Researchers have managed, for the first time, to extract the secret key that encrypts microcode updates on a range of Intel processors.
The key makes it possible to decrypt the microcode updates that Intel ships to fix vulnerabilities and other kinds of bugs. Having a decrypted copy of an update may allow malicious actors to reverse engineer it and learn exactly how to exploit the security hole it patches. The key could also allow a chip to be loaded with custom microcode, although such a custom version would not survive a reboot.
The key can be extracted from any chip, whether Celeron, Pentium or Atom, that is based on Intel's Goldmont architecture.
The road to the discovery began three years earlier, when Goryachy and Ermolov found a critical vulnerability, indexed as Intel SA-00086, that allowed them to execute code of their choice inside the chip's independent core, which includes a subsystem known as the Intel Management Engine. Intel fixed the bug and released a patch, but because the chips can always be rolled back to an older firmware version and then exploited, there is no way to eliminate the vulnerability entirely.
Five months ago, the trio was able to use the vulnerability to access Red Unlock, a service mode built into Intel chips. The company's engineers use this mode to find microcode bugs before a chip is released to the public. The researchers named their tool Chip Red Pill, because it lets researchers experience the internal workings of a chip that are normally off limits. The technique works over a USB cable or a special Intel adapter that feeds data to a vulnerable CPU.
Access to a Goldmont CPU in Red Unlock mode allowed the researchers to dump a special ROM area known as MSROM. From there they began the arduous process of reverse engineering the microcode. After months of analysis, they were able to work out the update process and the RC4 key it uses. The analysis, however, did not reveal the signing key that Intel uses to cryptographically prove the authenticity of an update. This discovery has raised many questions about security.
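To make the distinction in the paragraph above concrete, here is an added toy model (not Intel's real update format and not the researchers' code) of an update loader that decrypts a payload with a symmetric RC4 key and then checks an asymmetric signature: once the RC4 key is extracted the payload can be read, but a modified payload still fails the signature check because the private signing key was never obtained. The RC4 key, the deliberately tiny RSA parameters and the update body are constructed sample values.

```python
"""Toy two-layer update check: RC4-encrypted body plus a separate signature.
Hypothetical scheme for illustration only; it is not Intel's format."""
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Standard RC4: key scheduling, then keystream XORed over the data."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Toy RSA built from two Mersenne primes: far too small for real use, but
# enough to show that verifying needs (E, N) while signing needs D.
P, Q = 2**61 - 1, 2**31 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent; never leaves the vendor

def digest(data: bytes) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(body: bytes) -> int:                 # vendor side, needs D
    return pow(digest(body), D, N)

def verify(body: bytes, sig: int) -> bool:    # CPU side, needs only E and N
    return pow(sig, E, N) == digest(body)

def build_update(rc4_key: bytes, body: bytes):
    """Vendor: sign the plaintext body, then encrypt it with the RC4 key."""
    return rc4(rc4_key, body), sign(body)

def apply_update(rc4_key: bytes, blob: bytes, sig: int):
    """Loader: decrypt, then accept the body only if its signature checks."""
    body = rc4(rc4_key, blob)
    return body if verify(body, sig) else None

RC4_KEY = b"constructed-sample-key"           # assumed extracted, as on the page
blob, sig = build_update(RC4_KEY, b"ucode: patch for constructed erratum")

def leaked_key_reveals_body(blob: bytes) -> bytes:
    return rc4(RC4_KEY, blob)                 # confidentiality is gone

def modified_body_is_accepted(sig: int) -> bool:
    # Re-encrypt an altered body with the leaked key and reuse the old signature.
    tampered = rc4(RC4_KEY, b"ucode: altered body")
    return apply_update(RC4_KEY, tampered, sig) is not None   # False: integrity holds
```

The same check would also reject a freshly computed signature, since producing one requires D, which the analysis described above did not recover.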
In theory, Chip Red Pill could be used in a malicious attack to compromise a device. For such an attack to succeed, however, the attacker would need a physical connection to the device, and once the device is restarted the chip returns to its normal state. In some cases, the ability to execute arbitrary microcode inside the CPU could also be useful for attacks on encryption keys, such as those used in trusted platform modules.