Intel Skylake, Kaby Lake Processors Vulnerable To USB Port Debugging Exploit Says Researchers
A pair of researchers from Positive Technologies claim that Intel's newest generation processors are susceptible to a USB port debugging vulnerability that could allow an attacker to take over full control of a system. Starting with Skylake (and presumably Kaby Lake, though the researchers do not specifically mention Intel's 7th generation Core CPUs), Intel U-series chips have a debugging interface that is accessible via USB 3.0 ports, and that is where the potential problem lies.
The researchers say that attackers could exploit the debugging interface to bypass any security measures in place that would prevent installing malicious code over a certain period of time. An attacker could also use the vulnerability to spy on a user and access his data, or even prevent a system from running by rewriting its BIOS, the firmware in a PC that initializes the hardware prior to booting into the operating system.
"These manufacturer-created hardware mechanisms have legitimate purposes, such as special debugging features for hardware configuration and other beneficial uses. But now these mechanisms are available to attackers as well. Performing such attacks does not require nation-state resources or even special equipment," the researchers say.
What is at issue here is the JTAG (Joint Test Action Group) debugging interface. It works below the software layer so that troubleshooters can perform hardware debugging on the OS kernel, hypervisors, and drivers.
Before Skylake, this was done through a special device that connected to the motherboard's debugging port (ITP-XDP). It was not easily accessible, so there was not much concern that an attacker would use it to wreak havoc on a system. That changed when Skylake came out, which introduced the Direct Connect Interface (DCI) that provides access to the JTAG debugging interface through standard USB 3.0 ports.
There are no hardware or software tricks needed for an attacker to exploit this, all that is required is that the DCI interface is enabled. On many systems, DCI is enabled by default. On those that are not, there are several ways to enable it.
"An attacker could change the BIOS configuration (for example, with a use of a Flash 'programmator') when they have physical access to the equipment during manufacturing, storage or usage. Some BIOSs do not block the DCI configuration which is why there is the possibility of turning on the DCI," said Maxim Goryachy, who along with Mark Ermolov discovered this security flaw.
Goryachy went so far as to insinuate that this could be a bigger security problem than Stuxnet. Whereas Stuxnet only infected Windows PCs, this latest vulnerability can be used on any system running an Intel U-series CPU, including laptops and NUCs.
The researchers say that attackers could exploit the debugging interface to bypass any security measures in place that would prevent installing malicious code over a certain period of time. An attacker could also use the vulnerability to spy on a user and access his data, or even prevent a system from running by rewriting its BIOS, the firmware in a PC that initializes the hardware prior to booting into the operating system.
"These manufacturer-created hardware mechanisms have legitimate purposes, such as special debugging features for hardware configuration and other beneficial uses. But now these mechanisms are available to attackers as well. Performing such attacks does not require nation-state resources or even special equipment," the researchers say.
What is at issue here is the JTAG (Joint Test Action Group) debugging interface. It works below the software layer so that troubleshooters can perform hardware debugging on the OS kernel, hypervisors, and drivers.
Before Skylake, this was done through a special device that connected to the motherboard's debugging port (ITP-XDP). It was not easily accessible, so there was not much concern that an attacker would use it to wreak havoc on a system. That changed when Skylake came out, which introduced the Direct Connect Interface (DCI) that provides access to the JTAG debugging interface through standard USB 3.0 ports.
There are no hardware or software tricks needed for an attacker to exploit this, all that is required is that the DCI interface is enabled. On many systems, DCI is enabled by default. On those that are not, there are several ways to enable it.
"An attacker could change the BIOS configuration (for example, with a use of a Flash 'programmator') when they have physical access to the equipment during manufacturing, storage or usage. Some BIOSs do not block the DCI configuration which is why there is the possibility of turning on the DCI," said Maxim Goryachy, who along with Mark Ermolov discovered this security flaw.
Goryachy went so far as to insinuate that this could be a bigger security problem than Stuxnet. Whereas Stuxnet only infected Windows PCs, this latest vulnerability can be used on any system running an Intel U-series CPU, including laptops and NUCs.
