Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Friday January 20 2017, @01:06PM   Printer-friendly
from the if-you've-got-physical-access dept.

BleepingComputer has an interesting article on a 2015 design decision by Intel that opened up the JTAG interface to attacks.

Attackers with access to a device can take control over a target's computer and bypass all local security systems by abusing a hardware debugging interface included with Intel CPUs, which in recent years has become accessible via an external USB 3.0 port.

The debugging interface is JTAG (Joint Test Action Group), a debugging framework that has been included for many years with Intel chipsets.

JTAG works under the software level, allowing engineers, developers, and system administrators access to a hardware debugging utility that can provide insight into how the OS kernel, hypervisors, and local drivers are performing.

[...] In older Intel CPUs, the JTAG interface was only accessible by connecting a special device to the ITP-XDP port found on the motherboard, inside a computer's chassis.

Starting with the Skylake CPU line released in 2015, Intel dropped the ITP-XDP interface and allowed developers and engineers to access this powerful debugging utility via common USB 3.0 ports, accessible from the device's exterior, via a new a new technology called Direct Connect Interface (DCI).

Two Positive Technologies security researchers, Maxim Goryachy and Mark Ermolov, argue that this has significantly simplified the attack procedure needed to take control of Intel-based machines.

The two explain that while most hardware vendors disable the DCI interface before they ship products out of the factory's gateway, the DCI interface can be re-enabled via a computer's BIOS settings.

If a target doesn't password-protect its BIOS, attackers can enable this setting, and then connect via USB and alter core processes, undetectable to any type of security software installed on a targetted[sic] machine.

Submitted via IRC for TheMightyBuzzard


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Friday January 20 2017, @03:26PM

    by Anonymous Coward on Friday January 20 2017, @03:26PM (#456562)

    In practice, an attacker would have to have physical access to your PC, and really, at that point, it's game over anyway.

    Could the attacker possibly change the BIOS setting from within the running OS?

  • (Score: 1) by kurenai.tsubasa on Friday January 20 2017, @04:27PM

    by kurenai.tsubasa (5227) on Friday January 20 2017, @04:27PM (#456585) Journal

    I still haven't bothered to master UEFI, but I was amazed when I learned that a UEFI securely booted OS could change UEFI settings. Can anybody elucidate on whether this setting is exposed via UEFI and whether a “securely” booted OS can modify that setting?

    Looks like there's a guide [archlinux.org] for Linux UEFI thanks to Arch. I don't have a Skylake machine but may be interesting to finally get my box UEFI booting and poke around in what's otherwise exported to the OS.

    • (Score: 1) by poofygoof on Saturday January 21 2017, @09:23PM

      by poofygoof (6482) on Saturday January 21 2017, @09:23PM (#457098)

      My limited understanding is that the settings themselves are range-checked before use, but bootguard only protects executable BIOS code. (There may be a CRC / checksum applied to the settings to protect against corruption, but I haven't read through that code...)

      Disclosure: I have some experience with server BIOS at Intel, but am not speaking on their behalf here.