Intel VISA technology aimed at detecting flaws in processors and other microchips can be activated by attackers, which threatens the information security
On March 28, Positive Technologies experts Maxim Goryachy and Mark Ermolov spoke at the Black Hat conference in Singapore about a new technology in Intel chipsets and processors. The technology allows reading data from the memory and intercepting the peripherals' signals. Although Intel VISA is disabled by default on commercial systems, the experts found several ways to activate the technology.
The experts found out that the PCH microchips (Platform Controller Hub) on modern Intel motherboards contain a full-fledged logic signal analyzer called Intel Visualization of Internal Signals Architecture (VISA). The analyzer allows monitoring the state of internal lines and buses in real time. A similar analyzer can also be found in modern Intel processors.
The processor communicates with peripherals (display, keyboard, and webcam) via the PCH microchip, which therefore has access to almost all data on a computer.
"We found out that it is possible to access Intel VISA on ordinary motherboards, with no specific equipment needed," says Positive Technologies expert Maxim Goryachy. "With the help of VISA, we managed to partially reconstruct the internal architecture of the PCH microchip."
Experts assume that Intel VISA is used to check Intel microchips for flaws. However, with an enormous number of parameters, VISA allows creating custom rules for capturing and analyzing signals, which can be used by attackers to access sensitive information.
At Black Hat, Maxim Goryachy and Mark Ermolov demonstrated how to read signals from internal buses (for example, IOSF Primary, Side Band, and Intel ME Front Side Bus) and other internal PCH devices. Unauthorized access to these devices allows intercepting data from the computer memory.
The experts analyzed the technology with the help of vulnerability INTEL-SA-00086 previously detected by Positive Technologies specialists in the Intel Management Engine subsystem, also integrated in the PCH microchip. This flaw in IME allows hackers to attack the computers, for example by injecting spyware in the subsystem's code. The operating system update is not sufficient to eliminate the problem—a fixed firmware version must be installed.