Intel CSME flaw: 5 years of chips have a truly ominous, unfixable flaw

This week a report showed an "unfixable" flaw in the Intel Converged Security and Management Engine (CSME) in Intel chips. This flaw exists in essentially every piece of Intel-released silicon from the last half-decade. A brief report was released by the folks at Positive Technologies today which aims to make the world aware of the flaw ahead of their full white paper report.

Intel CSME represents the basis for Intel hardware security tech of all sorts. CSME firmware uses EPID (Enhanced Privacy ID), which enables secure transactions (to put it in as basic a set of terms as possible). EPID allows you to securely work with Internet of Things devices, send money to your bank, buy things from internet-based stores, and etcetera.

A TPM chip is a "Trusted Platform Module", a piece of hardware that can store keys for secure transactions. Not all devices have a TPM chip. The Intel CSME system allows the storing of keys in firmware without needing a hardware TPM chip. Unfortunately, there appears to be a weakness in this setup.

"An early-stage vulnerability in ROM enables control over reading of the Chipset Key and generation of all other encryption keys," wrote Mark Ermolov of Positive Technologies. "One of these keys is for the Integrity Control Value Blob (ICVB). With this key, attackers can forge the code of any Intel CSME firmware module in a way that authenticity checks cannot detect."

The good news here is that the (encrypted) Chipset Key resides within One-Time Programmable (OTP) memory on a platform. A malicious agent would need to first extract the hardware key used to encrypt the Chipset Key inside SKS (Secure Key Storage).

"However, this key is not platform-specific," wrote Ermolov. "A single key is used for an entire generation of Intel chipsets. And since the ROM vulnerability allows seizing control of code execution before the hardware key generation mechanism in the SKS is locked, and the ROM vulnerability cannot be fixed, we believe that extracting this key is only a matter of time. When this happens, utter chaos will reign."

Intel was apparently aware of this vulnerability and issued an alert in May of 2019, but this latest report from Positive Technologies expands upon what was already disclosed. Intel made an additional statement this morning:

"Intel was notified of a vulnerability potentially affecting the Intel Converged Security Management Engine in which an unauthorized user with specialized hardware and physical access may be able to execute arbitrary code within the Intel CSME subsystem on certain Intel products," wrote an Intel representative in a statement. Intel pointed to Intel-SA-00213 advisory guidance for further information.

In other words, Intel's best advice for the moment is: Don't go losing your laptop... and make sure you keep your computers updated with the latest security software from Intel. Cross your fingers some sort of long-lasting new bit of security is crafted before "utter chaos" finds a way to take us all, basically.