During a presentation at Black Hat Asia in Singapore yesterday, two security researchers from Positive Technologies revealed how an undocumented technology inside Intel microchips might be activated by attackers. The Visualization of Internal Signals Architecture (VISA) enables data from memory to be read, and signals from peripherals to be interrupted. Its purpose appears to be that of detecting flaws in processors and microchips, but the researchers think it could be used for nefarious purposes by threat actors.
Intel VISA, what’s that?
Maxim Goryachy and Mark Ermolov spoke about the hidden technology during their Black Hat presentation, Intel VISA: Through the Rabbit Hole. They say VISA is a fully-fledged logic signal analyzer contained within the Platform Controller Hub (PCH) of modern Intel motherboards, and that a similar analyzer can also be found in modern Intel processors. This essentially allows for the monitoring of the state of internal lines and buses in real time.
What’s the problem?
The processor communicates with peripherals such as the display, webcam and keyboard via the PCH microchip, which therefore has access to almost all the data on the host computer, say the researchers. But if it’s hidden and undocumented, as well as being disabled by default on all commercial systems, why the worry? Because, according to Maxim Goryachy, it can easily be activated by threat actors. “We found out that it is possible to access Intel VISA on ordinary motherboards, with no specific equipment needed,” Goryachy says, adding, “with the help of VISA, we managed to partially reconstruct the internal architecture of the PCH microchip.” Because VISA enables the creation of custom rules to capture and analyze signals, an attacker might therefore be able to create further rules that capture sensitive data.
Is there any proof of this?
During the Black Hat demonstration, the researchers were able to read signals from internal buses and other internal PCH devices; unauthorized access to these devices then allowed for the intercepting of data from the computer memory. They did this using a previously disclosed vulnerability in the Intel Management Engine subsystem that also exists in the PCH microchip. This flaw, the researchers say, enables hackers to attack by injecting spyware in the subsystem code.
What does Intel say?
I contacted Intel this morning and was informed by a spokesperson that as well as relying upon physical access to the device, the vulnerability mentioned was mitigated in 2017. Indeed, the firmware update for INTEL-SA-00086 is available here. “Customers who have applied those mitigations are protected from known vectors,” the Intel spokesperson insisted. The researchers don’t agree, and ZDNet reports that Mark Ermolov has stated this fix isn’t enough, as the firmware can be downgraded, allowing attackers to enable VISA.
What do other infosecurity experts think?
I also spoke to Ian Trump, head of security at AmTrust International and a well-respected speaker on the infosecurity circuit. “I think this is spy stuff pure and simple,” Trump told me, continuing, “it’s particularly interesting from an espionage perspective targeting primarily peripheral communications.” However, in order to get at the VISA functionality, an attacker needs that Intel Management Interface exposed. “Most organizations are going to have a ton of compensating controls in front of the Management Interface,” Trump points out, concluding, “it’s fascinating to see these discoveries of course but, from an attacker perspective there may be easier ways to get at the sensitive information such as implanting the five-year-old-never-updated printer with a Trojan…”