Friday, January 13th 2017

Intel's Skylake and Kaby Lake-based Systems Vulnerable to USB Exploit

At this year's CCC hacker congress, researchers from Positive Technologies have released information, which documents vulnerabilities in Intel's Skylake and Kaby Lake series processors' handling of USB 3.0-based debugging - which could be used to attack, corrupt, and even subvert a user's system.

This vulnerability allows attackers to bypass typical security mechanisms - both at the hardware and at the OS level - by using a new debugging interface, which could allow them to install malware and/or rewrite the system's firmware and BIOS. The exploit is currently undetectable using existing security tools, and according to the researchers, this mechanism can be used on a hacked system regardless of the OS installed.
Before Skylake, low-level machine debugging was available through a special device that connected to the motherboard's debugging port (ITP-XDP). It was not easily accessible, though - not every board carries the relevant connections; also the hardware and software as expensive and difficult to acquire - so there was not much concern regarding the scale and impact of the attacks (if you recall, typical risk measurement considers both the severity of an exploit's effect as well as the probability of that exploit being explored). That changed when Skylake came out, which introduced the Direct Connect Interface (DCI) that provides access to the JTAG debugging interface through a specific standard USB 3.0 port on the motherboard - a technology which is much more ubiquitous and easily accessible.

There are no hardware or software tricks needed for an attacker to exploit this, all that is required is that the DCI interface is enabled. On many systems, DCI is enabled by default. On those that are not, there are several ways to enable it. Once DCI is activated, it works like any kernel debugger: the CPU can be paused, all memory and register contents can be read and written, without the operating system ever noticing that it was paused in the first place. The researchers have already reported this vulnerability to Intel, though at this time there is no fix available. The fact that any individual with malicious intent needs to have physical access to the machine and its USB 3.0 ports makes this exploit a little more difficult to accomplish, but it would seem that workplaces or servers are particularly vulnerable. One minor caveat is that only a single, board-specific, USB 3.0 port can be used for debugging, so an attacker would have to try out all of them, or know the right one for that hardware configuration.

Motherboard vendors could provide a BIOS update, which disables DCI debugging and locks it down, so that any software running after the BIOS can not re-enable it.

The researchers have also uploaded a video where they explain the process in more detail. Watch the video right here:


Source: YouTube, HotHardware, Overclock3D
Add your own comment

41 Comments on Intel's Skylake and Kaby Lake-based Systems Vulnerable to USB Exploit

#1
Basard
Lol.... those pesky Russians are gonna start USB hacking us now.....

And now I hear RT "took over" C-SPAN..... at least that's what the header said. Turns out some dummy just routed their online streams wrong....
Posted on Reply
#3
P4-630
The Way It's Meant to be Played
Well I have no reason to worry about this hacking, the only one using my computers is me and no one else.:D:p

No other people around besides some family now and then, but they don't touch my computers.
Posted on Reply
#4
TheLostSwede
P4-630 said:

No other people around besides some family now and then, but they don't touch my computers.
But what about the aliens..?
Posted on Reply
#5
GreiverBlade
natr0n said:
Hacky Lake-U
corrected ... after all it's only the Ultra low power that are affected .... right?

P4-630 said:
Well I have no reason to worry about this hacking, the only one using my computers is me and no one else.:D:p

No other people around besides some family now and then, but they don't touch my computers.
eehhh? your i5 is a i5-6500U ? :laugh: ;)



because after reading the news 3 time ... is see "U-Series vulnerable" but no mention if it's generic to other series (except a foggy "when Skylake came out, which introduced the Direct Connect Interface (DCI) that provides access to the JTAG debugging interface through standard USB 3.0 ports." ... is that for U-serie only or it does affect all Skylake and Krappy Lake? )

oh well just like @P4-630 no other have access to my computer (and nope ... no Aliens can either ... :p )
Posted on Reply
#6
anarekist
vulnerability mandated by the govt to ease their hardware intercept spy program, basically they get your hardware before you do, use the exploit to install malware then send it to you like nothing ever happened.
Posted on Reply
#7
puma99dk|
Why is it that this doesn't surprise me when Skylake has this and Kaby Lake also does?
Posted on Reply
#8
rtwjunkie
PC Gaming Enthusiast
@TheLostSwede They don't need USB for anal probe. :laugh:
Posted on Reply
#9
HD64G
Spyware purposed bug or stupidity from Intel engineers? No matter which one anyone choose, Intel is the main responsible as it left it there for 2 gens of their CPUs. :shadedshu:
Posted on Reply
#10
TheinsanegamerN
anarekist said:
vulnerability mandated by the govt to ease their hardware intercept spy program, basically they get your hardware before you do, use the exploit to install malware then send it to you like nothing ever happened.
Mandated, eh? Mind showing us your insider sources for that? :roll:
Posted on Reply
#13
Frick
Fishfaced Nincompoop
P4-630 said:
Well I have no reason to worry about this hacking, the only one using my computers is me and no one else.:D:p

No other people around besides some family now and then, but they don't touch my computers.
IIRC several serious attacks has started because someone has plugged in a USB-drive, either through ignorance (user in a corporation has a key with malicious code) or malice (infiltration).

EDIT: Stuxnet was delivered through USB sticks.
Posted on Reply
#14
BiggieShady
@Prima.Vera implied kudos for the implied facepalm, laughed my ass off :toast:
Posted on Reply
#15
TheLaughingMan
At this point I believe Intel may be just tanking this whole year on purpose. AMD For The Recovery!
Posted on Reply
#16
xorbe
Same fix as always, epoxy the offending usb port
Posted on Reply
#18
Brusfantomet
GreiverBlade said:
corrected ... after all it's only the Ultra low power that are affected .... right?


eehhh? your i5 is a i5-6500U ? :laugh: ;)



because after reading the news 3 time ... is see "U-Series vulnerable" but no mention if it's generic to other series (except a foggy "when Skylake came out, which introduced the Direct Connect Interface (DCI) that provides access to the JTAG debugging interface through standard USB 3.0 ports." ... is that for U-serie only or it does affect all Skylake and Krappy Lake? )

oh well just like @P4-630 no other have access to my computer (and nope ... no Aliens can either ... :p )
From my limited knowledge the U series is a SoC, as opposed to the desktop parts. The offending function could be hidden in some withe paper for the desktop chip sets (if meory serves me ther were some mentioning about JTAG on some of the PCIe/USB/whatever lanes for the Z270, if so then its a problem for your desktop, otherwise its limited to the U series.

xorbe said:
Same fix as always, epoxy the offending usb po
All of them? you want a mac that badly?
Posted on Reply
#19
silentbogo
Ok, here's a comment from one of the more paranoid members of TPU, e.g. me:
1) This exploit heavily relies on debugging interface being enabled. On 99.9% of all skylake systems(even laptops and tablets) it is not.
2) In order to enable the debugging interface you have to be able to update BIOS and ME firmware. So, it's not going to be as simple as sticking something in USB port (some boards even have ME locked via jumper)
3) The method itself, even if successful and meets all preconditions, is so unpractical, that you may as well ignore it. No Evil NSA Agent, or Crazy Russian Hacker is going to break into your house, update your BIOS, stick something weird into your USB port, just so he can monitor and log all of your naughty porn history.

It may be interesting from an academic perspective, but it will never become a new "rubber ducky", because it requires unrestricted access to the target system (which kind of defeats the purpose).

BTW, I haven't seen anyone blaming MS for Kernel Mode Debugging, or Google for ADB. Those present more imminent danger and are network-friendly.
Posted on Reply
#22
xorbe
Brusfantomet said:
Same fix as always, epoxy the offending usb port
All of them? you want a mac that badly?
Posted on Reply
#23
R-T-B
anarekist said:
vulnerability mandated by the govt to ease their hardware intercept spy program, basically they get your hardware before you do, use the exploit to install malware then send it to you like nothing ever happened.
Why would they need to use this when they could just flash the bios in that case?

None of your conspiracy theory even makes sense. Try harder.
Posted on Reply
#24
GC_PaNzerFIN
Intel is selling software that supports this vulnerability. BTW not bypassing "typical security features", the CPU clearly is in protected mode, meaning all except basic debugger features are locked off. :)
Posted on Reply
#25
Recon-UK
With Intfail doing well we can see AMDuhh should win now.
Posted on Reply
Add your own comment