Friday, January 13th 2017
Intel's Skylake and Kaby Lake-based Systems Vulnerable to USB Exploit
At this year's CCC hacker congress, researchers from Positive Technologies have released information, which documents vulnerabilities in Intel's Skylake and Kaby Lake series processors' handling of USB 3.0-based debugging - which could be used to attack, corrupt, and even subvert a user's system.
This vulnerability allows attackers to bypass typical security mechanisms - both at the hardware and at the OS level - by using a new debugging interface, which could allow them to install malware and/or rewrite the system's firmware and BIOS. The exploit is currently undetectable using existing security tools, and according to the researchers, this mechanism can be used on a hacked system regardless of the OS installed.
Before Skylake, low-level machine debugging was available through a special device that connected to the motherboard's debugging port (ITP-XDP). It was not easily accessible, though - not every board carries the relevant connections; also the hardware and software as expensive and difficult to acquire - so there was not much concern regarding the scale and impact of the attacks (if you recall, typical risk measurement considers both the severity of an exploit's effect as well as the probability of that exploit being explored). That changed when Skylake came out, which introduced the Direct Connect Interface (DCI) that provides access to the JTAG debugging interface through a specific standard USB 3.0 port on the motherboard - a technology which is much more ubiquitous and easily accessible.
There are no hardware or software tricks needed for an attacker to exploit this, all that is required is that the DCI interface is enabled. On many systems, DCI is enabled by default. On those that are not, there are several ways to enable it. Once DCI is activated, it works like any kernel debugger: the CPU can be paused, all memory and register contents can be read and written, without the operating system ever noticing that it was paused in the first place. The researchers have already reported this vulnerability to Intel, though at this time there is no fix available. The fact that any individual with malicious intent needs to have physical access to the machine and its USB 3.0 ports makes this exploit a little more difficult to accomplish, but it would seem that workplaces or servers are particularly vulnerable. One minor caveat is that only a single, board-specific, USB 3.0 port can be used for debugging, so an attacker would have to try out all of them, or know the right one for that hardware configuration.
Motherboard vendors could provide a BIOS update, which disables DCI debugging and locks it down, so that any software running after the BIOS can not re-enable it.
The researchers have also uploaded a video where they explain the process in more detail. Watch the video right here:
Sources:
YouTube, HotHardware, Overclock3D
This vulnerability allows attackers to bypass typical security mechanisms - both at the hardware and at the OS level - by using a new debugging interface, which could allow them to install malware and/or rewrite the system's firmware and BIOS. The exploit is currently undetectable using existing security tools, and according to the researchers, this mechanism can be used on a hacked system regardless of the OS installed.
There are no hardware or software tricks needed for an attacker to exploit this, all that is required is that the DCI interface is enabled. On many systems, DCI is enabled by default. On those that are not, there are several ways to enable it. Once DCI is activated, it works like any kernel debugger: the CPU can be paused, all memory and register contents can be read and written, without the operating system ever noticing that it was paused in the first place. The researchers have already reported this vulnerability to Intel, though at this time there is no fix available. The fact that any individual with malicious intent needs to have physical access to the machine and its USB 3.0 ports makes this exploit a little more difficult to accomplish, but it would seem that workplaces or servers are particularly vulnerable. One minor caveat is that only a single, board-specific, USB 3.0 port can be used for debugging, so an attacker would have to try out all of them, or know the right one for that hardware configuration.
Motherboard vendors could provide a BIOS update, which disables DCI debugging and locks it down, so that any software running after the BIOS can not re-enable it.
The researchers have also uploaded a video where they explain the process in more detail. Watch the video right here:
41 Comments on Intel's Skylake and Kaby Lake-based Systems Vulnerable to USB Exploit
And now I hear RT "took over" C-SPAN..... at least that's what the header said. Turns out some dummy just routed their online streams wrong....
No other people around besides some family now and then, but they don't touch my computers.
because after reading the news 3 time ... is see "U-Series vulnerable" but no mention if it's generic to other series (except a foggy "when Skylake came out, which introduced the Direct Connect Interface (DCI) that provides access to the JTAG debugging interface through standard USB 3.0 ports." ... is that for U-serie only or it does affect all Skylake and Krappy Lake? )
oh well just like @P4-630 no other have access to my computer (and nope ... no Aliens can either ... :p )
Looks like I will need to be careful until there is a fix available.
EDIT: Stuxnet was delivered through USB sticks.
1) This exploit heavily relies on debugging interface being enabled. On 99.9% of all skylake systems(even laptops and tablets) it is not.
2) In order to enable the debugging interface you have to be able to update BIOS and ME firmware. So, it's not going to be as simple as sticking something in USB port (some boards even have ME locked via jumper)
3) The method itself, even if successful and meets all preconditions, is so unpractical, that you may as well ignore it. No Evil NSA Agent, or Crazy Russian Hacker is going to break into your house, update your BIOS, stick something weird into your USB port, just so he can monitor and log all of your naughty porn history.
It may be interesting from an academic perspective, but it will never become a new "rubber ducky", because it requires unrestricted access to the target system (which kind of defeats the purpose).
BTW, I haven't seen anyone blaming MS for Kernel Mode Debugging, or Google for ADB. Those present more imminent danger and are network-friendly.
None of your conspiracy theory even makes sense. Try harder.