I want to preface this article with some important words. We publish hardware leaks when we’re about 99% confident that our sources have given us good information. The information in this exclusive, given its severe nature, demands 100% confidence, a level of confidence which we have. We also don’t take pleasure in publishing this information, but we have good reason to.
We were recently informed of a hardware vulnerability present in current-generation Intel chips. It likely goes back as far as the 6th generation, and we’ve seen indications that even the 4th and 5th generations could be affected. It’s similar to Plundervolt, but it isn’t a security vulnerability in the usual data-theft sense. For those unfamiliar, Plundervolt (CVE-2019-11157) is an attack in which software lowers an Intel CPU’s core voltage just far enough to induce computation faults inside SGX enclaves, breaking the guarantees SGX is supposed to provide. This new issue also relies on software changing the CPU voltage, but the target is the hardware itself rather than any data it protects: the consequences are physical damage and denial of service, not information disclosure.
By running a simple program that doesn’t even need to be installed, or by installing a driver, one can raise or lower the CPU voltage by as much as half a volt. This does require elevation to administrator-level privileges (at least on Windows), but it works against both locked and unlocked CPUs. The administrator requirement is not incidental: the voltage control is only reachable from kernel mode, so both routes ultimately involve kernel-mode code. The driver route is the more worrying one. Installing the driver prompts UAC once, but because it is signed it loads on every subsequent boot without any further prompt, so the voltage change persists across reboots; the standalone program, by contrast, has to be run (and pass UAC) again each time.
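To make the “half a volt” concrete, here is an added example (not code from the article, and not the program or driver it describes) that builds and parses the 64-bit words a tool hands to Intel’s overclocking mailbox, so a defender can decode writes seen in a driver trace or a tool’s log and flag offsets outside a site policy. It assumes the voltage changes described above travel through the same interface the Plundervolt research documented (MSR 0x150, an 11-bit two’s-complement offset in units of 1/1024 V at bits 31:21, plane index at bits 42:40, command byte 0x11/0x10 at bits 39:32, bit 63 set); the article itself does not name the interface. The plane names, the 100 mV policy limit and the sample writes are constructed for illustration. Nothing here touches an MSR; it only does the arithmetic.

```python
# Added example: encode/decode Intel OC-mailbox (MSR 0x150) voltage-offset words.
# ASSUMED layout (from the Plundervolt research, not from the article):
#   bit 63     = 1 (command valid)
#   bits 42:40 = voltage plane (0 core, 1 GPU, 2 cache, 3 uncore, 4 analog I/O)
#   bits 39:32 = 0x11 write offset / 0x10 read offset
#   bits 31:21 = 11-bit two's-complement offset, 1 LSB = 1/1024 V
# This code never writes an MSR; it only builds and parses the words.

OC_MAILBOX_MSR = 0x150
OFFSET_SHIFT = 21
OFFSET_BITS = 11
OFFSET_MASK = (1 << OFFSET_BITS) - 1          # 0x7FF
OFFSET_MIN = -(1 << (OFFSET_BITS - 1))        # -1024 steps, about -1000 mV
OFFSET_MAX = (1 << (OFFSET_BITS - 1)) - 1     # +1023 steps, about +999 mV
MV_PER_STEP = 1000 / 1024                     # 0.9765625 mV per LSB
PLANES = {0: "core", 1: "gpu", 2: "cache", 3: "uncore", 4: "analogio"}
CMD_WRITE, CMD_READ = 0x11, 0x10


def encode_offset(plane: int, millivolts: float, write: bool = True) -> int:
    """Return the 64-bit mailbox word that requests `millivolts` on `plane`."""
    if plane not in PLANES:
        raise ValueError(f"unknown voltage plane {plane}")
    steps = round(millivolts / MV_PER_STEP)   # same as round(mV * 1.024)
    if not OFFSET_MIN <= steps <= OFFSET_MAX:
        raise ValueError(f"{millivolts} mV does not fit the 11-bit field")
    field = steps & OFFSET_MASK               # two's complement, 11 bits
    cmd = CMD_WRITE if write else CMD_READ
    return (1 << 63) | (plane << 40) | (cmd << 32) | (field << OFFSET_SHIFT)


def decode_word(word: int) -> dict:
    """Parse a mailbox word into plane, direction and offset in millivolts."""
    field = (word >> OFFSET_SHIFT) & OFFSET_MASK
    negative = field & (1 << (OFFSET_BITS - 1))
    steps = field - (1 << OFFSET_BITS) if negative else field
    plane = (word >> 40) & 0x7
    cmd = (word >> 32) & 0xFF
    return {
        "valid": bool(word >> 63),
        "plane": PLANES.get(plane, f"plane{plane}"),
        "write": cmd == CMD_WRITE,
        "offset_mv": steps * MV_PER_STEP,
    }


def audit(word: int, limit_mv: float = 100.0) -> tuple[bool, str]:
    """Flag a write whose |offset| exceeds a (hypothetical) site policy."""
    d = decode_word(word)
    if not d["valid"] or not d["write"]:
        return True, f"{d['plane']}: read or no-op"
    if abs(d["offset_mv"]) > limit_mv:
        return False, (f"{d['plane']}: {d['offset_mv']:+.1f} mV exceeds "
                       f"the {limit_mv:.0f} mV policy limit")
    return True, f"{d['plane']}: {d['offset_mv']:+.1f} mV within policy"


# Constructed sample of observed MSR 0x150 writes (not real captures).
SAMPLE_WRITES = [
    0x80000011F9A00000,                 # the widely published -50 mV core offset
    encode_offset(2, 500),              # +0.5 V on the cache plane
    encode_offset(0, -500),             # -0.5 V on core: the crash scenario
    encode_offset(0, 0, write=False),   # a read request, harmless
]

if __name__ == "__main__":
    for w in SAMPLE_WRITES:
        ok, why = audit(w)
        print(f"{w:#018x} {'OK  ' if ok else 'FLAG'} {why}")
```

Two things fall out of the encoding. First, a -50 mV request becomes 0x80000011F9A00000, the value many undervolting guides quote, so the decoder can be sanity-checked against public material. Second, the 11-bit field spans roughly -1000 mV to +999 mV, so the half-volt figure in this article is a tool’s choice, not a limit of the interface.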
So if a system were compromised and an attacker started manipulating the CPU’s voltage, what exactly could happen? Consider raising it first. On a CPU that normally runs at modest clocks and voltages, such as server parts and low-end consumer parts, an extra half volt would run the silicon far hotter than it was designed for and could significantly shorten its lifespan over time. On high-end, fast parts that already ship with high clocks and correspondingly high voltages, that same half volt could cause immediate damage or kill the chip outright. Thermal throttling will pull clocks down once the die gets hot, but that only caps the heat; the elevated voltage, and the stress it puts on the transistors, stays. An additional half a volt is not a joke.
Technically, an extra half volt isn’t even the ceiling. If the requested voltage is toggled rapidly, the VRM (voltage regulator module) can overshoot the target by a fair margin as it responds to each transition. This is more effective against cheaper, lower-quality motherboards than against better ones, because a well-designed VRM overshoots less often and tracks its target more closely. We’re not sure whether this is an effective technique for damaging or killing CPUs (we don’t have a ton of experience with that), but anything that pushes the voltage higher still is not good news.
The other side of the coin is quite different. Plundervolt lowers the voltage to compromise SGX, but by nowhere near half a volt. Dropping it that far will almost certainly crash the machine immediately. There is likely no material damage here, but it is a denial of service that can be seriously annoying and perhaps harder to diagnose than a program that simply powers the PC off as soon as it boots, because the symptom looks like a flaky CPU rather than obvious malware. And of course the same voltage-control path is exactly what Plundervolt needs, so this could also serve as a vector for carrying out Plundervolt itself.
Speaking of Plundervolt, the BIOS-level mitigations for that attack should also cover this one, since they work by having the firmware lock the voltage-offset interface before the operating system boots. But those mitigations aren’t always enabled, and systems aren’t always up to date at the BIOS level. Worse, 4th- and 5th-generation CPUs never received Plundervolt mitigations because they have no SGX and so were never considered vulnerable, which leaves systems using those CPUs fully exposed to the new issue. A practical check: look for the undervolting or voltage-lock option in your firmware setup, and if it is absent or set to allow offsets, assume the interface is open. So as long as Plundervolt is a threat, this vulnerability is too, and it is arguably just as bad: instead of information being stolen, CPUs can be damaged or killed and systems prevented from operating at all. While this bug is not apocalyptic, the material cost certainly should not be understated.
We sent an email to Intel’s PR people about this issue and we did get a reply, but it was just a request for more information on who exactly told us about this vulnerability and what it is called (which was impossible to fulfill because it has no official name). No official comment, sadly. But surely their security team is working hard at this moment trying to figure out what exactly is going on.
What we want Intel to do is get the ball rolling on a fix, or at least enforce the Plundervolt mitigations far, far more seriously. Remember how many of the new 10th-gen Comet Lake laptops initially shipped with voltage adjustment locked, only to have it unlocked again later? Intel needs to tell its partners to stop doing that, because the stakes have been raised. Ordinary users had little reason to fear Plundervolt stealing their data, but malware that damages hardware is a different matter. We’re not saying everyone’s Intel-based machines are going to be fried, obviously, but this could be used to maliciously damage systems.
We hope Intel will get to work on patching this ASAP, and we would also like to see other CPU designers make sure that their CPUs aren’t vulnerable to the same kind of exploit.