At the Black Hat Asia 2019 security conference, security researchers from Positive Technologies disclosed the existence of a previously unknown and undocumented feature in Intel chipsets.
Called Intel Visualization of Internal Signals Architecture (Intel VISA), Positive Technologies researchers Maxim Goryachy and Mark Ermolov said this is a new utility included in modern Intel chipsets to help with testing and debugging on manufacturing lines.
VISA is included with Platform Controller Hub (PCH) chipsets part of modern Intel CPUs and works like a full-fledged logic signal analyzer.
According to the two researchers, VISA intercepts electronic signals sent from internal buses and peripherals (display, keyboard, and webcam) to the PCH --and later the main CPU.
VISA exposes a computer's entire data
Unauthorized access to the VISA feature would allow a threat actor to intercept data from the computer memory and create spyware that works at the lowest possible level.
But despite its extremely intrusive nature, very little is known about this new technology. Goryachy and Ermolov said VISA's documentation is subject to a non-disclosure agreement, and not available to the general public.
Normally, this combination of secrecy and a secure default should keep Intel users safe from possible attacks and abuse.
However, the two researchers said they found several methods of enabling VISA and abusing it to sniff data that passes through the CPU, and even through the secretive Intel Management Engine (ME), which has been housed in the PCH since the release of the Nehalem processors and 5-Series chipsets.
Intel says it's safe. Researchers disagree.
Goryachy and Ermolov said their technique doesn't require hardware modifications to a computer's motherboard and no specific equipment to carry out.
The simplest method consists of using the vulnerabilities detailed in Intel's Intel-SA-00086 security advisory to take control of the Intel Management Engine and enable VISA that way.
"The Intel VISA issue, as discussed at BlackHat Asia, relies on physical access and a previously mitigated vulnerability addressed in INTEL-SA-00086 on November 20, 2017," an Intel spokesperson told ZDNet yesterday. "Customers who have applied those mitigations are protected from known vectors."
However, in an email to ZDNet, the two researchers said the Intel-SA-00086 fixes are not enough, as Intel firmware can be downgraded to vulnerable versions where the attackers can take over Intel ME and later enable VISA.
Furthermore, the researchers said there are three other ways to enable Intel VISA not dependent on those vulnerabilities, methods that will become public when Black Hat organizers will publish the duo's presentation slides in the coming days.
"Those vulnerabilities are only one way to enable Intel VISA, in our talk we gave several other ways to do this task," the two researchers told ZDNet in an email. "As we have repeatedly said, these fixes are dummy, they don't do anything because the digitally signed firmware can be downgraded to any of previous version."
As Ermolov said yesterday, VISA is not a vulnerability in Intel chipsets, but just another way in which a useful feature could be abused and turned against users. Chances that VISA will be abused are low. This is because if someone would go through the trouble of exploiting the Intel-SA-00086 vulnerabilities to take over Intel ME, then they'll likely use that component to carry out their attacks, rather than rely on VISA. However, this research highlights another potential attack vector in Intel chipsets.
As a side note, this is the second "manufacturing mode" feature Goryachy and Ermolov found in the past year. They also found that Apple accidentally shipped some laptops with Intel CPUs that were left in "manufacturing mode."
Article updated with comments from Positive Technologies researchers.
More vulnerability reports:
- Severe security bug found in popular PHP library for creating PDF files
- Cisco bungled RV320/RV325 patches, routers still exposed to hacks
- Google Photos vulnerability could have let hackers retrieve image metadata
- Microsoft to fix 'novel bug class' discovered by Google engineer
- Zero-day in WordPress SMTP plugin abused by two hacker groups
- Google fixes Chrome 'evil cursor' bug abused by tech support scam sites
- DJI fixes vulnerability that let potential hackers spy on drones CNET
- Top 10 app vulnerabilities: Unpatched plugins and extensions dominate TechRepublic