Intel debugger interface open to hacking via USB

Researchers from security vendor Positive Technologies have revealed that some new Intel processors contain a debugging interface accessible via USB 3.0 ports, that can be used to obtain full control over a system and perform attacks that are undetectable by current security tools. 

An attacker could use the vulnerability to bypass security systems to inject malicious code, and to silently spy on users and capture their data. 

Researchers Maxim Goryachy and Mark Emlov said the vulnerability can also be used to make computers inoperable, by rewriting basic input/output operating system (BIOS) firmware that starts up the systems.

The pair presented a paper on the vulnerability at the 33rd Chaos Communication Congress in Hamburg, Germany, having found that the JTAG (Joint Test Action Group) debugging interface is now accessible via USB version 3.0 ports used to connect peripherals to computers.

On older Intel CPUs, accessing JTAG required connecting a special connector to a debugging port on the motherboard (ITP-XDP). This meant JTAG was difficult to access for both troubleshooters and potential attackers.

However, starting with the Skylake processor family in 2015, Intel introduced the Direct Connect Interface (DCI) that provides access to JTAG via USB 3.0 ports. 

This makes debugging and system recovery easier than in the past but can potentially enable dangerous and virtually undetectable attacks. 

JTAG is a low-level hardware feature that sits below software layer, and is used mainly for for debugging the operating system kernel, hypervisors and device drivers. An attacker accessing a computer over JTAG can bypass operating system security restrictions and gain full control over the system.

No special software or hardware tricks are required to exploit target the vulnerability, the researchers said.

Simply having DCI enabled is sufficient. As the researchers found, this can be accomplished in several ways, and on many computers, DCI is enabled out-of-the-box and not blocked by default.

Should DCI not be enabled by default, and blocked, attackers can still gain access to the interface, the researchers said.

“An attacker could change the BIOS configuration (for example, by using a Flash memory programmer) when they have physical access to the equipment during manufacturing, storage or usage. Some BIOSs do not block the DCI configuration which is why there is the possibility of turning on the DCI," Goryachy said.

The duo noted: “These manufacturer-created hardware mechanisms have legitimate purposes, such as special debugging features for hardware configuration and other beneficial uses. But now these mechanisms are available to attackers as well. Performing such attacks does not require nation-state resources or even special equipment.” 

Goryachy and Ermolov speculated that the debugging vulnerability in Intel CPUs could lead to a whole new class of BadUSB style attacks, but at a deeper and even more dangerous level than earlier variants.

The researchers proposed a number of mitigation measures incliuding using Intel's BootGuard feature and disallowing activation of the debugging interface.

Goryachy noted that the attack works irrespective of the operating system installed on a computer.

“This mechanism can be used on a hacked system regardless of the OS installed. The DCI can be used on any system with Intel U-series processor," the researcher said.

Skylake U-series processors used on new laptops and Intel's miniature Next Unit of Computing (NUC) are vulnerable, the researchers said.

As of today, no publicly available security tools will detect the above attacks, Goryachy added