Intel’s Secret Key to Decrypt Microcode Patches is Exposed

Intel’s Secret Key to Decrypt Microcode Patches is Exposed

Intel’s Secret Key to Decrypt Microcode Patches is Exposed

A group of security vulnerability researchers, after many months of work, were able to figure out the update process and secret key used to decrypt Intel microcode updates for the Goldmont architecture product lines.

This is an important finding as it peels back yet another layer of the onion that protects the core CPU from malicious manipulations. It allows outsiders to pull back the veil that has obfuscated patch contents, crafted to close vulnerabilities in Intel CPU’s, so they may understand what is exploitable in the processor. This is a leap forward for hardware hackers. It is the next step that assists in dismantling the traditional defense structures that have protected the update process of Intel core CPUs. 

Intel_Secret_Microcode_Keys_is_Exposed.png

The discovered key itself does not represent a direct system hacking threat at the moment, but it will provide researchers a much greater level of access and visibility to the inner workings of the CPU and may likely facilitate the discovery of many other vulnerabilities. 

The extracted RC4 secret key employs a symmetric cipher that has known weaknesses dating back to 2001 and has not been considered secure for most usages since 2015.  This key handless both the encryption and decryption of data. From all accounts, it appears the signing key, which verifies the legitimacy of a patch, was not compromised. Therefore, it would be difficult to remotely push a maliciously crafted microcode update to systems, as the devices should disregard it because it lacks the necessary authentication.

However, given the access to the key and onboard debug service mode, there may be a possibility that an attacker with direct physical access to the system might be able to run locally modified instructions on a targeted system. There would be limitations but the access and control would potentially be unprecedented. Overall, the greater threat is how this capability will enable the next steps of vulnerability research which could open up much greater avenues of attack.

Dan Goodin, Security Editor at Ars Technica, reached out to Intel for their position, which he published in his outstanding articleThe official response from Intel reads like it was written by lawyers and engineers, but absent cybersecurity mindsets. It talks only about the current exposure and not the long-term likely ramifications.

The issue described does not represent security exposure to customers, and we do not rely on obfuscation of information behind red unlock as a security measure. In addition to the INTEL-SA-00086 mitigation, OEMs following Intel's manufacturing guidance have mitigated the OEM specific unlock capabilities required for this research. The private key used to authenticate microcode does not reside in the silicon, and an attacker cannot load an unauthenticated patch on a remote system.

Intel should be worried. The flood of vulnerabilities and exploits in recent months against their products has shown systemic problems. The focus and research against hardware is only increasing and Intel is a prime target. The exposure of the microcode key will help accelerate the discovery of more secrets that pose a risk to the security of Intel’s products.

Leave a comment and be sure to subscribe to the Cybersecurity Insights channel for more rants, news, and perspectives.

Share this article

Leave your comments

Post comment as a guest

0
terms and condition.
  • John Gilmore

    Intel lost the game

  • Katie Dagnall

    This is huge !!!

  • Andrew Sotiriou

    Intel is in a big trouble !!!

  • Rob Humphreys

    They have fallen...

  • Jake Powell

    You know Intel is cooking up something that’s gonna get them multimillion dollar fines.

  • Bobby White

    I knew that something was wrong !

  • Scott Andrews

    Researchers warned us before it's too late ...

Share this article

Matthew Rosenquist 

Cybersecurity Expert

Matthew Rosenquist is an industry-recognized pragmatic, passionate, and innovative strategic security expert with 28 years of experience. He thrives in challenging cybersecurity environments and in the face of ever shifting threats. A leader in identifying opportunities, driving industry change, and building mature security organizations, Matthew delivers capabilities for sustainable security postures. He has experience in protecting billions of dollars of corporate assets, consulting across industry verticals, understanding current and emerging risks, communicating opportunities, forging internal cooperation and executive buy-in, and developing practical strategies. Matthew is a trusted advisor, security expert, and evangelist for academia, businesses, and governments around the world. A public advocate for best-practices, and communicating the risks and opportunities emerging in cybersecurity. He delivers engaging keynotes, speeches, interviews, and consulting sessions at conferences and to audiences around the globe. He has attracted a large social following of security peers, is an active member on advisory boards, and quoted in news, magazines, and books. Matthew is a recognized industry expert, speaker, and leader who enjoys the pursuit of achieving optimal cybersecurity. Matthew Rosenquist is experienced in building world class teams and capabilities, managing security operations, evangelizing best-practices to the market, developing security products, and improving corporate security services. 

   
Save
Cookies user prefences
We use cookies to ensure you to get the best experience on our website. If you decline the use of cookies, this website may not function as expected.
Accept all
Decline all
Read more
Analytics
Tools used to analyze the data to measure the effectiveness of a website and to understand how it works.
Google Analytics
Accept
Decline