Intel may have discarded its innermost processor secrets

Security researchers have succeeded in extracting the secret key that Intel processors use to encrypt microcode updates, and the effects of their discovery could be considerable. With the key in hand, it is now possible to decrypt the microcode updates Intel ships to fix security vulnerabilities and other bugs. It could even allow hackers to push updates containing their own microcode to the chip, even though such updates would not survive a system reboot. Independent researcher Maxim Goryachy and researchers Dmitry Sklyarov and Mark Ermolov of Positive Technologies made the discovery by exploiting a critical vulnerability that Ermolov and Goryachy found in Intel's management engine in 2017. Goryachy provided additional information on the research team's latest discovery in a direct message to Ars Technica, saying: "At the moment, it is quite difficult to assess the impact on security. But in any case, this is the first time in the history of Intel processors that you can run your microcode inside and check for updates."

Chip Red Pill

Three years ago, Goryachy and Ermolov discovered a critical vulnerability in Intel's management engine, indexed as Intel SA-00086, that allowed them to run code of their choice on the management engine's own core inside Intel processors. Although the chip giant has released a patch that fixes the bug, it can still be exploited because processors can be rolled back to an older firmware version that lacks the patch. Earlier this year, the research team used the vulnerability they found to unlock a service mode built into Intel chips called "Red Unlock", which Intel's engineers use to debug microcode. Goryachy, Ermolov, and Sklyarov later named their tool for reaching this debugger Chip Red Pill, a reference to The Matrix.

By accessing one of the Goldmont-based Intel processors in Red Unlock mode, the researchers were able to extract a special ROM area called MSROM (microcode sequencer ROM). They then reverse-engineered the chipmaker's microcode and, after months of analysis, were able to extract the RC4 key that Intel uses in the update process. However, the researchers were unable to discover the signing key that Intel uses to cryptographically prove whether an update is genuine.

In a statement, Intel officials downplayed the team's discovery while assuring users that their processors are safe from potentially malicious chip updates, saying: "The issue described does not represent a customer security exposure and we do not trust the obfuscation of the information behind the red unlock as a security measure. In addition to the INTEL-SA-00086 mitigation, OEM-specific unlock capabilities required by this investigation have been mitigated by OEMs following Intel manufacturing guidelines. The private key used to authenticate the microcode does not reside on the silicon, and an attacker cannot upload an unauthenticated patch to a remote system."

Hackers may not be able to make use of the discovery by Goryachy, Ermolov and Sklyarov, but for security researchers it could be of great help, as they will now be able to analyze Intel's microcode patches to see how the company fixes bugs and security vulnerabilities.

Via Ars Technica
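The distinction the article turns on, an encryption key that lives on the chip versus a signing key that does not, is easy to see in a toy model. The following is an added example, not Intel's update format or the researchers' code: a constructed update pipeline with RC4 (as the article reports) for confidentiality and a textbook RSA signature with constructed tiny primes for authenticity. Holding the RC4 key lets an analyst read a genuine update, but a modified update still fails verification because the private exponent never reaches the chip.

```python
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                         # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Textbook RSA with constructed small primes; illustration only, not secure.
P, Q, E = 10007, 10009, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: stays with the vendor

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def vendor_build_update(chip_key: bytes, patch: bytes):
    """Vendor side: encrypt the patch, then sign the ciphertext digest with D."""
    ct = rc4(chip_key, patch)
    return ct, pow(digest(ct), D, N)

def chip_apply_update(chip_key: bytes, ct: bytes, sig: int):
    """Chip side: only (E, N) and the RC4 key are on-chip; reject bad signatures."""
    if pow(sig, E, N) != digest(ct):
        return None
    return rc4(chip_key, ct)

CHIP_KEY = b"constructed-rom-key"   # stands in for the extracted RC4 key
PATCH = b"fix: constructed erratum"  # constructed patch body

def demo() -> dict:
    ct, sig = vendor_build_update(CHIP_KEY, PATCH)
    readable = rc4(CHIP_KEY, ct)             # analyst with the RC4 key can read it
    forged_ct = rc4(CHIP_KEY, b"modified microcode")
    return {"genuine": chip_apply_update(CHIP_KEY, ct, sig),
            "readable": readable,
            "forged": chip_apply_update(CHIP_KEY, forged_ct, sig)}
```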