SHORT: This is my collection of links to articles about Intel CPU/chipset security holes.
For quite some time I have been interested in security holes/flaws in PC hardware, as I find such things a real nightmare from a software developer's point of view. What good is perfectly written software with state-of-the-art security if the hardware allows it to be bypassed?
In recent years I’ve noticed that such a security flaw is continuously present in Intel CPUs in the form of Intel ME and Intel AMT technology. Please let me know if similar findings exist for AMD CPUs.
Someone may say that the security problems described in the articles listed below are related to Intel chipsets rather than to Intel CPUs. However, nowadays you can’t (even on a desktop computer) have an Intel CPU and a non-Intel chipset on your motherboard (in the old days it was possible: SiS chipsets, NVidia chipsets, etc.). So when choosing an Intel CPU you really choose an entire Intel platform (CPU, chipset, etc.) with all these problems. Thus it all begins with an Intel CPU, hence the title of this post.
Intel Management Engine (ME) / Intel Active Management Technology (AMT)
It looks like Intel ME/AMT is a hardware backdoor present in all Intel systems (CPU+chipset) since 2008 (introduction of Nehalem cores) or even earlier on systems with vPro technology. It’s a separate computer, able to execute arbitrary code and to control all buses in the “main” computer (the one the user interacts with), and it runs whenever a power supply is connected (even when the “main” computer is turned off).
- Intel Management Engine (ME) – Libreboot FAQ
- A Quest To The Core. Thoughts on present and future attacks on system core technologies by Joanna Rutkowska – an overwhelming presentation of hardware holes (mainly in Intel chipsets and CPUs) and how they can be exploited. (2009)
- Why Rosyna Can’t Take A Movie Screenshot – a nice article describing what this technology (Intel ME/AMT) can do. There are a lot of related links under the article. (2015)
- Intel x86 considered harmful – a paper by Joanna Rutkowska being a survey of the various problems and attacks presented against the x86 platform over the last 10 years. (2015)
- Intel x86s hide another CPU that can take over your machine (you can’t audit it), (2016)
- Intel AMT Vulnerability Shows Intel’s Management Engine Can Be Dangerous – Intel published a security advisory about a vulnerability in Intel ME/AMT. (2017)
- CVE-2017-5689 – “An authentication bypass vulnerability affecting just about every Intel server with AMT, ISM or Intel Small Business technology enabled, allowing unprivileged network attackers to gain system privileges (where AMT has been provisioned). This is notable because AMT provides the possibility to remotely control a computer even when powered off. Packets sent to ports 16992 or 16993 are redirected through Intel’s Management Engine (a small, separate processor independent of the main CPU) and passed to AMT. Patch rollouts are expected to be slow, as while it is Intel’s responsibility to develop the patches (which it has done), it is not Intel’s responsibility to deliver them. That’s down to the device manufacturers and OEMs; and it is generally thought that not all will do so.” (2017)
- How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine – announcement of a presentation at the Black Hat Europe 2017 conference
- Niemal każde CPU Intela od Skylake jest narażone na groźny atak przez USB (En: Almost every Intel CPU since Skylake is exposed to an attack via USB) – news in Polish about a discovery made by the company Positive Technologies. And here is the original article: Where there’s a JTAG, there’s a way: obtaining full system access via USB (2017)
- PC vendors scramble as Intel announces vulnerability in firmware – Arstechnica.com about the discovery made by Positive Technologies Research (2017)
- Researcher finds another security flaw in Intel management firmware – Arstechnica.com: remote control over a PC with Intel ME can be gained after an attacker has had physical access (2018)
Intel Processor Trace (PT)
Intel System Management Mode (SMM)
SMM was originally introduced by Intel, so we can call it an Intel technology. However, it’s present in AMD CPUs as well.
This time Intel’s implementation of a particular x86 instruction was worse than the one found in AMD CPUs.
Intel Hardware Level Speculative Execution
Some sources say Intel CPUs produced since 1995 are affected by the “Meltdown” flaw and that the OS fix will reduce performance by around 20% or more. The fix is generally known as “Kernel page-table isolation”. The “Spectre” flaw is even worse, as it cannot be fixed by a software patch, and worst of all, “Spectre” is not Intel-specific (as almost all the other security holes collected in this post are): it can be reproduced on AMD and ARM.
- Kernel-memory-leaking Intel processor design flaw forces Linux, Windows redesign, (2018)
- Intel Hardware Level Speculative Execution To Blame For Kernel Bug – KPTI Workaround Introduces Performance Hits Up To 23% On Average, (2018)
- Spectre Attacks: Exploiting Speculative Execution – this is about the “Spectre” flaw, which affects not only Intel CPUs but AMD CPUs and ARM CPUs as well, (2018)
- Joanna Rutkowska on Twitter about digging into the “Spectre” flaw as early as 2010, (2018)
Intel Software Guard Extensions (SGX)
- Spectre haunts Intel’s SGX defense: CPU flaws can be exploited to snoop on enclaves – article describing how the “Spectre” flaw makes Intel SGX insecure, (2018)