Security researchers at Positive Technologies have discovered a security vulnerability affecting most Intel processors released in the past 5 years. Intel has already taken steps to mitigate against some possible attacks… but because the vulnerability is in the boot ROM (the first thing that loads when a chip is powered up), there’s no way to completely fix the issue with a software, firmware, or BIOS update.

The good news is that 10th-gen and later Intel chips are said to be unaffected. And Intel tells the folks at Ars Technica that thanks to security updates it has already rolled out, it’s likely that an attacker would need physical access to your computer in order to exploit the vulnerability.

So… maybe don’t leave your Intel-powered PC lying around where government or corporate spies can pick it up anytime soon?

Mark Ermolov of Positive Technologies has a blog post explaining a bit more about the bug and why it’s unfixable.

In a nutshell, the vulnerability is in the Intel Converged Security and Management Engine (CSME), which is “responsible for initial authentication of Intel-based systems by loading and verifying all other firmware for modern platforms. Since the CSME is hard-coded into the read-only Mask ROM of a chip, it’s impossible for Intel to roll out a firmware update with a bug fix.

Not only does this mean there’s a vulnerability in the first thing that loads when you turn on a computer. But Intel’s CSME is also responsible for the cryptography used in Intel’s hardware-based security features, which means that a flaw in the foundation is… well, sort of like taking a few bricks out of the foundation of a wall — the whole thing becomes a lot less sturdy and more vulnerable to malicious attackers.

Ermolov also notes that if hackers figure out how to use the flaw to extract Intel’s Enhanced Privacy ID (EPID) then “utter chaos will reign” because that ID is used for “an entire generation of Intel chipsets,” which means that it would open the door to forging hardware IDs and extracting data from encrypted disks.

So… it might not be a bad time to consider upgrading to a computer with a 10th-gen Intel Core processor, an AMD Ryzen chip… or maybe sticking with a much older Intel processor, since only chips released in the last 5 years are said to be affected by this vulnerability.

via ZDNet and Ars Technica

Support Liliputing

Liliputing's primary sources of revenue are advertising and affiliate links (if you click the "Shop" button at the top of the page and buy something on Amazon, for example, we'll get a small commission).

But there are several ways you can support the site directly even if you're using an ad blocker* and hate online shopping.

Contribute to our Patreon campaign

or...

Contribute via PayPal

* If you are using an ad blocker like uBlock Origin and seeing a pop-up message at the bottom of the screen, we have a guide that may help you disable it.

5 replies on “Unfixable vulnerability discovered in most recent Intel chips”

  1. I HAVE AIO FOR BROWSING, MAIL … (AND iAM RUNNING ON hASWELL)
    DESKTOP FOR HARD STUFF (NO WIRELESS CONNECTIVITY)
    AND A TABLET FOR WORKING, NOTE TAKING (RIPPED THE WIRELESS BOARD OUT)

    IS THERE ANYTHING I SHOULD BE WORRIED ABOUT?

    1. It’s only an issue if people who would exploit this have physical access to your computer, as I understand it. As someone else pointed out, this is more of an issue in corporate environments. If your desktop — and Haswell is right on that border of five years or so, I think, and I’m not sure it’s even affected — is private and your personal machine at home, you should not worry.

  2. Are we in a war (against Intel) …??

    OR

    It’s a new kind of business tactics by Intel …!!

    HELP! HELP! I’m getting drown in the * Lake(s) … 😉

    1. This mostly affects corporate security – It may be a requirement that “Laptops with access to proprietary data must use whole-disk encryption without published exploits.” Stolen laptops are a common physical access risk.

Comments are closed.