
Intel VISA Exploit Gives Access to Computer’s Entire Data, Researchers Show - DennisP
https://gadgets.ndtv.com/laptops/news/intel-visa-sa-00086-exploit-researchers-computer-data-access-2014854
======
amluto
This doesn’t discuss when the attack matters. I see at least three ways:

1. If you can do the attack entirely over USB, then you can completely take
over a machine via USB and possibly add a very powerful firmware rootkit. The
JTAG password seems relevant here.

2. If you get root code execution, you may be able to install a better
rootkit. This might be able to extract supposedly hardware-secured crypto
keys.

3. The “deterministic RNG” and/or inspection of RNG signals mode might be an
interesting attack against SGX — SGX enclaves expect RDRAND to be secure. (If
you can take over the ME, I think you can break some of SGX’s platform
features, but I don’t think you break the core security guarantees.)

I think the JTAG password is the nastiest bit here.

~~~
SlowRobotAhead
I’m driving, but don’t want to forget this later... do you think you could
help me with a 30 second run down on Intel JTAG?

I assume not all chips have the same JTAG password. I assume JTAG can be
accessed via software running on the processor itself and not require explicit
physical access. I assume there is a hack that allows someone to obtain their
processor JTAG password, how that works is what I’m most interested in I
suppose.

~~~
userbinator
JTAG requires physical access.

~~~
jakeogh
How so? Hack a net-connected USB device that the target is using.

~~~
scandinavian
The net-connected device would need to be connected with a USB 3.0 debugging
cable. Also DCI would need to be enabled on the computer.

~~~
jakeogh
Can it be done via DbC?

[https://www2.lauterbach.com/pdf/dci_intel_user.pdf](https://www2.lauterbach.com/pdf/dci_intel_user.pdf)

~~~
scandinavian
Yes, as I said, if DCI is already enabled and the device is connected via a
USB 3.0 debug cable.

It can be made like this:

[https://github.com/ptresearch/IntelTXE-PoC#preparing-the-usb-debug-cable](https://github.com/ptresearch/IntelTXE-PoC#preparing-the-usb-debug-cable)

Or you can buy one from Intel.
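
The sub-thread above turns on one precondition: the silicon debug interface has to be enabled (and not locked) before a DCI/USB debug cable does anything. The CPU side of that switch is the IA32_DEBUG_INTERFACE MSR (0xC80), whose bit layout is public in the Intel SDM Vol. 4: bit 0 enables silicon debug, bit 30 locks the register until reset, and bit 31 is a sticky "debug occurred" flag. The script below is an added example written for this page; it is not the PT Research PoC and not from any comment in the thread. It decodes the MSR, reads it on every CPU through the Linux msr driver when run as root, and interprets the result in the terms used above. The sample values are constructed, and the PCH-side registers that actually expose DCI over USB are outside its scope (chipsec's `common.debugenabled` module is the usual place to look for those).

```python
"""Decode IA32_DEBUG_INTERFACE (MSR 0xC80), the CPU-side silicon-debug switch.

Added example for this thread; not from the PT Research PoC. Field layout is
taken from the Intel SDM Vol. 4. Whether the PCH exposes DCI over USB is a
separate question that this script does not answer.
"""
import os
import struct
from dataclasses import dataclass

IA32_DEBUG_INTERFACE = 0xC80  # MSR index; present when CPUID leaf 7 reports SDBG
BIT_ENABLE = 1 << 0           # 1: silicon debug features (DCI/JTAG path) enabled
BIT_LOCK = 1 << 30            # 1: further writes ignored until the next reset
BIT_DEBUG_OCCURRED = 1 << 31  # sticky, read-only: bit 0 was set at some point since reset


@dataclass(frozen=True)
class DebugInterfaceState:
    enabled: bool
    locked: bool
    debug_occurred: bool

    def verdict(self) -> str:
        """One-line assessment in the terms the thread uses."""
        if self.enabled:
            return "debug ENABLED: silicon debug (DCI/JTAG path) is live on this CPU"
        if not self.locked:
            return ("debug disabled but UNLOCKED: firmware did not set the lock, "
                    "so ring-0 code could enable it without physical access")
        if self.debug_occurred:
            return "debug disabled and locked, but was enabled earlier this boot"
        return "debug disabled and locked until reset"


def decode_debug_interface(value: int) -> DebugInterfaceState:
    """Split the raw 64-bit MSR value into the three documented fields."""
    return DebugInterfaceState(
        enabled=bool(value & BIT_ENABLE),
        locked=bool(value & BIT_LOCK),
        debug_occurred=bool(value & BIT_DEBUG_OCCURRED),
    )


def read_msr(cpu: int, msr: int) -> int:
    """Read one 64-bit MSR through the Linux msr driver (root, `modprobe msr`)."""
    fd = os.open(f"/dev/cpu/{cpu}/msr", os.O_RDONLY)
    try:
        raw = os.pread(fd, 8, msr)  # the driver uses the file offset as the MSR index
    finally:
        os.close(fd)
    return struct.unpack("<Q", raw)[0]


def check_all_cpus() -> dict:
    """Read the MSR on every CPU exposed by the driver; the lock is per-core."""
    states = {}
    for name in os.listdir("/dev/cpu"):
        if name.isdigit():
            cpu = int(name)
            states[cpu] = decode_debug_interface(read_msr(cpu, IA32_DEBUG_INTERFACE))
    return states


# Constructed sample values (not captured from a real machine).
SAMPLES = {
    "fresh, firmware forgot to lock": 0x0,
    "locked by firmware": 0x40000000,
    "debugger attached": 0x80000001,
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{raw:#010x}  {label:32}  {decode_debug_interface(raw).verdict()}")
    try:
        for cpu, state in sorted(check_all_cpus().items()):
            print(f"cpu{cpu}: {state.verdict()}")
    except (PermissionError, FileNotFoundError) as exc:
        print(f"live read skipped: {exc}")
```

The interesting case for amluto's point 2 is the second verdict: an unlocked register means the lock was never set by firmware, so nothing stops privileged software from flipping bit 0 later. A locked-and-disabled result only rules out the CPU-side path for this boot; it says nothing about the PCH's own DCI configuration, which has to be checked separately.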

------
chasil
The Core 2 series on LGA775 is the last Intel chipset where the ME can be
entirely disabled.

This VISA exploit relies in some way on SA-00086, which is a flaw in the ME
that cannot be removed in later versions.

The me_cleaner script has been able to purge these older chipsets since
October of last year. I cleaned two different HP desktops at that time, and
uploaded the modified BIOS here:

[https://github.com/corna/me_cleaner/issues/233](https://github.com/corna/me_cleaner/issues/233)

These still suffer from Meltdown and the remediation does exact a performance
penalty, but Core 2 is starting to appear as the most manageable risk of all
their products.

~~~
samat
Curious what your threat model is.

~~~
chasil
The Intel ME can be accessed over the connected ethernet even when the PC is
shut down, as long as the power supply is attached.

SA-00086 as an exploit is available through the ME.

VISA is available for access by the (compromised) ME.

This seems threatening enough to me.

~~~
rzzzt
I am always confused about this part. Are systems that don't support
vPro/AMT/MEBX also accessible over the motherboard's Ethernet connection?

~~~
chasil
As far as I know, yes.

If you run the Linux ME reporting tool and it is identified, then ME is
awaiting provisioning and commands.

Every chipset has the CPU that serves the ME, separate from the CPU.

~~~
magila
All Intel systems contain ME hardware and firmware, but most consumer systems
are not configured to support remote administration via the integrated
ethernet port.

~~~
beenBoutIT
On older Intel chips it's possible to remove the ME and have a functional CPU.
These Intel systems running Libreboot lack functional ME firmware/hardware.

------
bo1024
The scariest line to me:

> Intel doesn't publicly disclose the existence of Intel VISA and is extremely
> secretive about it

So all of my data and everything I do on my computer is flowing through this
every day, and nobody knows what it is or what it does....

~~~
kacamak
You never heard of Intel IME or AMD PSP?

It's a MIPS microprocessor inside your CPU, completely undocumented and has
access to the memory, peripherals, network interface etc.

~~~
nickpsecurity
"completely undocumented and has access to the memory, peripherals, network
interface etc. "

They were documented in the sense Intel publicly advertised them for years
under AMT and vPro as enterprise features. That's why all the discussions on
HN about whether Intel had backdoors or weakened randomness were funny. While
people were "countering misinformation" here, Intel was publicly advertising
backdoors in their chips to ease the management burden. I mean, I guess you
could call them front doors with the publicity.

The sneaky part was how they started including them in all chips without a way
to (a) buy chips without them or (b) know for sure you could turn them off. I
immediately suspected NSA paying them off given most of this started in
Trusted Computing Group activities which included classified sessions with
NSA. They were always a stakeholder in that stuff. AMD did it, too.

Our only hope for x86 now is the Chinese company that's sharing AMD's chips.
They might make a chip with no U.S. backdoors: only Chinese backdoors. If
you're worried about local government but not I.P. theft, then the Chinese
backdoors won't be any threat to you. Problem solved if the computers get here
with no interdiction. Gotta do shell games.

~~~
otakucode
I am not surprised that their inclusion was sneaky. I recall when Intel
attempted to market TPM for the first time. The reaction was swift and very
negative. Slashdot was not in favor of 'security' through including security
holes and relying upon obscurity of the information on how to exploit the
holes being the single point of failure. It was closer to when the government
was trying to mandate key escrow and Clipper chips than now and back then they
had to walk it back and not release it with a high profile. Back then the most
common worry focused on was that this would be used for hardware-based DRM in
service of the entertainment industry.

~~~
userbinator
_I recall when Intel attempted to market TPM for the first time. The reaction
was swift and very negative._

Are you sure you didn't confuse that with the processor serial number (that
Intel actually reversed their decision on)?
[https://news.ycombinator.com/item?id=10106870](https://news.ycombinator.com/item?id=10106870)

TPM was (unfortunately?) far more positively received, likely because it was
marketed as a security instead of DRM feature --- and the same goes for a lot
of other antiuser features today... the manufacturers have gotten smart about
it.

~~~
acdha
The TPM got almost universally negative coverage outside of the
enterprise IT space because there wasn’t an obvious benefit to anyone else and
many concerns that it would prevent alternative operating system installs,
lead to unbreakable DRM, etc.

This was unfortunate as it largely evaporated the middle ground who recognized
that without some trusted base you also can’t recover from malware or have
robust anti-theft measures. I wish the politics had been such that we ended up
with a robust open-source implementation before so much shoddy, unreviewed
code had shipped so widely.

------
detaro
[https://www.blackhat.com/asia-19/briefings/schedule/#intel-visa-through-the-rabbit-hole-13513](https://www.blackhat.com/asia-19/briefings/schedule/#intel-visa-through-the-rabbit-hole-13513) has a link to presentation slides

Other articles: [https://www.zdnet.com/article/researchers-discover-and-abuse-new-undocumented-feature-in-intel-chipsets/](https://www.zdnet.com/article/researchers-discover-and-abuse-new-undocumented-feature-in-intel-chipsets/)

[https://www.theregister.co.uk/2019/03/29/intel_visa_hack/](https://www.theregister.co.uk/2019/03/29/intel_visa_hack/)

~~~
tyingq
Three videos here also: [https://github.com/ptresearch/IntelVISA-BH2019](https://github.com/ptresearch/IntelVISA-BH2019)

~~~
rurban
And the proper paper esp.

------
userbinator
_Intel underplayed the exploit and told ZDNet that the VISA issue requires
physical access to the machines and the Intel-SA-00086 vulnerabilities have
already been mitigated._

Am I the only one here who thinks "threat model" and isn't all too worried?
Physical access = full control, I've long held that belief and am not happy
that this freedom is continually being eroded in the name of ever-increasing
ridiculous "security" (a lot of it _against_ the user, for things like DRM, as
mentioned in one of the other comments here.)

Debugging/"test mode" features are basically present in all modern CPUs. I
would not bet that Intel is the only one.

Edit: such features have been present in CPUs dating back to the late 70s, so
perhaps "modern" isn't needed: see
[http://forum.6502.org/viewtopic.php?f=8&t=3366](http://forum.6502.org/viewtopic.php?f=8&t=3366)
and
[http://e4aws.silverdr.com/hacks/6500_1/](http://e4aws.silverdr.com/hacks/6500_1/)

~~~
MrXOR
The main thing is "Why undocumented?", not threat model and physical or remote
exploit.

~~~
CodeWriter23
> The main thing is "Why undocumented?", not threat model and physical or
> remote exploit.

No, the main thing is if VISA is for qualifying chips on the production line,
why don’t they burn a fuse permanently disabling it on chips that pass QA?

~~~
smalley
VISA isn't for qualifying chips as much as it is for debugging chips including
customer returns. Long ago access to limited versions of the signals was given
to some customers under NDA and customers had the ability to set customer
fuses which would prevent Intel from unlocking the debug features. There's
also an unsuppressable "debug enabled" bit hardwired to a lot of these functions
if I remember, so the parent system can always see if somebody turned on the
debug functions. Turning on debug functions also usually had the effect of
disabling/corrupting important key material.

This said, it's basically a giant signal mux system run into a main block;
you'd be pretty limited on what preselected signals are available at a time.
People were also reasonably careful not to give entire busses of signals at
once.

------
MrXOR
Undocumented? A bug? No, a backdoor. Big brother (NSA, FSB, ...) inside[1]??
There isn't any datasheet/docs about "Intel Visualization of Internal Signals
Architecture" on Google! Even documented technologies/features like Intel ME
and AMT or speculative execution (Spectre/Meltdown) are (were) backdoors, not
bugs! We need open (free) source hardware (PCH, CPU, GPU, ...) with
complete documentation.

[1] [https://github.com/CHEF-KOCH/NSABlocklist/issues/31](https://github.com/CHEF-KOCH/NSABlocklist/issues/31)

[2] [https://software.intel.com/sites/default/files/managed/d3/3c/intel-th-developer-manual.pdf](https://software.intel.com/sites/default/files/managed/d3/3c/intel-th-developer-manual.pdf)

------
_bxg1
The name VISA makes all of this extremely confusing, as there are two other
major overloaded meanings for the word

~~~
tyingq
_" Intel doesn't publicly disclose the existence of Intel VISA"_

An internal-only name leaked... _" Visualization of Internal Signals
Architecture"_

~~~
_bxg1
Yeah, I figured that out eventually, but for the first while I was mentally
following multiple possible narratives

------
everybodyknows
>VISA's documentation is subject to a non-disclosure agreement, and not
available to the general public.

- [https://www.zdnet.com/article/researchers-discover-and-abuse-new-undocumented-feature-in-intel-chipsets/](https://www.zdnet.com/article/researchers-discover-and-abuse-new-undocumented-feature-in-intel-chipsets/)

Back in the 80s, such policies were dismissed as "security through obscurity".
So much change, so little progress ...

------
lima
Clickbait article. Ignore it and read the slides instead:

[https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Goryachy-Ermolov-Intel-Visa-Through-the-Rabbit-Hole.pdf](https://i.blackhat.com/asia-19/Thu-March-28/bh-asia-Goryachy-Ermolov-Intel-Visa-Through-the-Rabbit-Hole.pdf)

------
huffmsa
Intel's recent string of "what the fuck" failures are what happens when a
monopolist emerges and goes unchallenged for a long enough period to become
lazy.

May the market penalize them in kind.

~~~
bo1024
The tech industry in general undervalues security (at least in my opinion). I
agree part of the reason Intel does is about being a monopolist, but I see
this as a bigger trend of fancy/shiny/innovative at the expense of
solid/secure/stable.

~~~
huffmsa
But Intel has stalled out pretty hard on fancy/shiny/innovative. They hit a
brick wall with 7nm.

~~~
wybiral
But you can still speed things up with shiny tricks like speculative
execution...

~~~
archgoon
Speculative execution (Branch Prediction) is hardly flashy. It's been present
in Intel chips (Pentium) (and just about everyone else) since the early 90s (a
quarter of a century ago). This was back when die resolution was 600 nm.

~~~
wybiral
Right, my point was that they're doing more than just reducing the nm.

------
wuschel
Out of interest: What would one consider as the most secure, commercially
available computer architecture?

Are there any open, vetted computer system out there?

How do projects such as the _Raspberry Pi_ fare in terms of security?

~~~
shakna
> Out of interest: What would one consider as the most secure, commercially
> available computer architecture?

Define your limits.

For the everyday, you won't get far. Intel, AMD and others have all been shown
to have problems like this, or at least things they specify for government
agencies.

However, tiny computer architectures like MIPS, AVR and the like probably
don't, simply because they tend to be too small. They don't have the memory
for advanced backdoor techniques... but their memory is trivial to access if
you have physical access.

Straight-up RISC-V is too new to truly trust security, but looks fairly
great... Until you realise that almost everyone is going to add their own
proprietary extensions to it, and those extensions may well include things
like VISA.

---

The Raspberry Pi uses a Broadcom ARM chip. (Which model you get does have
different models of the particular SoC, and the two main chips are vastly
different).

I don't have enough details about the particular chip to tell, but ARM does
have its own remote management system. It may or may not be part of what
Broadcom offers, and may or may not have undisclosed abilities to offer to
clandestine agencies.

~~~
MisterTea
> Straight-up RISC-V is too new to truly trust security, but looks fairly
> great...

Bad analogy because RISC-V is an instruction set, not a physical
microarchitecture. Back doors and side channel attacks could still be possible
when implementing RISC-V as a uarch.

The same applies for any ISA be it MIPS, x86-64, Power, Arm, SPARC, PA-RISC,
Alpha, etc. They're just different programming languages implemented in
hardware. And like software, hardware can have bugs too, though patching is
much harder or impossible.

~~~
tyingq
Your quote cut off the parent right before they made roughly the same
observation.

~~~
int_19h
Not really - it was talking about proprietary extensions to the instruction
set, but the real problem is on implementation level. You can implement most
everything strictly to the spec, and still have vulnerable side channels.

------
chiefalchemist
> "Security researchers have discovered a previously unknown feature in the
> Intel chipsets, which could allow an attacker to intercept data from the
> computer memory. The feature called Intel Visualization of Internal Signals
> Architecture (Intel VISA) is said to be a utility that is bundled by the
> chipmaker for testing on the manufacturing lines. Although Intel doesn't
> publicly disclose the existence of Intel VISA and is extremely secretive
> about it, the researchers were able to find several ways to enable the
> feature on the Intel chipsets and capture the data from the CPU."

Am I the only one reading this and thinking - tho' not surprised - "there's a
backdoor baked into Intel chips"?

------
snvzz
Don't trust the hardware RNG, they said. And people pointed fingers and called
them paranoid while laughing.

------
nunobrito
For some odd reason Twitter does not permit that I share the link to the
security disclosure page.

I can post youtube videos, cat pictures but the link to this page gets
refused. Here is a video of what happens:
[https://media.giphy.com/media/kiB8T8qeTHCVdUM2oZ/giphy.gif](https://media.giphy.com/media/kiB8T8qeTHCVdUM2oZ/giphy.gif)

Are we in China yet?

~~~
neop1x
Just delete Twitter account and create a Mastodon account :)

~~~
nunobrito
True.

On the other side: stepping out of twitter will isolate those who call
attention to these things and just helps them to further block the population
from knowing what is happening..

------
mkup
I hope this Intel VISA Exploit will shed some light upon inner workings of
Intel Management Engine, its memory states, software modules, their
undocumented features etc.

~~~
sabas123
The slides mention that they are able to unlock JTAG for IME cores, so I
suspect we should finally be able to do research into it.

Personally I'm curious what doors this will open for understanding microcode.

------
ccnafr
This article appears to be blog spam after an interview ZDNet had with the
researchers, which seems to include a lot more info on this.

Appears Intel is trying to underpin this as unexploitable (shocker!!!),
citing a patch from last year. Researchers say that there are multiple ways to
turn this debug mode on besides those.

~~~
DennisP
Oops, didn't notice that. The article I posted has two links other than the
zdnet link, but they're also contained in the zdnet article. Totally support
the admins repointing to this if they want:

[https://www.zdnet.com/article/researchers-discover-and-abuse-new-undocumented-feature-in-intel-chipsets/](https://www.zdnet.com/article/researchers-discover-and-abuse-new-undocumented-feature-in-intel-chipsets/)

------
voldacar
Given the scale of some of the recent x86 exploits that went totally unnoticed
by massive chipmakers like Intel (thinking mainly Spectre/Meltdown but this is
pretty bad too), is it even possible to build a secure x86 processor?

Can anyone really say, given the insane pit of complexity that x86 has become?

~~~
int_19h
This one is more like a deliberate backdoor that was left not fully secured.
It doesn't seem to have anything to do with x86-the-instruction-set.

And stuff like Spectre and Meltdown is all about _how_ they chose to implement
it - specifically, optimizations. It is very possible to have an x86 CPU that
doesn't try to be "smart" at all, and just implements the x86 spec in the most
straightforward way possible... so long as you're willing to pay the perf
penalty. It looks like we don't.

------
peter_d_sherman
[https://www.blackhat.com/asia-19/briefings/schedule/index.html#intel-visa-through-the-rabbit-hole-13513](https://www.blackhat.com/asia-19/briefings/schedule/index.html#intel-visa-through-the-rabbit-hole-13513)

Excerpt: "The complexity of x86-based systems has become so great that not
even specialists can know everything."

We need a new CPU manufacturer. One that is built from the ground up on
transparency, auditability, accountability, and Einstein's "as simple as
possible but no simpler" maxim.

Such an entity cannot, CANNOT be a corporation.

The reason why such an entity cannot be a corporation is because a corporation
is legally bound to the legal structure in the country in which it operates,
and that legal structure may create, one way or another, a door for secret
agreements / secret hardware modifications between that company and the host
government.

In other words, transparent, ethical engineers with NO conflicts of interest
-- are no longer running the show... Corporate lawyers and Government lawyers
are.

That has to change in the future...

~~~
SlowRobotAhead
>Such an entity cannot, CANNOT be a corporation.

How would that work? You want a government designed secure processor... why
wouldn’t you figure that the reasons they are insecure now is because of gov
involvement?

If you want an open source processor... that’s cool, and corporations can and
already do that.

Now... with any solution proposed, verify to me that the silicon as designed
is really the silicon made, esp when talking about 7nm.

~~~
pytyper2
Can I enter your factory and inspect the dies as they come off the line before
they are sealed? If yes, then you could indeed verify the silicon is as
designed. Probably just as you could take a chip that does not work and
diagnose the problem, this functionality would seem to be necessary to
successfully build a chip/chip factory in the first place. How would you
troubleshoot the manufacturing process if you couldn't audit the product for
quality/accuracy?

~~~
peter_d_sherman
Completely random inspections of product in any stage of the manufacturing
process by third parties is a good idea.

I don't know the practical reality of any company permitting that, but it's a
good idea. Some future chip manufacturing group will hopefully do that.

Audits of any form at any time by any party should be permitted, rather than
denied.

------
dchichkov
I was re-reading the 2017 AMT story, it is so strange. How is this even
possible?

[https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability](https://www.tenable.com/blog/rediscovering-the-intel-amt-vulnerability)

------
pytyper2
If this is truly for assembly line diagnostics they should add a hardware self
destruct to the interlink with those circuits, after VISA serves the intended
purpose fry it. Is that a reasonable and technically feasible option?

------
otakucode
What exactly is 'Orange Mystery'? From the context of the article they make it
sound like it is another known vulnerability, but I went looking and can't
find anything related with that name.

~~~
scandinavian
Orange Mystery (their made up name) is an intended way to get JTAG access to
TXE if the CPU is in manufacturing mode. Something that only happens if an OEM
forgets to turn it off before shipping. This was the case with Intel Macbooks,
before it was fixed. Haven't heard of other manufacturers making the same
mistake.

~~~
Avery3R
IIRC CS(TXE/ME) are implemented in the pch, not the cpu. It's also pretty
common for consumer gaming motherboard manufacturers to leave it on. I know at
least MSI and Gigabyte do

~~~
scandinavian
It's common for gaming motherboards to leave manufacturing mode on? Got any
info on that, can't find anything on google about this.

------
hiccuphippo
How do I find out if this debug mode is enabled?

------
peter_d_sherman
"VISA... it's everywhere you don't want to be..." <g>

------
JudasGoat
I mean you could look at it as a 20 channel logic analyzer for free...

------
spaceribs
Getting real tired of hearing about how our monopolistic glorious chip-maker
leaks data like a sieve, almost as if there's some sort of monetary benefit to
doing so...

------
EGreg
This is why we must all move to end-to-end encryption. We should limit
“concentrations of information” just like “Concentrations of power”.

