Highlights from the slides:

Your CPU chipset is also a standalone webserver. Most vPro chipsets (MCHs) have:

- An Independent CPU (not IA32!)
- Access to dedicated DRAM memory
- Special interface to the Network Card (NIC)
- Execution environment called Management Engine (ME)

Your chipset is a little computer. It can execute programs in parallel and independently from the main CPU!

How might we design some malware that embeds itself into the chipset? Such malware would be able to survive reboots, brick the hardware on demand, reboot on demand, act as a MITM for all network traffic, inject vulnerabilities into the host OS during bootup, etc.

Step 1: Search for an attack vector in any version of the Intel BIOS. If you can find any attack vector in any version of the BIOS, you've won. For example, if the latest Intel BIOS is v3.9.2, but you found an exploit in BIOS v2.3.1, you've still won. Because...

Step 2: ... as the attacker, you can downgrade the victim's BIOS to any previous version without any user consent! Any old version of the BIOS is of course signed by Intel; all versions are. The chipset firmware allows any valid signed BIOS to replace the current BIOS regardless of whether it's older or newer than the current.

It was pretty shocking that the BIOS can be downgraded without any user consent. Downgrading requires a reboot, but that's probably not a huge problem in practice.

This article is from 2009, so at this point it's just an interesting piece of history. But I wonder whether any of these issues still persist today, such as the ability for userspace programs to downgrade/upgrade the BIOS at will?
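An added sketch, not code from the slides or from the comment above, of the update-acceptance check being discussed: a signature-only policy next to one that also enforces a version floor. All function names are hypothetical, the version strings reuse the comment's example numbers, and an HMAC with a constructed key stands in for the vendor's real asymmetric signature.

```python
import hashlib
import hmac

# Constructed stand-in for the vendor signing key (assumption: real firmware
# uses an asymmetric signature; HMAC keeps this standard-library only).
VENDOR_KEY = b"constructed-demo-key"


def parse_version(text):
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def sign(version, payload):
    """Vendor side: the version string is covered by the signature."""
    msg = version.encode() + b"\0" + payload
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).digest()


def make_image(version, payload):
    """Build a constructed, validly signed sample image."""
    return {"version": version, "payload": payload, "sig": sign(version, payload)}


def signature_ok(image):
    expected = sign(image["version"], image["payload"])
    return hmac.compare_digest(expected, image["sig"])


def accept_signature_only(image):
    """Policy described in the comment: any validly signed image is accepted."""
    return signature_ok(image)


def accept_with_rollback_floor(image, floor):
    """Hardened policy: valid signature AND version not below the floor.

    Returns (accepted, new_floor). The floor only moves forward; it is
    assumed to live in storage the host OS cannot rewrite.
    """
    if not signature_ok(image):
        return False, floor
    candidate = parse_version(image["version"])
    if candidate < floor:
        return False, floor  # older signed image: refuse the downgrade
    return True, max(floor, candidate)
```

Because the version is inside the signed data, relabelling an old image with a newer version number fails the signature check instead of slipping past the floor.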
As for the management engine (the CPU that drives the vPro stuff), it exists in _all_ Intel chipsets since Series 5; vPro is just a certain configuration of its firmware. It also has full access to RAM, some access to USB, network and graphics.