An new vulnerability has been discovered in Intel CPU chipsets, purportedly unfixable, which could threaten enterprise users and content rights holders across the globe using chipsets released in the last five years.
The exploit targets already known vulnerabilities in the Intel Converged Security and Management Engine, which is responsible for the initial authentication of Intel-based systems by loading and verifying all other firmware for modern platforms.
Researchers at enterprise security firm Positive Technologies discovered that this vulnerability could allow hackers to compromise platform encryption keys and steal sensitive information, adding the "unfixable vulnerability in Intel chipsets threatens users and content rightsholders."
Encryption is a process that translates plain text data into something that is random and meaningless, also known as ciphertext. Decryption is converting this random text back to readable information.
Mark Ermolov, the lead specialist of OS and hardware security and one of the researchers involved in the discovery, explained: "Attackers can obtain the key in many different ways. For example, they can extract it from a lost or stolen laptop to decrypt confidential data. Unscrupulous suppliers, contractors, or even employees with physical access to the computer can get hold of the key.
"In some cases, attackers can intercept the key remotely, provided they have gained local access to a target PC as part of a multistage attack or if the manufacturer allows remote firmware updates of internal devices, such as Intel Integrated Sensor Hub."
Intel has confirmed that it is aware of the discovery in its CSME and that it affects most Intel chipsets released in the last five years—other than Ice Point (Generation 10). Other products include:
Intel CSME prior to versions 11.8.65, 11.11.65, 11.22.65, 12.0.35
Intel Server Platform Services prior to version SPS_E3_05.00.04.027.0
Intel Trusted Execution Engine prior to versions TXE 3.1.65, TXE 4.0.15
The company has advised that anyone affected by this vulnerability should contact their system or motherboard manufacturer to obtain a firmware or BIOS update. Intel has confirmed that it can't provide updates for systems or motherboards from other manufacturers.
The vulnerability—known as CVE-2019-0090—allows a local attacker to extract the chipset key stored on the Intel Platform Controller Hub microchip and obtain access to encrypted data. According to Positive Technologies, this sort of breach is impossible to detect, making the potential threat more concerning.
"With the chipset key, attackers can decrypt data stored on a target computer and even forge its Enhanced Privacy ID (EPID) attestation or in other words, pass off an attacker computer as the victim's computer," states a Positive Technologies the press release.
EPID is used in Digital Rights Management (DRM), financial transactions, and the processes around verifying remote devices. For example, attackers can exploit the vulnerability to bypass content DRM and make illegal copies.
"Since it is impossible to fully fix the vulnerability by modifying the chipset ROM, Positive Technologies experts recommend disabling Intel CSME based encryption of data storage devices or consider migration to tenth-generation or later Intel CPUs," explains the press release.
How can I check if I'm affected by this security vulnerability?
According to Intel, anyone concerned about potentially being affected by the vulnerability should reboot their system and access the system BIOS.
For Windows PC users, the BIOS key is set by the manufacturer—normally F10, F2, F12, F1 or DEL. Intel ME/Intel CSME firmware information might be available in the BIOS information screens, but if it isn't available in the system BIOS, contact the system manufacturer for assistance.
Mike Jennings, a technology expert and writer, told Newsweek: "Intel has always had security vulnerabilities—it's hard for them to keep up when hackers always move goalposts. Meltdown and Spectre are two of the highest-profile vulnerabilities of recent years, although they've both been fixed since.
"If people keep hold of their computers, have decent security software installed and keep their computers updated, they'll be fine."
Newsweek
İhbar Hattı
