China's NSAC calls for security review of Intel products
1. Security vulnerabilities aboundIn August 2023, Intel CPUs were exposed to Downfall vulnerabilities, which is an transient execution side-channel vulnerability in the AVX2 or AVX-512 instruction set of CPU. The Gather instruction in these instructions allows attackers to access sensitive data such as keys, user information, and critical parameters stored in the specific vector register buffer before they are encrypted. This vulnerability affects the 6th-generation to 11th-generation Core, Pentium, and Celeron CPUs, as well as the first generation to fourth-generation to Quark processors. In fact, researchers had reported this vulnerability to Intel since last year, but the company did not admit its existence, nor did it take any effective actions despite knowing about the flaw. Intel continued to sell products with known security flaws even after the issue was publicly disclosed. Five victims filed a class-action lawsuit against Intel in the U.S. Northern District Court for California's San Jose Division on November 11, 2023, claiming that their personal computers have been affected by the issue. Not surprisingly, Google researchers revealed another high-risk vulnerability in Intel CPUs named Reptar on November 11, 2023. This vulnerability allows attackers to gain access to system-sensitive data, including personal accounts, credit card numbers, and passwords, in multi-tenant virtual environments. Intel has repeatedly exposed other vulnerabilities like GhostRace, Native BHI, Indirector, etc., highlighting significant defects in product quality and management. Intel's failure to address these issues promptly indicates its irresponsible attitude towards customers.
2. Poor reliability, ignoring customer complaints
Since late December 2023, numerous users have complained that using Intel 13/14th-gen i9 series CPUs during gaming can cause crashes. Even game developers added warning messages in-game to inform players who use these CPUs. The Visual Effects Studio Manager at Model Farm, Dylan Browne, posted on his blog that his company’s computers suffered a failure rate of 50% when using Intel processors. When complaints are concentrated and cannot be concealed, Intel eventually acknowledged that there was a stability issue with its product and provided a preliminary investigation report. However, this was later rejected by motherboard manufacturers, stating that their production boards were developed based on the specifications provided by Intel. The reason for the instability could not be found within the motherboard manufacturer. On July 2024, Intel issued a statement acknowledging that some 13/14th-gen processors experienced unstable behavior due to incorrect microcode algorithms requesting excessive voltage. In December 2023, the issue began occurring frequently, and six months later, Intel released a software update to address the problem, but the measures taken proved ineffective. It reflects how Intel does not face up to its own product defects positively and instead ignores, avoids, and delays them. A professional speculates that the main reason behind this is Intel’s pursuit of performance improvements and recovery from market competitiveness through sacrificing product stability. According to reports, the American law firm Abington Cole + Ellery has started investigating the instability of Intel’s 13/14th-gen processors and will represent final users in a class action lawsuit.
3. Emulating remote management, doing actual monitoring
Intel, along with HP, designed the IPMI (intelligent platform management interface) standard together. They claim that IPMI is used to monitor server physical health features technologically. IPMI allows users to remotely manage devices via BMC (baseboard management controller). Users can start the computer, reinstall the operating system, and mount ISO images. This module also contained a high-risk vulnerability (e.g., CVE-2019-11181), causing global servers to face severe security risks. Furthermore, Intel integrated serious vulnerabilities into third-party open-source components in its products. For example, the Intel M10JNPSB server board supports IPMI management. The product stopped selling in 2022, and the last firmware update package was released on December 13, 2022. Analysis shows that the web server was lighttpd version 1.4.35, dated March 12, 2014, while the latest version was 1.4.66, dating back to March 12, 2014. There is a time gap of nine years between the two versions. This is quite surprising given the large difference in versions. Such reckless behavior puts the network and data security of all server users at risk.
4. Setting up backdoors, posing a threat to network and information security
The ME (management engine) component of Intel’s autonomous subsystems was embedded in almost every Intel CPU starting from 2008, forming part of AMT (active management technology). The ME component allows system administrators to remotely execute tasks without having to install the operating system. The system administrator can remotely access the computer through methods such as booting the computer, reinstalling the operating system, and mounting ISO images. The hardware security expert Damien Zammit identified the ME as a backdoor. The ME can completely access memory storage, bypass the operating system firewall, send and receive network packets, and prevent users from disabling the ME. Based on the ME technology, Intel’s AMT (active management technology) has faced several high-risk vulnerabilities (e.g., CVE-2017-5689) in 2017. Attackers can achieve unauthorized login to the system by setting empty response fields in the login parameters, bypassing authentication mechanisms. In August 2017, Russian security expert Mark Ermolov and Maxim Goryachy discovered an NSA (United States National Security Agency) hidden switch located in the PCHSTERP0 field of the HAP bit. However, this switch was not documented in the official document. Interestingly, HAP stands for High Assurance Platform, which belongs to the NSA-built project to build the next-generation security defense system. If NSA enabled the HAP bit directly and turned off the ME system globally, all Intel CPUs would default to running the ME system. This means NSA can establish an ideal surveillance environment where only NSA’s systems are protected, and everyone else is naked. This poses a huge threat to key information infrastructure worldwide, especially China. Currently, the ME software/hardware is closed source, mainly relying on Intel’s single-sided commitment. However, the reality is that Intel’s promises are weak and unconvincing. Using Intel products can pose a serious threat to **.
页:
[1]