News [ZDNet] Researchers discover and abuse new undocumented feature in Intel chipsets

UsandThem

Elite Member
May 4, 2000
16,068
7,380
146
Intel has had a rough couple of years with security bugs / concerns.

I hope their next CPU architecture totally fixes all of them.
 
  • Like
Reactions: maddogmcgee

VirtualLarry

No Lifer
Aug 25, 2001
56,229
9,990
126
Backdoors, backdoors, and more backdoors, in the Evil Empire's chips. Is anyone really surprised? Does the emperor know he needs a new wardrobe?

Nintendo started as a playing-card company, that moved into electronics and video games. Maybe Intel will be a computer chip company, that moves into making playing cards instead. 'cause they're not so great at creating chips, apparently, with any sort of usable security.

Or perhaps they should move their base of operations to Wisconsin, and start making Swiss Cheese. Something that they're already good at.
 

ozzy702

Golden Member
Nov 1, 2011
1,151
530
136
Backdoors, backdoors, and more backdoors, in the Evil Empire's chips. Is anyone really surprised? Does the emperor know he needs a new wardrobe?

Nintendo started as a playing-card company, that moved into electronics and video games. Maybe Intel will be a computer chip company, that moves into making playing cards instead. 'cause they're not so great at creating chips, apparently, with any sort of usable security.

Or perhaps they should move their base of operations to Wisconsin, and start making Swiss Cheese. Something that they're already good at.


I wouldn't be the least bit surprised to find out that the U.S. government required all these backdoors and security vulnerabilities. The past couple years certainly haven't been good for Intel. It's been a great opportunity for AMD to catch up which in turn is great for us all. Hopefully both AMD and Intel will double down on security and we'll have both competition and secure devices.
 
Last edited:
  • Like
Reactions: NTMBK

IntelUser2000

Elite Member
Oct 14, 2003
8,686
3,785
136
This quote is from the researcher:
As Ermolov said yesterday, VISA is not a vulnerability in Intel chipsets, but just another way in which a useful feature could be abused and turned against users.

Mere 10 years ago such problems weren't even considered. For Spectre and Meltdown a google report said disabling it altogether might be the only safe choice.

There was another report that said the biggest reason for security breaches and customer information loss is due to employees of the company themselves.

The problem is the combination of fast decline in trust and over abundant reliance on computers. Total security is impossible. It requires the designers be paranoid from the concept stage to production. Seems to be just a step away from the dystopian future where absolutely everyone is seen as a criminal and an enemy.

The real losers are always the people trying to live in a lawful, honest way.
 

DrMrLordX

Lifer
Apr 27, 2000
21,582
10,785
136
Requires physical access. It might be bad for people who run highly-sensitive, air-gapped networks that are under attack from physical intrusion. Or maybe an infected USB could carry out an attack. Spectre and Meltdown were much worse.
 
  • Like
Reactions: beginner99

fleshconsumed

Diamond Member
Feb 21, 2002
6,483
2,352
136
I'm dumping my intel hardware for Ryzen, in part because of these security holes/backdoors. Screw that.
 

Shivansps

Diamond Member
Sep 11, 2013
3,835
1,514
136
This is very similar to those AMD exploits that needed physical access and flashing with evil firmware, meh. At least no one is blaming the source of the information this time.
 

amd6502

Senior member
Apr 21, 2017
971
360
136
Requires physical access. It might be bad for people who run highly-sensitive, air-gapped networks that are under attack from physical intrusion. Or maybe an infected USB could carry out an attack. Spectre and Meltdown were much worse.

If you truly care about security never ever ever EVER plug your androde telephone into your computer, whether it is to recharge or the convenience of uploading photos.

A compromised androde or iphone in the USB does count as physical access. And you can pretty much count on the possibility that it is infected (acorn socs are one of the lousiest for security, and they don't get patched or maintained as much as x86).. Heck the old ARM 2 cpus were bullet proof and secure, which is not something you can say for modern day ARM socs; I pine for these days: https://www.theinquirer.net/inquirer/news/3064969/acorn-computers-risc-os-finally-goes-open-source
 
Last edited:

Hitman928

Diamond Member
Apr 15, 2012
5,182
7,633
136
This is very similar to those AMD exploits that needed physical access and flashing with evil firmware, meh. At least no one is blaming the source of the information this time.

The difference is with the AMD exploit:

- The researchers decided to tell the world about the exploit before giving AMD any real time to even investigate their claims let alone come up with fixes. This is very much against industry standards.
- Tried to make the exploit seem far more serious that it was in the wake of the Spectre reveal.
- Claimed at least certain attack points were unfixable or would take a very long time (AMD had fixes out pretty quick in the end).
- Tried to use it to promote their startup.

Because of these reasons, people started to question who they were and their motivation. I think the first point was probably the biggest issue.
 

Shivansps

Diamond Member
Sep 11, 2013
3,835
1,514
136
The difference is with the AMD exploit:

- The researchers decided to tell the world about the exploit before giving AMD any real time to even investigate their claims let alone come up with fixes. This is very much against industry standards.
- Tried to make the exploit seem far more serious that it was in the wake of the Spectre reveal.
- Claimed at least certain attack points were unfixable or would take a very long time (AMD had fixes out pretty quick in the end).
- Tried to use it to promote their startup.

Because of these reasons, people started to question who they were and their motivation. I think the first point was probably the biggest issue.

the first point was the only real issue (and with a good reason, as you said is against industry standards), the others were not know or just expeculations at that time. The general reaction to that "security problem" in the public was not normal and beyond anything i seen in my life, to the point there was people saying that was all a lie and went as far as to search for the stock photos they used with the green screen, that was too much.

Anyway, i said the same back in that day and im going to say the same again now, to me anything that needs physical access for wharever reason, and even worse, firmware flashing, is not a security leak(Specially in a world with daily side channel exploits.), there is a tons of things i can do with physical access, specially if i can bring the system down for firmware flashing.
 
Last edited:

maddie

Diamond Member
Jul 18, 2010
4,723
4,628
136
the first point was the only real issue (and with a good reason, as you said is against industry standards), the others were not know or just expeculations at that time. The general reaction to that "security problem" in the public was not normal and beyond anything i seen in my life, to the point there was people saying that was all a lie and went as far as to search for the stock photos they used with the green screen, that was too much.

Anyway, i said the same back in that day and im going to say the same again now, to me anything that needs physical access for wharever reason, and even worse, firmware flashing, is not a security leak(Specially in a world with daily side channel exploits.), there is a tons of things i can do with physical access, specially if i can bring the system down for firmware flashing.
Please don't try to validate the 'company' that tried that stunt. It's very disingenuous to attack the response to their 'operation'.
 

Hitman928

Diamond Member
Apr 15, 2012
5,182
7,633
136
Anyway, i said the same back in that day and im going to say the same again now, to me anything that needs physical access for wharever reason, and even worse, firmware flashing, is not a security leak(Specially in a world with daily side channel exploits.), there is a tons of things i can do with physical access, specially if i can bring the system down for firmware flashing.

I agree that the exploit reveal itself isn't a big deal given that it's already patched and requires physical access, but I think the more interesting part is that it was discovered in a completely undocumented part of the chip.
 
  • Like
Reactions: Shivansps

beginner99

Diamond Member
Jun 2, 2009
5,208
1,580
136
Requires physical access. It might be bad for people who run highly-sensitive, air-gapped networks that are under attack from physical intrusion. Or maybe an infected USB could carry out an attack. Spectre and Meltdown were much worse.

Agree. It at best a theoretical issue affecting large data centers and nation states but not us average Joe. Also psyhcial access is a huge part of IT security (which often gets neglected).
 

DrMrLordX

Lifer
Apr 27, 2000
21,582
10,785
136
The difference is with the AMD exploit:

- The researchers decided to tell the world about the exploit before giving AMD any real time to even investigate their claims let alone come up with fixes. This is very much against industry standards.
- Tried to make the exploit seem far more serious that it was in the wake of the Spectre reveal.
- Claimed at least certain attack points were unfixable or would take a very long time (AMD had fixes out pretty quick in the end).
- Tried to use it to promote their startup.

Because of these reasons, people started to question who they were and their motivation. I think the first point was probably the biggest issue.

I'm kind of wondering if the VISA exploits will ever be fixable (in existing hardware). AMD's problems, as you stated, could be patched.