A trio of researchers, as reported by Ars Technica, has extracted the secret key that encrypts (protects) updates of different Intel CPUs (Celeron, Pentium or Atom based on Goldmont architecture). This key allows you to decrypt CPU microcode updates, a kind of chip firmware that the company updates from time to time to fix vulnerabilities and other types of bugs. Obtaining a decrypted copy of an update could allow malicious people to do reverse engineering and learn how to exploit the flaw that the update intends to solve . The key may also allow third parties other than Intel to update a chip with its own microcode , although such an operation would have a limited life and would not “survive” a system reboot.

“That’s enough at the moment difficult to assess the impact on security , “independent researcher Maxim Goryachy told Ars Technica. “In any case, this is the first time in the history of Intel processors where you can run your own microcode and scan for updates “. Goryachy and two other researchers – Dmitry Sklyarov and Mark Ermolov, both of Positive Technologies – worked together on this research.

The genesis of this discovery dates back to three years ago , “when Goryachy and Ermolov found a critical flaw, referred to as Intel SA – 00086, which allowed the execution of arbitrary code within a chip independent core that included a subsystem called the Intel Management Engine, “writes the source. “Intel released a patch to fix the flaw, but since chips can always be rolled back to an earlier firmware version and then punctured, there is no way to completely eliminate the vulnerability.”

Five months ago, researchers were able to use the vulnerability in question to access “ Red Unlock “, a service mode integrated into Intel chips which is used by the company’s engineers to debug the microcode before the chips are released to market. In homage to the movie The Matrix, the researchers called their tool to access this debugger “Chip Red Pill”, because it allows researchers to enter a place that is usually off limits. “ The setup technique requires the use of a USB cable or a special Intel adapter which routes data to a vulnerable CPU “, Ars Technica writes, which suggests that it is certainly not something commonly feasible.

Having obtained access to the Goldmont CPU in Red Unlock mode, the Researchers managed to arrive at a special ROM area called MSROM (microcode sequencer ROM) and then embarked on the process of reverge engineering of the microcode. After months of analysis, they managed to understand the update process and the RC4 key used, while they failed to get the signature that Intel uses to cryptographically prove the authenticity of an update.

The Intel’s response

Asked about this, Intel explained that “the problem described does not represent a security exposure for customers and we do not rely on the information obfuscation behind Red Unlock as a security measure. to INTEL-SA mitigation – 00086, OEMs following Intel’s guidelines have mitigated the unlock specific requests for this search. The private key used to authenticate the microcode does not reside in the silicon and an attacker cannot upload an unauthenticated patch on a remote system “.

This means c that attackers cannot use Chip Red Pill and the decryption key it exposes to remotely hack vulnerable CPUs, at least not without exploiting other currently unknown vulnerabilities. Likewise, such techniques cannot be used to “infect the Goldmont-based device supply chain.” The attack is, albeit difficult, usable only by having physical access to a computer equipped with one of these CPUs.

“ For now there is only one but important consequence “, concluded Ermolov. “Independent analysis of a microcode patch that was previously impossible. Now researchers can see how Intel fixes a bug or other vulnerability. And that’s great.”