Mark Ermolov and Dmitry Sklyarov from Positive Technologies (PT) and independent researcher Maxim Goryachy discovered a security flaw in Intel chips that allows attackers to access firmware encryption keys.
The high severity (CVSS 7.1) privilege escalation vulnerability CVE-2021-0146 is an unprotected debugging functionality, thus exposing firmware encryption keys.
According to Intel’s advisory, the vulnerability activates test or debug logic at runtime, allowing an unauthenticated attacker to escalate privileges through physical access.
Intel advised users to install vendor-specific firmware updates containing security fixes for the reported vulnerability.
Intel’s security flaw exposes encryption keys allowing spyware installation
Intel’s CPUs security flaw allows attackers to expose Intel’s Platform Trust Technology (PPT) and Enhanced Privacy ID (EPID) root encryption keys.
Attackers can extract this key to gain access and copy DRM-protected digital content such as eBooks.
“Using this vulnerability, an intruder might extract the root EPID key from a device (e-book), and then, having compromised Intel EPID technology, download electronic materials from providers in file form, copy and distribute them.”
The vulnerability allows threat actors to bypass BitLocker and trusted platform modules (TPM) security protection to circumvent code-signing restrictions and run compromised firmware in the Intel Management Engine.
The attacker requires physical access to the vulnerable device to bypass TPM and BitLocker, making the security flaw a potential risk for stolen devices. However, the researchers did not find evidence of any attacks in the wild.
Technology website Ars Technica says the process requires about 10 minutes to complete. However, the attack requires direct interaction and physical access, thus unfavorable for mass exploitation.
The website explains that each Intel CPU has a unique key used as a “chipset key fuse” and is responsible for generating TPM and EPID encryption keys.
According to the researchers, an attacker can extract this key, decrypt it, and use it to run arbitrary code in Intel’s Management engine to extract TPM, BitLocker, EPID encryption keys. The attacker uses the encryption keys to unlock the device.
“One example of a real threat is lost or stolen laptops that contain confidential information in encrypted form,” Ermolov wrote. “Using this vulnerability, an attacker can extract the encryption key and gain access to [the] information within the laptop.”
Intel advises users to protect their devices from unauthorized physical access. Consequently, this vulnerability renders BitLocker and TPM redundant in protecting computing devices from unauthorized physical access.
The researchers also noted that an attacker could leverage the security flaw to execute supply chain attacks targeting Intel CPU-based devices.
“For example, an employee of an Intel processor-based device supplier could extract the Intel CSME firmware key and deploy spyware that security software would not detect.”
Other researchers have discovered several security vulnerabilities affecting Intel CPUs in the last two years. They include four Software Guard eXtensions (SGX) security flaws that could expose users’ sensitive data.
Others include Boot Guard vulnerabilities and unpatched security loopholes in Intel TPM’s Converged Security and Management Engine. Similarly, Intel’s products have experienced Spectre and Meltdown attacks.
Large tech companies are wary of using Intel chips as the foundation of their Trusted Computing Bases (TCB). Companies like Apple and Google are looking for alternative custom chips to power their computing centers.
List of Intel CPUs affected by privilege escalation security flaw
Intel’s privilege escalation security flaw affects some processors in the desktop, mobile, and embedded segments. It affects Apollo Lake, Gemini Lake, and Gemini Lake Refresh versions of Pentium, Celeron, and Atom processors.
Specific versions include Intel Pentium J, N, and Pentium Silver series; Intel Celeron J and N Series, and Intel Atom A, C3000, and E3900 series. These low-power and affordable CPUs run embedded systems including medical devices, mobile devices, and cheap desktops and laptops. Given the low priority accorded to low-end devices, these firmware updates could take a while or forever.