Friday, January 13th 2017
Intel's Skylake and Kaby Lake-based Systems Vulnerable to USB Exploit
At this year's CCC hacker congress, researchers from Positive Technologies have released information, which documents vulnerabilities in Intel's Skylake and Kaby Lake series processors' handling of USB 3.0-based debugging - which could be used to attack, corrupt, and even subvert a user's system.
This vulnerability allows attackers to bypass typical security mechanisms - both at the hardware and at the OS level - by using a new debugging interface, which could allow them to install malware and/or rewrite the system's firmware and BIOS. The exploit is currently undetectable using existing security tools, and according to the researchers, this mechanism can be used on a hacked system regardless of the OS installed.
Before Skylake, low-level machine debugging was available through a special device that connected to the motherboard's debugging port (ITP-XDP). It was not easily accessible, though - not every board carries the relevant connections; also the hardware and software as expensive and difficult to acquire - so there was not much concern regarding the scale and impact of the attacks (if you recall, typical risk measurement considers both the severity of an exploit's effect as well as the probability of that exploit being explored). That changed when Skylake came out, which introduced the Direct Connect Interface (DCI) that provides access to the JTAG debugging interface through a specific standard USB 3.0 port on the motherboard - a technology which is much more ubiquitous and easily accessible.
There are no hardware or software tricks needed for an attacker to exploit this, all that is required is that the DCI interface is enabled. On many systems, DCI is enabled by default. On those that are not, there are several ways to enable it. Once DCI is activated, it works like any kernel debugger: the CPU can be paused, all memory and register contents can be read and written, without the operating system ever noticing that it was paused in the first place. The researchers have already reported this vulnerability to Intel, though at this time there is no fix available. The fact that any individual with malicious intent needs to have physical access to the machine and its USB 3.0 ports makes this exploit a little more difficult to accomplish, but it would seem that workplaces or servers are particularly vulnerable. One minor caveat is that only a single, board-specific, USB 3.0 port can be used for debugging, so an attacker would have to try out all of them, or know the right one for that hardware configuration.
Motherboard vendors could provide a BIOS update, which disables DCI debugging and locks it down, so that any software running after the BIOS can not re-enable it.
The researchers have also uploaded a video where they explain the process in more detail. Watch the video right here:
Sources:
YouTube, HotHardware, Overclock3D
This vulnerability allows attackers to bypass typical security mechanisms - both at the hardware and at the OS level - by using a new debugging interface, which could allow them to install malware and/or rewrite the system's firmware and BIOS. The exploit is currently undetectable using existing security tools, and according to the researchers, this mechanism can be used on a hacked system regardless of the OS installed.
There are no hardware or software tricks needed for an attacker to exploit this, all that is required is that the DCI interface is enabled. On many systems, DCI is enabled by default. On those that are not, there are several ways to enable it. Once DCI is activated, it works like any kernel debugger: the CPU can be paused, all memory and register contents can be read and written, without the operating system ever noticing that it was paused in the first place. The researchers have already reported this vulnerability to Intel, though at this time there is no fix available. The fact that any individual with malicious intent needs to have physical access to the machine and its USB 3.0 ports makes this exploit a little more difficult to accomplish, but it would seem that workplaces or servers are particularly vulnerable. One minor caveat is that only a single, board-specific, USB 3.0 port can be used for debugging, so an attacker would have to try out all of them, or know the right one for that hardware configuration.
Motherboard vendors could provide a BIOS update, which disables DCI debugging and locks it down, so that any software running after the BIOS can not re-enable it.
The researchers have also uploaded a video where they explain the process in more detail. Watch the video right here:
41 Comments on Intel's Skylake and Kaby Lake-based Systems Vulnerable to USB Exploit
It's like, if you are a hypothetical evil NSA agent, and you need to surveil some anti-political rebel journalist, you are going to dress up as a phone company employee and install a tiny ultrasonic speaker into user's PC, alongside a trojan which uses webcam mic to record all conversations, then you implant an ultrasonic mic into his landline phone and transmit the recorded conversations via Dail-up while no one is home. By the time you are done installing all of this, the Journalist will probably accept you as a family member, or at least an accidental roommate, and tell you his secrets anyway.
ASUS Premium High Performance 15.6" FHD Laptop(Intel Core i7-5500U, 8GB RAM, 1TB HDD, DVD,Windows 10- Black)
looks like I'm gonna need my tinfoil again! lol
and you dont hear anything because of course there is a gag order
www.digitaltrends.com/web/google-fisc-gag-order-user-data-requests/
And FYI, ADB is not as network friendly as you think. Trust me on that one!
ah....that CrazyRussianHacker... then we are all doomed, because "Safety is numbeg one pgiogity"! :roll:
Almost like RED21 with his DIY cheeseburger.:banghead: