "maintain physical possession of their platform"

            I heard of that one, but seem to remember it being telex/teletype/radio transmission carbons?

            Either way, it's putting the "p" in espionage...

            1. Anonymous Coward
              Anonymous Coward

              Re: "maintain physical possession of their platform"

              "[...] but seem to remember it being telex/teletype/radio transmission carbons?"

              Apparently a Cold War Operation Tamarisk.

          2. zuckzuckgo Bronze badge

            Re: "maintain physical possession of their platform"

            > "These could be retrieved from non-water latrines."

            Thus the recommendation: "maintain physical possession of their platform"

      2. Chairman of the Bored Silver badge
        Joke

        Re: "maintain physical possession of their platform"

        At my age, maybe the only hard drive possible!

  5. batfink Silver badge

    "maintain physical possession of their platform"

    Wonderful advice thanks Intel. I'd never have thought of that. Should be easy to maintain physical possession in all circumstances, shouldn't it?

    1. Anonymous Coward
      Anonymous Coward

      Re: "maintain physical possession of their platform"

      Not entirely. A couple of good examples where the person in control of a machine may never once in their entire life have physical access to the server:

      - Dedicated Servers

      - VPS

      - Cloud

      Then there's the "it's our hardware, but we can't control who has physical access":

      - Co-location DCs

      This pretty much sums up the bulk of websites on the internet these days.

      Sadly, I'm also guilty of just renting dedi's instead of trying to run them from the office or home due to the UK's internet speeds (and if you want leased lines, which can be good enough, the price) and hardware costs. And in most cases a DC can offer better physical security than your house.

    2. Tom 7 Silver badge

      Re: "maintain physical possession of their platform"

      Assuming you make it at home yourself!

  6. Anonymous Coward
    Anonymous Coward

    Pointless, pointless, pointless....

    "However, this key is not platform-specific. A single key is used for an entire generation of Intel chipsets. "

    Ah.

  7. Dan 55 Silver badge
    Black Helicopters

    That's what they want you to think

    Like a digital janitor, the CSME works behind the scenes, below the operating system, hypervisor, and firmware, performing lots of crucial low-level tasks, such as bringing up the computer, controlling power levels, starting the main processor chips, verifying and booting the motherboard firmware, and providing cryptographic functions.

    Google found they could delete most of the ME and UEFI. Maybe it'll be possible to wipe practically everything with this exploit.

  8. Pascal Monett Silver badge
    Coat

    And none of this is important

    unless the miscreant gains physical access to your PC. And if he gets physical access, it's game over anyway.

    Well, thank you for yet another method to cause chaos if some goon gets to my keyboard. I'm thrilled to know that there is yet another way he can cause trouble. Apart, obviously, from just ripping out the hard disk and chucking it into an external reader under a different platform allowing him to read everything.

    I'll file this under Hollywood Apocalypse Scenario #4622.

    1. adam 40 Bronze badge

      Re: And none of this is important

      I think you're missing the point. An attacker can own their own PC and refer it a gazillion times, each time leaking out a bit of the private key.

      Once they have the private key, it can be applied to _your_ computer, probably remotely too, to whatever APIs or connections are exposed. And there are quite a few, from what I have read.

      1. Dan 55 Silver badge

        Re: And none of this is important

        Remotely via the ME which nobody particularly wanted in their computers anyway? Which malicious actor put that there?

      2. Anonymous Coward
        Anonymous Coward

        Re: And none of this is important

        And exactly how, pray, does a remote attacker get past the OS and any hypervisor and access the management layer without physical access to the machine?

        1. Anonymous Coward
          Anonymous Coward

          Re: And none of this is important

          Easy, by not needing to go via the OS or hypervisor to get to the management engine. This management layer is before any of that, even on the Ethernet port. It intercepts everything, remember the empty password AMT bug?


Biting the hand that feeds IT © 1998–2021