Researchers have extracted the secret key that encrypts updates for a number of Intel CPUs. This could have far-reaching consequences for the way the chips are used and possibly the way they are secured.
The key decrypts the microcode updates that Intel ships to fix security vulnerabilities and other types of errors. With a decrypted copy of an update, attackers can potentially reverse engineer it and learn exactly how to exploit the hole it is patching. The key may also be used by parties other than Intel – such as a malicious hacker or hobbyist – to update chips with their own microcode, although that modified version would not survive a reboot.
"It's pretty difficult to assess the safety impact right now," independent researcher Maxim Goryachy said in a direct message. "In any case, this is the first time in the history of Intel processors that you can run your microcode inside and analyze the updates." Goryachy and two other researchers – Dmitry Sklyarov and Mark Ermolov, both with security firm Positive Technologies – worked together on the project.
The key can be extracted for any chip – be it a Celeron, Pentium or Atom – that is based on the Goldmont architecture from Intel.
Tumble down the rabbit hole
This discovery came about three years ago when Goryachy and Ermolov found a critical vulnerability, indexed as Intel SA-00086, that allowed them to run code of their choice in the independent core of chips containing a subsystem known as the Intel Management Engine. Intel has fixed the bug and released a patch. However, because chips can always be rolled back to an earlier firmware version and then exploited, the vulnerability cannot be effectively eliminated.
The Chip Red Pill logo. (Credit: Sklyarov et al.)
Five months ago, the trio was able to use the vulnerability to access "Red Unlock", a service mode (see page 6 here) that is embedded in Intel chips. Intel's engineers use this mode to debug microcode before chips are released to the public. Alluding to the Matrix movie, the researchers named their tool for accessing this previously undocumented debugger "Chip Red Pill", because it lets researchers see the insides of a chip that are normally off limits. The tool works over a USB cable or a special Intel adapter that forwards data to a vulnerable CPU.
By accessing a Goldmont-based CPU in Red Unlock mode, the researchers were able to extract a special area of ROM called MSROM (Micro Code Sequencer ROM). From there, they began carefully reverse engineering the microcode. After months of analysis, they had recovered the update process and the RC4 key it uses. However, the analysis did not reveal the signing key with which Intel cryptographically proves the authenticity of an update.
In a statement, Intel officials wrote:
The described issue does not pose a security risk to customers and we do not rely on the obfuscation of information behind Red Unlock as a security measure. In addition to reducing INTEL-SA-00086, OEMs following Intel manufacturing guidelines have reduced the OEM-specific unlock capabilities required for this research.
The private key used to authenticate the microcode is not on the silicon, and an attacker cannot load an unauthenticated patch onto a remote system.
Impossible so far
This means that attackers cannot use Chip Red Pill and the decryption key it recovers to remotely hack vulnerable CPUs, at least not without chaining them with other, currently unknown vulnerabilities. Likewise, attackers cannot use these techniques to infect the supply chain of Goldmont-based devices. However, the technique opens up opportunities for attackers who have physical access to a computer running one of these CPUs.
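The distinction the article draws (a leaked decryption key lets you read updates, while only the signing key lets you produce updates the chip will accept) is easy to model. The following is an added example, not code from the researchers or from Intel: it pairs RC4, the cipher the article names, with a textbook RSA signature over a SHA-256 digest as a stand-in for whatever scheme Intel actually uses. The small primes, the encrypt-then-sign layout and the loader's decrypt-then-verify order are all assumptions made for the demonstration.

```python
"""Toy model of an encrypted-and-signed update format (constructed example).

Two separate keys protect an update: a symmetric key that hides the
contents (the article says Intel uses RC4 here) and an asymmetric signing
key that proves authenticity. Leaking the first lets an analyst READ an
update; only the second lets anyone MAKE an update the loader accepts.
"""
import hashlib
from math import gcd


# --- RC4, the cipher named in the article (toy use only) -----------------
def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR. Symmetric: applying it twice restores the input."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# --- textbook RSA with ~63-bit modulus: a stand-in for the real scheme ---
def _next_prime(start: int) -> int:
    """Smallest odd prime >= start, by trial division (fine at this size)."""
    n = start | 1
    while True:
        if all(n % d for d in range(3, int(n ** 0.5) + 1, 2)):
            return n
        n += 2


def make_signing_keypair():
    """Returns (public=(e, n), private=(d, n)). Assumed toy parameters."""
    e = 65537
    p = _next_prime(2 ** 31)
    q = _next_prime(2 ** 32)
    while gcd(e, (p - 1) * (q - 1)) != 1:
        q = _next_prime(q + 2)
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (e, n), (d, n)


def _digest_int(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(priv, message: bytes) -> int:
    d, n = priv
    return pow(_digest_int(message, n), d, n)


def verify(pub, message: bytes, signature: int) -> bool:
    e, n = pub
    return pow(signature, e, n) == _digest_int(message, n)


# --- the three roles in the story ----------------------------------------
def build_update(microcode: bytes, enc_key: bytes, priv):
    """Vendor: sign the plaintext with the private key, then encrypt it."""
    return rc4(enc_key, microcode), sign(priv, microcode)


def inspect_update(blob: bytes, enc_key: bytes) -> bytes:
    """Analyst holding the leaked symmetric key: recover the plaintext."""
    return rc4(enc_key, blob)


def cpu_accepts(blob: bytes, signature: int, enc_key: bytes, pub) -> bool:
    """Loader: decrypt, then check the signature against the plaintext."""
    return verify(pub, rc4(enc_key, blob), signature)


def tamper(enc_key: bytes, new_microcode: bytes) -> bytes:
    """Someone with only the symmetric key re-encrypts modified contents;
    they cannot produce a matching signature, so the loader rejects it."""
    return rc4(enc_key, new_microcode)


if __name__ == "__main__":
    pub, priv = make_signing_keypair()
    enc_key = b"constructed-rc4-key"          # constructed sample key
    microcode = b"patch: fix erratum X"       # constructed sample update
    blob, sig = build_update(microcode, enc_key, priv)
    print("analyst reads:", inspect_update(blob, enc_key))
    print("genuine accepted:", cpu_accepts(blob, sig, enc_key, pub))
    print("tampered accepted:",
          cpu_accepts(tamper(enc_key, b"patch: evil"), sig, enc_key, pub))
```

Run it and the analyst role prints the plaintext while the genuine update verifies and the re-encrypted one does not, which is exactly the situation the article describes: the RC4 key buys analysis, and a change to the microcode still needs the private signing key that was not recovered.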
"There is a common misconception that modern CPUs are mostly repaired at the factory and occasionally receive tight microcode updates for particularly serious bugs," said Kenn White, chief product security officer at MongoDB. "But as far as this is true (and largely not), there are very few practical limits to what an engineer with the keys to the kingdom can do for this silicon."
One possibility could be hobbyists who want to root their CPU the way people have jailbroken or rooted iPhones and Android devices, or hacked Sony's PlayStation 3 console.
In theory, Chip Red Pill could also be used in an evil maid attack, in which someone with transient physical access to a device hacks it. In either case, however, the hack is tethered, meaning it lasts only as long as the device stays powered on; after a restart, the chip returns to its normal state. In some cases, the ability to execute arbitrary microcode within the CPU can also be useful for attacks on cryptographic keys, such as those used in trusted platform modules.
"Right now there is only one, but very important consequence: the independent analysis of a microcode patch, which was previously impossible," said Mark Ermolov, researcher at Positive Technologies. "Now researchers can see how Intel addresses one or the other bug/vulnerability. And that's great. Encryption of microcode patches is a kind of security through darkness."