Newly discovered flaw in Intel processors could enable attackers to steal sensitive data, breach encrypted files, and bypass DRM protections
PT SWARMexpert Mark Ermolov discovered a new exploitation vector for the vulnerabilities CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2019-0090, and CVE-2021-0146,which Intel has already fixed. Previously, these issues only enabled partial compromise, but this new method can lead to a complete security breach of affected platforms.
The newly discovered approach to exploitation can be applied to attacks on devices equipped with Intel Pentium, Celeron, and Atom processors from the Denverton, Apollo Lake, Gemini Lake, and Gemini Lake Refresh series. Production of these chips has ended, yet they remain in embedded systems, such as automotive electronics, and in ultra-mobile devices, including e-readers and mini-PCs. Intel was notified in accordance with the responsible disclosure policy but rejected the described problem and refused to take measures to eliminate or reduce the threat level.
The main exploitation vector involves supply chain attacks[1]. Attackers can embed spyware at the assembly or repair stage without altering the hardware.
“This approach requires no soldering or any other physical modification,” said Ermolov. “Local access is enough to retrieve the encryption key and inject malicious code into Intel CSME firmware. These implants often slip under the radar of Intel Boot Guard, virtualization-based security (VBS), and antivirus solutions. They can operate unnoticed, capture user data, lock devices, erase or encrypt files, and carry out other destructive actions.”
A secondary risk involves exploiting these formerly patched flaws to bypass DRM[2]safeguards, which can grant unauthorized access to content from various streaming services. The newly identified method also circumvents some Amazon e-reader protections, allowing threat actors to copy data on devices powered by vulnerable Intel Atom processors.
Attackers can also use these tactics to access data on encrypted storage devices like hard drives or SSDs. This approach can target laptops or tablets built on the at-risk processors.
In 2021, Positive Technologies worked with Intel to reduce the danger posed by CVE-2021-0146, which allowed extraction of the platform chipset key. That key is one of the Intel CSME subsystem’s most closely guarded secrets because it underpins the root of trust and generates every working key for data encryption and code integrity. The new exploitation method decrypts the chipset key by bypassing its fuse encryption layer, opening the door to malicious uses.
Mordor Intelligence ranks Intel as a leading chip supplier for IoT solutions. Its Atom E3900 processors, which are affected by the vulnerabilities, appear in devices used by dozens of automotive manufacturers. Organizations looking to maintain ongoing oversight of vulnerabilities can rely on MaxPatrol VM for continuous management. Should a breach occur, platforms like MaxPatrol SIEM can assist in spotting post-exploitation indicators and tracking further actions by attackers.
[1]Attacks on service providers, through third-party companies.
[2] Digital rights management — technical means of copyright protection.