Intel processors found to have a flaw that can affect IoT devices

January 6, 2022

Security researchers recently discovered a flaw in Intel processors, tracked as CVE-2021-0146, that is said to affect laptops, cars, and embedded systems. The vulnerability allows testing or debugging modes to be activated on several Intel processor lines, giving threat actors unauthorised access with which they can acquire full system privileges.

The vulnerability is found in Intel Atom, Pentium, and Celeron processors on the Gemini Lake, Gemini Lake Refresh, and Apollo Lake platforms.

It affects an extensive array of netbooks and Intel-based IoT systems, ranging from smart home systems and appliances to cars and medical equipment.

Security experts said Intel ranks fourth in the IoT chip market, and its Intel Atom E3900 series of IoT processors is affected by the CVE-2021-0146 vulnerability. Car manufacturers use the Intel Atom E3900 series in over 30 car models, such as Tesla’s Model 3.

The flaw received a score of about 7.1 on the Common Vulnerability Scoring System (CVSS) 3.1 scale.

One example of a real threat is an affected device, such as a laptop, that is lost or stolen, especially if it contains highly confidential data in encrypted form. Threat actors who exploit the vulnerability can extract an encryption key and gain access to the device.

Moreover, the vulnerability can also be abused in targeted attacks throughout the supply chain.

Another hypothetical example is an employee of a supplier of Intel processor-based devices who extracts the Intel CSME firmware key and deploys spyware that installed security software does not detect. Experts consider this scenario dangerous because it enables the extraction of the root encryption keys used in Intel’s Platform Trust Technology (PTT) and Enhanced Privacy ID (EPID) technologies, in systems that protect digital content from being illegally counterfeited.

Experts say that the vulnerability stems from a debugging feature that has extensive privileges and is not protected as it should be. Manufacturers are strongly advised to take extra care with how they secure debugging mechanisms, so that built-in protections cannot be bypassed in the future.

Users can also install the UEFI BIOS updates published by manufacturers of electronic devices and equipment to fix discovered vulnerabilities.
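
A triage helper for the affected platforms and the UEFI BIOS remediation described above. It is an added example, not code from the researchers or from Intel. The CPUID family and model values are an assumption taken from the Linux kernel's `intel-family.h` rather than from this article, and the host names, BIOS dates and cpuinfo samples are constructed.

```python
import re

# CPUID (family, model) for the platforms the article names. Assumption: the
# values come from the Linux kernel's intel-family.h, not from the article.
AFFECTED = {
    (6, 0x5C): "Apollo Lake",
    (6, 0x7A): "Gemini Lake / Gemini Lake Refresh",
}

def parse_cpuinfo(text):
    """Yield a dict of fields for each logical CPU in /proc/cpuinfo text."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if fields:
            yield fields

def affected_platform(cpuinfo_text):
    """Return the affected platform name, or None if no CPU matches."""
    for cpu in parse_cpuinfo(cpuinfo_text):
        if cpu.get("vendor_id") != "GenuineIntel":
            continue
        try:
            key = (int(cpu["cpu family"]), int(cpu["model"]))
        except (KeyError, ValueError):
            continue  # malformed entry or non-x86 layout
        if key in AFFECTED:
            return AFFECTED[key]
    return None

def triage(host, cpuinfo_text, bios_date):
    """One inventory line per host; the BIOS date is for manual follow-up."""
    platform = affected_platform(cpuinfo_text)
    if platform is None:
        return f"{host}: not an affected platform"
    return (f"{host}: {platform}, BIOS dated {bios_date}; "
            "check for the vendor UEFI BIOS update for CVE-2021-0146")

# Constructed samples (not captured from real hosts).
SAMPLE_E3950 = ("processor\t: 0\nvendor_id\t: GenuineIntel\ncpu family\t: 6\n"
                "model\t\t: 92\nmodel name\t: Intel(R) Atom(TM) Processor E3950\n")
SAMPLE_OTHER = SAMPLE_E3950.replace(": 92", ": 158").replace(
    "Atom(TM) Processor E3950", "Core(TM) i7-7700")

if __name__ == "__main__":
    print(triage("kiosk-01", SAMPLE_E3950, "03/12/2020"))
    print(triage("desk-07", SAMPLE_OTHER, "11/02/2021"))
```

On a live Linux host the inputs would be the contents of `/proc/cpuinfo` and `/sys/class/dmi/id/bios_date`; whether a given BIOS date includes the fix has to be confirmed against the device manufacturer's advisory.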
