Nearly every Intel chipset released in the past five years contains a vulnerability that could allow hackers to gain deep access to your computer. Security firm Positive Technologies released that disclosure this week in a report that was downplayed by Intel due to the complexity of exploiting the flaw.
A complex flaw with big implications — In essence, whenever you boot your Intel-based computer, security measures within the CPU's Converged Security and Management Engine (CSME) are supposed to execute, locking down the computer's memory and preventing hackers from modifying it.
What Positive Technologies found, however, is that there's a brief moment between booting the computer and when protections within the CSME actually execute. That gives hackers a window to execute malicious code with the highest of system privileges. The CSME is able to intercept data passing through USB, meaning a hacker could, theoretically, insert code into the CSME that launches a keylogger.
What's worse is that Ars Technica reports a firmware update cannot fix the flaw because it's hard-coded into the silicon that boots the CSME. Any malicious code inserted also wouldn't be recognized by antivirus software.
“This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company's platforms,” Mark Ermolov, lead specialist of OS and hardware security at Positive Technologies, wrote in a blog post. “The problem is not only that it is impossible to fix firmware errors that are hard-coded in the mask ROM of microprocessors and chipsets. The larger worry is that, because this vulnerability allows a compromise at the hardware level, it destroys the chain of trust for the platform as a whole.”
You're probably safe unless you're a spy — Experts say that exploiting the vulnerability requires physical access to the computer as well as specialized gear — and many years of experience with firmware. It's not your typical exploit where a phishing link or attachment could get you. It's the sort of thing nation states attacking specific, high-value targets might be able to exploit, but not your casual 419 scammer.
“Intel was notified of a vulnerability potentially affecting the Intel Converged Security Management Engine in which an unauthorized user with specialized hardware and physical access may be able to execute arbitrary code within the Intel CSME subsystem on certain Intel products,” Intel wrote in a statement to Ars Technica. “Intel released mitigations and recommends keeping systems up-to-date. Additional guidance specific to CVE-2019-0090 can be found here.”