At the Black Hat Asia 2019 security conference, security researchers from Positive Technologies disclosed the existence of a previously unknown and undocumented feature in Intel chipsets.
Called Intel Visualization of Internal Signals Architecture (Intel VISA), the feature is, according to Positive Technologies researchers Maxim Goryachy and Mark Ermolov, a new utility included in modern Intel chipsets to help with testing and debugging on manufacturing lines.
VISA is included with Platform Controller Hub (PCH) chipsets that are part of modern Intel CPUs and works like a full-fledged logic signal analyzer.
According to the two researchers, VISA intercepts electronic signals sent from internal buses and peripherals (display, keyboard, and webcam) to the PCH, and later the main CPU.
VISA exposes a computer's entire data
Unauthorized access to the VISA feature would allow a threat actor to intercept data from the computer memory and create spyware that works at the lowest possible level.
But despite its extremely intrusive nature, very little is known about this new technology. Goryachy and Ermolov said VISA's documentation is subject to a non-disclosure agreement, and not available to the general public.
Normally, this combination of secrecy and a secure default should keep Intel users safe from possible attacks and abuse.
However, the two researchers said they found several methods of enabling VISA and abusing it to sniff data that passes through the CPU, and even through the secretive Intel Management Engine (ME), which has been housed in the PCH since the release of the Nehalem processors and 5-Series chipsets.
Intel says it's safe. Researchers disagree.
Goryachy and Ermolov said their technique doesn't require hardware modifications to a computer's motherboard or any specific equipment to carry out.
The simplest method consists of using the vulnerabilities detailed in Intel's Intel-SA-00086 security advisory to take control of the Intel Management Engine and enable VISA that way.
"The Intel VISA issue, as discussed at BlackHat Asia, relies on physical access and a previously mitigated vulnerability addressed in INTEL-SA-00086 on November 20, 2017," an Intel spokesperson told ZDNet yesterday.
"Customers who have applied those mitigations are protected from known vectors," the company said.
‘We found out that it is possible to access Intel VISA on ordinary motherboards, with no specific equipment needed,’ said Positive Technologies expert Maxim Goryachy. Intel told Metro that the VISA vulnerability was real, but said it ‘required physical access’, meaning that hackers couldn’t activate it over the internet and begin stealing information.
However, in an online discussion after his Black Hat talk, Ermolov said the Intel-SA-00086 fixes are not enough, as Intel firmware can be downgraded to vulnerable versions where the attackers can take over Intel ME and later enable VISA.
Furthermore, Ermolov said that there are three other ways to enable Intel VISA, methods that will become public when Black Hat organizers publish the duo's presentation slides in the coming days.
As Ermolov said yesterday, VISA is not a vulnerability in Intel chipsets, but just another way in which a useful feature could be abused and turned against users. Chances that VISA will be abused are low. This is because if someone goes to the trouble of exploiting the Intel-SA-00086 vulnerabilities to take over Intel ME, they will likely use that component to carry out their attacks, rather than rely on VISA.
As a side note, this is the second "manufacturing mode" feature Goryachy and Ermolov found in the past year. They also found that Apple accidentally shipped some laptops with Intel CPUs that were left in "manufacturing mode."