Security researchers from Positive Technologies revealed this week at Black Hat Asia in Singapore how an undocumented technology inside Intel microchips might be activated by attackers.
Maxim Goryachy and Mark Ermolov spoke about the hidden technology during their presentation 'Intel VISA: Through the Rabbit Hole.'
They found that modern Platform Controller Hub (PCH) and CPU contains the Visualization of Internal Signals Architecture (VISA,) a full-fledged logic signal analyzer, which allows monitoring the state of internal lines and buses in real time—a gold mine for researchers.
The researchers took advantage of a previously discovered vulnerability (INTEL-SA-00086) to study the VISA technology, which they believe it is used for manufacturing line verification of chips.
Featuring an enormous number of settings, VISA allows for the creating of custom rules for capturing and analyzing signals. It enables data from memory to be read, and signals from peripherals to be interrupted. Its purpose appears to be that of detecting flaws in processors and microchips. Although hidden and being disabled by default on all commercial systems, the researchers say that VISA can be easily be activated by threat actors.
"An attacker might be able to use the fact that VISA enables the creation of custom rules to capture and analyze signals to create further rules that can capture sensitive data, " they said.
They used publicly available methods to access the might of this technology without any hardware modifications on publicly available motherboards.
The researchers were able to read signals from internal buses and other internal PCH devices; unauthorized access to these devices then allowed for the intercepting of data from the computer memory. They did this using a previously disclosed vulnerability in the Intel Management Engine subsystem that also exists in the PCH microchip. This flaw, the researchers say, enables hackers to attack by injecting spyware in the subsystem code.
Intel claims that the disclosed vulnerability mentioned was mitigated in 2017, adding that systems using the latest firmware are protected from known vectors. However, the researchers claim that Intel's fix isn't enough as the firmware could still be downgraded to enable attackers to enable VISA.
However, in order to get at the VISA functionality an attacker needs that Intel Management Interface exposed, which is generally not the case in most systems.