Intel SA-00086 vulnerability and CPU firmware security: the impact on the cyber landscape
Discovered in 2017, the Intel SA-00086 vulnerability is an important case study: it makes it possible to obtain the private key used to decrypt CPU security patches, and it can therefore be used to open a backdoor by exploiting the flaws that those same patches are intended to fix. Its impact on the cyber security landscape is therefore significant.
In 2017, researchers managed to extract the private key used to decrypt security patches for Intel CPUs based on the Goldmont architecture. It is thus possible to reverse engineer the updates or write custom firmware, allowing a hostile actor to open a backdoor by exploiting the flaws that the patches are intended to fix.
Three Positive Technologies researchers managed to extract the private key used to decrypt the security patches released by Intel. A patch, also known as a fix or bugfix, is a code update aimed at fixing a vulnerability in the system, commonly referred to as a bug.
The key therefore makes it possible to decrypt updates to the microcode that makes up the firmware of central processing units (CPUs). The firmware governs how the CPU operates in response to the instructions it receives. Intel periodically releases updates aimed at fixing flaws within the firmware. By decrypting the updates, it is possible to trace the corrections made and learn which vulnerabilities they address. Any hostile actor could then open a backdoor by exploiting the flaws that the patch is intended to fix.
The details of the Intel SA-00086 vulnerability
In 2017, Intel started its own Bug Bounty Program, an initiative to incentivize researchers to report flaws in its products, including firmware, in exchange for payment. As part of this project, the company has collaborated with over 250 researchers from around the world. In 2020, 105 of the 231 common vulnerabilities and exposures (CVEs) were reported through this program.
The Positive Technologies researchers' discovery dates back to 2017. Through this flaw, known as INTEL SA-00086, it was possible to enter the “Red Unlock” mode, used by Intel engineers to debug chips before releasing them to market. Once this mode was enabled, the experts were able to identify the microcode present in the ROM (read-only memory). A reverse engineering process followed, which led to the discovery of the decryption key.
The researchers in question, of Russian origin, are Maxim Goryachy, Dmitry Sklyarov, and Mark Ermolov. Maxim Goryachy is an embedded systems programmer, specializing in cryptography processes, virtualization technologies, reverse engineering, and hardware; Mark Ermolov is a systems programmer who specializes in the security aspects of hardware, firmware, and low-level system software; Dmitry Sklyarov is Head of Reverse Engineering at Positive Technologies. He was a security researcher at ElcomSoft and a lecturer at Moscow State Technical University.
The latter was accused in 2001 of alleged violation of the Digital Millennium Copyright Act (DMCA), as part of the United States trial against ElcomSoft and Dmitry Sklyarov. The case ended with the charges against Sklyarov being dropped, and ElcomSoft was not found guilty under the applicable jurisdiction.
The impacts in the cyber security landscape
Intel officials said the issue did not pose a customer safety exposure. The private key used to authenticate the microcode does not reside on the chip, and an attacker cannot remotely upload an unauthenticated patch.
This means that hackers cannot use the Chip Red Pill debugger and its decryption key to remotely hack vulnerable CPUs, at least not without chaining patches to other currently unknown vulnerabilities. Likewise, malicious actors cannot use these techniques to infect the supply chain of devices based on the Goldmont chip architecture.
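The distinction drawn above, between a decryption key that can be extracted from the chip and an authentication key that never resides on it, can be modelled in a few lines. This is an added example, not Intel's actual update format or algorithms: the toy stream cipher, the small textbook RSA parameters and every name in it are assumptions chosen for illustration.

```python
from hashlib import sha256

# Constructed toy parameters (assumptions): two Mersenne primes, far too small for real use.
P, Q, E = 2**127 - 1, 2**89 - 1, 65537
N = P * Q                                    # public modulus, known to the CPU
D = pow(E, -1, (P - 1) * (Q - 1))            # signing exponent: vendor only, never on the chip
ON_CHIP_KEY = b"constructed-decryption-key"  # symmetric secret stored in the CPU


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode); the same call encrypts and decrypts."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = sha256(key + offset.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], pad))
    return bytes(out)


def digest_int(data: bytes) -> int:
    """Hash the plaintext and reduce it into the toy modulus."""
    return int.from_bytes(sha256(data).digest(), "big") % N


def vendor_release(plain: bytes):
    """Vendor side: sign the plaintext with D, then encrypt it for distribution."""
    return keystream_xor(ON_CHIP_KEY, plain), pow(digest_int(plain), D, N)


def cpu_accepts(blob: bytes, signature: int) -> bool:
    """CPU side: decrypt with the on-chip key, verify with public values (N, E) only."""
    plain = keystream_xor(ON_CHIP_KEY, blob)
    return pow(signature, E, N) == digest_int(plain)


def demo():
    original = b"constructed microcode patch, revision 2"
    blob, signature = vendor_release(original)
    # A holder of the extracted decryption key can read the update...
    recovered = keystream_xor(ON_CHIP_KEY, blob)
    # ...and re-encrypt a modified body, but has no D to sign it with.
    tampered = keystream_xor(ON_CHIP_KEY, recovered.replace(b"revision 2", b"revision X"))
    return recovered == original, cpu_accepts(blob, signature), cpu_accepts(tampered, signature)


if __name__ == "__main__":
    print(demo())
```

In this model the extracted key gives full read access to the update, which is what enables patch analysis, while acceptance by the CPU still depends on a signature that only the holder of `D` can produce.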
However, the technique opens up several possibilities for hackers who have physical access to a computer that has one of these CPUs. Attackers could carry out an “evil-maid” attack, a form of tampering with an unattended device, in which an attacker with physical access imperceptibly alters it for later access. Specifically, Chip Red Pill could be used to tamper with CPUs to steal secret information or to install remote access tools.
Although the INTEL SA-00086 flaw has been identified and reported, the risks of compromising the chips and using them for malicious purposes remain high. One of them concerns the possibility that malicious chips are placed in the hardware of a device where it is possible to manipulate fundamental operating instructions.
In this way, attackers could alter the functioning of a device in minute detail without any anomalies being detected. Such chips can also steal encryption keys for secure communications, block security updates, and open backdoors for malicious actors.
In today’s context, this problem has assumed considerable importance as numerous technology companies engage in commercial relations or subcontract part of their production to companies accused of having links with hostile governments, primarily the Chinese one.
In 2010, anomalous activity was discovered in servers supplied to the Pentagon by Super Micro Computer, a San Jose company founded in 1993 by Taiwanese engineer Charles Liang with some manufacturing sites in China. In that case, it was found that unauthorized instructions had been loaded that allowed the data to be secretly copied and sent to the Beijing authorities. There is no evidence that details of military operations were stolen. However, the attackers gained access to a partial map of the Department of Defense’s unclassified networks.
Four years later, Intel’s security team also spotted a breach in the corporate network due to a tampered firmware update downloaded from the Supermicro website. Analysts linked this interference to the activities of APT 17, a hacker group close to the Beijing government.
Finally, in 2018, Supermicro came into the spotlight again after a Bloomberg Businessweek investigation revealed how the company had supplied some major companies, such as Apple and Amazon, with devices with chips inside used by the People’s Liberation Army (PLA) for espionage operations.
US intelligence agents were able to trace the malicious components by following the Supermicro supply chain backwards, since the device cards have serial numbers that lead back to specific factories.
While these issues have prompted a review of agreements signed with Chinese suppliers, the global shortage of chips has prompted numerous companies, including Intel, to increase their production in China, raising concerns from Washington.
To address this critical issue, the United States Congress recently enacted the Chips and Science Act, which allocates more than $52 billion for the domestic production of computer chips, as well as billions more in tax credits to encourage investments in the sector.