Security researchers have warned of a major new security vulnerability in Intel’s processors that could compromise hardware-based encryption and DRM protection. The vulnerability exists in Intel processor hardware released over the past five years and could allow an attacker to create special malware, such as a keylogger, that runs at the hardware level, where traditional anti-malware tools cannot detect it. However, Intel’s latest 10th-generation processors are not vulnerable.
Security firm Positive Technologies discovered the flaw and warned that it could break the chain of trust in key technologies such as hardware encryption, hardware authentication and modern DRM protection. Security researcher Mark Ermolov said the vulnerability jeopardizes everything Intel has done to trust the platform and the security foundation.
The root cause of the vulnerability lies in Intel’s Converged Security Management Engine (CSME), a part of Intel chips that protects all firmware running on Intel-based computers. Intel has patched vulnerabilities in CSME before, but researchers warn that CSME firmware is still vulnerable because it is not protected early in the system’s startup.
Successful attacks that exploit this vulnerability require skill and, in most cases, physical access to the computer, but some attacks may be performed locally by other malware that bypasses OS-level protection. This can lead to data on encrypted hard drives being decrypted, hardware IDs being forged, and even DRM-protected digital content being extracted.
Intel downplayed the new security vulnerability, noting that it may require specialized hardware and physical access. “Intel has been informed of a vulnerability that could affect Intel’s Converged Security Management Engine, where unauthorized users with specialized hardware and physical access may be able to execute arbitrary code within Intel CSME subsystems of certain Intel products,” an Intel spokesman said in a statement. Intel issued mitigations and recommended keeping systems up to date. Details can be found in the CVE-2019-0090 security bulletin.