
Intel's new CPUs are vulnerable to USB hacks

cozz

I skimmed the YouTube presentation source.

It seems odd that Intel left this debugging mode in place and it seems like it's more of a feature than a bug. Someone needs physical access to your machine and to be logged in, at which point you're completely fucked anyways. It's only theoretical that someone could actually do something significant with this technique.

The real MVP would be hooking up and trying to log in to the TAP in order to do fuse burn. Then you could do shit like enabling additional cores, changing frequencies, etc. That functionality *should* be protected by an unlock code that few people know.


3 hours ago, Almighty_Spoon said:

IMO you should be doing that anyway, I don't let ANYONE plug something into any of my devices unless it's my own.

 

I generally don't, unless it's a friend and I need to share a file, or get a file from them. But even then, some friends.... lol


7 hours ago, Bleedingyamato said:

Why do people keep banking info on their home computers?  

I don't..  

Also, you should hide your porn better.  ? lol

Quickbooks is on my computer for accounting and such, but the porn? That's on the server... Just kidding. Sort of... B|


So we'd be able to mess around with the CPU's code and other things?


15 hours ago, RKRiley said:

If it's done through USB ports, surely the hacker would have to be at the computer then? So this wouldn't be a worry for most people at home, or companies.

Other than enthusiasts, who often takes a case apart? If hacking through USB, you could probably install something internally on the USB 3.0 header that would autorun when the PC boots. So those company-procured PCs that never get taken apart could be very vulnerable. Trade secrets and Hillary's emails galore!


1 minute ago, Ryujin2003 said:

Other than enthusiasts, who often takes a case apart? If hacking through USB, you could probably install something internally on the USB 3.0 header that would autorun when the PC boots. So those company-procured PCs that never get taken apart could be very vulnerable. Trade secrets and Hillary's emails galore!

Surely the company would notice a strange random bloke walking in, fiddling around with the laptops, and then randomly leaving again.

Unless they somehow installed it before the companies/persons take delivery of the machines


1 minute ago, RKRiley said:

Surely the company would notice a strange random bloke walking in, fiddling around with the laptops, and then randomly leaving again.

Unless they somehow installed it before the companies/persons take delivery of the machines

Insider threat is the most dangerous. He's the guy that works there, paid off under the table to perform acts like this. The guy who upgrades from a Ford Fiesta to a Jaguar over the weekend.

And yes, I'm saying before delivery. How many places have you worked at where the cases are opened and looked at prior to deployment? And if the company contracts the PCs, they can't even touch the hardware. I think it would be pretty easy.

 

Or program something into peripherals. It's not unusual to plug in mice and keyboards. I'm sure that's easily done. If there is a will, there is a way.


16 hours ago, cozz said:

Worse yet, it is completely undetectable by current security tools.

I use something called eyes.exe to detect if there is a USB stick connected. 

 

Srsly, I don't see any risk.

Found their initial paper and there are a couple things I want to point out:

1) Affects both Skylake and Kaby Lake, not just Kaby Lake. Only affects -u series processors of both.

 

2) Only works if the UEFI is set up to allow DCI debugging over USB. All vendor firmwares have this disabled by default.

 

3) The attack they detail actually involves modifying a hidden UEFI setting (requires UEFI permissions. This is why you *always* set a password on your BIOS/UEFI.) or flashing a new UEFI (requires admin permissions or physical access to flash the BIOS chip) at which point the system is severely compromised already.

 

Honestly this is more of just a proof that a hardware compromised system can't be trusted than it is showing anything really surprising.

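Added example, not part of the thread or of the researchers' paper: a Linux-side check of the CPU's IA32_DEBUG_INTERFACE MSR, which reports whether silicon debug is enabled and whether that setting is locked. The MSR address and bit layout come from Intel's SDM rather than from this page, the sample values are constructed, and the check covers only the CPU debug-enable state, not the UEFI DCI setting discussed above.

```python
import glob
import os
import struct

IA32_DEBUG_INTERFACE = 0xC80          # MSR address per Intel SDM (not named in the thread)
ENABLE, LOCK, DEBUG_OCCURRED = 1 << 0, 1 << 30, 1 << 31

# Constructed sample values, used when the live MSR cannot be read.
SAMPLE = {0: 0x40000000, 1: 0x00000001, 2: 0xC0000000}

def assess(value):
    """Return findings for one MSR value; an empty list means the expected state."""
    findings = []
    if value & ENABLE:
        findings.append("silicon debug is enabled")
    if not value & LOCK:
        findings.append("register is not locked, enable bit can still be changed")
    if value & DEBUG_OCCURRED:
        findings.append("debug was enabled at some point since reset")
    return findings

def audit(values):
    """values maps cpu index -> MSR value; returns only CPUs that have findings."""
    report = {}
    for cpu, value in sorted(values.items()):
        findings = assess(value)
        if findings:
            report[cpu] = findings
    return report

def read_all():
    """Read the MSR on every CPU via the Linux msr driver (root, 'modprobe msr')."""
    values = {}
    for path in glob.glob("/dev/cpu/[0-9]*/msr"):
        fd = os.open(path, os.O_RDONLY)
        try:
            raw = os.pread(fd, 8, IA32_DEBUG_INTERFACE)
            values[int(path.split("/")[3])] = struct.unpack("<Q", raw)[0]
        finally:
            os.close(fd)
    return values

if __name__ == "__main__":
    try:
        live = read_all()
    except OSError as exc:            # no permission, or MSR not implemented
        print(f"cannot read MSR ({exc}); using constructed sample values")
        live = {}
    for cpu, findings in audit(live or SAMPLE).items():
        print(f"cpu{cpu}: " + "; ".join(findings))
```

A production machine is expected to report nothing: enable bit clear and lock bit set on every CPU.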

17 hours ago, RKRiley said:

If it's done through USB ports, surely the hacker would have to be at the computer then? So this wouldn't be a worry for most people at home, or companies.

As an Admin for a company with many users that have laptops or portables with U series processors this is a HUGE issue. Where do you get the idea that it doesn't affect companies??

Someone sticks in a USB and can log any and all VPN traffic and credentials, get domain passwords or anything of that nature? Massive security concern for companies.


10 minutes ago, goodtofufriday said:

As an Admin for a company with many users that have laptops or portables with U series processors this is a HUGE issue. Where do you get the idea that it doesn't affect companies??

Someone sticks in a USB and can log any and all VPN traffic and credentials, get domain passwords or anything of that nature? Massive security concern for companies.

Not without flashing a custom UEFI as long as your IT guy has the UEFI protected properly (Boot guard + password) like he should anyways.

And if there's a custom UEFI being flashed you're fucked anyways, regardless of your platform.


15 minutes ago, Sniperfox47 said:

Found their initial paper and there are a couple things I want to point out:

1) Affects both Skylake and Kaby Lake, not just Kaby Lake. Only affects -u series processors of both.

 

2) Only works if the UEFI is set up to allow DCI debugging over USB. All vendor firmwares have this disabled by default.

 

3) The attack they detail actually involves modifying a hidden UEFI setting (requires UEFI permissions. This is why you *always* set a password on your BIOS/UEFI.) or flashing a new UEFI (requires admin permissions or physical access to flash the BIOS chip) at which point the system is severely compromised already.

 

Honestly this is more of just a proof that a hardware compromised system can't be trusted than it is showing anything really surprising.

 

1 minute ago, Sniperfox47 said:

Not without flashing a custom UEFI as long as your IT guy has the UEFI protected properly (Boot guard + password) like he should anyways.

And if there's a custom UEFI being flashed you're fucked anyways, regardless of your platform.

-Looks at your second point-

 

-discards email blast to underlings-


Security is hard. But now I'll have to write a script that disables USB3 ports by default. sigh

damnit Intel. Also, this is the reason I want coreboot or an open bootloader for more devices.

 


Just reading a bit more about it. This is a JTAG exploit! This is not the first time a chip manufacturer made a security hole with this debugging tool. And with USB3 this is now super convenient.


16 hours ago, Stefan1024 said:

Forget to disable the debug interface for the final product? Yes this can happen. If they designed it wisely they can disable it permanently with software (burn the fuse).

I agree completely. Also, if it is true that only some mobile processors are affected this is very likely the reason this happened. The mobile processors were the first to come out right? Maybe they were more in a hurry than it seemed.


22 hours ago, ARikozuM said:

It isn't. This is merely reinforcing the fact that you need to practice safe techs.

....

 

Practice safe techs

 

Block up them unused USB ports? 


2 hours ago, mark_cameron said:

....

 

Practice safe techs

 

Block up them unused USB ports? 

Make sure that protect bit is in place before extracting...

Back it up twice?


On 1/11/2017 at 5:42 PM, wcreek said:

Perhaps a USB drive could be infected without the user knowing it. Though I'm not sure how remote the hacker can actually be or if they can rely on other means to get access without being physically present.

If I am understanding this correctly it cannot be run from a flash drive as it would need some kind of processor to access the debug stuff, but also if they can get access they could just make an outbound connection with a malicious machine for remote connection.


Flash drives have processors, so do phones, type-c chargers, monitors, keyboards, mice, random gifts from strangers that look like thinkgeek toys.
