Wednesday, October 5th 2016

Major Intel NUC Security Vulnerability Uncovered

A major security vulnerability has been uncovered affecting Intel NUC (Next Unit of Computing) compact system boards with 5th and 6th generation Core processors. It is a BIOS-level flaw through which an attacker who already holds local administrative privileges can have their malware enter System Management Mode (SMM), a privileged BIOS-level execution mode, and take full control of the platform.

Intel has since released corrective BIOS updates for its 6th generation "Swift Canyon," 6th generation "Grass Canyon" and "Pinnacle Canyon" boards, and for 5th generation "Rock Canyon" boards. Even the performance-oriented "Skull Canyon" NUC, which features Intel's most powerful onboard graphics core, isn't spared. The latest BIOS update can be installed on affected platforms using the Intel Driver Update Utility.

17 Comments on Major Intel NUC Security Vulnerability Uncovered

#1
yogurt_21
attacker with local administrative privileges
the world has turned to massive scare tactics on even the dumbest of things.

"This is a vulnerability for your home where someone with the keys and security system codes can wreck your stuff..."

#2
xorbe
Ironically, SMM is supposed to enhance security. The x86 security model is so complex now, when combined with virtualization, it has to be riddled with undiscovered/unannounced corner cases.
#3
TheinsanegamerN
yogurt_21 said:
the world has turned to massive scare tactics on even the dumbest of things.

"This is a vulnerability for your home where someone with the keys and security system codes can wreck your stuff..."


Local administrator privileges can be acquired via malware. You don't need to PHYSICALLY touch the machine to do so.
#4
Steevo
TheinsanegamerN said:
Local administrator privileges can be acquired via malware. You don't need to PHYSICALLY touch the machine to do so.
With the compromise of keys from known software, all it will take is some idiot getting an email and opening an attachment, or downloading something to kick-start an installation or standalone executable with elevated privileges.

https://labs.mwrinfosecurity.com/blog/masquerading-as-a-windows-system-binary-using-digital-signatures/
#5
hojnikb
Sometimes I think Intel employs brainless monkeys instead of real coders for their software department.

Tell me one piece of software from Intel that's actually any good?
#6
tabascosauz
hojnikb said:
Sometimes I think Intel employs brainless monkeys instead of real coders for their software department.

Tell me one piece of software from Intel that's actually any good?
No need for such hyperbolic language. We get your point. Intel SSD Toolbox is a fine piece of software for quick firmware updates and convenient checking of SMART attributes for Intel SSDs.
#7
Jism
Both Intel and AMD CPUs are basically not recommended for fully secured systems. Even that flaw in Intel's NUC is nothing compared to the microcode Intel and AMD put into their CPUs: https://libreboot.org/faq/#intel
#8
Prima.Vera
Jism said:
Both Intel and AMD CPUs are basically not recommended for fully secured systems. Even that flaw in Intel's NUC is nothing compared to the microcode Intel and AMD put into their CPUs: https://libreboot.org/faq/#intel
Unfortunately there are no alternatives, unless going with ARM CPUs, which also have their share of vulnerabilities...
#9
laszlo
Technically, all hardware connected to a PC is secure if it is not tampered with at the production stage and hidden code inserted in the firmware (remember the HDDs with NSA code?).

There is no such thing as a secure system once it is connected to the internet, in my opinion.
#10
R-T-B
yogurt_21 said:
the world has turned to massive scare tactics on even the dumbest of things.

"This is a vulnerability for your home where someone with the keys and security system codes can wreck your stuff..."


It's a little more complex than that...

Theoretically, with access to the firmware, one could install firmware residing malware that a reinstall would not fix.

It's more like an attacker with keys to your home can claim legal ownership of your home...
#11
Jism
It was funny to read that Russia switched from all US-type x86 hardware to ARM or related hardware; the documents above already prove that extra security adds extra chances of malware.

The world is sickening, and so is the amount of backdoors a PC, router or any device has these days.
#13
yogurt_21
R-T-B said:
It's a little more complex than that...

Theoretically, with access to the firmware, one could install firmware residing malware that a reinstall would not fix.

It's more like an attacker with keys to your home can claim legal ownership of your home...
no.

More like they can squat in your home until you have the police remove them. Which isn't hard. Nor is rolling back a BIOS to remove the threat and then loading a new one that isn't vulnerable to it.

At any rate, NUCs are desktop level, i.e. no one would bother with this exploit. If they have local admin access they have everything they want already and this exploit is useless to them.

At a server level then sure, a BIOS-level back door would be most useful, especially in bigger organizations.
#14
Jism
It's a shame anyway that the hardware you buy these days can never be trusted. Everything includes microcode that holds a potential backdoor to any of your personal computers, servers, NAS or whatever device you have. Even your PS3/PS4 that updates every night (loads a new firmware) cannot be held safe.
#15
R-T-B
yogurt_21 said:
Which isn't hard. Nor is rolling back a BIOS to remove the threat and then loading a new one that isn't vulnerable to it.
Any firmware residing malware could block this.
#16
yogurt_21
R-T-B said:
Any firmware residing malware could block this.
Which also can be removed, but let's take a tally:

1 The hacker uses an exploit to gain full local admin privileges.
2 Instead of taking what they wanted that exists at this level, they want to compromise this system further by using the BIOS exploit in the OP.
3 To prevent the BIOS exploit from being removed, they then turn to firmware which they load onto something that runs first.
4 They take the spoils from step 1 and wait for IT.
5 IT/hired tech/advanced user finds the local admin exploit, removes it and reboots.
6 The local admin exploit reappears due to the BIOS exploit.
7 IT/hired tech/advanced user searches Google on another device, finds an article and attempts to load a new BIOS.
8 The new BIOS load fails or reverts the exploit due to the firmware.
9 IT/hired tech/advanced user searches Google on another device, finds another article and removes the firmware while the unit is offline, then uploads a new exploit-proof BIOS, then loads up the OS and removes the local admin exploit.

So that's a pita for the hacker who only really wanted the info from step 1, a big pita for the user and techs to remove the thing, and a massive obvious trail of "change all your account info stat!" that the hacker seriously didn't want to happen, because that completely undoes all his hard work...

Or he could use the local admin exploit, gain info, and then wipe his exploit and the trail of it ever happening. That way all the account info remains unchanged and he can now use it himself or sell it. This of course can be fully automated and would be happening simultaneously to thousands of people on the net who will be using many different devices rather than just these specific models of Intel NUCs...

You starting to get the picture? The local admin exploit wasn't platform specific, yet somehow they're supposed to go several extra steps in on one model of pre-builts? One that isn't exactly the No. 1 seller.
#17
R-T-B
I won't disagree it's blown out of proportion. My point is it's not a non-issue to a determined, very specific and targeted attack and that's all really. I wouldn't lose much sleep over it but it highlights a strange disconnect between features that are supposed to aid security and their actual impact.