Intel responded to a claim about hackers gaining hardware-level access to PCs sporting its sixth- and seventh-generation processors. The claim was made during a presentation at the 33rd annual Chaos Communication Congress conference in Hamburg, Germany, which showed how hackers could use a cheap device to gain access to a debugging interface embedded in hardware. The point of entry is through any USB 3.0 port on the device via Intel’s Direct Connect Interface (DCI) feature provided with its sixth- and seventh-generation platforms.
“Intel implemented a proprietary Intel Direct Connect Interface over USB for JTAG [Joint Test Action Group] debugging of closed chassis systems as a feature for 6th and 7th Gen Intel Core processor based platforms,” Intel told Digital Trends. “DCI is an integral part in enabling debug of today’s light and small form factor systems via industry standard JTAG protocols.”
That said, the hacking possibility revealed in the presentation is no cause for alarm. It’s not going to bring the world to a standstill. A hacker must have physical access to a PC in order to carry out this specific attack. Even more, if hackers do manage to gain physical access, they can just about perform any attack from any angle, whether it is through a USB port, breaking open the PC, and so on.
Intel points out that BIOS Guard will keep hackers from changing the firmware, and even if hackers do gain access to the debugging interface, they can’t gain access to Intel’s confidential instructions without grabbing a key from Intel through a non-disclosure agreement. Even more, encrypted hard drives can withstand against this specific attack.
“To provide additional security, the DCI interface is disabled by default per Intel specification and can only be enabled with user consent via BIOS configuration,” Intel told Digital Trends. “Physical access and control of the system is required to enable DCI.”
For a better understanding of what’s going on, start with the debugging interface created by the JTAG. This standard was originally designed to test printed circuit boards once they were manufactured and installed but has since expanded to processors and other programmable chips. Scenarios for using the interface include forensics, research, low-level debugging, and performance analysis.
The interface itself resides within the processor and programmable chips. In turn, JTAG-capable chips have dedicated pins that connect to the motherboard, which are traced to a dedicated 60-pin debugging port on a system’s motherboard (ITP-XDP). This port enables testers to connect a special device directly to the motherboard to debug hardware in relation to drivers, an operating system kernel, and so on.
But now the JTAG debugging interface can be accessed through a USB 3.0 port by way of Intel’s Direct Connect Interface “debug transport technology.” When a hardware probe is connected to the target Intel-based device, the USB 3.0 protocol isn’t used, but rather Intel’s protocol is employed so that testers can perform trace functions and other debugging tasks at high speed. Using a USB 3.0 port means testers aren’t forced to break into the PC to physically connect to the XDP debugging port.
Intel’s Direct Connect Interface appears to be embedded in the company’s sixth-generation motherboard chipsets, such as the 100 Series (pdf), and its processors. It’s also used in the new seventh-generation Kaby Lake platform as well, meaning hackers have two generations of Intel-based PCs to infest and possibly render useless, such as by rewriting the system’s BIOS.
As shown in the presentation by security researchers Maxim Goryachy and Mark Ermolov, one way of accessing the JTAG debugging interface through the USB 3.0 port is to use a device with a cheap Fluxbabbitt hardware implant running Godsurge, which can exploit the JTAG debugging interface. Originally used by the National Security Agency — and exposed by Edward Snowden — Godsurge is malware engineered to hook into a PC’s boot loader to monitor activity. It was originally meant to live on the motherboard and remain completely undetectable outside a forensic investigation.
However, as previously stated, hackers need to have physical access to a PC to take control and spread their malicious code in this specific JTAG-focused attack. Typically, the debugging modules in Intel’s processors require Intel’s SVT Closed Chassis Adapter connected via USB 3.0, or a second PC with Intel System Studio installed connected directly to the target PC via USB 3.0 as well.
Finally, Goryachy noted in his presentation that the problem only resides with Intel’s sixth- and seventh-generation Core ‘U’ processor platforms. Obviously, Intel is now fully aware of the report, but there is really no cause for alarm. Still, the debugging interface on affected PCs can be deactivated if needed. Even more, Intel Boot Guard can be used to prevent malware and unauthorized software from making changes to the system’s initial boot block.
This story was originally published in January 2017. Updated on 01-17-2017 by Kevin Parrish: Added Intel’s response regarding the potential access to its processors.
