For a better understanding of what’s going on, start with the debugging interface created by the Joint Test Action Group (JTAG). This standard was originally designed to test printed circuit boards once they were manufactured and installed, but has since expanded to processors and other programmable chips. Scenarios for using the interface include forensics, research, low-level debugging, and performance analysis.
More:
Intel makes its Pentium processors more appetizing with Hyper-Threading
The interface itself resides within the processor and programmable chips. In turn, JTAG-capable chips have dedicated pins that connect to the motherboard, which are traced to a dedicated 60-pin debugging port on a system’s motherboard (ITP-XDP). This port enables testers to connect a special device directly to the motherboard to debug hardware in relation to drivers, an operating system kernel, and so on.
But now the JTAG debugging interface can be accessed through a USB 3.0 port by way of Intel’s Direct Connect Interface “debug transport technology.” When a hardware probe is connected to the target Intel-based device, the USB 3.0 protocol isn’t used, but rather Intel’s protocol is employed so that testers can perform trace functions and other debugging tasks at high speed. Using a USB 3.0 port means testers aren’t forced to break into the PC to physically connect to the XDP debugging port.
Intel’s Direct Connect Interface appears to be embedded in the company’s sixth-generation motherboard chipsets, such as the 100 Series (
pdf), and its processors. It’s also used in the new seventh-generation Kaby Lake platform as well, meaning hackers have two generations of Intel-based PCs to infest and possibly render useless, such as by re-writing the system’s BIOS.
As the presentation revealed, one way of accessing the JTAG debugging interface through the USB 3.0 port is to use a device with a cheap Fluxbabbitt hardware implant running Godsurge, which can exploit the JTAG debugging interface. Originally
used by the NSA (and exposed by Edward Snowden), Godsurge is malware engineered to hook into a PC’s boot loader to monitor activity. It was originally meant to live on the motherboard and remain completely undetectable outside a forensic investigation.
The problem is, most sixth and seventh-generation Intel-based PCs have the Direct Connect Interface enabled by default. Of course, hackers need to have physical access to a PC in order to take control and spread their malicious love. Typically, the debugging modules in Intel’s processors require Intel’s SVT Closed Chassis Adapter connected via USB 3.0, or a second PC with Intel System Studio installed connected directly to the target PC via USB 3.0 as well.
Goryachy noted in his presentation that the problem only resides with Intel’s sixth and seventh-generation Core “U” processors. Intel is now fully aware of the possibility although there’s no time frame of when the problem will be addressed. In the meantime, the debugging interface on affected PCs can be deactivated. Intel Boot Guard can also be used to prevent malware and unauthorized software from making changes to the system’s initial boot block.