Mark Ermolov and Dmitry Sklyarov of Positive Technologies (PT) and independent researcher Maxim Goryachy have discovered a security flaw in Intel chips that allows attackers to gain access to firmware encryption keys.
The vulnerability, tracked as CVE-2021-0146, is a high-severity privilege escalation flaw (CVSS 7.1) caused by an unprotected debugging feature that exposes firmware encryption keys.
According to Intel’s advisory, the flaw allows test or debug logic to be activated at run time, which lets an unauthenticated attacker with physical access escalate privileges.
Intel advised users to install vendor-specific firmware updates that contain security fixes for the reported vulnerability.
Intel security flaw exposes encryption keys allowing installation of spyware
Intel’s processor security vulnerability allows attackers to expose the root encryption keys of Intel’s Platform Trust Technology (PTT) and Enhanced Privacy ID (EPID).
Attackers can extract this key to access and copy DRM protected digital content, such as eBooks.
“Using this vulnerability, an intruder can extract a device’s root EPID key (eBook), then, after compromising Intel EPID technology, download vendor electronic documents as a file, copy and distribute them.”
The vulnerability also allows malicious actors to bypass BitLocker and Trusted Platform Module (TPM) protections, circumvent code-signing restrictions, and run compromised firmware in the Intel Management Engine.
Because the attacker needs physical access to the vulnerable device to bypass TPM and BitLocker, the flaw is chiefly a risk for lost or stolen devices. The researchers have found no evidence of attacks in the wild.
The technology website Ars Technica reports that the process takes about 10 minutes. However, because the attack requires direct, hands-on access to the device, it is unsuitable for mass exploitation.
The website explains that each Intel processor has a unique key burned into the chipset (the “chipset key fuse”) from which the TPM and EPID encryption keys are generated.
According to the researchers, an attacker can extract this key, decrypt it, and use it to execute arbitrary code in the Intel Management Engine in order to extract the TPM, BitLocker, and EPID encryption keys. The attacker then uses these encryption keys to unlock the device.
“An example of a real threat is the loss or theft of laptops containing confidential information in encrypted form,” Ermolov wrote. “Using this vulnerability, an attacker can extract the encryption key and gain access to [the] information in the laptop.”
Intel advises users to protect their devices from unauthorized physical access. In effect, this vulnerability leaves BitLocker and TPM unable to protect a computing device from an attacker who has physical access to it.
The researchers also noted that an attacker could take advantage of the security flaw to execute supply chain attacks targeting Intel-based devices.
“For example, an employee of an Intel processor-based device vendor could extract the Intel CSME firmware key and deploy spyware that the security software wouldn’t detect.”
Other researchers have discovered several security holes affecting Intel processors over the past two years. They include four Software Guard eXtensions (SGX) security vulnerabilities that could expose sensitive user data.
Others include Boot Guard vulnerabilities and unpatched security vulnerabilities in Intel’s Converged Security and Management Engine (CSME). Likewise, Intel’s products have been subject to the Spectre and Meltdown attacks.
Big tech companies are reluctant to use Intel chips as the basis of their Trusted Computing Bases (TCBs). Companies like Apple and Google are looking for alternative custom chips to power their data centers.
List of Intel processors affected by an elevation of privilege security vulnerability
Intel’s privilege escalation security vulnerability affects some processors in the desktop, mobile, and integrated segments. It affects the Apollo Lake, Gemini Lake, and Gemini Lake Refresh versions of the Pentium, Celeron, and Atom processors.
Specific versions include the Intel Pentium J, N, and Pentium Silver series; the Intel Celeron J and N series; and the Intel Atom A, C3000, and E3900 series. These low-power, affordable processors run embedded systems including medical devices, mobile devices, and inexpensive desktops and laptops. Given the low priority assigned to low-end devices, these firmware updates can take a long time to arrive, if they arrive at all.