Tuesday, 04 October 2022

With More and More Hardware Flaws Found, How Will the Security Industry Respond?


The IT security industry has spent billions of dollars on software to keep you “safe” from malware and attackers. Whether that money was spent on marketing or on actual product improvement is up for debate. Still, the fact remains that each year we hear about new advances that can keep you and your systems safe from malware and/or threat actors. Almost all of these systems rely on software to do their job and in most cases cannot even see beyond the OS they reside on. This focus has created a massive blind spot: hardware-based attacks.

Over the last few years we have seen more and more systemic hardware flaws allowing for complete compromise of a system than ever before. From the UEFI BIOS to core management functions, attackers no longer have to worry about anti-malware, as they can bypass much of it by now. The latest flaw uncovered exists in Intel chipsets and is so ingrained in the hardware that it is not fixable with a patch. There are patches that make this flaw harder to exploit, but they can never make it go away.

In this case the issue is with the CSME (Converged Security and Management Engine) and the SPS (Server Platform Services) in pretty much all of the Intel-based motherboards made in the last five years. The flaw is easiest to exploit when you have local access, but according to researchers at Positive Technologies it can be done remotely with more effort. The flaw itself is in the way the ROM (Read Only Memory) in these systems is protected. By exploiting this flaw (CVE-2019-0090) a skilled attacker could read the chipset key directly from the PCH. This could allow for a large number of extended attacks, including recovery of encrypted information (as long as it used the local Intel encryption), spoofing a physical device to appear to be the attacked device (by gathering the attacked device’s Enhanced Privacy ID),

By compromising this system at this level you are basically giving away the keys to the kingdom: you have the ability to compromise the firmware TPM, any DRM-protected content, and Intel Identity Protection. As we mentioned above, remote exploitation of this would be rather difficult, although not impossible. However, it does expose lost or stolen laptops and devices, and it opens up a new supply chain attack. Considering where some of the motherboards are made, it would not be out of the realm of possibility for someone to compromise a certain number of boards before they are shipped to high-value targets. Once the keys are in hand, remote access to those systems would not be too difficult to set up (think about the UEFI BIOS-based agent from years past).

Current recommendations for this nasty little bug are to contact your motherboard manufacturer to obtain the latest BIOS update (if there is one), to disable CSME encryption (or disable CSME completely if possible), or to upgrade to a 10th generation Intel CPU (not always possible).

We expect hardware hacking and flaws like this one to continue to pop up as more and more attention is paid to how components on current hardware communicate and work. Sadly, this is something that the security industry has not even begun to spend money on detecting, let alone preventing.
