Intel CPU

Attackers with access to a device can take control over a target's computer and bypass all local security systems by abusing a hardware debugging interface included with Intel CPUs, which in recent years has become accessible via an external USB 3.0 port.

The debugging interface is JTAG (Joint Test Action Group), a debugging framework that has been included for many years with Intel chipsets.

JTAG works under the software level, allowing engineers, developers, and system administrators access to a hardware debugging utility that can provide insight into how the OS kernel, hypervisors, and local drivers are performing.

Design decision opens JTAG interface to attacks

In older Intel CPUs, the JTAG interface was only accessible by connecting a special device to the ITP-XDP port found on the motherboard, inside a computer's chassis.

Starting with the Skylake CPU line released in 2015, Intel dropped the ITP-XDP interface and allowed developers and engineers to access this powerful debugging utility via common USB 3.0 ports, accessible from the device's exterior, via a new a new technology called Direct Connect Interface (DCI).

Two Positive Technologies security researchers, Maxim Goryachy and Mark Ermolov, argue that this has significantly simplified the attack procedure needed to take control of Intel-based machines.

The two explain that while most hardware vendors disable the DCI interface before they ship products out of the factory's gateway, the DCI interface can be re-enabled via a computer's BIOS settings.

If a target doesn't password-protect its BIOS, attackers can enable this setting, and then connect via USB and alter core processes, undetectable to any type of security software installed on a targetted machine.

Attackers need a special code

The only downside is that the BIOS DCI setting can be enabled only via a special code issued by Intel. Nevertheless, a determined attacker can acquire the code from the device acquisition documents.

"For example, you order a number of laptops with U-series CPUs for your company," researchers say. "The bad guys interfere with the purchasing process, activate DCI at any time via BIOS or with special activation code on a target system, and all the testing is successfully passed (correct BIOS version, everything matches, all disks are encrypted, etc.). Then an insider with a malicious USB device plugs the device into one of these laptops at the company and gets full access while no one is watching".

The attack scenario the two researchers describe contains a lot of "ifs" and "buts," but the attack is highly effective and stealthy if the BIOS is unprotected and if they get their hands on the DCI setting activation code.

Contacted by the researchers, Intel engineers didn't appear to be worried by the Positive Technologies crew, citing the same details in their response:

Intel implemented a proprietary Intel® Direct Connect Interface (DCI) over USB for JTAG debugging of closed chassis systems as a feature for 6th and 7th Gen Intel® Core™ processor based platforms. DCI is an integral part in enabling debug of today's light and small form factor systems via industry standard JTAG protocols. To provide additional security, the DCI interface is disabled by default per Intel specification and can only be enabled with user consent via BIOS configuration. Physical access and control of the system is required to enable DCI, however even when enabled, access to Intel confidential capabilities of the JTAG debugging commands is not possible without proprietary keys obtained via Intel license agreement.

Below is Maxim Goryachy presenting his findings at last year's 33rd Chaos Communication Congress held in Germany in December.