Serious Intel CPU security flaw affects millions and can't be fixed

A security bug affecting many Intel systems is worse than previously thought. The bug affects the majority of Intel CPUs released in the last five years. The bug lies within the Converged Security and Management Engine (CSME), meaning it can't be fully fixed with software or firmware updates. Positve Technologies breaks down the bug and explains the risks that it potentially raises for PCs.

The issue leaves systems that are affected open to physical or local attacks. Mark Ermolov, the author of the report from Positive Technologies, says that the bug can be potentially exploited through local access, stating, "Some of them might require local access; others need physical access."

Because the issue is within the CSME, it can't be fixed without changing hardware. CSME is the "Root of Trust" for security on a platform. LaptopMag explains that "the system relies on it as a trusted source of cryptographic security," adding, "Because the flaw is in the bootROM of CSME it cannot be changed after manufacturing."

According to Positive Technologies, people that want to exploit this vulnerability will look to extract a hardware key which is used to encrypt the Chipset Key. That key is not platform-specific, meaning that a single key could be used for "an entire generation of Intel chipsets." Positive Technologies believes that extracting this key is "only a matter of time," adding "When this happens, utter chaos will reign. Hardware IDs will be forged, digital content will be extracted, and data from encrypted hard disks will be decrypted."

When ZDNet asked for a comment from Intel, Intel reaffirmed that the bug can only be exploited through physical access. It also urged people to apply the May 2019 updates.