Researchers have discovered a major new security flaw inside processors made by US multinational corporation and chip making giant Intel for the past five years. The flaw allow exploits to defeat hardware-based encryption and DRM protections. According to security company Positive Technologies, the security bug could break apart a chain of trust for important technology like silicon-based encryption, hardware authentication and modern DRM protections.
"We will provide more technical details in a full-length white paper to be published soon. We should point out that when our specialists contacted Intel PSIRT to report the vulnerability, Intel said the company was already aware of it (CVE-2019-0090). Intel understands they cannot fix the vulnerability in the ROM of existing hardware. So they are trying to block all possible exploitation vectors. The patch for CVE-2019-0090 addresses only one potential attack vector, involving the Integrated Sensors Hub (ISH). We think there might be many ways to exploit this vulnerability in ROM. Some of them might require local access; others need physical access," said Mark Ermolov, from Positive Technologies.
Virtually all Intel chips released in the past five years contain an unfixable flaw that may allow sophisticated attackers to defeat a host of security measures built into the silicon.
While Intel has issued patches to lessen the damage of exploits and make them harder, security firm Positive Technologies said the mitigations may not be enough to fully protect systems, ArsTechnica reported on Friday.
The security vulnerability discovered applies to machines with Intel chips built over the last five years or so. Intel said that it was notified of the vulnerabilities and released mitigations in May 2019 to be incorporated into firmware updates for motherboards and computer systems.