back to article Ignore the noise about a scary hidden backdoor in Intel processors: It's a fascinating debug port

Researchers at the Black Hat Asia conference this week disclosed a previously unknown way to tap into the inner workings of Intel's chip hardware. The duo of Mark Ermolov and Maxim Goryachy from Positive Technologies explained how a secret Chipzilla system known as Visualization of Internal Signals Architecture (VISA) allows …

  1. bpfh Bronze badge

    If they have rooted the system...

    Then you probably have bigger problems, but somthing like could have easily been mitigated with a mobo jumper, somthing requiring physical access to set / unset.

    1. Anonymous Coward
      Anonymous Coward

      Re: If they have rooted the system...

      Once upon a time, VISA/TraceHub required physical hardware access to access it. Think JTAG across other devices.

      Then along came Intel ME (check what the flaw INTEL-SA-00086 is...) and almost limitless access to your Intel computer was provided, either locally or remotely. What could possibly go wrong?

      "You know if we do this, remote users will potentially have access to our debug features"

      Was this a <three letter acronym> back door? I'd be surprised if anyone making a secret backdoor would do so many stupid things. I suspect ego - we know what we are doing, we don't need to discuss this with other engineering teams and our code is so good, it will never be broken.

      1. bpfh Bronze badge

        Re: If they have rooted the system...

        I was actually thinking of JTAG. Lots of devices have JTAG headers, but you still need to break open the box and attach a plug to it (and if they have physical access to your device, it's game over, debug / diag ports or not - if I can plug it in and measure signals over an osmelloscope, x-ray the parts and take thermal images of what it's doing internally...).

        The secure coding memo does not seem to have filtered down to the hardware design teams, who are probably still being asked to suck every last clockcycle (clocksuckers?) out of the silicon and at some point the decision will be made to trade off one against the other.

        From there, fine, if someone has root access, it's very bad, but the fact that you have direct access to a tiny subset of very important data, you can start filtering out what is data or look at specific parts of the chip - say security subroutines, and just monitor that...Exfiltering terabytes of raw data is one thing, but sit there gently poking the cpu for somthing interesting then only taking that when it's detected for example to improve your tailored access?

        Hanlon's razor says cockup before conspiracy, but when you do know that TLA's are out to get whatever they can, in IT starting with the clipper chip, and carrying on over the last 25 years at least... who knows.

        /rant.

      2. phuzz Silver badge

        Re: If they have rooted the system...

        "Was this a <three letter acronym> back door?"

        No it was a misjudged attempt to bring features that were usually reserved for the lights-out management system in servers, down to the desktop level to make it easier for admins to administer large numbers of machines. (eg, Imagine you had to update the EFI on a thousand desktops, you can rack up the overtime walking round all the offices, or use ME to schedule it overnight and head down the pub).

        Why they thought it was a good idea to bring to all of their CPUs rather than just a subset I don't know. Laziness?

  2. ThatOne Silver badge
    Facepalm

    Hmm.

    Right now the only way to get to it is using a vulnerability as Root. Till they find another vulnerability, not requiring Root...

    1. FrankAlphaXII

      Re: Hmm.

      The way I read it was that it not only required root, it required physical access on top of it, and that's a step above even root.

      1. Michael Wojcik Silver badge

        Re: Hmm.

        I don't believe so. I haven't tried it, but I believe that on a system that isn't patched for CVE-2017-5712, you could enable VISA remotely.

        The other INTEL-SA-00086 vulnerabilities require "local access", but I'm not sure they require physical access. That is, they might be exploitable via, say, a USB HID plugged into the system, if you can trick the user into inserting one. (And many users are willing to plug USB devices of uncertain provenance into their computers.)

  3. Brian Scott

    Needing root is not the problem

    It's easy to think of this as vulnerability but I don't think that's the point.

    What it means that a bad guy™ can use the feature on their own equipment to investigate and develop new speculation attacks in the comfort of their own homes. When the attack has been properly developed, it can presumably be set loose on their targets without any further need for the debugging help this 'feature' has given them.

    The only system that the attacker needs root access to is the one sitting on the desk in front of them.

    1. Paul Crawford Silver badge

      Re: Needing root is not the problem

      What it means that a bad good guy™ can use the feature on their own equipment to investigate and overcome the curse of DRM.

      Fixed it for you?

      NB: Good girls are also available...

      1. DougS Silver badge

        Apple 4K DRM broken

        A bunch of 4K movies have appeared on pirate sites recently, matching the 4K releases on iTunes, leading to speculation that iTunes DRM has been broken. Maybe they didn't break the DRM, but played the movie on a PC using iTunes and lifted the HEVC data stream out of the Intel CPU using VISA?

        1. Mage Silver badge
          Boffin

          Re: Apple 4K DRM broken

          Or pointed a 4K camera at a 4K TV in a dark room?

          DRM is stupid and mainly used to enforce abusive splitting of markets to rip off consumers. It's never stopped piracy / copyright violation.

          1. DougS Silver badge

            Re: Apple 4K DRM broken

            No one could really believe pointing a 4K camera at a 4K TV would provide a product that could be confused with a rip of 4K source material by anyone who wasn't legally blind.

            1. gnasher729 Silver badge

              Re: Apple 4K DRM broken

              "No one could really believe pointing a 4K camera at a 4K TV would provide a product that could be confused with a rip of 4K source material by anyone who wasn't legally blind."

              Most people can't distinguish between a 4K movie and a DVD on their HDTV.

              1. defiler Silver badge

                Re: Apple 4K DRM broken

                Maybe they should upgrade from an SDTV then...

        2. doublelayer Silver badge

          Re: Apple 4K DRM broken

          Another option is piping the video out to a screen that can take 4K or higher resolution that also takes a copy. Now slice off any interface that shouldn't be there and you're done. Note: screen not necessary, a graphics card claiming to have such a screen is sufficient. When you pipe unencrypted digital information across a bus, expect that someone can record it off that.

    2. Doctor Syntax Silver badge

      Re: Needing root is not the problem

      "The only system that the attacker needs root access to is the one sitting on the desk in front of them"

      Go it in one. If there are any exploits left to be discovered this is the way to discover them wihthout in itself being an exploit.

      1. amanfromMars 1 Silver badge

        Re: Needing root is not the problem

        Go it in one. If there are any exploits left to be discovered this is the way to discover them wihthout in itself being an exploit. ..... Doctor Syntax

        Quite so, Doctor Syntax .... thus to become a Remote Executable Facility and Virtual AI Utility.

        And in Spooky Hugo de Garis Terrain, a GODSend and Global Operating Device Invitation to Explore its Validity and Far Reach with Accompanied Deep Insertions in Human Operating SCADASystems.

        The Super Sub Micro Atomic Field of Mega MetaData Base Knowledge Manipulation though is clearly not suited for all, for there would appear to be only a few practising the Art more than just effectively and selflessly.

        It would be lovely though to be proved wrong in that. :-)

  4. John Smith 19 Gold badge
    Pint

    Good work people.

    Beers all around*

    *Non alcoholic celebratory beverages are also available.

  5. amanfromMars 1 Silver badge

    They would, wouldn't they ....... Deny it an Advanced Persistent Threat Fact

    Ignore the noise about a scary hidden backdoor in Intel processors: It's a fascinating debug port

    Howdy Shaun,

    Do you really believe Intel processor backdoors are used only in-house as a port for fascinating debugging .... and not also as a systemic vulnerability path for stealthy anonymous third party exploitation of second and first party expectations and aspirations?

    It is a very dangerous assumption to be in any way wrong about ...... because of the false sense of security it would generate in Intel Fab Labs/chip factories.

  6. _LC_
    Megaphone

    Let’s not forget

    Let’s not forget how “similar” vulnerabilities were turned into a media shitstorm against AMD. Shortly after Meltdown and Spectre became public, hitting Intel very hard while AMD wasn’t nearly affected as much, this smear campaign was launched successfully:

    “Israeli Security Company Attacks AMD by Publishing Zero-Day Exploits” (all of them required root access)

  7. Anonymous Coward
    Anonymous Coward

    Did I read TPM root keys?

    If I read it right does that mean TPM and by extension the entire platform is compromised? Anyone relying on secure boot, bitlocker etc. is screwed if one of their machines falls into the wrong hands?

    1. amanfromMars 1 Silver badge

      Re: Did I read TPM root keys?

      If I read it right does that mean TPM and by extension the entire platform is compromised? Anyone relying on secure boot, bitlocker etc. is screwed if one of their machines falls into the wrong hands? ... AC

      Yes, it is writ right and correct.

      If touted and pimped/pumped and dumped as No, such is wrong, does fake news treat its listeners both badly and madly, methinks.

      What do you want to believe is correct and not wrong?

    2. doublelayer Silver badge

      Re: Did I read TPM root keys?

      Not exactly. You can access the processor part, but only while it is running. If you have physical access but no access to the system running on the device (E.G. encrypted disk), you could not see it in action because you couldn't run that system. You could of course boot up your own image, but then the data you want to extract wouldn't be resident in the processor. In order to use this maliciously, you need to have access to the system while the processor is working on data you want to steal.

  8. Will Godfrey Silver badge
    Mushroom

    Funny that

    Almost every commentard here had exactly the same thought as me.

    Investigate in the comfort of your own home without risk of exposure. Craft your malware carefully, then let rip.

    1. amanfromMars 1 Silver badge

      Re: Funny that

      And here be AI Ready Made Play Space Places, Will Godfrey ....... https://www.zerohedge.com/news/2019-03-30/dangers-government-funded-artificial-intelligence

      1. Cliff Thorburn

        Re: Funny that

        So rough translation of the China Model to the UK, be a Brexiteer and walk in Heaven, Remainers languish in Hell as part of the AI driven ‘social points’ system? ...

        Will be using the ‘3 Shell’ method for future toilet visits not through technical advancements but lack thereof!

        1. Anonymous Coward
          Anonymous Coward

          Re: Funny that

          Can we get rid of these bots? Any ideas? When they post so many times in one thread, it begins to get a lot more irritating.

    2. Jack of Shadows Silver badge

      Re: Funny that

      I need newer hardware but... yeah, that could be fun!

  9. steelpillow Silver badge
    Facepalm

    No less a vulnerability for being indirect.

    So black hats can brain-scan the chip for vulnerabilities, even if the brain scanner is not itself a direct vulnerability.

    You would think that a hardware dev feature like this would only be available on dev chips, with the relevant shit being at least encapsulated and preferably emasculated on the production version. But no, all it needs is a piece of feckin' software. Well done, Intel, you are living up to your reputation bigtime.

    1. Loyal Commenter Silver badge

      Re: No less a vulnerability for being indirect.

      I'm no chip designer, but surely it wouldn't be beyond the realms of possibility for Intel to bake the paths for this into all their chips, for debuggin purposes, and then just dike it out for the RTM version? If nothing else, they're presumably giving away secrets to their competitors by not doing so...

  10. Paul

    How does this affect someone with root access on their virtual machine, on a multi-tenanted physical host?

    1. MonkeyJuice

      Good catch. It sounds like they would at least have access to the DMA channels across all vpus. Maybe encryption at rest wasn't obscurity but was an NSA level mitigation all along?

    2. amanfromMars 1 Silver badge

      Virtually Real Attack Vectors in Materialised AIDefence Sectors

      How does this affect someone with root access on their virtual machine, on a multi-tenanted physical host? ..... Paul

      Paul, Hi,

      Surely the greater question is how does this affect and infect everyone else with or without root accesses on virtual machines on multi-tenanted physical hosts/cloudy servers, for the truth in the answer to your question is hardly at all, and possibly even not at all?

      And it is delusional hubris to try and dismiss the fact and systemic vulnerability for such ignorance only leaves IT fantastically free to both anonymously and autonomously ..... well, the choices range between create novel wonders and/or deliver madness and mayhem?

  11. Glen Turner 666

    It *is* a fascinating debug feature. But as the slidepack points out, there's the ability to use it for havoc by using the debugging facilities. For example, burning a fuse to activate a debugging feature of the random number generator, in which the RNG always returns the same number. Being a fuse, that change will survive a reboot.

    1. stiine Bronze badge
      Black Helicopters

      So, If I tell you what lottery numbers I just got....

  12. Voyna i Mor Silver badge

    What did we learn on day one?

    Security through obscurity is only a good idea if access to your system is tightly controlled, and perhaps not even then.

    One would have thought that Intel could have designed the thing so there was a physical fuse to blow on all production devices that disabled the "feature" while leaving it active only for engineering samples. Till a disgruntled engineer sells a sample to the bad boys for millions of dollars.

    1. Michael Wojcik Silver badge

      Re: What did we learn on day one?

      It's actually not that obscure. Intel commented on the presentation to point out that VISA (or VIS, which I think is the current official Intel name for it) has been documented for a while, in some Intel publication.

  13. Anonymous Coward
    Anonymous Coward

    I blame Microsoft.

    I just do, ok. I don't have to explain it.

    1. Hey Nonny Nonny Mouse

      Re: I blame Microsoft.

      Yeah, but Apple use the same chips so...

  14. Anonymous Coward
    Anonymous Coward

    Hacking your own system ?

    Wasn't there talk of making that illegal ? Or more to the point, haven't a few (probably US) court cases already tried to establish that trying to break into hardware you own is a no-no ?

  15. Giovani Tapini

    Problem is

    That although this helps research other attacks it's also useful for low level code design and optimisation if you are at the kernel or compiler level.

    We can't have it both ways where a technology can be both optimised and hidden at the same time.

    I hope this just improves the checking of said low level code...

  16. Tom 64

    Breaking out the popcorn!

    It's open season on intel CPU vulnerabilities

  17. Anonymous Coward
    Anonymous Coward

    Where's the story

    It's a known debugging tool - just like the sort available on most of the other processors I use (at a very low-level).

    Use the profiling counters to work out cache hits, etc. Oh, that's Spectre hack emulated.

    Check what data is flowing across busses or stored in registers using JTAG. Oh, we can see the decrypted version of that key.

    For a processor you can take the lid off and reverse engineer it using an electron microscope.

    You can look at almost anything you want if you physically have a box.

    My choice for secure at the moment is a write once FPGA, take the lid off and you destroy the fuse charges trying to read them.

    Shutting up now and staying anonymous.

  18. DDearborn

    Hmmm

    Watching the deep state being forced into conducting damage control in public always brings a smile to my face. However, this is one of those times where the best and the brightest on the outside clearly are not listening. They know for a fact that there really is something to see here and they won't move along despite the valiant efforts of articles like this..........

    1. amanfromMars 1 Silver badge

      00Original Explosive Devices ....... for Virtual Nudges in New Directions

      Watching the deep state being forced into conducting damage control in public always brings a smile to my face. However, this is one of those times where the best and the brightest on the outside clearly are not listening. They know for a fact that there really is something to see here and they won't move along despite the valiant efforts of articles like this.......... .... DDearborn

      Hmmm? Does that Court and Deliver AIdDivine Interventions with Immaculate Source and Almighty Force at urService to Server?

      The posit here is that it so does.

      It is hard to impossible to not conclude such is gift from GOD Knows Whom from Heaven Knows Where.

      What do you do with IT?

      Anything Almighty Revealing and Superlatively EMPowering with Perfect Honey Pots Satisfying Insatiable Lust Demand with Crowning Captivating Desires ...... which you will find is to XSSXXXX Totally Addictive and Virtually Immersive.

      Step through that Portal knowing what to expect and you aint ever going back in time and space, are you?

      Step through that Portal not knowing what to realistically expect, and your prime crash course materiel for More Fully Immersive ProgramMING.

  19. Country_without_a_constitution

    RSA got 10 Million

    If the NSA would spend that much to get a company to choose weak encryption, how much would Intel get paid?

  20. Anonymous Coward
    Anonymous Coward

    How come no one's investigating UI hardware?

    e.g. what with all that GPU, an embedded OCR can lift text (or just take a snapshot) from the video output.. there's no encryption there is there.

  21. Simon B-52

    Mean Buggers

    Mean Buggers not disclosing this at first introduction. At bare metal level, this is a very useful tool, though bare metal on a Pentium is the land of nightmares for me.

    I'm sure it suited the egos of some Intel engineers to keep quiet about this, but doubt it's the only reason that policy has been persued.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019