Intel Chipsets' Undocumented Feature Can Help Hackers Steal Data

Positive Technologies, a vulnerability assessment, compliance management and threat analysis solutions company, announced this week that it's discovered yet another undocumented feature in Intel’s chipsets, after previously stumbling upon an undocumented mode developed by Intel specifically for the NSA. The feature, Intel Visualization of Internal Signals Architecture (VISA), could allow attackers to gain the lowest-levels of access to Intel CPUs and any data being processed by those CPUs.

Intel VISA Unveiled

Intel VISA is a “full-fledged logic signal analyzer“ that is found in the PCH (Platform Controller Hub) microchips on modern Intel motherboards and CPUs. The feature normally allows manufacturers to test and debug the chips on the manufacturing line.

VISA can be used to monitor electronic signals sent from internal buses and peripherals to the PCH. Similarly, a malicious actor could use the feature to intercept all of the data passing through the same channels.

Positive Technologies expert Maxim Goryachy said in a statement: "We found out that it is possible to access Intel VISA on ordinary motherboards, with no specific equipment needed. With the help of VISA, we managed to partially reconstruct the internal architecture of the PCH microchip."

Intel Kept VISA Secret from the Public

According to the researchers, this feature has not been publicly disclosed by Intel, which would only tell others about it under a non-disclosure agreement (NDA).

The good news is that the feature is disabled by default (unlike Intel ME, which is enabled by default on most Intel-based machines), so attackers can’t exploit VISA without first finding a way to enable it.

The bad news is that the Positive Technologies researchers found a way to disable VISA using an older Intel ME vulnerability. Intel released a firmware patch that fixes that vulnerability back in 2017, but unless your laptop maker or motherboard maker has sent your the updated firmware and you updated your system with it, your PC will remain vulnerable. This bug can’t be fixed through operating system updates.

The silver lining is that if an attacker can exploit your system through the existing Intel ME vulnerability, then there they can’t do much worse by also gaining access to VISA. However, if in the future attackers find another way to enable VISA, even on systems with patched Intel ME firmware, that could indeed expose PC users to new dangers.

The researchers said that they have found three other ways to enable VISA themselves, which they will reveal in a presentation slide on the Black Hat site in a few days. The researchers already presented this information at the Black Hat Asia 2019 cybersecurity conference, which started on March 26 and ends today.

Another question that remains is how many other undocumented modes/features that give low-level access to a user's system are there in Intel's CPUs? Intel may try to keep them secret from the public primarily so that bad actors don't learn about them either, but security through obscurity usually doesn't work. Sophisticated attackers with enough resources can learn about those secret features on their own, just as the Positive Technologies researchers did.