SoylentNews is people
SoylentNews
BleepingComputer has an interesting article on a 2015 design decision by Intel that opened up the JTAG interface to attacks.
Attackers with access to a device can take control over a target's computer and bypass all local security systems by abusing a hardware debugging interface included with Intel CPUs, which in recent years has become accessible via an external USB 3.0 port.
The debugging interface is JTAG (Joint Test Action Group), a debugging framework that has been included for many years with Intel chipsets.
JTAG works under the software level, allowing engineers, developers, and system administrators access to a hardware debugging utility that can provide insight into how the OS kernel, hypervisors, and local drivers are performing.
[...] In older Intel CPUs, the JTAG interface was only accessible by connecting a special device to the ITP-XDP port found on the motherboard, inside a computer's chassis.
Starting with the Skylake CPU line released in 2015, Intel dropped the ITP-XDP interface and allowed developers and engineers to access this powerful debugging utility via common USB 3.0 ports, accessible from the device's exterior, via a new a new technology called Direct Connect Interface (DCI).
Two Positive Technologies security researchers, Maxim Goryachy and Mark Ermolov, argue that this has significantly simplified the attack procedure needed to take control of Intel-based machines.
The two explain that while most hardware vendors disable the DCI interface before they ship products out of the factory's gateway, the DCI interface can be re-enabled via a computer's BIOS settings.
If a target doesn't password-protect its BIOS, attackers can enable this setting, and then connect via USB and alter core processes, undetectable to any type of security software installed on a targetted[sic] machine.
Submitted via IRC for TheMightyBuzzard
(Score: 2, Insightful) by Anonymous Coward on Friday January 20 2017, @01:31PM
Does this require physical access or just access to something with physical access? If I remotely exploited your printer, phone, router, scanner, smart fridge, or internet-enabled sex toy and you plug it in to a USB3 port, can I now root your machine?
(Score: 2, Offtopic) by Gaaark on Friday January 20 2017, @01:35PM
Yeah, baby! That's it... A little deeper... A little more... Yes, yes, yes!!!!! Pwned!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2, Interesting) by BenJeremy on Friday January 20 2017, @01:53PM
No. From what I gather, the option would have to be enabled in the BIOS, as the machine should disable this capability otherwise. In practice, an attacker would have to have physical access to your PC, and really, at that point, it's game over anyway.
I would be interested to know, however, if there is a window of opportunity to exploit the JTAG as the machine boots up, before the BIOS switches it off. The whole purpose of the JTAG is to access the hardware at the lowest level for physical debugging. Perhaps that's not an issue, I'd prefer this to be set physically via hardware, like through a jumper, rather than logically.
(Score: 0) by Anonymous Coward on Friday January 20 2017, @03:26PM
Could the attacker possibly change the BIOS setting from within the running OS?
(Score: 1) by kurenai.tsubasa on Friday January 20 2017, @04:27PM
I still haven't bothered to master UEFI, but I was amazed when I learned that a UEFI securely booted OS could change UEFI settings. Can anybody elucidate on whether this setting is exposed via UEFI and whether a “securely” booted OS can modify that setting?
Looks like there's a guide [archlinux.org] for Linux UEFI thanks to Arch. I don't have a Skylake machine but may be interesting to finally get my box UEFI booting and poke around in what's otherwise exported to the OS.
(Score: 1) by poofygoof on Saturday January 21 2017, @09:23PM
My limited understanding is that the settings themselves are range-checked before use, but bootguard only protects executable BIOS code. (There may be a CRC / checksum applied to the settings to protect against corruption, but I haven't read through that code...)
Disclosure: I have some experience with server BIOS at Intel, but am not speaking on their behalf here.
(Score: 0) by Anonymous Coward on Friday January 20 2017, @02:14PM
Yes. Any device which uses a microcontroller as opposed to hardwired silicon to control the USB port is a potential attack vector.
(Score: 2, Funny) by Anonymous Coward on Friday January 20 2017, @03:17PM
To be extra sure, I drive my USB ports with vacuum tubes.
(Score: 2) by inertnet on Friday January 20 2017, @04:22PM
Maybe that cool new USB gadget you ordered from China can..