There’s an Unfixable Security Flaw in Intel Chips

Intel chipsets like this 8th generation processor are all vulnerable, as are those manufactured in the last five years. (Image courtesy of Intel.)

Positive Technologies has been in cybersecurity for 17 years and has a breadth of experience in source code analysis and large-scale penetration testing. The company is paid by clients in industries such as telecommunications and electronic banking to discover vulnerabilities in their security systems. It performs a variety of audits and assessments of various critical systems. To do this properly, it engages in a lot of research and development to find different kinds of vulnerabilities. The larger the vulnerability it discovers, the better its reputation becomes.

Security researchers at Positive Technologies discovered a rare kind of vulnerability: a large-scale hardware flaw. It is a zero-day vulnerability in the hardware itself, which makes it unfixable. The company uncovered the flaw in the part of Intel chips that is responsible for many critical activities, including cryptographic functionality, firmware and boot-up, among others. The vulnerability allows potential hackers to insert code and take over the PC.

The Troubling Trend of Hardware Exploits

Hardware exploits are a real pain for manufacturers compared to software exploits. The problem is simply a matter of digital versus physical. A hardware issue requires physical patches, which are basically impossible for mass-manufactured goods such as processor chips. As with Spectre and Meltdown, software patches are used to fix hardware flaws, but doing so is much trickier. Intel was slammed in 2018 for the Meltdown and Spectre flaws that exposed critical data to potential malicious attackers through a similar hardware vulnerability in its chips.

In the worst-case scenario, an attacker could gain access to applications and system files within the operating system and “own” the computer remotely. In the new flaw discovered by Positive Technologies, the vulnerability lies in the ROM and would give hackers access to a single key used by Intel for whole generations of chipsets, making it much more difficult or impossible to protect Intel chipset users. With the flaw, hardware IDs could eventually be copied, and then digital files and even encrypted information could be accessed and stolen.

Bottom Line

Though the zero-day flaw is unfixable, exploiting it requires a great deal of technical skill, expensive equipment and, initially, physical access to a machine. The vulnerability affects Intel chipsets made in the last five years. Positive Technologies notified Intel of the flaw in May 2019, and the company has responded with integrated software patches in the form of firmware updates that it believes will mitigate and disrupt attempts to exploit the new vulnerability.