'Unfixable' boot ROM security flaw in millions of Intel chips could spell 'utter chaos' for DRM, file encryption, etc

Although exploitation is like shooting a lone fish in a tiny barrel 1,000 miles away


A slit in Intel's security – a tiny window of opportunity – has been discovered, and it's claimed the momentary weakness could be one day exploited to wreak "utter chaos."

It is a fascinating vulnerability, though non-trivial to abuse in a practical sense. It cannot be fixed without replacing the silicon, only mitigated, it is claimed: the design flaw is baked into millions of Intel processor chipsets manufactured over the past five years. The problem revolves around cryptographic keys that, if obtained, can be used to break the root of trust in a system.

Buried deep inside modern Intel chipsets is what's called the Management Engine, or these days, the Converged Security and Manageability Engine (CSME). We've written about this a lot: it's a miniature computer within your computer. It has its own CPU, its own RAM, its own code in a boot ROM, and access to the rest of the machine.

In recent chipsets the CSME's CPU core is a 486-class design known as Minute IA, and the engine's software is derived from the free microkernel operating system MINIX. You can find a deep dive into the hardware, including the Minute IA System Agent (MISA) that surrounds that core and houses the IOMMU discussed below, here [PDF] by Peter Bosch.

Like a digital janitor, the CSME works behind the scenes, below the operating system, hypervisor, and firmware, performing lots of crucial low-level tasks, such as bringing up the computer, controlling power levels, starting the main processor chips, verifying and booting the motherboard firmware, and providing cryptographic functions. The engine is the first thing to run when a machine is switched on.

The exploit

One of the first things the boot ROM does is lay down the engine's own page tables in its built-in SRAM and switch on address translation. The protection against outsiders, however, is a separate unit: an input-output memory-management unit (IOMMU) that gates DMA into that SRAM, and it is disabled at reset. The ROM only enables it some time after the page tables are already sitting in memory, leaving a tiny timing gap in which the SRAM, page tables included, is exposed to external DMA writes.

During that gap, other hardware on the motherboard or plugged into it that can fire off a DMA transfer into the CSME's private SRAM may overwrite those freshly written page tables, redirecting the engine's memory accesses and hijacking its execution. From then on, the CSME can be commandeered for malicious purposes, out of view of the firmware, hypervisor, and operating system running above it.

It's like a sniper taking a shot at a sliver of a target as it darts past small cracks in a wall. The DMA write race can be attempted when the machine is switched on, or wakes up from sleep, or otherwise when the CSME goes through a reset, since a reset returns the IOMMU to its disabled default and the boot ROM runs again from the start. You'll need local, if not physical, access to a box to exploit this.

Crucially, the boot ROM is read-only: it cannot be patched. The IOMMU's reset defaults can't be changed either without replacing the silicon. So, Intel chipsets out in people's computers are stuck with the vulnerability.
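To make the ordering problem concrete, here is a deliberately simplified model of the race, added as an example for this article; it is not Intel's boot ROM, not the MISA IOMMU, and not Positive Technologies' code. The SRAM size, page numbers, the single-level "allowed pages" bitmap standing in for the IOMMU, and the byte pattern standing in for page-table entries are all assumptions chosen for illustration. What the model does reproduce is the sequence the advisory describes: page tables land in SRAM, an external DMA agent writes over them, and only then does the IOMMU come up; a reset drops the IOMMU back to off. The `hardened` branch shows the ordering a respun ROM would need, which is exactly what cannot be done in shipped silicon.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the boot-order race. All sizes, page numbers and the
 * one-level "page table" are illustrative assumptions, not the real chip. */

#define SRAM_PAGES    16
#define PAGE_SIZE     64
#define PT_PAGE        0          /* page holding the CSME's own page tables   */
#define MAILBOX_PAGE  15          /* the one page external DMA is meant to use */

typedef struct {
    uint8_t  sram[SRAM_PAGES * PAGE_SIZE];
    int      iommu_enabled;       /* 0 at reset: every SRAM page is DMA-writable */
    uint16_t dma_allowed;         /* bit i set => external DMA may write page i  */
} csme_t;

/* Power-on, resume from sleep, or an explicit CSME reset: the IOMMU returns
 * to its default-off state, so the window reopens on every reset. */
static void csme_reset(csme_t *c)
{
    memset(c, 0, sizeof *c);
}

/* What an external DMA agent can do: write len bytes into one SRAM page.
 * Returns 1 if the write landed, 0 if the IOMMU blocked it or the page is bad. */
static int dma_write(csme_t *c, unsigned page, const uint8_t *data, size_t len)
{
    if (page >= SRAM_PAGES || len > PAGE_SIZE)
        return 0;
    if (c->iommu_enabled && !((c->dma_allowed >> page) & 1u))
        return 0;                 /* IOMMU on and page not whitelisted */
    memcpy(&c->sram[page * PAGE_SIZE], data, len);
    return 1;
}

/* Boot ROM step: lay down the page directory in SRAM and start translation.
 * The byte pattern stands in for real page-table entries. */
static void rom_init_page_tables(csme_t *c)
{
    for (unsigned i = 0; i < PAGE_SIZE; i++)
        c->sram[PT_PAGE * PAGE_SIZE + i] = (uint8_t)(0x80 | i);
}

/* Boot ROM step: program the IOMMU so only the mailbox page accepts DMA. */
static void rom_enable_iommu(csme_t *c)
{
    c->dma_allowed   = 1u << MAILBOX_PAGE;
    c->iommu_enabled = 1;
}

/* Integrity check: do the page tables still hold what the ROM wrote? */
static int page_tables_intact(const csme_t *c)
{
    for (unsigned i = 0; i < PAGE_SIZE; i++)
        if (c->sram[PT_PAGE * PAGE_SIZE + i] != (uint8_t)(0x80 | i))
            return 0;
    return 1;
}

/* One boot with a DMA write aimed at the page tables the instant they exist.
 * hardened=0 is the order the advisory describes (tables, then IOMMU);
 * hardened=1 brings the IOMMU up first. Returns 1 if the tables survive. */
static int boot_with_dma_race(int hardened)
{
    csme_t  c;
    uint8_t evil[PAGE_SIZE];

    memset(evil, 0x41, sizeof evil);            /* attacker-chosen table contents */
    csme_reset(&c);

    if (hardened)
        rom_enable_iommu(&c);

    rom_init_page_tables(&c);                   /* tables now live in SRAM ...   */
    dma_write(&c, PT_PAGE, evil, sizeof evil);  /* ... and the DMA agent fires    */

    if (!hardened)
        rom_enable_iommu(&c);                   /* too late: the race is lost     */

    return page_tables_intact(&c);
}

/* After a full boot the page-table page is protected; a reset strips that
 * protection again. Returns 1 if DMA to the page works right after reset. */
static int window_reopens_after_reset(void)
{
    csme_t  c;
    uint8_t probe[1] = { 0 };

    csme_reset(&c);
    rom_init_page_tables(&c);
    rom_enable_iommu(&c);
    if (dma_write(&c, PT_PAGE, probe, sizeof probe))
        return 0;                               /* must be blocked once booted */
    csme_reset(&c);
    return dma_write(&c, PT_PAGE, probe, sizeof probe);
}

int main(void)
{
    printf("tables-then-IOMMU, tables intact: %d\n", boot_with_dma_race(0));
    printf("IOMMU-then-tables, tables intact: %d\n", boot_with_dma_race(1));
    printf("window reopens after reset:       %d\n", window_reopens_after_reset());
    return 0;
}
```

The point of the model is that the defect is an ordering, not a bug in any one instruction: nothing the IOMMU does after the DMA write has landed can undo it. That is why Intel's mitigation works from the other side, removing or restricting DMA-capable agents such as the Integrated Sensor Hub, rather than closing the window itself.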

Who found it?

The weakness was spotted and reported to Intel by Positive Technologies, an infosec outfit that has previously prodded and poked Chipzilla's Management Engine. Although Positive announced its findings today, it is withholding the full technical details until a whitepaper about it all is ready. In a summary advisory, seen by The Register earlier this week, the team described the issue thus:

1. The vulnerability is present in both hardware and the firmware of the boot ROM. Most of the IOMMU mechanisms of MISA (Minute IA System Agent) providing access to SRAM (static memory) of Intel CSME for external DMA agents are disabled by default. We discovered this mistake by simply reading the documentation, as unimpressive as that may sound.

2. Intel CSME firmware in the boot ROM first initializes the page directory and starts page translation. IOMMU activates only later. Therefore, there is a period when SRAM is susceptible to external DMA writes (from DMA to CSME, not to the processor main memory), and initialized page tables for Intel CSME are already in the SRAM.

3. MISA IOMMU parameters are reset when Intel CSME is reset. After Intel CSME is reset, it again starts execution with the boot ROM.

Therefore, any platform device capable of performing DMA to Intel CSME static memory and resetting Intel CSME (or simply waiting for Intel CSME to come out of sleep mode) can modify system tables for Intel CSME pages, thereby seizing execution flow.

Intel attempted to mitigate the hole, designated CVE-2019-0090 (Intel-SA-00213), in 2019 with a firmware update that stopped the chipset's Integrated Sensor Hub, one DMA-capable agent, from attacking the CSME, though Positive today reckons there are other ways in. The team also said pretty much all Intel chipset families available today, prior to tenth-generation processor parts, are vulnerable.

What's the impact?

The CSME provides, among other things, Enhanced Privacy ID (EPID), a group-signature scheme used for things like anti-piracy DRM protections and Internet-of-Things attestation. The engine also provides firmware TPM functions (Intel Platform Trust Technology), which allow applications and operating system software to securely store and manage keys for things like file-system encryption. At the root of this cryptography is a Chipset Key, which is itself stored encrypted under a hardware key baked into the silicon, and until that hardware key is recovered and the Chipset Key decrypted, the damage an attacker can do appears to be limited.

If someone manages to extract that hardware key, though, they can unlock the Chipset Key, and, with code execution within the CSME, they can undo Intel's root of trust on large swathes of products at once, we're told. Anything relying on the CSME, such as encryption and copy protection systems, can be subverted or broken, or the management engine could be turned on the user to silently spy on them.

"To fully compromise EPID, hackers would need to extract the hardware key used to encrypt the Chipset Key, which resides in Secure Key Storage (SKS)," explained Positive's Mark Ermolov.

"However, this key is not platform-specific. A single key is used for an entire generation of Intel chipsets. And since the ROM vulnerability allows seizing control of code execution before the hardware key generation mechanism in the SKS is locked, and the ROM vulnerability cannot be fixed, we believe that extracting this key is only a matter of time.

"When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted."

Intel says folks should install the firmware-level mitigations, "maintain physical possession of their platform," and "adopt best security practices by installing updates as soon as they become available and being continually vigilant to detect and prevent intrusions and exploitations." ®
