Serious Intel CPU security flaw affects millions and can't be fixed

Intel stickers (Image credit: Windows Central)

What you need to know

  • It's been discovered that a security bug affecting many Intel systems is worse than initially thought.
  • The bug lies within the Converged Security and Management Engine, meaning it can't be fully fixed with software or firmware updates.
  • Because the flaw is in read-only boot code, the only complete fix is replacing the affected hardware; a software or firmware update cannot reach the vulnerable ROM.

A security bug affecting many Intel systems is worse than previously thought. It affects most Intel chipsets released in the last five years; according to Positive Technologies, only the newest 10th-generation platforms are unaffected. The bug lies within the Converged Security and Management Engine (CSME), meaning it can't be fully fixed with software or firmware updates. Positive Technologies breaks down the bug and explains the risks it potentially raises for PCs.

The issue leaves affected systems open to local or physical attacks, not remote ones. Mark Ermolov, the author of the Positive Technologies report, says that exploitation needs at least local access, stating, "Some of them might require local access; others need physical access." In practice that means an attacker who already runs code on the machine, or who can attach hardware to it.

Because the issue is within the CSME's boot ROM, it can't be fixed without changing hardware. The CSME is the platform's "Root of Trust," the component every other security mechanism on the system relies on. LaptopMag explains that "the system relies on it as a trusted source of cryptographic security," adding, "Because the flaw is in the bootROM of CSME it cannot be changed after manufacturing." Firmware updates can reduce the attack surface around the flaw, but they cannot replace the ROM code itself.

According to Positive Technologies, attackers who want to exploit this vulnerability will aim to extract the hardware key, which is used to encrypt the Chipset Key. The hardware key is not platform-specific, meaning that a single key could be used for "an entire generation of Intel chipsets," so extracting it from one machine would compromise every machine built on the same generation. Positive Technologies believes that extracting this key is "only a matter of time," adding "When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted."
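As an added illustration (not code from this article, from Positive Technologies, or from Intel), the following Python models the blast-radius difference between a root key shared by a whole chipset generation and a root key unique to each device. It is a deliberately simplified wrap/unwrap scheme built from the standard library; the platform names, key sizes and the HMAC-based construction are assumptions made for the example, not Intel's actual CSME key hierarchy.

```python
"""Toy model of a wrapped-key hierarchy, standard library only.

Added illustration, NOT Intel's CSME key scheme. It models one property the
report describes: a root ("hardware") key shared by a whole chipset generation
that wraps each platform's chipset key. Platform names, key sizes and the
HMAC-based cipher are assumptions for the example.
"""
import hashlib
import hmac
import os

KEY_LEN = 32    # assumed key size
NONCE_LEN = 16
TAG_LEN = 32    # HMAC-SHA256 output


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, a stand-in for a real stream cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(root_key: bytes):
    """Derive separate encryption and MAC keys from the root key."""
    enc_key = hmac.new(root_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(root_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def wrap_key(root_key: bytes, chipset_key: bytes) -> bytes:
    """Encrypt-then-MAC chipset_key under root_key: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(root_key)
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(chipset_key, _keystream(enc_key, nonce, len(chipset_key))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(root_key: bytes, blob: bytes):
    """Return the chipset key, or None when root_key is wrong (tag check fails)."""
    enc_key, mac_key = _subkeys(root_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


PLATFORMS = ("platform-A", "platform-B")   # constructed: two machines of one generation


def blast_radius_shared_root() -> dict:
    """One root key for the whole generation: extracting it on A also unwraps B."""
    generation_root = os.urandom(KEY_LEN)
    chipset_keys = {p: os.urandom(KEY_LEN) for p in PLATFORMS}
    blobs = {p: wrap_key(generation_root, chipset_keys[p]) for p in PLATFORMS}
    extracted = generation_root                 # attacker recovers it from platform-A
    return {p: unwrap_key(extracted, blobs[p]) == chipset_keys[p] for p in PLATFORMS}


def blast_radius_per_device_root() -> dict:
    """Per-device root keys (e.g. unique fuses): A's root does not help against B."""
    roots = {p: os.urandom(KEY_LEN) for p in PLATFORMS}
    chipset_keys = {p: os.urandom(KEY_LEN) for p in PLATFORMS}
    blobs = {p: wrap_key(roots[p], chipset_keys[p]) for p in PLATFORMS}
    extracted = roots["platform-A"]             # attacker recovers only A's root
    return {p: unwrap_key(extracted, blobs[p]) == chipset_keys[p] for p in PLATFORMS}


if __name__ == "__main__":
    print("shared generation root:", blast_radius_shared_root())
    print("per-device root:       ", blast_radius_per_device_root())
```

Under the shared-root design both platforms report True: once the generation-wide key is out, every wrapped chipset key of that generation is recoverable without touching the other machines, which is the scenario the report warns about. Under the per-device design only the machine the key was extracted from is affected.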

When ZDNet asked Intel for comment, Intel reaffirmed that the bug can only be exploited through physical access. It also urged people to apply the May 2019 firmware updates (its advisory for CVE-2019-0090), which mitigate the known attack paths but cannot remove the flaw from the ROM.

Sean Endicott
News Writer and apps editor

Sean Endicott brings nearly a decade of experience covering Microsoft and Windows news to Windows Central. He joined our team in 2017 as an app reviewer and now heads up our day-to-day news coverage. If you have a news tip or an app to review, hit him up at sean.endicott@futurenet.com.

13 Comments
  • Time to go fully AMD.
  • Think of the number of Intel systems out there in the corporate world.
    AMD needs to appeal to that segment too.
  • There's more than likely at least one similar issue with AMD chipsets. Intel chips are more frequently and thoroughly screened for vulnerabilities like this because they are by far the market leader. Similar issue that Windows had compared to Mac OS back in the early 2000's.
  • Maybe, but maybe not. Most of the flaws found over the past few years in Intel chips can be attributed to Intel sacrificing security for speed. This is why the mitigations have come at such a major performance detriment, as they have shut off various Intel features, such as hyper-threading. With many of the flaws found recently, AMD was not affected because they did not follow these same methods of cutting corners. While there will always be design oversights, there is a real question as to how many of Intel's problems were "oversights" and how many of them were just ignored in order to keep pushing the envelope.
  • And yet, AMD could be accused of doing the same thing: AMD processors vulnerable to two new types of side-channel attacks https://www.windowscentral.com/amd-processors-vulnerable-two-new-types-s...
  • I feel a class-action coming up
  • Man, this is tough! I struggled long and hard with the decision of purchasing a SPX, and I am hence typing this post on it. I still use my Intel PC for development and heavy lifting, but I'm glad I chose the SPX as my new everyday driver.
  • MS needs to replace all those Intel CPUs for free or offer a free laptop to all affected.
  • Microsoft does? Why not Intel? It is, after all, their component that is the issue.
  • Lol right. I don't understand the automatic "it's Microsoft's fault" blaming that happens.
  • OK, then by that logic, since my laptop is made by Dell, they should replace the CPU. 🙄 It's an Intel product; they are responsible for any flaws in their product.
  • Intel needs to send replacements to everyone who has the chips. Not good enough, Intel!!!
  • Very convenient that only 10th gen CPUs aren't affected. Very Convenient!!