Brief #12: Intel's Downfall CPU Flaw, Tesla's Jailbreak and More

Mandos Brief, Week 32 2023: Intel's "Downfall" vulnerability, Tesla's unpatchable infotainment jailbreak, North Korea's cyber espionage on Russia and more.

Acoustic Side-Channel Attacks Can Decipher Keystrokes with Unprecedented Accuracy

  • Academics develop a deep learning-based acoustic side-channel attack with a 95% accuracy rate in classifying laptop keystrokes.
  • Using Zoom for training, the accuracy slightly drops to 93%.
  • Side-channel attacks exploit physical effects during data processing, potentially compromising user privacy and security.
  • The ubiquity of keyboard acoustic emanations makes them an attractive attack vector, often underestimated by users.

A groundbreaking study by researchers has unveiled a novel acoustic side-channel attack capable of deciphering laptop keystrokes with an astonishing 95% accuracy. This attack leverages deep learning and is executed by recording keystrokes using a nearby phone. When the model was trained using keystrokes recorded via the video conferencing platform Zoom, the accuracy slightly decreased to 93%, setting a new benchmark for the medium. 

Side-channel attacks, which exploit the physical effects observed during data processing, pose significant threats to user privacy and security. Such attacks could be weaponized by adversaries to extract passwords and other confidential information. The researchers emphasized the widespread nature of keyboard acoustic emanations, which are often overlooked by users. For instance, while many individuals shield their screens when typing passwords, they rarely take measures to mask their keyboard sounds. 

The study involved experiments using 36 keys of an Apple MacBook Pro, with each key pressed 25 times. The recorded data was then transformed into a mel-spectrogram, which was subsequently used to train a deep learning model named CoatNet. As a preventive measure against such attacks, the researchers suggest altering typing styles, using randomized passwords, and incorporating randomly generated fake keystrokes, especially during voice calls.

Intel's "Downfall" Vulnerability: A Deep Dive into CPU Security Concerns

  • A new vulnerability named "Downfall" affects multiple Intel microprocessor families.
  • The flaw allows attackers to steal sensitive data such as passwords, encryption keys, and private emails.
  • The vulnerability exploits a flaw in the "gather" instruction used by affected Intel CPUs.
  • Intel has released OS-level microcode software updates to address the issue.

A recent revelation in the world of cybersecurity has unveiled a significant vulnerability in Intel's CPUs, aptly named "Downfall." Discovered by a senior research scientist at Google, this flaw affects a broad range of Intel microprocessor families. At its core, Downfall is a transient execution side-channel issue, impacting processors based on Intel microarchitectures from Skylake through Ice Lake.

The primary concern with Downfall is its potential to steal sensitive data. Attackers can exploit this flaw to access passwords, encryption keys, and even private data like emails and banking information. The vulnerability takes advantage of the "gather" instruction, a feature in Intel processors designed to speed up data access. However, this same feature can inadvertently leak the content of the internal vector register file during speculative execution.

The implications of this vulnerability are vast, especially considering the widespread use of Intel processors in various devices. While Intel has been proactive in releasing fixes, the sheer number of affected devices makes patching a significant endeavor. 
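Because the fix is delivered as microcode and surfaced by the operating system, the practical question for an administrator is whether a given host actually reports the mitigation as active. The following script is an added example, not part of the Mandos brief or of Intel's or Google's material. It assumes a Linux kernel that exposes the sysfs file `/sys/devices/system/cpu/vulnerabilities/gather_data_sampling` (introduced with the Gather Data Sampling mitigation in Linux 6.5 and backported to stable kernels); the status strings it matches are the ones that kernel reports, and the `--report` flag and function names are the script's own.

```shell
#!/bin/sh
# Added example (not from the Mandos brief): classify a Linux host's Downfall /
# Gather Data Sampling (GDS) mitigation state from the kernel's sysfs report.
# Assumption: the kernel exposes
#   /sys/devices/system/cpu/vulnerabilities/gather_data_sampling
# (added in Linux 6.5 and backported to stable trees with the mitigation).
# Older kernels have no such file, which is itself a finding: the host cannot
# report whether the microcode fix is active.

GDS_SYSFS="${GDS_SYSFS:-/sys/devices/system/cpu/vulnerabilities/gather_data_sampling}"

# gds_status [FILE]: print one word describing the state recorded in FILE.
#   mitigated   - kernel reports "Mitigation: ..." (microcode loaded)
#   notaffected - CPU is outside the affected Skylake..Ice Lake range
#   vulnerable  - kernel reports "Vulnerable" (e.g. "Vulnerable: No microcode")
#   unknown     - file missing, or a state such as "Unknown: Dependent on
#                 hypervisor status" that needs manual follow-up
gds_status() {
  file="${1:-$GDS_SYSFS}"
  [ -r "$file" ] || { echo unknown; return 0; }
  line=$(head -n 1 "$file")
  case "$line" in
    Mitigation:*)    echo mitigated ;;
    "Not affected"*) echo notaffected ;;
    Vulnerable*)     echo vulnerable ;;
    *)               echo unknown ;;
  esac
}

# gds_is_mitigated [FILE]: exit 0 only when the state needs no action.
gds_is_mitigated() {
  s=$(gds_status "$1")
  [ "$s" = mitigated ] || [ "$s" = notaffected ]
}

# Also worth recording in a fleet inventory: the running microcode revision,
# so an update that was shipped but never loaded shows up as a gap.
microcode_revision() {
  # /proc/cpuinfo lists "microcode : 0x..." per logical CPU; the first suffices.
  awk -F': ' '/^microcode/ { print $2; exit }' /proc/cpuinfo 2>/dev/null
}

# Usage: sh gds_check.sh --report
if [ "${1:-}" = "--report" ]; then
  printf 'gather_data_sampling: %s\nmicrocode revision: %s\n' \
    "$(gds_status)" "$(microcode_revision || echo unavailable)"
  gds_is_mitigated && echo "status: OK" || echo "status: ACTION NEEDED"
fi
```

The script treats any state other than `Mitigation:` or `Not affected` as actionable: on a virtual machine the guest kernel may report an "Unknown" state because the mitigation depends on the hypervisor's microcode, so that case is surfaced rather than silently accepted.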

North Korea Targets Russian Missile Engineering Firm

  • North Korean actors compromised the Russian defense organization NPO Mashinostroyeniya.
  • Two instances of intrusion detected: one targeting an email server and another using a Windows backdoor named "OpenCarrot".
  • The email server compromise is attributed to the "ScarCruft" threat actor.
  • A separate Lazarus Group backdoor was also identified in the organization's internal network.

SentinelLabs recently uncovered a significant cybersecurity breach involving North Korea's infiltration of the Russian defense industrial base, specifically targeting a missile engineering organization named NPO Mashinostroyeniya. The investigation identified two distinct instances of compromise. 

The first was a direct attack on the organization's email server, which researchers attribute to the North Korean-affiliated threat actor known as ScarCruft. 

The second intrusion involved a Windows backdoor named "OpenCarrot", which is linked to the notorious Lazarus Group. While the exact relationship between these two threat actors remains unclear, the dual attacks suggest a coordinated effort or potential sharing of resources. 

The targeted organization, NPO Mashinostroyeniya, is a leading Russian manufacturer of missiles and military spacecraft, holding confidential intellectual property on missile technology. The nature of the attack and the entities involved underscore the strategic importance of the compromised data and the broader implications for global cybersecurity.

Windows Defender Vulnerability Allows Attackers to Hijack Update Process

  • A security feature bypass vulnerability was discovered in Windows Defender, allowing unprivileged users to hijack its update process.
  • Researchers from SafeBreach were able to use the vulnerability to sneak malware into systems, delete benign files, and trigger a denial-of-service condition.
  • An automated tool named "WDpretender" was developed to exploit these vulnerabilities.
  • Microsoft has issued a fix for the vulnerability, identified as CVE-2023-24934.

In April 2023, Microsoft patched a vulnerability in Windows Defender that could allow attackers to hijack its signature update process. This flaw, discovered by researchers at SafeBreach, could be exploited to sneak malware into systems that Windows Defender is supposed to protect. 

The researchers also found that they could manipulate Windows Defender to delete signatures of known threats and even benign files, leading to potential denial-of-service conditions on compromised systems. To demonstrate the severity of this vulnerability, the researchers developed an automated tool called "WDpretender." This tool was designed to exploit each of the identified attack vectors. Microsoft acknowledged the vulnerability and assigned it the identifier CVE-2023-24934, subsequently releasing a fix in April. 

The research was inspired by the sophisticated Flame cyberespionage campaign from 2012, where attackers inserted themselves into the Windows update process to deliver malware. The SafeBreach team aimed to replicate a similar attack without the complexities seen in the Flame campaign.

Tesla's Unpatchable Infotainment Jailbreak: Unlocking Paid Features and More

  • Researchers, including three PhD students from Germany, have discovered a persistent jailbreak for Tesla's AMD-based cars.
  • The jailbreak allows unauthorized access to in-car purchases, potentially tricking the system into thinking these features have been paid for.
  • The attack extracts a vehicle-specific cryptographic key used for authentication within Tesla's service network.
  • The vulnerability is deemed "unpatchable" on current cars, as it targets the embedded AMD secure processor inside the MCU.

A team of security researchers, accompanied by three PhD students from Germany, has unveiled a groundbreaking discovery: a persistent jailbreak for Tesla's current AMD-based vehicles. This revelation was made public ahead of their scheduled presentation at BlackHat 2023. The jailbreak exploits a known hardware vulnerability within the media control unit (MCU), granting unauthorized access to critical systems that manage in-car purchases. This could potentially deceive the car's system into believing that certain features, which usually require payment, have already been paid for.

Tesla's advanced car computers, known for their integration of everything from entertainment to autonomous driving capabilities, have more recently also become the platform for in-car purchases. These range from connectivity enhancements to physical features like faster acceleration or rear heated seats. The newly discovered attack can extract a vehicle-specific cryptographic key, essential for authentication within Tesla's service network. Alarmingly, this attack is considered "unpatchable" for current vehicles. This is because the vulnerability doesn't target a Tesla component directly but the embedded AMD secure processor within the MCU. The researchers used low-cost, off-the-shelf hardware to execute the attack, emphasizing its accessibility. The specifics of the attack will be detailed in the upcoming BlackHat presentation.