Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Friday January 20 2017, @01:06PM   Printer-friendly
from the if-you've-got-physical-access dept.

BleepingComputer has an interesting article on a 2015 design decision by Intel that opened up the JTAG interface to attacks.

Attackers with access to a device can take control over a target's computer and bypass all local security systems by abusing a hardware debugging interface included with Intel CPUs, which in recent years has become accessible via an external USB 3.0 port.

The debugging interface is JTAG (Joint Test Action Group), a debugging framework that has been included for many years with Intel chipsets.

JTAG works under the software level, allowing engineers, developers, and system administrators access to a hardware debugging utility that can provide insight into how the OS kernel, hypervisors, and local drivers are performing.

[...] In older Intel CPUs, the JTAG interface was only accessible by connecting a special device to the ITP-XDP port found on the motherboard, inside a computer's chassis.

Starting with the Skylake CPU line released in 2015, Intel dropped the ITP-XDP interface and allowed developers and engineers to access this powerful debugging utility via common USB 3.0 ports, accessible from the device's exterior, via a new a new technology called Direct Connect Interface (DCI).

Two Positive Technologies security researchers, Maxim Goryachy and Mark Ermolov, argue that this has significantly simplified the attack procedure needed to take control of Intel-based machines.

The two explain that while most hardware vendors disable the DCI interface before they ship products out of the factory's gateway, the DCI interface can be re-enabled via a computer's BIOS settings.

If a target doesn't password-protect its BIOS, attackers can enable this setting, and then connect via USB and alter core processes, undetectable to any type of security software installed on a targetted[sic] machine.

Submitted via IRC for TheMightyBuzzard


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: -1, Troll) by Anonymous Coward on Friday January 20 2017, @01:09PM

    by Anonymous Coward on Friday January 20 2017, @01:09PM (#456507)

    Physical access means it's already owned.

    FUCK SOY STAIN FAKE NEWS

    Niggery Buzzard fly into some power lines and die.

    Starting Score:    0  points
    Moderation   -1  
       Troll=1, Total=1
    Extra 'Troll' Modifier   0  

    Total Score:   -1  
  • (Score: 3, Insightful) by EEMac on Friday January 20 2017, @01:25PM

    by EEMac (6423) on Friday January 20 2017, @01:25PM (#456511)

    "Physical access means it's already owned." There is deep wisdom in this line.

    The article has value as documenting a _new_ way, out of the many many ways, a physically-accessible computer with BIOS settings available can be taken over.

    • (Score: 3, Interesting) by bob_super on Friday January 20 2017, @06:54PM

      by bob_super (1357) on Friday January 20 2017, @06:54PM (#456647)

      Actually, if you do have a bit more money, there are embedded solutions which will protect you even against physical access, while still fairly capable (mid-range ARM).
      They might be cracked by some Three-Letter Agencies (I didn't have the Clearance for that briefing, or wouldn't tell you if I did), but will keep away all but the smartest hackers. You'd have to be very important indeed, for someone to dedicate the massive effort...

  • (Score: 2, Insightful) by Anonymous Coward on Friday January 20 2017, @01:31PM

    by Anonymous Coward on Friday January 20 2017, @01:31PM (#456516)

    Does this require physical access or just access to something with physical access? If I remotely exploited your printer, phone, router, scanner, smart fridge, or internet-enabled sex toy and you plug it in to a USB3 port, can I now root your machine?

    • (Score: 2, Offtopic) by Gaaark on Friday January 20 2017, @01:35PM

      by Gaaark (41) on Friday January 20 2017, @01:35PM (#456518) Journal

      Yeah, baby! That's it... A little deeper... A little more... Yes, yes, yes!!!!! Pwned!

      --
      --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
    • (Score: 2, Interesting) by BenJeremy on Friday January 20 2017, @01:53PM

      by BenJeremy (6392) on Friday January 20 2017, @01:53PM (#456525)

      No. From what I gather, the option would have to be enabled in the BIOS, as the machine should disable this capability otherwise. In practice, an attacker would have to have physical access to your PC, and really, at that point, it's game over anyway.

      I would be interested to know, however, if there is a window of opportunity to exploit the JTAG as the machine boots up, before the BIOS switches it off. The whole purpose of the JTAG is to access the hardware at the lowest level for physical debugging. Perhaps that's not an issue, I'd prefer this to be set physically via hardware, like through a jumper, rather than logically.

      • (Score: 0) by Anonymous Coward on Friday January 20 2017, @03:26PM

        by Anonymous Coward on Friday January 20 2017, @03:26PM (#456562)

        In practice, an attacker would have to have physical access to your PC, and really, at that point, it's game over anyway.

        Could the attacker possibly change the BIOS setting from within the running OS?

        • (Score: 1) by kurenai.tsubasa on Friday January 20 2017, @04:27PM

          by kurenai.tsubasa (5227) on Friday January 20 2017, @04:27PM (#456585) Journal

          I still haven't bothered to master UEFI, but I was amazed when I learned that a UEFI securely booted OS could change UEFI settings. Can anybody elucidate on whether this setting is exposed via UEFI and whether a “securely” booted OS can modify that setting?

          Looks like there's a guide [archlinux.org] for Linux UEFI thanks to Arch. I don't have a Skylake machine but may be interesting to finally get my box UEFI booting and poke around in what's otherwise exported to the OS.

          • (Score: 1) by poofygoof on Saturday January 21 2017, @09:23PM

            by poofygoof (6482) on Saturday January 21 2017, @09:23PM (#457098)

            My limited understanding is that the settings themselves are range-checked before use, but bootguard only protects executable BIOS code. (There may be a CRC / checksum applied to the settings to protect against corruption, but I haven't read through that code...)

            Disclosure: I have some experience with server BIOS at Intel, but am not speaking on their behalf here.

    • (Score: 0) by Anonymous Coward on Friday January 20 2017, @02:14PM

      by Anonymous Coward on Friday January 20 2017, @02:14PM (#456535)

      Yes. Any device which uses a microcontroller as opposed to hardwired silicon to control the USB port is a potential attack vector.

      • (Score: 2, Funny) by Anonymous Coward on Friday January 20 2017, @03:17PM

        by Anonymous Coward on Friday January 20 2017, @03:17PM (#456561)

        To be extra sure, I drive my USB ports with vacuum tubes.

    • (Score: 2) by inertnet on Friday January 20 2017, @04:22PM

      by inertnet (4071) on Friday January 20 2017, @04:22PM (#456583) Journal

      Maybe that cool new USB gadget you ordered from China can..