Intel is doing a dog and pony show about vPro Security but their CPUs are fundamentally insecure. The problem is that all this user facing fluff and PR is built on an insecure and broken foundation whose problems the company is knowingly ignoring.
SemiAccurate has been trying to get answers from Intel for years about a serious problem with their trusted boot process, the foundation that every one of their new technologies are built on. This includes things that drop user security like the so called, “Intel Small Business Advantage” (SBA), and other related vPro features like today’s Intel Authenticate. There are actually two problems with the whole idea, what Intel promises as secure and how they message it.
Starting with the hardware side, everything is based on what is called Secure Boot (SB) which has various components form the hardware TPM to firmware to software running on Windows, and sadly only on Windows. Starting at the beginning of the process gets us to SB, basically a chain of trust wherein the hardware can check its status at power on and verify that it is correct and secure. From there each step in the process can verify that the next step is the correct one, secure, and present. The whole process is done through cryptographic signing and is fundamentally based on the premise that the first step is OK.
Intel’s problem is that the first step in the chain is not OK and has not been for years. If the first step, SB, is not actually secure, the rest is meaningless fluff for uneducated consumers and corporate sourcing drones. That would be you. Hint: It isn’t secure, it is utterly broken. Worse yet when confronted with this rather severe problem, Intel reacted in the usual way, they buried their heads in the sand and denied the problem.
The reason SemiAccurate says this is that after we wrote the rather scathing piece on Intel’s SBA, their security people were a tad incensed about it. They wanted to talk to SemiAccurate to set the record straight and correct our misguided thoughts. We agreed to chat. Please note that this talk was with the engineers and actual security personnel, not PR trained spokespeople. It was not for a story, just for educational purposes. Unfortunately they learned nothing. (Note: This talk happened years ago so it will be paraphrased for this story)
It stared out nicely enough, I asked them how SBA could be considered secure when it was based on an insecure platform. They confidently replied that I was wrong, it was fundamentally secure and they could prove it. Security people will understand at this point how abjectly broken Intel security is at this point and how unfixable the process makes it. The rest of you will need the longer version which begins with me grinning widely and asking how they could prove it.
They said that Intel had given their security implementation to several organization and certification outfits and none of them could break it. Intel had various certificates, stamps, and seals of approval to show that their stuff was indeed secure, and could show them off as needed. If this had been a 2nd grade class they would have gotten a gold star sticker on their forehead. The problem, and it is a massive one, is that you can’t prove security, you can never know what you don’t know.
There is a process in security that any serious algorithm or advance goes through and it is about the best way to validate something as not readily crackable. The short version is that you put it out in the open and the best and brightest analyze it, pound it silly, and go over it until they get bored and give up. After a few years of this the thing in question is generally considered as probably not breakable by known methods, but never listed as ‘secure’. It is NEVER done behind closed doors and NEVER done under NDA, it is a completely open process and has to be exposed to work. Go look at the process of how AES was selected and what the candidate algorithms went through for more on this, it is a fascinating process.
Going back to Intel security features we have the exact opposite. They won’t publicly document their security hardware. They won’t publicly document their security firmware. They won’t publicly document their security software. They won’t even publicly explain to the press how it works on at a high level. If you want any of this you have to sign your life away in NDAs and even then, who knows what you are actually going to get? Do you get the things you want? If not, you can’t actually say but they can probably say you tried to break it.
Intel’s gold stars are the ones they will talk about, if there was a problem, could those who found it disclose the issue? Were there any? That is less of a problem than a finite group with limited testing time not being able to break the implementation given under the test conditions. As far as security audits go this process is a bad joke which is why I smiled when Intel said they could prove it is secure. They can’t and if they had a vague clue about security, they would have known better than to say such things. They said it.
At that point I asked the question I wanted to ask from the start, “If you say it is secure and unbreakable, how do you explain that Joanna Rutkowska of Invisible Things Labs cracked it multiple times? How can you call it secure if they cracked it multiple times across multiple versions?”. Here is where I was expecting to learn something about security and Intel, boy did I, the reply was amazing.
“We have certificates that show we are secure from multiple vendors“, was the answer. “But you are not”, I replied, “It has been cracked many times so how can you claim it is secure? What am I missing?”. “We have certificates that show we are secure from multiple vendors” This sad repetition loop went on for a few more rounds until the shock wore off and I realized they weren’t joking, that was the best they could offer. For those not living in a world of deep security minutia, denial is not an effective security mechanism.
Intel as an organization had a broken, insecure basis for their security implementation coupled to multiple pieces of paper that they paid handsomely for. This was their security model. It wasn’t just broken, it was known broken and being actively ignored by the company. They didn’t just have a bug, they had a process that made sure that the fundamental building block of their security process would never be secure, could not be tested by independent agents, and anyone who worked with Intel would be prevented from disclosing flaws they found. It took Invisible Things, an outside not working in the system, to expose the serious problem with Intel ‘security’.
Two very bright people cracking the best Intel has to offer, a SB chain that is deployed across billions of PCs worldwide, is pretty frightening. If they can do it, imagine what a state sponsored team of hackers with comparatively unlimited resources could do? If you think any of these flaws is not in the hands of every state organization in the world dedicated to such things, you are wrong. SemiAccurate has information that at least one of these flaws was brought to Intel by one such organization before a patch was even considered. The ‘bad guys’ know, the ‘good guys’ know, and Intel knows too.
The chirpy conversation went downhill from there, not because there was nothing more to talk about, but mainly because Intel security personnel flatly and completely denied they had a problem even when presented with direct evidence of cracks. They would not admit that secure boot was ever broken, and could not actually discuss anything substantive, just repeated how secure they were certified as. Surreal is one word to describe it, the rest are not complementary. Intel Secure Boot/Trusted Computing is fundamentally neither one, has been broken multiple times, and worse yet, the problem seem to be utterly ignored by Intel.
The second overarching issue is not a technical one but a messaging and PR one. Like most mainstream news outlets, political campaigns, and advertising agencies, Intel knows fear sells. Their marketing campaign around upselling organizations ‘professional’ SKUs of CPUs is based on it. They cripple sub-i5 CPUs for business by artificially fusing off AES-NI, if you don’t pay more you can’t encrypt at speed on a laptop so bye-bye full disk encryption. Intel marketing understands the issue well and exploits it ruthlessly.
If you look at their so called secure offering for business, it is a marketing message at best, prevents security at worst. The SBA packages have been one of the worst offenders, promising security to buyers while in reality preventing it. Why? The package mandates Windows, an unsecurable OS. Go look at security appliances and devices, how many not directly made by Microsoft are based on that operating system? Think there is a reason for it? Intel is mandating insecurity to run their ‘valuable bundle offering’, and then basing it on a known insecure hardware platform.
With yesterday’s breathless claims about how “Intel Transforms the Workplace with Latest 6th Generation Intel® Core™ vPro™ Processors”, the talk was all about triple factor authentication. If one is good, three is better you unwashed consumer you, one is clearly more than three! Actually it is all built on Secure Boot which is not actually secure. If you can break the root the rest is meaningless. Intel could have a 17 factor authentication process including a note from the user’s mother, a Texas-style belt buckle with name and picture etched on it, and initials monogrammed on your socks. It would do no more good than a two digit PIN because the basis for it all is utterly compromised.
And that is the problem with Intel and their so called security efforts like vPro, Unite, Intel Authenticate, and all the rest, they are never going to be secure no matter what BS Intel throws out in press releases. The company will not address fundamental problems with their security mechanisms and the products they produce and ‘certify’ are insecure. This problem has been going on for years, TXT/SB has been cracked again and again, and they won’t do anything about it.
When TXT was cracked it took Intel three years to patch it, and that was only because of outside influences which forced them to take action, left on their own they never would have fixed it. How many more of these are lurking? Intel claims they are utterly and provably secure despite multiple presentations detailing problems and how to crack several versions of this virtual For Knox. When confronted about it, subjects are changed, problems are denied, and certificates are proudly wielded. Once you add triple factor authentication and Windows, Intel is invulnerable, and they have proof!S|A