Researchers from Positive Technologies have revealed that some new Intel CPUs contain a debugging interface, accessible via USB 3.0 ports, that can be used to obtain full control over a system and perform attacks that are undetectable by current security tools.
An attacker could use this to bypass all security systems for the embedding of code over a certain period of time, reading all possible data and even making the machine inoperative, for instance by re-writing its BIOS.
A talk on the mechanisms needed for such attacks, and ways to protect against them, was given by Maxim Goryachy and Mark Ermolov at the 33rd Chaos Communication Congress in Hamburg, Germany.
The duo noted: “These manufacturer-created hardware mechanisms have legitimate purposes, such as special debugging features for hardware configuration and other beneficial uses. But now these mechanisms are available to attackers as well. Performing such attacks does not require nation-state resources or even special equipment.”
The duo analysed and demonstrated one of these mechanisms in their presentation. The JTAG (Joint Test Action Group) debugging interface, now accessible via USB, has the potential to enable dangerous and virtually undetectable attacks. JTAG works below the software layer for the purpose of hardware debugging of the OS kernel, hypervisors and drivers. At the same time, though, this CPU access can be abused for malicious purposes.
On older Intel CPUs, accessing JTAG required connecting a special device to a debugging port on the motherboard (ITP-XDP). JTAG was difficult to access for both troubleshooters and potential attackers.
However, starting with the Skylake processor family in 2015, Intel introduced the Direct Connect Interface (DCI) which provides access to the JTAG debugging interface via common USB 3.0 ports.
No software or hardware manipulations are required to make target computers vulnerable — merely having the DCI interface enabled is sufficient. As the researchers found, this can be accomplished in several ways, and on many computers, DCI is enabled out-of-the-box and not blocked by default.
We spoke with Maxim Goryachy, and asked how would someone go about tricking someone into enabling the DCI interface?
Goryachy said: “There are several ways someone could do this. An attacker could change the BIOS configuration (for example, with a use of a Flash programmator) when they have physical access to the equipment during manufacturing, storage or usage. Some BIOSs do not block the DCI configuration which is why there is the possibility of turning on the DCI.”
Goryachy and Ermolov speculated that this mechanism in Intel CPUs could lead to a whole new class of Bad USB-like attacks, but at a deeper and even more dangerous level than their predecessor.
In their concluding remarks, the researchers proposed a number of protective measures based on use of Intel's BootGuard feature and forbidding activation of the debugging interface.
We asked Goryachy if he would compare this vulnerability to Stuxnet, to which he said: “This mechanism can be used on a hacked system regardless of the OS installed. Stuxnet was infecting only Windows machines, meanwhile the DCI can be used on any system with Intel U-series processor. This series is used on laptops and NUC. As of today, no publicly available security system will detect it.”
Goryachy said, “We have reported this case to Intel. As of today, this mechanism can be exploited only on Intel U-series processors.”