ITP Techblog

Brought to you by IT Professionals NZ

Encryption keys can be stolen from Intel processors

Peter Membrey, Contributor. 18 November 2021, 8:36 am

Intel is once again in the spotlight this week after announcing a security flaw in a number of their computer processors.

If exploited, the flaws could allow an attacker with physical access to the device to get around BitLocker disk encryption, gain access to the contents of the TPM (Trusted Platform Module) and even potentially install undetectable malicious firmware.

This is truly the stuff of security nightmares - the whole point of a trusted platform is that it can be, well, trusted. When that trust is broken, technologies that are based upon it will most likely be compromised as well. But how bad is this exploit really?

Well, it's pretty bad

According to Positive Technologies, who discovered the flaw, the affected processors (Pentiums, Celerons and Atoms in the Apollo Lake, Gemini Lake and Gemini Lake Refresh platforms) are the basis of many high-end ultra notebooks and IoT (internet of things) devices, and are used by at least 30 car manufacturers (including Tesla's Model 3, if an unofficial source cited by Positive Technologies can be believed).

That's a pretty big blast radius for an exploit but fortunately, there are a few factors that make it slightly less disturbing.


First, physical access is required to conduct the exploit which at least means that someone would need to get their hands on the kit in order to compromise it. They won't be able to compromise the device over the internet.

Second, the affected processors are primarily limited to embedded and mobile platforms, so it's very unlikely that this issue would turn up in one of your servers. Even if it did, hopefully, there are sufficient physical security safeguards in place to prevent a wannabe attacker from getting to them.

Lastly, Intel is recommending that affected users upgrade their firmware, suggesting that fixes are available that will protect those devices going forward. Whilst the attack requires physical access, applying the firmware update should be relatively painless, though it will almost certainly require a reboot.

What's the likely impact?

For most people affected by this, upgrading their firmware will be sufficient to mitigate the risk. Figuring out how to manage that sort of rollout could range from trivial (individual users on laptops) to extremely complex (how does one update thousands of cars remotely and safely?).
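A concrete first step for either kind of rollout is an inventory of which machines actually carry an affected CPU. The following is an added example, not the article's or Intel's code, that does this on Linux from /proc/cpuinfo; the CPUID family/model values it matches on (family 6, model 0x5C for Goldmont/Apollo Lake and 0x7A for Goldmont Plus/Gemini Lake and Gemini Lake Refresh) are taken from Intel's public microarchitecture documentation and are an assumption of the example, not something the article states.

```python
"""Flag Linux hosts whose CPU is in a CVE-2021-0146 platform family, to scope
a firmware rollout. Added example, not the article's code. CPUID mapping is
assumed from Intel's public docs: family 6, model 0x5C = Goldmont (Apollo
Lake); 0x7A = Goldmont Plus (Gemini Lake and Gemini Lake Refresh)."""

AFFECTED_MODELS = {  # (family, model) -> platform; assumed, see docstring
    (6, 0x5C): "Apollo Lake",
    (6, 0x7A): "Gemini Lake / Gemini Lake Refresh",
}

# Constructed /proc/cpuinfo excerpt: two logical CPUs of one Gemini Lake part.
SAMPLE_CPUINFO = """\
processor\t: 0
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 122
model name\t: Intel(R) Celeron(R) N4100 CPU @ 1.10GHz

processor\t: 1
vendor_id\t: GenuineIntel
cpu family\t: 6
model\t\t: 122
model name\t: Intel(R) Celeron(R) N4100 CPU @ 1.10GHz
"""

def parse_cpuinfo(text):
    """Split /proc/cpuinfo text into one {field: value} dict per processor."""
    cpus = []
    for stanza in text.strip().split("\n\n"):  # stanzas are blank-line separated
        fields = {}
        for line in stanza.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            cpus.append(fields)
    return cpus

def affected_platform(fields):
    """Name the affected platform for one processor dict, or None."""
    if fields.get("vendor_id") != "GenuineIntel":
        return None
    try:
        key = (int(fields["cpu family"]), int(fields["model"]))
    except (KeyError, ValueError):  # malformed or non-x86 stanza
        return None
    return AFFECTED_MODELS.get(key)

def scan(text):
    """Distinct affected platforms in cpuinfo text; empty list = not affected."""
    return sorted({p for p in map(affected_platform, parse_cpuinfo(text)) if p})
```

On a real host, call `scan(open("/proc/cpuinfo").read())`; a non-empty result means the machine belongs in the firmware-update queue.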

There are three main takeaways from this vulnerability for me. The first is that the exploit allows recovery of the processor's encryption key, which would mean BitLocker disk encryption could be bypassed. This means any laptop that has been lost or stolen that depended on BitLocker to protect the data on the machine (pretty much any Windows device) could potentially now be accessed.

As scary as that is, most laptops that are stolen are very quickly reinstalled and sold on, so unless you were the specific target of an attack, those previously lost devices are unlikely to come back and haunt you. Now that the exploit is public, however, that could very well change for sophisticated actors, so you should upgrade as soon as possible.

The second is more theoretical at this point, but once the processor can be breached, someone who really knows what they're doing could over time extract other material as well. This could, amongst other things, let them reverse engineer security updates, understand each update in depth and then devise ways of exploiting the very thing the update was supposed to patch.

The third is most likely less of a concern to most people and businesses, but it has the potential to bypass digital rights management (DRM) controls that rely on the trusted platform. That would make it possible to copy or extract protected ebooks, video and audio content, which could then be distributed without protection. If this is your thing, investigating the firmware updates is something you're going to want to look at as a matter of priority.

Okay, but what exactly was the exploit?

The exploit has been assigned CVE-2021-0146, but so far there is little information available on MITRE. Intel's page has the most information at present and states that it has a CVSS score of 7.1. This is considered High, and the only thing that prevents it from being rated as Critical is that physical access is required. A description of the issue can be found on Intel's security page:

"Hardware allows activation of test or debug logic at runtime for some Intel(R) processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access."

Processors are complicated devices that operate on a number of levels, many that end users never see. When these chips are being designed and tested it is necessary to have higher than normal access to them in order to debug and fix any issues that are found. One of these debug features allows access to parts of the processor that are normally not visible, and hence the potential to extract information that shouldn't be seen, which in the case of this exploit is primarily key material.

The existence of these debug features isn't controversial, it's just they're not supposed to be accessible out in the wild and that's where Intel has come unstuck this time.

Final thoughts

If you have any of the affected platforms mentioned above, you definitely want to get them updated as soon as possible. Due to it requiring physical access, the potential for mayhem is significantly reduced, but don't let that lull you into a false sense of security.

We have seen a number of exploits over recent years such as Meltdown and Spectre massively impacting performance for many server workloads and a range of attacks rendering Intel's SGX extensions vulnerable. It is unlikely that this exploit will be the last.

Could this be an opportunity for alternative architectures such as RISC-V or OpenPOWER to make up some ground?

Peter Membrey is Chief Architect at ExpressVPN, based in Hong Kong. He is responsible for driving engineering excellence within ExpressVPN and has co-authored over a dozen books and a number of research papers on information security issues. He is a member of IT Professionals NZ.  


