Debugging mechanism in Intel CPUs allows seizing control via USB port

Modern Intel CPUs contain a debugging interface, accessible via USB 3.0 ports, that can be used to obtain full control over a system and perform attacks that are undetectable by current security tools. A talk on the mechanisms needed for such attacks, and ways to protect against them, was given by experts from Positive Technologies on December 28 at Chaos Communication Congress (33C3) in Hamburg, Germany.

“These manufacturer-created hardware mechanisms have legitimate purposes, such as special debugging features for hardware configuration and other beneficial uses. But now these mechanisms are available to attackers as well. Performing such attacks does not require nation-state resources or even special equipment,” noted Positive Technologies researchers Maxim Goryachy and Mark Ermolov in their talk.

The duo analyzed and demonstrated one of these mechanisms in their presentation. The JTAG (Joint Test Action Group) debugging interface, now accessible via USB, has the potential to enable dangerous and virtually undetectable attacks. JTAG works below the software layer for the purpose of hardware debugging of the OS kernel, hypervisors, and drivers. At the same time, this CPU access can be abused for malicious purposes.

On older Intel CPUs, accessing JTAG required connecting a special device to a debugging port on the motherboard (ITP-XDP). JTAG was difficult to access for both troubleshooters and potential attackers.

However, starting with the Skylake processor family in 2015, Intel introduced Direct Connect Interface (DCI), which provides access to the JTAG debugging interface via common USB 3.0 ports. No software or hardware manipulations are required to make target computers vulnerable—merely having the DCI interface enabled is sufficient. As the researchers found, this can be accomplished in several ways, and on many computers, DCI is enabled out-of-the-box and not blocked by default.

The talk at 33C3 included a video demonstrating how easily attackers can abuse this mechanism to obtain full CPU access. Goryachy and Ermolov speculated that this mechanism in Intel CPUs could lead to a whole new class of BadUSB-like attacks, but at a deeper and even more dangerous level than their predecessor.

In their concluding remarks, the researchers proposed a number of protective measures based on the use of Boot Guard and on forbidding activation of the debugging interface.