
Attacks on CPUs from USB port


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Studies have found that Intel CPUs (central processing units) contain a debugging interface that is accessible via USB 3.0, allowing an attacker to gain full control of the machine.

Affected platforms

The following platforms are known to be affected:

Core Skylake

Intel’s Skylake processors (2015) and later processors

Threat details

On older Intel CPUs, accessing the CPU required connecting a special connector to a debugging port on the motherboard. This meant the machine had to be taken apart, making the circuit board difficult to access for both troubleshooters and potential attackers. However, starting with the Skylake processor family in 2015, Intel introduced the Direct Connect Interface (DCI), which provides access via USB 3.0 ports and eliminates the need to dismantle the machine. The DCI must be enabled for an attack to be successful. It is usually standard for machines straight from the box to have the DCI enabled, and it can also be activated with the use of a flash programmer.

Initiating attacks this way means the attack will work below the software layer, making it extremely difficult to identify, as current security systems are not able to detect an attack of this nature.

Currently there are a number of mitigations available on the internet involving Intel’s Boot Guard feature.


Remediation steps

  • Ensure Intel’s Boot Guard features are on and protecting the system.
  • Disable the DCI interface and block future use.
  • Ensure a robust program of education and awareness training is delivered around physical security, and that policies are in place around sensitive machines, as well as controls to limit the use of unauthorised USB devices.
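
One way to check the second remediation step on a Linux host, as an added example that is not part of the NHS Digital alert: it reads the IA32_DEBUG_INTERFACE MSR (0xC80, documented in Intel's Software Developer's Manual and not named in the alert) through the `msr` driver and flags CPUs where debug is enabled or left unlocked. It assumes root and a loaded `msr` module, covers only this CPU-side control and not the chipset's own DCI setting, and falls back to constructed sample values when the MSR cannot be read.

```python
import glob
import os
import struct

IA32_DEBUG_INTERFACE = 0xC80   # MSR from Intel's SDM; not named in the alert
ENABLE = 1 << 0                # silicon debug features enabled
LOCK = 1 << 30                 # MSR locked against further changes
DEBUG_OCCURRED = 1 << 31       # sticky bit: hardware records that enable was set
SEVERITY = {"PASS": 0, "WARN": 1, "FAIL": 2}

def assess(value):
    """Map one raw MSR value to (verdict, reasons)."""
    reasons = []
    if value & ENABLE:
        reasons.append("debug enable bit is set")
    if value & DEBUG_OCCURRED:
        reasons.append("debug-occurred sticky bit is set")
    if not value & LOCK:
        reasons.append("lock bit is clear, setting can still be changed")
    if value & (ENABLE | DEBUG_OCCURRED):
        return "FAIL", reasons
    return ("WARN" if reasons else "PASS"), reasons

def read_msr(path, msr=IA32_DEBUG_INTERFACE):
    """Read a 64-bit MSR through the Linux msr driver (needs root)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, msr))[0]
    finally:
        os.close(fd)

def audit(values):
    """values maps a CPU label to its raw MSR value; the worst verdict wins."""
    results = {cpu: assess(v) for cpu, v in values.items()}
    worst = max((v for v, _ in results.values()), key=SEVERITY.get)
    return worst, results

if __name__ == "__main__":
    try:
        paths = sorted(glob.glob("/dev/cpu/[0-9]*/msr"))
        values = {p: read_msr(p) for p in paths}
    except OSError:
        values = {}
    if not values:
        # Constructed sample values, used when the MSR cannot be read here.
        values = {"sample-locked": 0x40000000, "sample-enabled": 0xC0000001}
    worst, results = audit(values)
    for cpu, (verdict, reasons) in results.items():
        print(cpu, verdict, "; ".join(reasons) or "debug disabled and locked")
    print("overall:", worst)
```

A PASS here means the enable bit is clear and the lock bit is set on every logical CPU; it does not replace checking the firmware setup for the DCI option itself.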

Last edited: 17 February 2020 11:27 am