
Intel's Skylake and Kaby Lake-based Systems Vulnerable to USB Exploit

With Intfail doing well we can see AMDuhh should win now.
 
Ok, here's a comment from one of the more paranoid members of TPU, e.g. me:
1) This exploit heavily relies on the debugging interface being enabled. On 99.9% of all Skylake systems (even laptops and tablets) it is not.
2) In order to enable the debugging interface you have to be able to update the BIOS and ME firmware. So it's not going to be as simple as sticking something in a USB port (some boards even have ME locked via a jumper).
3) The method itself, even if successful and meets all preconditions, is so unpractical that you may as well ignore it. No Evil NSA Agent, or Crazy Russian Hacker is going to break into your house, update your BIOS, stick something weird into your USB port, just so he can monitor and log all of your naughty porn history.

It may be interesting from an academic perspective, but it will never become a new "rubber ducky", because it requires unrestricted access to the target system (which kind of defeats the purpose).

BTW, I haven't seen anyone blaming MS for Kernel Mode Debugging, or Google for ADB. Those present more imminent danger and are network-friendly.
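Point 1 above is something a defender can actually verify from the OS rather than take on faith. The following script is an added example, not code from this thread or from the researchers behind the finding: it decodes the IA32_DEBUG_INTERFACE MSR (address 0xC80, with bit 0 = enable, bit 30 = lock and bit 31 = debug occurred, as documented in the Intel SDM) and, on Linux with the `msr` driver loaded and root privileges, reads it from CPU 0. The `assess` verdict strings and the fallback sample value are the example's own assumptions; the MSR read fails safe to a constructed value so the script still runs offline.

```python
import os
import struct

# IA32_DEBUG_INTERFACE MSR address and bit layout per the Intel SDM (vol. 4).
IA32_DEBUG_INTERFACE_MSR = 0xC80
DEBUG_ENABLE_BIT = 1 << 0      # bit 0: debug interface enabled
DEBUG_LOCK_BIT = 1 << 30       # bit 30: setting is locked until the next reset
DEBUG_OCCURRED_BIT = 1 << 31   # bit 31: debug interface was used since reset


def decode_debug_interface(value):
    """Decode a raw IA32_DEBUG_INTERFACE value into a dict of flags."""
    return {
        "enabled": bool(value & DEBUG_ENABLE_BIT),
        "locked": bool(value & DEBUG_LOCK_BIT),
        "debug_occurred": bool(value & DEBUG_OCCURRED_BIT),
    }


def assess(value):
    """Return a verdict (naming is this example's own convention):
    'ok'    = disabled and locked, the expected production state;
    'warn'  = disabled but unlocked, so firmware never locked it down;
    'alert' = debug interface currently enabled."""
    flags = decode_debug_interface(value)
    if flags["enabled"]:
        return "alert"
    if not flags["locked"]:
        return "warn"
    return "ok"


def read_msr(msr, cpu=0):
    """Read an MSR through the Linux msr driver (needs root and `modprobe msr`).
    Returns None if the driver is unavailable or the read faults, so callers
    can degrade gracefully instead of crashing."""
    path = f"/dev/cpu/{cpu}/msr"
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError:
        return None
    try:
        data = os.pread(fd, 8, msr)
    except OSError:
        return None
    finally:
        os.close(fd)
    return struct.unpack("<Q", data)[0]


if __name__ == "__main__":
    raw = read_msr(IA32_DEBUG_INTERFACE_MSR)
    if raw is None:
        # Constructed sample value: disabled and locked.
        raw = DEBUG_LOCK_BIT
        print("msr driver unavailable; decoding a constructed sample value")
    print(f"IA32_DEBUG_INTERFACE = {raw:#018x}")
    print(decode_debug_interface(raw), "->", assess(raw))
```

A "warn" result is worth following up with the board vendor even though the interface is off: without the lock bit, whatever can write the MSR later (firmware, or code running with ring 0) can still turn it on. On CPUs without this MSR the read faults and the script reports the constructed sample instead, so check the printed message before trusting the verdict.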

For me and you, no. But for high-value targets on the other hand (political dissidents, journalists in various places, security researchers researching certain targets, people with access to very cutting-edge IP for example), it's a perfectly valid attack point. Once you are a target, you should worry. For the rest of us, we fly by being too many to target.
 
The hacker who discovered this obviously has some insight into the machine code so this smells like an inside job. Regardless, all software is hack-able. If you are afraid someone will compromise your system using a USB stick you best lock up your PC in a safe before leaving the house.
 
> For me and you, no. But for high-value targets on the other hand (political dissidents, journalists in various places, security researchers researching certain targets, people with access to very cutting-edge IP for example), it's a perfectly valid attack point. Once you are a target, you should worry. For the rest of us, we fly by being too many to target.
You've probably skipped the "unpractical" part. If you have access to UEFI firmware, it will be easy to exploit existing UEFI bugs, rather than doing this circle-jerk in order to do the same thing.

It's like, if you are a hypothetical evil NSA agent, and you need to surveil some anti-political rebel journalist, you are going to dress up as a phone company employee and install a tiny ultrasonic speaker into the user's PC, alongside a trojan which uses the webcam mic to record all conversations, then you implant an ultrasonic mic into his landline phone and transmit the recorded conversations via dial-up while no one is home. By the time you are done installing all of this, the journalist will probably accept you as a family member, or at least an accidental roommate, and tell you his secrets anyway.
 
> You've probably skipped the "unpractical" part. If you have access to UEFI firmware, it will be easy to exploit existing UEFI bugs, rather than doing this circle-jerk in order to do the same thing.
>
> It's like, if you are a hypothetical evil NSA agent, and you need to surveil some anti-political rebel journalist, you are going to dress up as a phone company employee and install a tiny ultrasonic speaker into the user's PC, alongside a trojan which uses the webcam mic to record all conversations, then you implant an ultrasonic mic into his landline phone and transmit the recorded conversations via dial-up while no one is home. By the time you are done installing all of this, the journalist will probably accept you as a family member, or at least an accidental roommate, and tell you his secrets anyway.

Intercepting the machine in the mail or at customs is safer and easier. And all the bits you've listed, a pro can do easily in under an hour if they're fully prepared.
 
Woot, now this is some progress. Who cares about IPC when it's even faster to hack now!
 
> Woot, now this is some progress. Who cares about IPC when it's even faster to hack now!

We could start measuring Incursions Per Clock instead.
 
That isn't a U SKU CPU, so it's not affected.


Yeah but I also have this one coming today and looks like it will be vulnerable.
ASUS Premium High Performance 15.6" FHD Laptop(Intel Core i7-5500U, 8GB RAM, 1TB HDD, DVD,Windows 10- Black)

looks like I'm gonna need my tinfoil again! lol
 
> The hacker who discovered this obviously has some insight into the machine code so this smells like an inside job. Regardless, all software is hack-able. If you are afraid someone will compromise your system using a USB stick you best lock up your PC in a safe before leaving the house.

It should be noted however, that this hacking method can NOT be used to bypass full disk encryption if the system is off when the attempt is made. I am referring to TrueCrypt, VeraCrypt and the like. BitLocker does not count as it requires part of the OS to remain unencrypted.
 
Intel...
[image: "implied facepalm" demotivational poster]

So classic!
 
> Ok, here's a comment from one of the more paranoid members of TPU, e.g. me:
> 1) This exploit heavily relies on the debugging interface being enabled. On 99.9% of all Skylake systems (even laptops and tablets) it is not.
> 2) In order to enable the debugging interface you have to be able to update the BIOS and ME firmware. So it's not going to be as simple as sticking something in a USB port (some boards even have ME locked via a jumper).
> 3) The method itself, even if successful and meets all preconditions, is so unpractical that you may as well ignore it. No Evil NSA Agent, or Crazy Russian Hacker is going to break into your house, update your BIOS, stick something weird into your USB port, just so he can monitor and log all of your naughty porn history.
>
> It may be interesting from an academic perspective, but it will never become a new "rubber ducky", because it requires unrestricted access to the target system (which kind of defeats the purpose).
>
> BTW, I haven't seen anyone blaming MS for Kernel Mode Debugging, or Google for ADB. Those present more imminent danger and are network-friendly.

Hey be nice, Crazy Russian Hacker is cool! [ https://www.youtube.com/user/CrazyRussianHacker ]

And FYI, ADB is not as network friendly as you think. Trust me on that one!
 
> Hey be nice, Crazy Russian Hacker is cool! [ https://www.youtube.com/user/CrazyRussianHacker ]
>
> And FYI, ADB is not as network friendly as you think. Trust me on that one!
Just like JTAG over USB is not as easy to work with as advertised (or flashing UEFI firmware with homemade tools for that matter).

ah....that CrazyRussianHacker... then we are all doomed, because "Safety is numbeg one pgiogity"! :roll:
 
> Just like JTAG over USB is not as easy to work with as advertised (or flashing UEFI firmware with homemade tools for that matter).
>
> ah....that CrazyRussianHacker... then we are all doomed, because "Safety is numbeg one pgiogity"! :roll:

Right? Been watching his videos for a while and his English is getting better as time goes on. But we're getting off-topic..
 
I only know about this dude, because he keeps popping up in Youtube suggested videos, no matter how hard I try to avoid him.
Almost like RED21 with his DIY cheeseburger.:banghead:
 