We started Monday with a new vulnerability in Intel Skylake architecture processors. The vulnerability of Intel processors has been dubbed Sleep Attack. This vulnerability is present in Intel x86 processors that have a sleep mode. This vulnerability is quite complex and apparently it could only be exploited physically, so the risk is low.
Sleep Attack is based on the fact that when the processor is suspended, the DRAM memory continues to be powered. When the CPU 'wakes up' it sends a command to the DRAM to reactivate it. The firmware in this process detects that the DRAM has power and skips some bits of code. Specifically, the firmware code verification process is skipped.
[amazon box=»B0883NPQST» title=»Intel Core i5-10400″ star_rating=»none» template=»table»]Intel suffers a new vulnerability called Sleep Attack
Because the process bypasses code verification, an attacker could exchange normal firmware code for code of their own. After this code modification, since you have access to the code execution. Now you can bypass and disable protections or access any personal information on the system.
The good news about this vulnerability is that the code is extremely difficult to exploit, since physical access is required. In laptops, this vulnerability could be exploited, although it is not easy. Information could be attacked and stolen without the need for a password. An attacker, on the other hand, could install a rootkit that would allow access to the system remotely.
More information about it
An example is when customs is carried out at an airport. Most travelers close their laptop and go to sleep (S3). If the device is seized by the adversary agency upon landing, the disk's encryption keys remain in memory. The adversary can remove the bottom cover and connect a flash emulator like the spispy to the flash chip. They can wake up the machine and provide it with their firmware via spispy. This firmware can scan memory to locate the OS screen lock process and disable it, and then allow the system to resume normally. They now have full access to the unlocked device and its secrets, without requiring the owner to provide a password.
Another example is a hardware implant that emulates the SPI flash. The iCE40up5k used in one of the spispy variants easily fits inside or under an SOIC-8 package, allowing a persistent attack in this state. Since the FPGA can easily distinguish between a cold boot and system validation resuming from sleep, the device can provide a clean version of the firmware with the correct signature when it is being validated or read by a tool like flashrom, and only provide the modified version during a resume from sleep. This type of implant would be very difficult to detect through software, and if done right, it would not look out of place on the motherboard.
Source: THP
