3 min Security

Researches extract security key for microcode in Intel CPU

Researches extract security key for microcode in Intel CPU

Researches have found the key that Intel uses to secure microcode updates in a number of their processors. The keys can be used to analyze updates or install custom patches.

The technique can’t be used to hack all Intel processors. The key can only be found in chips based on the Goldmont architecture. This architecture used in 2016 and 2017 in power-efficient SoCs in the Atom, Celeron and Pentium Silver lines. You will mostly find these chips in cheap laptops and desktops, a couple of tablets and a few NASes.

Red Unlock

The leak builds on previous efforts to crack Intel processors, Ars Technica writes. Three years ago, security researches Maxim Goryachy and Mark Ermolov found a critical vulnerability, which they called Intel SA-00086. The vulnerability enabled the researches to run their own code on chips that included the Intel Management Engine subsystem. This is the case in nearly all Intel processors released after 2008. Intel has patched the leak, but chips can always be rolled back to an earlier firmware version that hasn’t been patched.

The researchers used this vulnerability to access the service mode of the chips, called Red Unlock. This mode is usually used by Intel engineers to debug the processors. The researchers used the mode to investigate the chips further.

When the researchers of security firm Positive Technologies, including Goryachy, Ermolov, as well as Dmitry Sklyarov, explored the Red Unlock mode in a Goldmont processor, they stumbled upon a special area in the memory, called MSROM. This is where the microsequencer was stored. By reverse-engineering this code, the researchers managed to find the security key for the microcode.

Physical access

The main security risk posed by the leak is that, when Intel releases a patch for a potential vulnerability in a Goldmont processor, third parties can theoretically read the content of the patch. Based on this, malicious parties can figure out which vulnerability the patch is supposed to solve and build an exploit. Because firmware updates can be rolled back, patched systems remain vulnerable.

Even though it’s theoretically possible to install your own microcode on these processors, it doesn’t mean that all devices with Goldmont-chips are in immediate danger. To gain access to the processor, a malicious person needs physical access to the device in question and connect to it with a USB cable or special Intel adapter.

This means a hacker won’t be able to gain access to your computer from a remote location unless the attack is combined with another vulnerability allowing this. No such vulnerability is currently known.

Tip: Researchers find vulnerabilities in Intel processors from 2011 and newer