- May 9, 2015
At this year's CCC hacker congress, researchers from Positive Technologies released information documenting vulnerabilities in how Intel's Skylake and Kaby Lake series processors handle USB 3.0-based debugging - vulnerabilities which could be used to attack, corrupt, and even subvert a user's system.
This vulnerability allows attackers to bypass typical security mechanisms - both at the hardware and at the OS level - by using a new debugging interface, which could allow them to install malware and/or rewrite the system's firmware and BIOS. The exploit is currently undetectable using existing security tools, and according to the researchers, this mechanism can be used on a hacked system regardless of the OS installed.
Before Skylake, low-level machine debugging was available through a special device that connected to the motherboard's debugging port (ITP-XDP). It was not easily accessible, though - not every board carries the relevant connections, and the hardware and software were expensive and difficult to acquire - so there was not much concern regarding the scale and impact of the attacks (if you recall, typical risk measurement considers both the severity of an exploit's effect as well as the probability of that exploit being explored). That changed when Skylake came out, which introduced the Direct Connect Interface (DCI) that provides access to the JTAG debugging interface through a specific standard USB 3.0 port on the motherboard - a technology which is much more ubiquitous and easily accessible.
There are no hardware or software tricks needed for an attacker to exploit this; all that is required is that the DCI interface is enabled. On many systems, DCI is enabled by default. On those where it is not, there are several ways to enable it. Once DCI is activated, it works like any kernel debugger: the CPU can be paused, and all memory and register contents can be read and written, without the operating system ever noticing that it was paused in the first place. The researchers have already reported this vulnerability to Intel, though at this time there is no fix available. The fact that any individual with malicious intent needs to have physical access to the machine and its USB 3.0 ports makes this exploit a little more difficult to accomplish, but it would seem that workplaces or servers are particularly vulnerable. One minor caveat is that only a single, board-specific USB 3.0 port can be used for debugging, so an attacker would have to try out all of them, or know the right one for that hardware configuration.
Motherboard vendors could provide a BIOS update which disables DCI debugging and locks it down, so that any software running after the BIOS cannot re-enable it.
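As an added example (not from the researchers or from Intel), the "disabled and locked" state can be audited from a running Linux system by decoding the architectural IA32_DEBUG_INTERFACE MSR (0xC80, bits as documented in Intel's SDM). This MSR is not named in the article and is assumed here as the processor-side indicator; it does not cover chipset-side DCI settings, and reading it assumes the `msr` kernel module and root.

```python
import glob
import os
import struct

IA32_DEBUG_INTERFACE = 0xC80  # architectural MSR per Intel SDM (assumption: not named in the article)
ENABLE = 1 << 0               # silicon debug features enabled
LOCK = 1 << 30                # further writes to the MSR are blocked
DEBUG_OCCURRED = 1 << 31      # sticky: ENABLE was set at some point since reset


def assess(value):
    """Grade one raw MSR value against the 'disabled and locked' target state."""
    enabled = bool(value & ENABLE)
    locked = bool(value & LOCK)
    occurred = bool(value & DEBUG_OCCURRED)
    if enabled:
        verdict, why = "FAIL", "debug interface is enabled"
    elif not locked:
        verdict, why = "WARN", "disabled but unlocked: ring-0 code could enable it"
    elif occurred:
        verdict, why = "WARN", "locked off now, but debug was enabled earlier this boot"
    else:
        verdict, why = "PASS", "disabled and locked"
    return {"enabled": enabled, "locked": locked, "occurred": occurred,
            "verdict": verdict, "why": why}


def read_msr(cpu, msr=IA32_DEBUG_INTERFACE):
    """Read a 64-bit MSR through the Linux msr driver (/dev/cpu/N/msr)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, msr))[0]
    finally:
        os.close(fd)


def audit(values):
    """values: {cpu_index: raw_msr}. Returns (worst_verdict, per-CPU results)."""
    rank = {"PASS": 0, "WARN": 1, "FAIL": 2}
    results = {cpu: assess(v) for cpu, v in sorted(values.items())}
    worst = max((r["verdict"] for r in results.values()), key=rank.get, default="PASS")
    return worst, results


if __name__ == "__main__":
    cpus = sorted(int(p.split("/")[3]) for p in glob.glob("/dev/cpu/[0-9]*/msr"))
    # Fall back to constructed sample values when the msr driver is unavailable.
    values = {c: read_msr(c) for c in cpus} or {0: 0x40000000, 1: 0x00000001}
    worst, results = audit(values)
    for cpu, r in results.items():
        print(f"cpu{cpu}: {r['verdict']} - {r['why']}")
    print("overall:", worst)
```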
The researchers have also uploaded a video where they explain the process in more detail.