Researchers have extracted the secret key that encrypts updates for a number of Intel CPUs. This could have far-reaching consequences for the way the chips are used and possibly the way they are secured.
The key enables the microcode updates provided by Intel to be decrypted in order to fix security vulnerabilities and other types of errors. If you have a decrypted copy of an update, hackers can potentially reverse engineer it and learn exactly how to take advantage of the hole it is fixing. The key may also be used by parties other than Intel – such as a malicious hacker or hobbyist – to update chips with their own microcode, although that modified version would not survive a reboot.
“It’s pretty difficult to assess the safety implications right now,” said an independent researcher Maxim Goryachy said in a direct message. “In any case, this is the first time in the history of Intel processors that you can run your microcode inside and analyze the updates.” Goryachy and two other researchers –Dmitry Sklyarov and Mark Ermolovboth with the security company Positive Technologies – worked together on the project.
The key can be extracted for any chip – be it a Celeron, Pentium or Atom – that is based on Intel’s Goldmont architecture.
Tumble down the rabbit hole
This discovery came about three years ago when Goryachy and Ermolov found a critical vulnerability indexed as Intel SA-00086 that allowed them to run code of their choice in the independent core of chips that contained a subsystem called Intel Management Engine is known. Intel has fixed the bug and released a patch. However, because chips can always be rolled back to an earlier firmware version and then exploited, the vulnerability cannot be effectively eliminated.
Sklyarov et al.
Five months ago, the trio was able to use the vulnerability to access “Red Unlock”, a service mode (see page 6 here) that is embedded in Intel chips. Enterprise engineers use this mode to debug microcode before chips are released publicly. With a nod Die Matrix In the film, the researchers named their tool for accessing this previously undocumented debugger Chip Red Pill, as it allows researchers to experience the insides of a chip that is normally prohibited. The technology works with a USB cable or a special Intel adapter that forwards data to a vulnerable CPU.
By accessing a Goldmont-based CPU in Red Unlock mode, the researchers were able to extract a special area of ROM called MSROM (Micro Code Sequencer ROM). From there, they began carefully reverse engineering the microcode. After months of analysis, the update process and the RC4 key used were displayed. However, the analysis did not reveal the signature key with which Intel cryptographically proves the authenticity of an update.
In a statement, Intel officials wrote:
The described issue does not pose a security risk to customers and we do not rely on the obfuscation of information behind Red Unlock as a security measure. In addition to mitigating INTEL-SA-00086, OEMs following Intel manufacturing guidelines have mitigated the OEM-specific unlocking capabilities required for this research.
The private key used to authenticate the microcode is not on the silicon, and an attacker cannot load an unauthenticated patch onto a remote system.
Impossible so far
This means that attackers cannot use Chip Red Pill and the decryption key it contains to remotely hack vulnerable CPUs, at least not without chaining them to other currently unknown vulnerabilities. Likewise, attackers cannot use these techniques to infect the supply chain of Goldmont-based devices. However, the technique opens up opportunities for hackers who have physical access to a computer running one of these CPUs.
“There is a common misconception that modern CPUs are mostly fixed at the factory and occasionally receive tight microcode updates for particularly serious bugs,” said Kenn White, chief product security officer at MongoDB. “But to the extent that this is true (and by and large not), there are very few practical limits to an engineer could Do with the keys to the kingdom for this silicon. ”
One possibility could be hobbyists who want to root their CPU the way people have jailbroken or rooted iPhones and Android devices, or hacked Sony’s PlayStation 3 console.
In theory, Chip Red Pill could also be used in a nasty maid attack where someone with transient access to a device hacked it. In either case, however, the hack is tethered, which means it will only last as long as the device is on. After the restart, the chip would return to its normal state. In some cases, the ability to execute arbitrary microcode within the CPU can also be useful for attacks on cryptographic keys, such as those used in trusted platform modules.
“Right now there is only one, but very important consequence: the independent analysis of a microcode patch, which was previously impossible,” said Mark Ermolov, researcher at Positive Technologies. “Now researchers can see how Intel fixes one or the other bug / vulnerability. And that’s great. Encryption of microcode patches is a kind of security through darkness. ”
These were the details of the news In a first step, researchers extract a secret key that is... for this day. We hope that we have succeeded by giving you the full details and information. To follow all our news, you can subscribe to the alerts system or to one of our different systems to provide you with all that is new.
It is also worth noting that the original news has been published and is available at de24.news and the editorial team at AlKhaleej Today has confirmed it and it has been modified, and it may have been completely transferred or quoted from it and you can read and follow this news from its main source.
