November 20, 2017 | By Joel Odom
Security researchers from Positive Technologies report having found a serious flaw in Intel-based PCs that allows an attacker to take complete control of an affected computer via its USB interface. The vulnerability, which Positive Technologies will fully disclose in December at Black Hat Europe, allows an attacker with USB port access to take over a PC's Intel Management Engine (IME). Since IME has broad control of a computer's hardware, the vulnerability offers full control of any affected computer. The researchers' initial claims indicate that the flaw exists on most Intel-based PCs manufactured since 2015.
IISP Analyst Joel Odom: "Though we will have to wait on Positive Technologies to disclose the full details of this vulnerability, it looks like this is the real deal. The attack path apparently uses the Joint Test Action Group (JTAG) debugging features on a vulnerable PC's USB port to gain access to the IME. The IME is a 'tiny homunculus computer' (thanks to the Electronic Frontier Foundation for that delightful term) embedded into Intel-based PCs manufactured in the last 10 years that allows enterprises to remotely control their computers. Unfortunately, this embedded master controller can also be used by attackers to take control of a computer, which is exactly what Positive Technologies claims to have done.
The Electronic Frontier Foundation has an excellent writeup on IME and how it is ripe for misuse. In May, researchers demonstrated a remotely-exploitable IME vulnerability that allowed attackers to take control of some affected PCs, and there are certainly more undiscovered vulnerabilities lurking in IME. IME is a clever idea, but clever ideas are often the enemies of security.
Does the fact that physical access to a computer's USB port is required mitigate this vulnerability? Yes, it does, if you are only interested in remotely-exploitable vulnerabilities. The problem is that physical access to a system is often easy to achieve. For a USB-based attack to work, all you may have to do is to plug into a computer for a few seconds while the user is not looking, or maneuver the user into inserting a USB device for you. Modified USB devices sold via online vendors could leave enterprises vulnerable to compromise via the supply chain. We will have to wait for full disclosure at Black Hat to know the full impact of this vulnerability, but it looks like it's going to be another big one."
For further reading
- HackRead: https://www.hackread.com/intel-management-engine-technology-just-got-exposed-through-usb-ports/
- BlackHat Europe: https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668