Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Endpoint Security

Intel Responds to SGX Hacking Research

Intel has shared some clarifications on claims made by a researcher regarding the hacking of its SGX security technology.

Intel CPU attack

Intel has shared some clarifications after a researcher claimed to have made significant progress in hacking the chip giant’s Software Guard Extensions (SGX) data protection technology. 

Mark Ermolov, a security researcher who specializes in Intel products and works at Russian cybersecurity firm Positive Technologies, revealed last week that he and his team had managed to extract cryptographic keys pertaining to Intel SGX.

SGX is designed to protect code and data against software and hardware attacks by storing it in a trusted execution environment called an enclave, which is a separated and encrypted region.

“After years of research we finally extracted Intel SGX Fuse Key0 [FK0], AKA Root Provisioning Key. Together with FK1 or Root Sealing Key (also compromised), it represents Root of Trust for SGX,” Ermolov wrote in a message posted on X. 

Pratyush Ranjan Tiwari, who has a PhD in cryptography from Johns Hopkins University, summarized the implications of this research in a post on X. 

“The compromise of FK0 and FK1 has serious consequences for Intel SGX because it undermines the entire security model of the platform. If someone has access to FK0, they could decrypt sealed data and even create fake attestation reports, completely breaking the security guarantees that SGX is supposed to offer,” Tiwari wrote.

Tiwari also noted that the impacted Apollo Lake, Gemini Lake, and Gemini Lake Refresh processors have reached end of life, but pointed out that they are still widely used in embedded systems. 

Intel publicly responded to the research on August 29, clarifying that the tests were conducted on systems that the researchers had physical access to. In addition, the targeted systems did not have the latest mitigations and were not properly configured, according to the vendor. 

Advertisement. Scroll to continue reading.

“Researchers are using previously mitigated vulnerabilities dating as far back as 2017 to gain access to what we call an Intel Unlocked state (aka “Red Unlocked”) so these findings are not surprising,” Intel said.

In addition, the chipmaker noted that the key extracted by the researchers is encrypted. “The encryption protecting the key would have to be broken to use it for malicious purposes, and then it would only apply to the individual system under attack,” Intel said.

Ermolov confirmed that the extracted key is encrypted using what is known as a Fuse Encryption Key (FEK) or Global Wrapping Key (GWK), but he is confident that it will likely be decrypted, arguing that in the past they did manage to obtain similar keys needed for decryption. The researcher also claims the encryption key is not unique. 

Tiwari also noted, “the GWK is shared across all chips of the same microarchitecture (the underlying design of the processor family). This means that if an attacker gets hold of the GWK, they could potentially decrypt the FK0 of any chip that shares the same microarchitecture.”

Ermolov concluded, “Let’s clarify: the main threat of the Intel SGX Root Provisioning Key leak is not an access to local enclave data (requires a physical access, already mitigated by patches, applied to EOL platforms) but the ability to forge Intel SGX Remote Attestation.” 

The SGX remote attestation feature is designed to strengthen trust by verifying that software is running inside an Intel SGX enclave and on a fully updated system with the latest security level. 

Over the past years, Ermolov has been involved in several research projects targeting Intel’s processors, as well as the company’s security and management technologies.

Related: Chipmaker Patch Tuesday: Intel, AMD Address Over 110 Vulnerabilities

Related: Intel Says No New Mitigations Required for Indirector CPU Attack

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Hear from experts as they explore the latest trends, challenges and innovations in Attack Surface Management.

Register

Event: ICS Cybersecurity Conference

The leading industrial cybersecurity conference for Operations, Control Systems and IT/OT Security professionals to connect on SCADA, DCS PLC and field controller cybersecurity.

Register

People on the Move

Janet Rathod has been named VP and CISO at Johns Hopkins University.

Barbara Larson has joined SentinelOne as Chief Financial Officer.

Amy Howland has been named Partner and CISO at Guidehouse.

More People On The Move

Expert Insights