KEY POINTS

  • Intel has issued a patch for the problem that makes the hack more difficult but does not eliminate it
  • The problem is in the ROM and would allow hackers to steal the encryption key
  • The problem is similar to that recently identified in the BootROM of the Apple mobile platform

Enterprise security firm Positive Technologies warned Thursday that computers with Intel chipsets made in the past five years are vulnerable to hacking because of a flaw in the read-only memory that cannot be fixed.

Intel has issued a patch that makes it more difficult to accomplish the hack, but doesn’t fully eliminate the vulnerability, the company said.

“This vulnerability jeopardizes everything Intel has done to build the root of trust and lay a solid security foundation on the company's platforms,” Positive Technologies said in a blog post.

Positive Technologies said the flaw enables hackers to compromise platform encryption keys, allowing them to access licensed content like movies or videos from Netflix, steal temporary passwords to bank accounts and set themselves up as point-of-sale payment terminals to siphon funds into their own accounts. The flaw also opens the way for industrial espionage.

“The vulnerability resembles an error recently identified in the BootROM of Apple mobile platforms, but affects only Intel systems,” Mark Ermolov, lead specialist of OS and hardware security, said in a press release. “Both vulnerabilities allow extracting users' encrypted data. Here, attackers can obtain the key in many different ways.

“For example, they can extract it from a lost or stolen laptop in order to decrypt confidential data. Unscrupulous suppliers, contractors, or even employees with physical access to the computer can get hold of the key. In some cases, attackers can intercept the key remotely, provided they have gained local access to a target PC as part of a multistage attack, or if the manufacturer allows remote firmware updates of internal devices, such as Intel Integrated Sensor Hub.”

Short of buying a new computer made with a 10th-generation or higher chipset, Positive Technologies recommended disabling the Intel encryption of data storage devices and analyzing entire systems to determine whether they’ve been compromised.