BleepingComputer has an interesting article on a 2015 design decision by Intel that opened up the JTAG interface to attacks.
Attackers with access to a device can take control over a target's computer and bypass all local security systems by abusing a hardware debugging interface included with Intel CPUs, which in recent years has become accessible via an external USB 3.0 port.
The debugging interface is JTAG (Joint Test Action Group), a debugging framework that has been included for many years with Intel chipsets.
JTAG works under the software level, allowing engineers, developers, and system administrators access to a hardware debugging utility that can provide insight into how the OS kernel, hypervisors, and local drivers are performing.
[...] In older Intel CPUs, the JTAG interface was only accessible by connecting a special device to the ITP-XDP port found on the motherboard, inside a computer's chassis.
Starting with the Skylake CPU line released in 2015, Intel dropped the ITP-XDP interface and allowed developers and engineers to access this powerful debugging utility via common USB 3.0 ports, accessible from the device's exterior, via a new a new technology called Direct Connect Interface (DCI).
Two Positive Technologies security researchers, Maxim Goryachy and Mark Ermolov, argue that this has significantly simplified the attack procedure needed to take control of Intel-based machines.
The two explain that while most hardware vendors disable the DCI interface before they ship products out of the factory's gateway, the DCI interface can be re-enabled via a computer's BIOS settings.
If a target doesn't password-protect its BIOS, attackers can enable this setting, and then connect via USB and alter core processes, undetectable to any type of security software installed on a targetted[sic] machine.
Submitted via IRC for TheMightyBuzzard
(Score: -1, Troll) by Anonymous Coward on Friday January 20 2017, @01:09PM
Physical access means it's already owned.
FUCK SOY STAIN FAKE NEWS
Niggery Buzzard fly into some power lines and die.
(Score: 3, Insightful) by EEMac on Friday January 20 2017, @01:25PM
"Physical access means it's already owned." There is deep wisdom in this line.
The article has value as documenting a _new_ way, out of the many many ways, a physically-accessible computer with BIOS settings available can be taken over.
(Score: 3, Interesting) by bob_super on Friday January 20 2017, @06:54PM
Actually, if you do have a bit more money, there are embedded solutions which will protect you even against physical access, while still fairly capable (mid-range ARM).
They might be cracked by some Three-Letter Agencies (I didn't have the Clearance for that briefing, or wouldn't tell you if I did), but will keep away all but the smartest hackers. You'd have to be very important indeed, for someone to dedicate the massive effort...
(Score: 2, Insightful) by Anonymous Coward on Friday January 20 2017, @01:31PM
Does this require physical access or just access to something with physical access? If I remotely exploited your printer, phone, router, scanner, smart fridge, or internet-enabled sex toy and you plug it in to a USB3 port, can I now root your machine?
(Score: 2, Offtopic) by Gaaark on Friday January 20 2017, @01:35PM
Yeah, baby! That's it... A little deeper... A little more... Yes, yes, yes!!!!! Pwned!
--- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
(Score: 2, Interesting) by BenJeremy on Friday January 20 2017, @01:53PM
No. From what I gather, the option would have to be enabled in the BIOS, as the machine should disable this capability otherwise. In practice, an attacker would have to have physical access to your PC, and really, at that point, it's game over anyway.
I would be interested to know, however, if there is a window of opportunity to exploit the JTAG as the machine boots up, before the BIOS switches it off. The whole purpose of the JTAG is to access the hardware at the lowest level for physical debugging. Perhaps that's not an issue, I'd prefer this to be set physically via hardware, like through a jumper, rather than logically.
(Score: 0) by Anonymous Coward on Friday January 20 2017, @03:26PM
Could the attacker possibly change the BIOS setting from within the running OS?
(Score: 1) by kurenai.tsubasa on Friday January 20 2017, @04:27PM
I still haven't bothered to master UEFI, but I was amazed when I learned that a UEFI securely booted OS could change UEFI settings. Can anybody elucidate on whether this setting is exposed via UEFI and whether a “securely” booted OS can modify that setting?
Looks like there's a guide [archlinux.org] for Linux UEFI thanks to Arch. I don't have a Skylake machine but may be interesting to finally get my box UEFI booting and poke around in what's otherwise exported to the OS.
(Score: 1) by poofygoof on Saturday January 21 2017, @09:23PM
My limited understanding is that the settings themselves are range-checked before use, but bootguard only protects executable BIOS code. (There may be a CRC / checksum applied to the settings to protect against corruption, but I haven't read through that code...)
Disclosure: I have some experience with server BIOS at Intel, but am not speaking on their behalf here.
(Score: 0) by Anonymous Coward on Friday January 20 2017, @02:14PM
Yes. Any device which uses a microcontroller as opposed to hardwired silicon to control the USB port is a potential attack vector.
(Score: 2, Funny) by Anonymous Coward on Friday January 20 2017, @03:17PM
To be extra sure, I drive my USB ports with vacuum tubes.
(Score: 2) by inertnet on Friday January 20 2017, @04:22PM
Maybe that cool new USB gadget you ordered from China can..
(Score: 4, Interesting) by Anonymous Coward on Friday January 20 2017, @01:54PM
This sounds like Intel has made it so much easier for regular joes to crack any DRM schemes, like netflix, hulu, etc use as well as the stuff built into video games.
I look forward to buying a $20 usb dongle from alibaba that lets me make bit-perfect local copies of any streamed videos played on my computer.
And since the dongle itself is just a little computer when netflix, et al update their DRM the dongle makers can sell a subscription to software updates that overcome the DRM updates.
(Score: 3, Funny) by sjames on Friday January 20 2017, @03:50PM
We can get in now, All we need is a pound of gold, 3 chickens, and a block from a Mayan pyramid!
Or we could pop the drive into another machine...
Yeah, I suppose we could do that too....
(Score: 0) by Anonymous Coward on Friday January 20 2017, @04:32PM
Intel has under-documented and undocumented methods to completely own your computer. These methods can be done remotely, without physical access to your computer, even if the computer is turned off.
(Score: 3, Insightful) by ledow on Friday January 20 2017, @04:54PM
Would like to know how they can do anything remotely if you have even the most basic firewall in place. Or did you mean "remote" from the computer, i.e. on the same network?
And the same is true of any number of manufacturers. 3DFX cards had DMA access to all of RAM, with a Windows driver that let you access any memory range whatsoever. There's also no telling what anything installed as an administrator does, so any nVidia, AMD or Intel graphics card could be doing literally anything on your PCIe buses, on the OS driver level in software, and you'd never know anything about it.
Pretending that this kind of thing is new, or Intel-only, is really just kidding yourself.
Hell, Firewire allowed arbitrary DMA for years. God knows what those closed-source binary drivers in Windows or from manufacturers are doing. And even an audit of what such devices/software have so far done in every system collectively from every firewall log ever made in the whole wrold? Wouldn't tell you if there was a "activation" button/message/trigger that would suddenly change that software / hardware's behaviour to do something pre-programmed and much more insidious at any point.
And Intel *is* your computer, they don't need to own it.
Or AMD.
Or maybe even ARM.
You have absolutely no idea what they are doing with your data at any point. It could be broadcasting it encrypted on FM every Tuesday at 8pm for all you know, unless someone has noticed that happening and traced it back, you have no idea.
Hey, has your BIOS still got an EMI reduction mode to reduce the electromagnetic emissions that its operation generates on ordinary radio frequencies?
(Score: 3, Interesting) by archfeld on Friday January 20 2017, @06:31PM
I wonder if a wireless USB adaptor would fit the bill. Bridging the gap between local access and remote access. Any machine you can get physical access to can be compromised.
For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge