With chips in four out every five PCs made since 2010, few companies are as pervasive in modern computing as Intel. That's why an advisory released Monday, May 1, confirming a remotely exploitable vulnerability in all non-server business hardware made in the last seven years has sent shockwaves through the technology world.
SemiAccurate, a technology news site that claims to have warned Intel of the situation years ago, even asserts that it would be possible for a sophisticated hacker to adapt the exploit for use against consumer PCs.
The vulnerability in question affects the Active Management Technology (AMT) firmware, which is the software that controls the chip. Here, a program responsible for applying firmware security updates to managed networks of business computers was found to give access to unauthenticated users. Alarmingly, this vulnerability totally bypasses the operating system and presents a huge "insider threat" due to ease of local exploitation.
At present, all business non-server hardware is affected locally and much is affected remotely. This can and will be weaponized to attack many managed networks, both small and large, and automate the exploitation of this vulnerability. Remote hijacking computers with this vulnerability actually seems pretty easy, too.
How serious this really is now depends in part on so-called original equipment manufacturers (OEMs) that use Intel chips, such as Lenovo and Dell, releasing patches fixing the vulnerability in their products. Yet these patches can only work if users install them, a haphazard prospect at best.
So far, Cisco, Dell, Lenovo have issues statements about this vulnerability and if their products are infected or not. Intel also has a list of desktop boards affected. There's no word yet from HP, IBM, Oracle, etc.
SemiAccurate further cautions that such updates are rarely even produced for older PCs no longer covered by warranty. This means that any managed network containing at least one Intel-based computer more than two or three years old may well remain at serious risk.
Moreover, there are some indications that the attack may also be applicable to consumer PCs, as mentioned before. In theory, a safeguard is provided by the fuses used to designate a chip's identity as being for either commercial or personal use. Yet this safeguard, in practice, depends on all parties playing by the rules. A hacker seeking to illegally gain access to a computer network, on the other hand, could potentially confuse a consumer PC — and its user — into installing the exploitable firmware services in question. Such an attack would be particularly difficult to detect, as it would be unlikely to show up as malware.
The imposing difficulty of satisfactorily guarding against this exploit points to the need to encourage hardware diversity in an increasingly concentrated industry. It also illustrates why nation-state level cybersecurity organizations like the NSA should shift from weaponizing zero-day vulnerabilities to working to mitigate their potential impact. The many technology companies affected would likewise do well to take the opportunity to substantially improve their patch pipeline to end users.
Given the extraordinary range of hardware at risk, effectively neutralizing this exploit will require extraordinary efforts, if indeed it is possible at all.