Lesson one: If you have a breach communicate

Universities are frequently targeted due to the amount of personal, confidential data being held. This is accumulated as part of the application process, along with on-going course attendance. One recent target has been the University of Warwick. The university is located in the Coventry in the UK, and is part of the Russell Group. While the details of the successful attack have not been published, this attack may have been invited in by one of the users. The issue may have all started with a user installing remote viewing software in 2019. At this point, the attackers were able to gain a foothold into the system and pivot into other areas, providing the data and information they sought.

Data

As to be expected, the attack had a focus. In this case, it was the usual data and information. The breach allowed the attackers access to student information. The attackers had also access to the staff and volunteer private information. This would provide the attackers the data needed for various unlawful acts, including taking over someone’s identity, getting credit in the other person’s name, and other fraudulent acts.

Multiple Breaches

In general, one breach is a bad operational defect. This can be devastating to the university, staff, and students in the short- and long-term. This can reach into the full network, or sections, based on the attack and target. If the attacker simply wants to exfiltrate data quickly that is marketable, they may breach the accounting or Human Resource networks. If they want to own the system and possibly extort funds, this is yet another avenue that may be best attacked with ransomware or other malware. In this case, the University was breached several times.

Problematic Factors

Simply stated, the university was breached. Granted, this is a rather unpleasant set of circumstances with potential legal consequences. There appears to be a systemic operational issue though with the breaches. First, there were multiple breaches within the university’s system in 2019. One is bad enough, with the damage that may be done. When you have multiple, the attackers know they are able to get in, get what they want, and exit with ease. If there were to have been an apprehension or concern on the part of the attackers, perhaps they would not have returned so brazenly. For them to return and enter unfettered is indicative of a larger issue.

With these multiple breaches, there is data, intellectual property, and other items possibly removed. There is also the opportunity for them to leave something behind, be it other back doors or malware, to make their life even easier if they would want to enter later. This has a clear impact on the staff and students. From the point in time for the breach, until the notification, the affected persons are blind to the attacker’s using their personal data and information, any researcher’s work product being in unauthorized hands, and generally being open to issues themselves. In this case, the university withheld this information.

One rationale for this was the university did not have the budget and resources to work on this. This, on its own, is an issue. Too many staff do not appreciate the cybersecurity role, and what this actually brings to the organization. Without a robust cybersecurity program in place, there will be issues and many unauthorized persons will have access to your private information. In other words, a reasonably prudent organization would have this in place to protect the data and information which has been given to it to manage and steward.

On another point, prior to the breach, the university was audited by the Information Commissioner’s Office, whose focus is data protection. The report, published in March, noted the chairperson of the university’s data protection privacy group (DPPG) should be replaced with an alternative with more experience. Upon receipt and review, the registrar completely agreed with their findings. Curiously, the registrar and Data Protection Officer are the same people. While the report is after the fact, the indicators had been present for some time and should have been acted on long ago. This report based on the audit was how the staff and students learned of the breaches and that their data had been compromised. Without this report, who knows when the university would have let anyone know of the circumstances. For some reason unbeknownst to many, the registrar joked about the audit, stating it was “tomato colored” and acting dismissive as to the possibility the data was at risk.  

In certain circles, not accomplishing this may be considered negligence.

Apparently, the lack of oversight and resources was to the extent the university may have known they were breached, however, had no idea of what data or systems had been impacted by the attack.

Mitigations

To overcome these problems, the university has created two additional committees to assist with the governance in this area and to provide advice. The university also put a new Chief Information and Digital Officer in place to better the cybersecurity stance.

Lessons

To fully fund the cybersecurity teams and the working group is still vital to operations, and any entity. If you are apathetic as to the network, operations, and any repercussions from a breach and being totally pwned by an unauthorized third party, there is an issue. In these times of budgetary constraints, allocating the resources can be a difficult task. The alternative though tends to be much more expensive financially in the short- and long-term, and provides the opportunity for the organization to be in the news, for all the wrong reasons. There needs to be some form of a balance with the operations. Without this in place, the organization is simply a target waiting to be breached and having to send out the breach notification letters.

There also needs to be the appropriate staff doing the appropriate tasks. There is room for staff with their specific expertise in any organization. When you someone in a role they do not have the experience for, you will have issues. At a senior management level in cybersecurity, there is not the time or the availability of resources to attempt to learn on the job. There will be areas that will be missed in tasks and functions as the person moves through the learning curve. This is not the first time someone has been placed in a management position in cybersecurity without the requisite experience, exemplary of the Peter Principle.

When you have a report publishing of record there are data breaches, as a member of management, you should not act apathetic and as if you are above the findings. The staff in charge of the cybersecurity for a university should take care of the data they are stewarding. They should care enough to ensure their staff and student’s information is not at risk. When an independent third party has to inform you of breaches, something should be done to protect the university, students, and staff other than commenting, as the registrar did, “If I tell you what, I ‘I must kill you.’”

This is a rather serious issue as the breach included personal data and access to the network, unfettered. There is in place during the breach of the GDPR. As time passes, it will be interesting to note if the government actually applies the GDPR or any of the like laws or statutes to the university for the significant error and indifference to the staff and students. The registrar’s response is one of the reasons why there are still numerous breaches.

Anyone affected by this should be wondering why the responsible staff are still present and working at the university, especially the registrar.

Resources

Jay, J. (2020, April 28). Warwick university suffered multiple breaches due to poor security protocols. Retrieved from https://www.teiss.co.uk/warwick-university-data-breaches/ 

Karageorgi, N., & Toms, O. (2020, April 27). University of warwick kept data breach secret from students and staff. Retrieved from https://theboar.org/2020/04/university-of-warwick-kept-data-breach-secret-from-students-and-staff-last-year/ 

Martin, A. (2020, April 27). The university of warwick was hacked and kept secret the breaches of students and staff. Retrieved from https://oltnews.com/the-university-of-warwick-was-hacked-and-kept-secret-the-breaches-of-students-and-staff 

Martin, A. (2020, April 27). Warwick university was hacked and kept breach secret from students and staff. Retrieved from https://news.sky.com/story/warwick-university-was-hacked-and-kept-breach-secret-from-students-and-staff-11978792 

Millman, R. (2020, April). GDPR ignored by warwick university? Retrieved from https://www.scmagazineuk.com/gdpr-ignored-warwick-university-failure-alert-staff-students-data-breach/article/1681689 

Rodger, J. (2020, April 27). Warwick university kept data hack secret from students and staff. Retrieved from https://www.birminghammail.co.uk/news/midlands-news/warwick-university-kept-data-hack-18156758 

Sandford, E. (2020, April 27). Hackers targeted university of warwick. Retrieved from https://www.coventrytelegraph.net/news/coventry-news/hackers-targeted-university-of-warwick-18157358

Beaumont Hospital with more woes

Hospitals have an exceptionally important role in society-to provide medical treatment. If this is not important enough, taxing the staff, budgetary constraints, and operations in general, there is the COVID-19. To add to this mountain of woe is in one instance is Beaumont Hospital announcing a data breach from last year. Beaumont Health is Michigan’s largest healthcare system.

Incident

In May 2019, the Beaumont Health System email system was breached by an unauthorized third party. The attacker accessed several of Beaumont’s employee email accounts. A portion of these held patient data. The health system became aware of the breach on March 29, 2020. The attackers had access from May 23, 2019, through June 3, 2019. The press release and articles do not indicate how this was discovered or the attack vector (e.g. phishing, social engineering, or another tactic).

One question which should be asked is why detecting this takes nearly a year. During the year the 112k+ persons, or approximately 5% of the 2.3m patients the health system has records for, affected by this were living their lives, thinking everything was fine and there were no worries. This has also been estimated at approximately 114k patients. One day, the affected persons then receive a notice of the unauthorized access, the data compromised, and the hospital's regrets. Was the InfoSec team under-staffed or simply the SIEM was not configured to detect this activity?

The health systems investigation was not able to ascertain if any of the data was actually copied or downloaded by the attackers. In retrospect, if you were going to go to the work and resource use to breach a hospital, once you accomplished your goal, you would not simply walk away.

Data

The unauthorized access is problematic on its own level. To add insult to the injury, the data access included the patient’s name, date of birth, diagnosis, procedure, treatment location, treatment type, prescription information, Beaumont patient account number, and medical record numbers.

But wait; there’s more. A portion of this sample, approximately 460 patients, also had their social security numbers, financial account information, health insurance information, and driver’s license or state identification numbers involved with this. The data was held in emails and email attachments.

When we think through this, the data involved may be used in a myriad of ways. This includes taking over the patient’s identity, filing false tax returns, gaining credit cards in their name, etc. Also, the records could be ransom-wared off. This will add the concern to the already stressed population.

Post-Incident

To remediate the issue, Beaumont has taken steps to better their internal processes and procedures to better their cybersecurity stance. Their press release also notes they will be addressing future threats. The health system is also going to provide additional training for the staff.

The health system’s recommendations to the affected parties were to monitor their insurance statements. Granted this is obvious, however, more action on the health system’s part would have been warranted.

History repeats itself

It would be great to say this was a one-off incident and there has never been an issue. Unfortunately, this is not the case. This represents the second breach this year announced. The prior announcement was in January when the health system notified 1,182 patients that a former employee had been accessing the records of patients. These patients had received treatments after automobile accidents. This data was forwarded to a personal injury attorney.

Resources

Ainsworth, A. (2020, April 17). Beaumont health alerts patients that unauthorized third-party accessed emails containing personal information. Retrieved from https://www.clickondetroit.com/news/local/2020/04/17/beaumont-health-alerts-patients-that-unauthorized-third-party-accessed-emails-containing-personal-information/ 

Davis, J. (2020, April 21). Beaumont health reports 2019 data breach impacting 114k patients. Retrieved from https://healthitsecurity.com/news/beaumont-health-reports-2019-data-breach-impacting-114k-patients

Fox2 Detroit. (2020, April 18). Beaumont health says 112k patients were impacted by data breach. Retrieved from https://www.fox2detroit.com/news/beaumont-health-says-112k-patients-were-impacted-by-data-breach

HIPAA Journal. (2020, April 20). Beaumont health notifies 112,000 patients about may 19 data breach. Retrieved from https://www.hipaajournal.com/beaumont-health-notifies-112000-patients-about-may-2019-data-breach/

Shamus, K.J. (2020, April 17). Beaumont health security breach puts personal information of 112,000 at risk. Retrieved from https://www.bridgemi.com/business-bridge/beaumont-health-security-breach-puts-personal-information-112000-risk and https://www.freep.com/story/news/health/2020/04/17/beaumont-health-security-breach-personal-information/5155716002/

Stone, J. (2020, April 20). Detroit hospital network says data breach affected more than 100,000 patient accounts. Retrieved from https://www.cyberscoop.com/beaumont-health-data-breach/

Walsh, D. (2020, April 18). Data breach at Beaumont exposes information of 112,000 patients. Retrieved from https://www.modernhealthcare.com/cybersecurity/data-breach-beaumont-exposes-information-112000-patients

WXYZ. (2020, April). Beaumont says data incident impacted 112k people; names, SSNs and more were in emails accessed. Retrieved from https://www.wxyz.com/news/beaumont-says-data-incident-impacted-112k-people-names-ssns-and-more-were-in-emails-accessed

Vehicle cybersecurity still lacking: Ford Focus and Volkswagen Polo

Vehicles are becoming increasingly connected and complicated. The modules/equipment in the vehicle along with the connectivity makes the newer vehicles targets with many attack vectors. With these advances, the consumer would think cybersecurity would be the first thing on the engineer’s mind. Unfortunately, this is not always the case. It is likewise notable, there are many laws and statutes directed at the vehicles for emissions and other aspects of the vehicle. While these are indeed needed, there are no laws focused on the cybersecurity applied to vehicles. There is a handful of these in the works, however, at this stage, these are more voluntary and may be presented as more of a standard versus legislative action.

Successful breach

While these are noteworthy, generally, if an automobile the manufacturer does not have to or is strongly encouraged to, it is difficult to get the issue resolved and feature in the vehicle. A recent case in point involved a For Focus Titanium Automatic 1.0L and a Volkswagen Polo SEL TSI Manual 1.0L. These are both gas-powered vehicles and are very popular in Europe.

Researchers at Context Information Security were tasked with conducting a pentest of sorts on these two vehicles.

The research indicated there were rather serious cybersecurity flaws with the test vehicles. The researchers have reported these and are waiting until providing their test to the public as part of the responsible vulnerability disclosure process. This provides the manufactures time to correct or mitigate the issue, prior to sending the vulnerability, and how to attack it to anyone who has an internet connection.

Researcher’s attacks generalized

While the specifics are not available, the researchers did release general information regarding their successful attacks. As a recap, the subject vehicles, and nearly all others at this point use the Controller Area Network (CAN) to communicate between the modules in each vehicle. These communications are relevant for tire pressure, driving controls, braking, steering, etc. If this is successfully attacked, the driver and passengers assuredly are going to have a bad day. This area was one where the researchers were able to successfully access the Polo.

There was also another vulnerability with OTA (over the air) updates. The vehicles have a number of computers and programs located with the vehicle’s system. These at times need to be updated. Think of it like when you turn off your computer and the system warns you there are patches that need to be uploaded for your system. To have the owners all make appointments to drive their vehicles in every time there is an update is not a workable solution and would halt any work that would need to be done in the repair/maintenance portion of the garages at the dealerships. The researchers were able to tamper with these updates, thus adding the malicious functionality of changing the official update to whatever they would want.

The researchers also found a vulnerability with the infotainment unit in the vehicle. This, when successfully attacked, would enable or disable the vehicle’s traction control, tamper with the headlights, and holds a large amount of personal data (e.g. phone contacts, and location history). This attack was accomplished with a simple command. For this attack, the researchers or bad actors would need to have physical access. While this is a hurdle, it is not impossible, especially since this would only take approximately five minutes.

There were other tests done, with mixed results.

The researchers, curiously, were able to find the Wi-Fi credentials that apparently were for the computer systems on the Ford production line. This is a rather significant and truly bad thing to have that easily accessible.

Resources

Chllingsworth, L. (2020, April 15). Which? Identifies security risk in these road vehicles as hackers may steal your data. Retrieved from https://www.express.co.uk/life-style/cars/1269260/which-ford-volkswagen-car-security-safety-hackers-crime

Forrester, N. (2020, April 15). Latest ford and Volkswagen smart cars pose ‘serious’ privacy and security risk. Retrieved from https://securitybrief.asia/story/latest-ford-and-volkswagen-smart-cars-pose-serious-privacy-and-security-risk

Hull, R. (2020, April 8). Popular ford and vw cars found to have ‘serious security flaws’ with their connected systems putting personal data and safety at risk. Retrieved from https://www.thisismoney.co.uk/money/cars/article-8201733/Popular-Fords-VWs-security-flaws-connected-tech.html

Laughlin, A. (2020, April 9). We hacked ford focus and a volkswagen polo. Retrieved from https://www.which.co.uk/news/2020/04/we-hacked-a-ford-focus-and-a-volkswagen-polo/

Newsquest Digital Content Team. (2020, April). Ford and vw cars exposed to hackers after ‘serious’ security flaws. Retrieved from https://www.worcesternews.co.uk/news/regional/18389786.ford-vw-cars-exposed-hackers-serious-security-flaws/ and https://www.yorkpress.co.uk/news/national/uk_today/18378273.ford-vw-cars-exposed-hackers-serious-security-flaws/

Thomas, P. (2020, April 10). Popular ford and vw cars found to have ‘serious security flaws’ with their connected systems putting personal data and safety at risk. Retrieved from https://www.iaati.org/news/entry/popular-ford-and-vw-cars-found-to-have-serious-security-flaws-with-their-co

4CAN as another vehicle cybersecurity testing tool

Vehicle cybersecurity continues to grow in pertinence. This is especially the case with the CAV (connected and autonomous vehicle) as these advancements in technology application and improves in performance. The connected vehicles are already in place and used on the road. The autonomous vehicles are still being developed and tested. There will be a time when the scenes in movies, e.g. iRobot with the fleets of self-driving cars, are in place with the vehicles communicating with each other and the infrastructure (V2V, and V2I). 

As the prominence continues to grow, so does the potential for attack. This may be from the bad actors looking for their 15 minutes of fame, malicious attackers, or cybersecurity researchers. In each of these vehicles are also vastly more attack points than in prior years. The modern vehicles have hundreds of sensors feeding data to the vehicle regarding the vehicle and also the environment in which it is driving. These may be LiDAR, radar, cameras, microphones, and other sensors. These sensors provide real-time data to the vehicle and end-users on the vehicle’s operations, which is processed immediately dependent on the criticality. 

The attackers may have access to the vehicle’s computers through the vehicle’s WiFi, Bluetooth, or cellular means. While this is notable, the controller area network (CAN) is what carries the messages through the vehicle. 

4CAN

To better protect the vehicle, better tools have to be created, which is what was done in 3Q2019 by Cisco. 4CAN was originated by George Tarnovsky, who is a member of Cisco Customer Experience Assessment and Penetration Team (CX APT). This is a hardware tool and was released as open-source. This is a PiHat, meaning the 4CAN is attached on top of the Raspberry Pi. This was engineered to be used by all automobile security researchers. The focus is to test the sensors and computers within the vehicle to check for vulnerabilities. As noted, the bench setup is much cleaner, simpler, and easier to use. This changes a 4 piece set up, including two Beaglebone boards, to two pieces of equipment.  This also lessens the setup time for the lab staff. 

The 4CAN tool works to validate the communication policy for intra-CAN bus communication, fuzzing the sensors and modules to detect vulnerabilities, and use various CAN commands to interact with the vehicle. The interaction hopefully would also detect any sensor or module vulnerabilities with the messages being sent. The tool is designed to test four CAN channels at once. 

While the tools do have advanced capabilities and would suit many use cases, the 4CAN is able to complete these tests with a simplified bench set up. This assists the lab engineer to keep it simple and organized.

Resources

Arghire, I. (2019, August 23). New tool from cisco hunts flaws in automotive computers. Retrieved from https://www.securityweek.com/new-tool-cisco-hunts-flaws-automotive-computers 

CISOMAG. (2019, August 26). Cisco releases new security tool to identify vulnerabilities in connected cars. Retrieved from https://www.cisomag.com/cisco-releases-new-security-tool-to-identify-vulnerabilities-in-connected-cars/

DeTrano, A., Royes, J., & Valites, M. (2019, August 22). New 4CAN tool helps identify vulnerabilities in on-board car computers. Retrieved from https://blog.talosintelligence.com/2019/08/new-4can-tool-helps-identify.html

DeTrano, A. (2019, August 5).4CAN. Retrieved from https://github.com/alexdetrano/4CAN/tree/master/tools 

Haking. (n.d.). 4CAN-Open source security tool to find security vulnerabilities in modern cars. Retrieved from https://hakin9.org/4can-open-source-security-tool-to-find-security-vulnerabilities-in-modern-cars/ 

Meterpreter. (2020, April 16). Cisco releases 4CAN tool to find vulnerabilities in on-board car computers. Retrieved from https://meterpreter.org/cisco-releases-4can-tool-to-find-vulnerabilities-in-on-board-car-computers/ 

N, B. (2019, August 25). 4CAN-Cisco released new open source security tool to find security vulnerabilities in modern cars. Retrieved from https://gbhackers.com/4can/ 

Paganini, P. (2019, August 24). Cisco has released a hardware tool, called 4CAN, developed to help researchers to discover vulnerabilities in automotive systems. Retrieved from https://securityaffairs.co/wordpress/90317/hacking/4can-automotive-testing-tool.html

Ba-Zynga: Being hacked is no game

Mobile gaming is an exciting field to work in and play in. With the processing of phones currently, there is not the lag present years ago. There are many companies that create these games. One of these is Zynga. Zynga is a social online game developer. The company became popular approximately a decade ago with the mobile game Farmville. They also own Words with Friends, Zynga Poker, Mafia Wars, and Café World.

Data Exfiltrated

The Zynga website was successfully attacked. This affects the gamers on the iPhone and Android platforms who installed and signed up for ‘Words with Friends’ game on or before September 2, 2019. This specifically affects the logins for game Words With Friends, and by some reports also Draw Something. The breach was reported on September 12, 2019. There were more than 170M user names and passwords exfiltrated with this attack.

This affects those users who had signed up for Draw Something or Words With Friends prior to September 2, 2019. This database held the credentials for 172,869,660 accounts. These were stored with salted SHA-1 hashes. The database held names, email addresses, login IDs, hashed passwords with SHA1 with salt, password reset token if one was ever requested, phone numbers if provided, Facebook ID (if connected), and Zynga account ID. There was no financial information accessed.

Not the first time

The hacker, from Pakistan, was contacted to comment on this. The hacker handle for the person is Gnosticplayers. This is not the first time Gnosticplayers have been able to breach the defenses and exfiltrate data. They also had the pleasure of exfiltrating much smaller databases previously with approximately 7M passwords, which were not secured. These databases were for the discontinued game OMGPop.

Concerns

This was not the first or second time this has occurred with Zynga. This would indicate a distinct lack of care for the data entrusted to the company by the users and for cybersecurity in general. Zynga, every time a user registers and puts their data in the online form, entrusts Zynga to do the right thing with the data. This did not occur, clearly, since the same issue has been shown again and again.

On another point, the passwords were salted and hashed. Generally, when industry-standard hash protocols are used, this is a good security measure. The issue is, however, industry standards were not followed.

Zynga has also not elected to note how this attack occurred. While this is not something a company would want to be known for, this could have assisted others to learn from their oversight.

Mitigation

Once detected, Zynga did contract with a third-party forensics firm to assist with the investigation, as well as law enforcement. Naturally, they also contacted the affected users to change their passwords.

Resources

Dunham, J. (2019, December 19). 173 million accounts exposed in hack of ‘Words with Friends’ developer. Retrieved from https://www.ctvnews.ca/sci-tech/13-million-accounts-exposed-in-hack-of-words-with-friends-developer-1.4736646

Gonzalez, O. (2019, October 1). Zynga data breach exposed 200 million Words with Friends players. Retrieved from https://www.cnet.com/news/words-2ith-friends-hack-reportedly-exposes-data-of-more-than-200m-players/

Hern, A. (2019, December 19). 170M passwords stolen n zynga hack, monitor says. Retrieved from https://www.theguardian.com/games/2019/dec/19/170m-passwords-stoeln-in-zynga-words-2ith-friends-hack-monitor-says

Ivanova, I. (2019, October 2). Zynga data breach exposed 200 million Words with Friends players. Retrieved from https://www.cbsnews.com/news/words-with-friends-hack-zynga-data-breach-exposes-200-million-users/

Khandelwal, S. (2019, September 29). Exclusive-Hacker steals over 218 million zynga ‘Words with Friends’ gamers data. Retrieved from https://thehackernews.com/2019/09/zynga-game-hacking.html

Knight, S. (2019, October 1). Zynga hacked, more than 200 million accounts compromised. Retrieved from https://www.techspot.com/news/82150-zynga-hacked-more-than-200-million-accounts-compromised.html

Lakshmanan, R. (2019, October 1). 219M ‘Words with Friends’ players’ data reportedly stolen zynga hack (updated). Retrieved from https://thenextweb.com/security/2019/10/02/218m-words-with-friends-players-data-reportedly-stolen-in-zynga-hack/

Lyons, K. (2019, December 19). Zynga hack affected 170 million accounts. Retrieved from https://www.theverge.com/2019/12/19/21029682/zynga-hack-words-with-friends-draw-something-password-data-breach

Page, C. (2019, September 30). Zynga hack exposes data of 218 million Words with Friends players. Retrieved from https://www.theinquirer.net/inquirer/news/3082078/zynga-ack-words-with-frie

Zynga. (2019, September 12). Player security announcement.

Zynga. (2019). Protecting your account. Retrieved from https://www.zynga.com/security/protecting-your-account

Here we go again: Intel processors with problems

We all know the importance of chips in IT and embedded systems. Without the processing power, we would have many boat anchors sitting around collecting dust. One manufacturer, Intel, is in the news once again.

New Warning Issued

Research is being done on different platforms across the world. There are labs actively seeking viable exploits on the equipment, from the chip to the system level. In this case, Positive Technologies researched this issue and detected the exploit with the Intel processors. The processors released in the last five years have a security flaw in the silicon. As this is in the silicon, it can’t be fixed or patched with a firmware update, which is a problem.

Target

The issue is with the Converged Security and Management Engine (CSME). This is a subsystem in the CPU, which takes care of the security tasks, securing the entirety of the firmware. This process is during the processor operations, beginning when the power button is pressed.

Exploit

The vulnerability is would, when successful, would allow the unauthenticated user to potentially enable escalation of privilege. This would lead to the attacker being able to extract the chipset key stored on the PCH microchip and gain access to the data encrypted with this key. This is clearly not the optimal situation. What makes this worse is, if there were to be an attack, it is not possible to detect this.

On a brighter note, all is not lost. The exploit is rather difficult to process. First, the attacker would need physical access to the processor and time to complete the attack. Second, the attack itself is by far not easy. If one of the steps was not easy, having to complete them both only makes this exponentially more difficult to complete in the unauthorized environment. In certain limited instances, the attack could be performed with malware engineered to bypass the target’s OS-level protections. While this is a significant detriment, the potential attack removes the chain of trust for the platform.

Granted, this is still a possible attack, which is why there is attention being paid to this and mitigation put in place, correcting most of the issues. This sounds like a perfectly workable plan, however, there are so many known and unknown vectors, this is still a tough job.

Mitigations

While this is relatively serious, Intel has put in place mitigations. These mitigations were supposed to have done beginning in May 2019. Before the present mitigations are in place, the firmware and processor are still vulnerable when the system boots on. These, while the intent is in the right place, may not be sufficient to fully mitigate the issue. 

As noted, the issue with CSME cannot be fixed since the firmware errors are hard-coded in the Mask ROM. Instead of researching and trying options repeatedly which don’t work to fix the direct issue, Intel took this in a different direction and addressed the attack vectors, indirectly working to fix the problem. There are a number of attack vectors with this

References

Allan, D. (2020, March). Latest intel CPUs have ‘impossible to fix’ security flaw. Retrieved from https://www.techradar.com/news/latest-intel-cpus-have-impossible-to-fix-security-flaw

Dent, S. (2020, March 6). Researchers discover that intel chips have an unfixable flaw. Retrieved from https://www.engadget.com/2020-03-06-intel-chips-unpatchable-security-flaw.html

HalGameGuru. (2020, March 6). “Unfixable” security flaw found in intel CPUs. Retrieved from https://linustechtips.com/main/topic/1162393-unfixable-security-flaw-found-in-intel-cpus/

Help Net Security. (2020, March 12). Scientists expose another security flaw in intel processors. Retrieved from https://www.helpnetsecurity.com/2020/03/12/load-value-injection/

KW, T. (2020, March 22). Security experts have found another flaw in intel processors. Retrieved from https://klse.i3investor.com/blogs/future_tech/2020-03-22-story-h1485581927-Security_experts_have_found_another_flaw_in_Intel_processors.jsp

Lemos, R. (2020, March 6). Physical flaws: Intel’s root-of-trust issue mostly mitigated. Retrieved from https://www.darkreading.com/vulnerabilities---threats/physical-flaws-intels-root-of-trust-issue-mostly-mitigated/d/d-id/1337254

Positive Technologies. (2020, March 5). Positive technologies: Unfixable vulnerability in intel chipsets threatens users and content rightsholders. Retrieved from https://www.ptsecurity.com/ww-en/about/news/unfixable-vulnerability-in-intel-chipsets-threatens-users-and-content-rightsholders/

The Star. (2020, March 22). Security experts have found another flaw in intel processors. Retrieved from https://www.thestar.com.my/tech/tech-news/2020/03/22/security-experts-have-found-another-flaw-in-intel-processors

Warrant, T. (2020, March 6). A major new intel processor flaw could defeat encryption and DRM protections. Retrieved from https://www.theverge.com/2020/3/6/21167782/intel-processor-flaw-root-of-trust-csme-security-vulnerability