IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Intel CPU flaw could enable hackers to attack PCs, cars, and medical devices

Vulnerability found in Pentium, Celeron, and Atom processors

Security researchers have discovered a bug in Intel CPUs that could enable a hacker with physical access to obtain enhanced privileges on the system.

According to a report by researchers at Positive Technologies, the problem exists in the Pentium, Celeron and Atom processors of the Apollo Lake, Gemini Lake and Gemini Lake Refresh platforms. These processors are used in both mobile devices and embedded systems, meaning everything from ultrabooks to Internet of Things (IoT) devices are affected.

Mark Ermolov, the security researcher at Positive Technologies who discovered the vulnerability alongside Dmitry Sklyarov (also from Positive Technologies) and Maxim Goryachy (an independent researcher), said one example of a real threat is lost or stolen laptops that contain confidential information in encrypted form.

“Using this vulnerability, an attacker can extract the encryption key and gain access to information within the laptop. The bug can also be exploited in targeted attacks across the supply chain. For example, an employee of an Intel processor-based device supplier could, in theory, extract the Intel CSME firmware key and deploy spyware that security software would not detect,” he said.

Ermolov added that the flaw vulnerability is also dangerous because it facilitates the extraction of the root encryption key used in Intel PTT (Platform Trust Technology) and Intel EPID (Enhanced Privacy ID) technologies in systems to protect digital content from illegal copying.

Related Resource

Why faster refresh cycles and modern infrastructure management are critical to business success

The connection between modern server infrastructure and business agility

Title of whitepaper on background of blue and grey trapezoids with a green line diagonally down the page Free download

“For example, a number of Amazon e-book models use Intel EPID-based protection for digital rights management. Using this vulnerability, an intruder might extract the root EPID key from a device (e-book), and then, having compromised Intel EPID technology, download electronic materials from providers in file form, copy and distribute them,” he said.

He added that the flaw is a debugging functionality with excessive privileges, which is not protected as it should be. To avoid problems in the future and prevent the possible bypassing of built-in protection, manufacturers should be more careful in their approach to security provision for debug mechanisms, according to the firm

The problem led to Intel issuing a security advisory. The flaw (CVE-2021-0146) is a high-severity privilege-escalation problem and is rated 7.1 out of 10 on the CVSS vulnerability severity scale.

“Hardware allows activation of test or debug logic at runtime for some Intel processors which may allow an unauthenticated user to potentially enable escalation of privilege via physical access,” said the advisory.

Users can fix the flaw by downloading and installing UEFI BIOS updates published by the end manufacturers of the respective electronic equipment (notebooks or other devices).

Featured Resources

Mastering retention

Turning user behaviour insights into retention strategies

Free Download

Dell PowerEdge with AMD

IT applications and infrastructure are the prime catalyst for new revenue creation

Free Download

Building for success with off-premises private cloud

Leveraging co-location facilities to execute your cloud strategy

Free Download

Cyber resiliency and end-user performance

Reduce risk and deliver greater business success with cyber-resilience capabilities

Free Download

Recommended

The future of work is already here. Now’s the time to secure it.
Whitepaper

The future of work is already here. Now’s the time to secure it.

21 Sep 2022
What is the Computer Misuse Act?
Policy & legislation

What is the Computer Misuse Act?

2 Sep 2022
IT Pro News in Review: Fujitsu quantum computing, IT expenditure forecast, Intel co-invests in new plant
Business strategy

IT Pro News in Review: Fujitsu quantum computing, IT expenditure forecast, Intel co-invests in new plant

26 Aug 2022
Podcast transcript: Solving the semiconductor shortage
components

Podcast transcript: Solving the semiconductor shortage

26 Aug 2022

Most Popular

46 US states call for Meta monopoly lawsuit to be reinstated
mergers and acquisitions

46 US states call for Meta monopoly lawsuit to be reinstated

20 Sep 2022
Anonymous hacks Iranian government and state broadcasters
cyber attacks

Anonymous hacks Iranian government and state broadcasters

22 Sep 2022
Why collaboration is key to digital transformation
Sponsored

Why collaboration is key to digital transformation

13 Sep 2022