CATEGORIES
home News

Serious Intel Boot Guard Exploit Leaves Unpatched PCs Vulnerable To Firmware Attacks

by Nathan OrdSunday, November 15, 2020, 11:58 AM EDT
Intel CPU
Attackers with physical access to a device can generally do the most damage to a machine. This remains true with CVE-2020-8705, where an attacker with physical access can gain control of the system firmware while the device resumes from a sleep state. This means there could be privilege escalations, data loss, and more depending on what the primary motives of the attacker. Therefore, Intel users need to patch their systems and prevent unwanted physical access.

According to Trammell Hudson, CVE-2020-8705, or “Sleep Attack,” occurs when Intel x86 computers enter the sleep state called “S3.” The sleep state turns off the CPU but keeps the DRAM powered, so the CPU state must be restored upon receiving a wake command. When this process starts, the firmware realizes that the DRAM still has power, and some bits of code are skipped, specifically the code checking part of the firmware.

Since the code checking is skipped, the attacker must do an Indiana Jones-style swap of the normal firmware code and their own code. After this happens, they essentially have code execution and can walk through and disable protections or look for anything interesting. While this code execution path would be difficult as it requires physical access to the device, there are some possible ways for it to happen. Hudson describes a “adversarial agency” taking a laptop and extracting data without a password required. The agency could also install a rootkit for future use should they need it. Here's one described scenario:

One example is when clearing customs at an airport. Most travelers close their laptop during descent and allow it to enter S3 sleep. If the device is taken by the adversarial agency upon landing, the disk encryption keys are still in memory. The adversary can remove the bottom cover and attach an in-system flash emulator like the spispy to the flash chip. They can wake the machine and provide it with their firmware via the spispy. This firmware can scan memory to locate the OS lock screen process and disable it, and then allow the system to resume normally. Now they have access to the unlocked device and its secrets, with no need to compel the owner to provide a password.

While the possible attack methods are a little “tin-foily,” they are not outside the realm of possibility with this security exploit. To prevent an “adversarial agency” from taking control of a device, users need to patch their systems and make sure random people do not gain access to their devices. After all, the user is the first line of defense for a computer. For more info on CVE-2020-8705 click here, and be on the lookout for updates from your PC OEM or motherboard manufacturer for BIOS updates to help squash this exploit.
Tags:  Firmware, Intel, security, exploit, (NASDAQ:INTC)
TOP CONVERSATIONS
Your Next PC Platform?
More Results
KEEP INFORMED
SITE

Home

Reviews

News

Blogs

Full Site

Sitemap

CATEGORIES

PC Components

Systems

Mobile

IT Infrastructure

Leisure

Videos

COMPANY

About

Advertise

News Tips

Contact

Privacy And Terms

HotTech

MORE

Accessibility

Shop

STAY CONNECTED

Twitter

Facebook

YouTube

RSS

As an Amazon and Howl Technologies Associate, HotHardware earns a commission from qualifying purchases made on this site. This site is intended for informational and entertainment purposes only. The contents are the views and opinion of the author and/or his associates. All products and trademarks are the property of their respective owners. Reproduction in whole or in part, in any form or medium, without express written permission of Hot Hardware, Inc. is prohibited. All content and graphical elements are Copyright © 1999 - 2024 David Altavilla and Hot Hardware, Inc.
All rights reserved. Privacy and Terms - Accessibility Commitment