Security researchers at Positive Technologies have discovered a security vulnerability affecting most Intel processors released in the past 5 years. Intel has already taken steps to mitigate against some possible attacks… but because the vulnerability is in the boot ROM (the first thing that loads when a chip is powered up), there’s no way to completely fix the issue with a software, firmware, or BIOS update.
The good news is that 10th-gen and later Intel chips are said to be unaffected. And Intel tells the folks at Ars Technica that thanks to security updates it has already rolled out, it’s likely that an attacker would need physical access to your computer in order to exploit the vulnerability.
So… maybe don’t leave your Intel-powered PC lying around where government or corporate spies can pick it up anytime soon?
Mark Ermolov of Positive Technologies has a blog post explaining a bit more about the bug and why it’s unfixable.
In a nutshell, the vulnerability is in the Intel Converged Security and Management Engine (CSME), which is “responsible for initial authentication of Intel-based systems by loading and verifying all other firmware for modern platforms. Since the CSME is hard-coded into the read-only Mask ROM of a chip, it’s impossible for Intel to roll out a firmware update with a bug fix.
Not only does this mean there’s a vulnerability in the first thing that loads when you turn on a computer. But Intel’s CSME is also responsible for the cryptography used in Intel’s hardware-based security features, which means that a flaw in the foundation is… well, sort of like taking a few bricks out of the foundation of a wall — the whole thing becomes a lot less sturdy and more vulnerable to malicious attackers.
Ermolov also notes that if hackers figure out how to use the flaw to extract Intel’s Enhanced Privacy ID (EPID) then “utter chaos will reign” because that ID is used for “an entire generation of Intel chipsets,” which means that it would open the door to forging hardware IDs and extracting data from encrypted disks.
So… it might not be a bad time to consider upgrading to a computer with a 10th-gen Intel Core processor, an AMD Ryzen chip… or maybe sticking with a much older Intel processor, since only chips released in the last 5 years are said to be affected by this vulnerability.