Intel is fixing a vulnerability that unauthorized persons with physical access can exploit to install malicious firmware on a chip and defeat a variety of protections, including BitLocker, trusted platform modules, anti-copy restrictions, and others.
The vulnerability, found in Pentium, Celeron, and Atom CPUs on the Apollo Lake, Gemini Lake, and Gemini Lake Refresh platforms, would allow skilled hackers who possess an affected chip to run it in the debug and test modes used by firmware developers. Intel and other chipmakers go to great lengths to prevent unauthorized persons from gaining such access.
Once in developer mode, the attacker can extract the key used to encrypt the data stored in the TPM, and if the TPM is used to store the BitLocker key, that protection is bypassed as well. The adversary can also bypass the code-signing restrictions that prevent unauthorized firmware from running in the Intel Management Engine, a subsystem inside the vulnerable CPUs, and from there permanently backdoor the chip.
While the attack requires the attacker to have brief physical access to the vulnerable device, that is exactly the scenario TPM, BitLocker, and code signing are designed to mitigate. The whole process takes about 10 minutes.
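As an added defender-side example (not code from the article or from the researchers), a small inventory check that parses /proc/cpuinfo-style output and flags hosts on the platforms named above, so that TPM-only BitLocker or PTT key protection on those machines can be reviewed. The CPUID family/model numbers and the sample cpuinfo text are my assumptions and constructed input; verify the model list against Intel's advisory.

```python
# Constructed sample of /proc/cpuinfo output (not captured from a real machine).
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 122
model name\t: Intel(R) Celeron(R) J4005 CPU @ 2.00GHz
"""

# Assumption (not from the article): CPUID family/model pairs for the platforms it names.
# 0x5C = Goldmont (Apollo Lake); 0x7A = Goldmont Plus (Gemini Lake and Gemini Lake Refresh).
# Verify against Intel's advisory before acting on inventory results.
AFFECTED_MODELS = {
    (6, 0x5C): "Apollo Lake (Goldmont)",
    (6, 0x7A): "Gemini Lake / Gemini Lake Refresh (Goldmont Plus)",
}

def parse_cpuinfo(text):
    """Return one dict of fields per logical processor (blocks are blank-line separated)."""
    cpus = []
    for block in text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus

def affected_platform(cpu):
    """Return the affected platform name for one processor record, or None."""
    if cpu.get("vendor_id") != "GenuineIntel":
        return None
    try:
        key = (int(cpu["cpu family"]), int(cpu["model"]))
    except (KeyError, ValueError):
        return None
    return AFFECTED_MODELS.get(key)

def check_host(text):
    """Set of affected platform names present in a cpuinfo dump (empty if none)."""
    return {p for p in map(affected_platform, parse_cpuinfo(text)) if p}

if __name__ == "__main__":
    hits = check_host(SAMPLE_CPUINFO)
    print("Affected platform(s):", ", ".join(sorted(hits)) if hits else "none found")
```

On a real Linux host, pass `open("/proc/cpuinfo").read()` to `check_host` instead of the constructed sample; a hit means the host's firmware fix status and its BitLocker key-protector configuration deserve a look.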
Each Intel CPU has a unique key that is used to generate follow-up keys for things like Intel’s TPM, Enhanced Privacy Identifier, and other types of protection that rely on features built into the Intel silicon. This unique key is known as a “fuse code key” or “chipset key fuse”.
Maxim Goryachy, one of the researchers who discovered the vulnerability, told me: “We discovered that you can extract this key from the security fuses. Essentially, this key is encrypted, but we also found a way to decrypt it, allowing us to execute arbitrary code within the management engine, extract BitLocker/TPM keys, etc.”
A blog post published on Monday expanded on the things hackers might use the exploit for. Mark Ermolov, one of the researchers who discovered the vulnerability, wrote:
One example of a real threat is the loss or theft of laptops containing confidential information in encrypted form. With this vulnerability, an attacker could extract the encryption key and access the information inside the laptop. The bug can also be exploited in targeted attacks across the supply chain. For example, an employee of a supplier of hardware based on an Intel processor could, in theory, extract the Intel CSME [converged security and management engine] firmware key and spread spyware that security software won’t detect. This vulnerability is also dangerous because it facilitates extraction of the root encryption key used in Intel PTT (Platform Trust Technology) and Intel EPID (Enhanced Privacy Identifier) technologies in digital content protection systems against illegal copying. For example, a number of Amazon e-book models use Intel EPID-based protection for digital rights management. With this vulnerability, an intruder could extract the root EPID key from a device (e-book), and then, after hacking Intel EPID technology, download, copy, and distribute electronic materials from providers in file form.
A growing list of complex hacks
Over the past few years, researchers have exploited a combination of firmware and performance features in Intel products to work around the company’s basic security guarantees for its CPUs.
In October 2020, the same team of researchers extracted the secret key that encrypts microcode updates for a variety of Intel CPUs. Having an unencrypted version of an update could allow hackers to reverse engineer it and learn precisely how to exploit the hole it patches. The extracted key may also allow non-Intel parties, such as a malicious hacker or a hobbyist, to update chips with their own microcode, although such a custom version would not survive a reboot.