New Intel CSME CPU Bug is 'Unfixable' Security Vulnerability Affecting Chipsets Released Over Last Five Years

A new vulnerability has been discovered in Intel CPU chipsets, purportedly unfixable, which could threaten enterprise users and content rights holders across the globe using chipsets released in the last five years.

The exploit targets already known vulnerabilities in the Intel Converged Security and Management Engine, which is responsible for the initial authentication of Intel-based systems by loading and verifying all other firmware for modern platforms.

Researchers at enterprise security firm Positive Technologies discovered that this vulnerability could allow hackers to compromise platform encryption keys and steal sensitive information, adding the "unfixable vulnerability in Intel chipsets threatens users and content rightsholders."

Encryption is a process that translates plain text data into something that is random and meaningless, also known as ciphertext. Decryption is converting this random text back to readable information.

Mark Ermolov, the lead specialist of OS and hardware security and one of the researchers involved in the discovery, explained: "Attackers can obtain the key in many different ways. For example, they can extract it from a lost or stolen laptop to decrypt confidential data. Unscrupulous suppliers, contractors, or even employees with physical access to the computer can get hold of the key.

"In some cases, attackers can intercept the key remotely, provided they have gained local access to a target PC as part of a multistage attack or if the manufacturer allows remote firmware updates of internal devices, such as Intel Integrated Sensor Hub."

Intel has confirmed that it is aware of the discovery in its CSME and that it affects most Intel chipsets released in the last five years—other than Ice Point (Generation 10). Other products include:

  • Intel CSME prior to versions 11.8.65, 11.11.65, 11.22.65, 12.0.35
  • Intel Server Platform Services prior to version SPS_E3_05.00.04.027.0
  • Intel Trusted Execution Engine prior to versions TXE 3.1.65, TXE 4.0.15

The company has advised that anyone affected by this vulnerability should contact their system or motherboard manufacturer to obtain a firmware or BIOS update. Intel has confirmed that it can't provide updates for systems or motherboards from other manufacturers.

The vulnerability—known as CVE-2019-0090—allows a local attacker to extract the chipset key stored on the Intel Platform Controller Hub microchip and obtain access to encrypted data. According to Positive Technologies, this sort of breach is impossible to detect, making the potential threat more concerning.

Intel Chip
Intel Fellow Wilfred Gomes, a member of Intel’s Silicon Engineering Group, holds a processor with the advanced packaging technology called Foveros. It combines unique three-dimensional stacking with a hybrid computing architecture that mixes and matches multiple types of cores for different functions. According to Positive Technologies, chipsets from the last five years are affected by an undetectable security vulnerability. Walden Kirsch/Intel Corporation

"With the chipset key, attackers can decrypt data stored on a target computer and even forge its Enhanced Privacy ID (EPID) attestation or in other words, pass off an attacker computer as the victim's computer," states a Positive Technologies the press release.

EPID is used in Digital Rights Management (DRM), financial transactions, and the processes around verifying remote devices. For example, attackers can exploit the vulnerability to bypass content DRM and make illegal copies.

"Since it is impossible to fully fix the vulnerability by modifying the chipset ROM, Positive Technologies experts recommend disabling Intel CSME based encryption of data storage devices or consider migration to tenth-generation or later Intel CPUs," explains the press release.

Founder of World Privacy Forum, Pam Dixon, believes that while the vulnerability could potentially be exploited in the future, it would require a combination "extraordinary skill, time, and physical access to the affected device."

"Yes, it's a serious flaw that could someday enable bypassing DRM and other protections, but it appears that there are questions as to how it could be scaled to widespread use at this time," she told Newsweek. "An attacker would need to go through multiple very difficult steps to unlock the Chipset Key, and that requires physical access.

"Something that may factor into a risk analysis at the consumer level is the growing use of iPads and other iOS devices to create and access content. iOS devices do not have this vulnerability and could blunt potential impact, possibly significantly.

"Also, not all laptop models have the older chips with this vulnerability. At the enterprise level, as time goes on and the affected devices are replaced by new devices without this vulnerability, the risk will continue to decrease. However, that being said, protecting physical access to affected devices at the enterprise level just became even more important," said Dixon.

How can I check if I'm affected by this security vulnerability?

According to Intel, anyone concerned about potentially being affected by the vulnerability should reboot their system and access the system BIOS.

For Windows PC users, the BIOS key is set by the manufacturer—normally F10, F2, F12, F1 or DEL. Intel ME/Intel CSME firmware information might be available in the BIOS information screens, but if it isn't available in the system BIOS, contact the system manufacturer for assistance.

Mike Jennings, a technology expert and writer, told Newsweek: "Intel has always had security vulnerabilities—it's hard for them to keep up when hackers always move goalposts. Meltdown and Spectre are two of the highest-profile vulnerabilities of recent years, although they've both been fixed since.

"If people keep hold of their computers, have decent security software installed and keep their computers updated, they'll be fine."

Newsweek contacted Intel for comment and was provided with the following statement: "Intel was notified of a vulnerability potentially affecting the Intel Converged Security Management Engine in which an unauthorized user with specialized hardware and physical access may be able to execute arbitrary code within the Intel CSME subsystem on certain Intel products. Intel released mitigations and recommends keeping systems up-to-date.

"Additional guidance specific to CVE-2019-0090 can be found at: https://www.intel.com/content/www/us/en/support/articles/000033416/technologies.html."