posted by Fnord666 on Friday November 20 2020, @03:05PM

Hackers can use just-fixed Intel bugs to install malicious firmware on PCs:

As the amount of sensitive data stored on computers has exploded over the past decade, hardware and software makers have invested increasing amounts of resources into securing devices against physical attacks in the event that they're lost, stolen, or confiscated. Earlier this week, Intel fixed a series of bugs that made it possible for attackers to install malicious firmware on millions of computers that use its CPUs.

The vulnerabilities allowed hackers with physical access to override a protection Intel built into modern CPUs that prevents unauthorized firmware from running during the boot process. Known as Boot Guard, the measure is designed to anchor a chain of trust directly into the silicon to ensure that all firmware that loads is digitally signed by the computer manufacturer. Boot Guard protects against the possibility of someone tampering with the SPI-connected flash chip that stores the UEFI, which is a complex piece of firmware that bridges a PC's device firmware with its operating system.

[...] Intel isn't saying how it fixed a vulnerability that stems from fuse settings that can't be reset. Hudson suspects that Intel made the change using firmware that runs in the Intel Management Engine, a security and management coprocessor inside the CPU chipset that handles access to the OTP fuses, among many other things. (Earlier this week, Intel published never-before-disclosed details about the ME here.)

The two other vulnerabilities stemmed from flaws in the way CPUs fetched firmware when they were powered up. All three of the vulnerabilities were indexed under the single tracking ID CVE-2020-8705, which received a high severity rating from Intel. (Intel has an overview of all November security patches here.) Computer manufacturers began making updates available this week. Hudson's post, linked above, has a far more detailed and technical writeup.
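A simplified model of the chain of trust the article describes, added here as an illustration and not Intel's code: the SHA-256 hash of the OEM public key plays the role of the one-time-programmable fuse value, Ed25519 stands in for Intel's real signature scheme, and the manifest layout and sample image are constructed. The check refuses both an image edited in flash with the OEM signature left in place and an image re-signed under a key that was never fused.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Manifest models what sits in SPI flash (constructed layout, not Intel's).
type Manifest struct {
	OEMPubKey ed25519.PublicKey
	Image     []byte
	Signature []byte
}

// fusedKeyHash stands in for the OTP fuses: hash of the OEM key, burned once.
type fusedKeyHash [sha256.Size]byte

var ErrKeyMismatch = errors.New("boot guard: key in flash does not match fused hash")
var ErrBadSignature = errors.New("boot guard: firmware signature invalid")
// VerifyBoot is the check silicon performs before running anything from flash:
// the key in flash must hash to the fused value, and the image must verify under it.
func VerifyBoot(fuses fusedKeyHash, m Manifest) error {
	if fusedKeyHash(sha256.Sum256(m.OEMPubKey)) != fuses {
		return ErrKeyMismatch
	}
	if !ed25519.Verify(m.OEMPubKey, m.Image, m.Signature) {
		return ErrBadSignature
	}
	return nil
}

// Scenarios boots a legitimate manifest, an edited image, and a re-signed one.
func Scenarios() (legit, edited, resigned error) {
	oemPub, oemPriv, _ := ed25519.GenerateKey(nil)
	otherPub, otherPriv, _ := ed25519.GenerateKey(nil)
	fuses := fusedKeyHash(sha256.Sum256(oemPub))
	image := []byte("UEFI image v1 (constructed sample)")
	changed := []byte("UEFI image v1-modified (constructed sample)")
	good := Manifest{oemPub, image, ed25519.Sign(oemPriv, image)}
	inPlace := Manifest{oemPub, changed, good.Signature}
	reSigned := Manifest{otherPub, changed, ed25519.Sign(otherPriv, changed)}
	return VerifyBoot(fuses, good), VerifyBoot(fuses, inPlace), VerifyBoot(fuses, reSigned)
}

func main() {
	a, b, c := Scenarios()
	fmt.Println("legit:", a, "| edited:", b, "| re-signed:", c)
}
```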

  • (Score: 4, Insightful) by DannyB (5839) on Friday November 20 2020, @05:00PM (#1079826)

    Physical access is a problem.

    But systems could be more resistant to physical access attacks. It should be possible to have systems be tamper-evident.

    The attacker can try using physical media, restart the computer, remove its power and/or network connections. Open the case. But they probably can't change the keys inside the tamper-resistant TPM.

    Isn't it the wet dream of the [RIAA|MPAA]-holes to make all computers resistant to physical attacks -- by the purchasers / owners of the computer!

    This is why we now have TPM, and the euphemism of "Management Engines" inside microprocessors.

    Does anyone remember when microprocessors did one thing: execute instructions? Anyone?

    --
    If you eat an entire cake without cutting it, you technically only had one piece.