At this week's Black Hat Asia 2019 conference, researchers from Positive Technologies revealed findings about an undocumented technology in Intel microchips that allow reading data from the memory of and intercepting the signals from peripherals.
On March 28, 2019, Positive Technologies experts Maxim Goryachy and Mark Ermolov spoke in Singapore, discussing the microchips in their session Intel VISA: Through the Rabbit Hole.
The PCH microchips (Platform Controller Hub) on modern Intel motherboards reportedly contain a logic signal analyzer called Intel Visualization of Internal Signals Architecture (VISA), which are disabled by default on commercial systems. However, the researchers discovered several different tactics an attacker could use to activate the technology that has access to virtually all the data on a computer. The researchers were able to intercept signals on displays, keyboards, and webcams.
"With VISA, we succeeded in partially reconstructing the internal architecture of PCH and, within the chip, discovered dozens of devices that are invisible to the user yet are able to access certain critical data," the researchers wrote. In their talk, the experts demonstrated "how to read signals from PCH internal buses (for example, IOSF Primary and Side Band buses and Intel ME Front Side Bus) and other security-sensitive internal devices."
Leveraging the previously identified vulnerability INTEL-SA-00086 in the Intel Management Engine (IME) discovered by researchers at Positive Technologies, Goryachy and Ermolov demonstrated that a malicious actor could attack the computers by injecting spyware in the subsystem’s code.
"ME can intercept and modify network packets as well as images on graphics cards; it has full access to USB devices. Such capabilities mean that if an attacker finds an opportunity to execute arbitrary code inside ME, this will spawn a new generation of malware that cannot be detected using current protection tools. Fortunately, only three (publicly known) vulnerabilities have been detected in the 17-year history of this technology," the researchers wrote.
"We found out that it is possible to access Intel VISA on ordinary motherboards, with no specific equipment needed," said Positive Technologies expert Maxim Goryachy, according to a press release. "With the help of VISA, we managed to partially reconstruct the internal architecture of the PCH microchip."
***UPDATED***This article has been updated to include the following statement from Intel.
An Intel spokesperson wrote in an email, ""This issue, as discussed at BlackHat Asia, relies on physical access and a previously mitigated vulnerability addressed in INTEL-SA-00086 on November 20, 2017. Customers who have applied those mitigations are protected from known vectors. Visualization of Internal Signals (VIS) is actually is included in our publicly-available documentation and is part of Intel Trace Hub – which is outlined in our developer manual (see section 3.1). We also talk about Trace Hub on our website."