Lost in the Noise (Archive)

Security researchers said they've found a way to circumvent an Intel vPro security feature used to protect PCs and the programs that they run from tampering.

Invisible Things Labs researchers Rafal Wojtczuk and Joanna Rutkowska said they'd created software that could "compromise the integrity" of software loaded using the Trusted Execution Technology (TXT) that is part of Intel's vPro processor platform.

That's bad news, because TXT is supposed to help protect software - a program running within a virtual machine, for example - from being seen or tampered with by other programs on the machine. Formerly code-named LaGrande, TXT first started shipping in some Intel-based PCs last year.

Although almost no software uses the TXT technology today, the research could matter a lot to computer companies and government agencies that are thinking of using it to secure their future products.

Wojtczuk and Rutkowska said they'd created a two-stage attack, with the first stage exploiting a bug in Intel's system software. The second stage relies on a design flaw in the TXT technology itself, they said in an announcement of their work, released Monday.

The Invisible Things researchers wouldn't say exactly what system software contains one of these "first stage" bugs before they have been patched, because that information could be misused by cyber-criminals.

The "second stage" problem may be tricky to fix, however. "It is still not clear how Intel should address the problem that is exploited by the second stage of our attack," Invisible Things researcher Joanna Rutkowska said in an email interview. "Intel claims it can resolve the issue by updating the TXT specification."

The researchers conducted their attack against a program called tboot, used to load trusted versions of Linux or virtual machine modules onto the computer. They chose tboot because it is one of the few programs available that takes advantage of the TXT technology, but they did not find bugs in tboot itself, Rutkowska said.

Intel spokesman George Alfs said his company is working with the Invisible Things team, but he declined to comment further on their work, saying he didn't want to pre-empt the Black Hat presentation.

The researchers plan to give more details on their work at the upcoming Black Hat Washington security conference next month.

Because TXT isn't widely used, the work may not have much of an effect on Intel's customers, according to Stefano Zanero, CTO of Italian security consultancy Secure Network. "As of now, only a very limited subset of developers who are playing with the technology will find it interesting," he said in an instant message interview.

However, the work could end up being important if it outlines new ways attackers could compromise the vPro architecture, he added. "If it just outlines a specific vulnerability in Intel's implementation, then it's less interesting," he said.

With confidence in conditional access (CA) technology on the wane after publicized exposures of satellite TV smart cards, one vendor is touting an approach that promises to protect existing CA.

The technology could even revive the cable industry's stalled efforts to craft a common downloadable CA system (DCAS).

Star hacker

Exhibit A for smart card vulnerability is a June 2008 Wired.com conversation with celebrated hacker Chris Tarnovsky.

A figure in a corporate espionage lawsuit between News Corp. subsidiary NDS and Dish Network (formerly Echostar Communications) that erupted last April and May, Tarnovsky had remained for several years on the News Corp. payroll after building a device called a "stinger" that could communicate with any smart card, Echostar's included.

The Wired interview of Tarnovsky, who founded Flylogic Engineering in April 2007 to perform hardware and software security analysis of semiconductors, took place in his San Diego laboratory.

Posted on YouTube, the video (click here) shows Tarnovsky using common acids to expose the card's circuitry, scratching a tiny hole within the chip's data bus region, "listening" to sequential samples of the device's eight-bit bus and then describing further possible interactions with it.

"I could actually send a management message, for example, into the chip, and eavesdrop everything the chip did to decrypt the message," Tarnovsky said.

Cable (in)security

Few technologists in the cable industry frequent the kinds of spy-vs-spy infosec (information security) gatherings that feature speakers such as Tarnovsky, but secure CA is as valuable to cable as it is to direct broadcast satellite (DBS).

Comcast's $1 billion set-top agreement with Motorola in 2005, which included provisions to collaborate on and even license Motorola's MediaCipher CA, is a case in point. The $50 million (or more) that Comcast, Time Warner Cable and Cox sunk into the PolyCipher DCAS initiative is another.

While cost structures appear to have sunk PolyCipher (see "Whatever Happened to DCAS?" CT June 2008), there remains the question of actually how to tighten security, a matter made more urgent by the arrival of low-cost digital terminal adapters - also known as digital-to-analog adapters - (DTAs) and expanding home networks.

Comcast has to date selected three suppliers of DTAs: Motorola, Pace and Thomson. Obtaining the right to use of Motorola's Privacy Mode CA was part of the drill of designing these boxes, according to one (non-Motorola) vendor, who said Comcast's Conditional Access Licensing (CAL) fee amounted to a couple of hundred thousand dollars.

The question is whether Privacy Mode (should Comcast decide to activate it through firmware downloads) still renders a DTA vulnerable to compromise.

Absolutely, according to Zultan Costin, manager of North American market development for Irdeto Access. "What you have is a public storage space, where you store your security code. You have a public RAM space, where all your apps are running. And some embedded serial numbers on the chip on what you're encoding. That's it!"

Obfuscation engine

When considering a security solution for the DTA, Costin said his team initially thought it was "not possible, (that) it's way too exposed."

What changed their mind was input from new colleagues at Cloakware, a business that Irdeto acquired in early 2008. Claiming widespread deployment on set-tops, PCs, smart phones and media players, Cloakware runs security code of whatever source through an "obfuscation engine," leveraging in addition what the company's Director of Business Development Trevor Issac calls "security diversity."

The idea involves multiple iterations. "Each time you run it through that tool, what pops out is code that is functionally equivalent, but structurally different," Issac said.

Applying that practice 10 times on an installed base of 10 million set-top boxes, for instance, means that a compromised security code would only work on a million boxes. Moreover, quick renewal of the software would render that target unattainable as well. The upshot is a lot more resources needed to reverse engineer a set-top's CA.

"You've broken the hacker business model," Issac said.

The technique is equally applicable to the PC. "Most of the MSOs today are looking at home networking," said Irdeto's Costin. "And when they are looking at home networking, they are looking at DTCP/IP (digital transmission content protection over Internet protocol)."

CableLabs approved DTCP/IP in August 2007 for digital cable products. "Actually, (it's) a pretty good code," Costin said, "but it's not prepared to run unprotected."

Does this overall approach effectively fit the bill of a downloadable security? "If you have standard obfuscation technology to be applied to anybody's CA code, so it can be downloaded with open flash and RAM, you've got a new DCAS," said Costin.