Intel in Denial of the Latest SGX Secure Enclave Vulnerability

By Matthew Rosenquist | Cybersecurity Tomorrow | 19 Nov 2020

Another vulnerability and exploit named VoltPillager has been published for Intel Corporation's SGX security technology.  The attack itself is simply a hardware version of a previously discovered PlunderVolt software vulnerability where voltage to the chip was manipulated to undermine SGX enclave protections.  PlunderVolt was able to recover secret information like encryption keys from Intel’s hardened security SGX vault, but a patch has been released to close the risks.  However, VoltPillager bypasses that patch by directly manipulating voltage on the hardware itself.

The hardware to accomplish this feat is very inexpensive, coming in at around $36.  It does however require physical access to the motherboard to install the hardware hacking device. 

This is where the most disturbing aspect of this narrative emerges: pure denial by Intel.  Intel has apparently stated to news outlets and the vulnerability researchers that they don’t consider this a vulnerability because, according to Intel, they aren’t responsible for whatever happens if someone opens the case of a PC or server.  Therefore, it appears they have no intentions of fixing something they choose to not classify as a vulnerability.

How convenient!  Avoid dealing with the problem by saying it isn't a problem.

Once again it appears that Intel’s legal and marketing teams are in control of security policy.  This is a classic denial of responsibility. 

The simple fact is that SGX has one purpose: to be a secure vault embedded in Intel’s chips.  That vault has been cracked.  It does not matter how, it is Intel’s responsibility.

Dodging accountability speaks volumes to how any organization views, invests, and handles product security. 

Step up.  If your super-secret SGX vault is being cracked, then it does not matter how.  Own it and figure out mitigations. 

As a shareholder and cybersecurity expert, I am gravely disappointed!

This is security, not a marketing spin-control exercise or avoid-the-liability legal game.  It is time to replace the leadership that is allowing lawyers and marketeers to define your product security policy.  You are losing valuable trust with your customers and undermining the confidence in digital technology adoption.

Resources

  1. https://www.youtube.com/watch
  2. https://www.theregister.com/2020/11/14/intel_sgx_protection_broken/
  3. https://zt-chen.github.io/voltpillager/
cybersecurity hacking Vulnerability intel exploit

How do you rate this article?


33

0
Matthew Rosenquist
Matthew Rosenquist

Cybersecurity Strategist specializing in the evolution of threats, opportunities, and risks in pursuit of optimal security for our digital world.

Cybersecurity Tomorrow
Cybersecurity Tomorrow

Cybersecurity strategy perspectives for the emerging risks and opportunities of securing our digital world. The insights of today will lead to tomorrow's security, privacy, and safety foundations.

Send a $0.01 microtip in crypto to the author, and earn yourself as you read!

20% to author / 80% to me.
We pay the tips from our rewards pool.
Minutes of the Federal Reserve's July Meeting Help to Slow the Relatively Large Increase in Purchasing Power of Interest Rate in September — 2022/08/18 Minutes of the Federal Reserve's July Meeting Help to Slow the Relatively Large Increase in Purchasing Power of Interest Rate in September — 2022/08/18
CryptEducator

CryptEducator

19 hours ago
5 minute read

The dangers facing Ethereum after Tornado.Cash The dangers facing Ethereum after Tornado.Cash
The Art of Tomas

The Art of Tomas

15 hours ago
4 minute read

Earn Crypto on Publish0x: You'll Want to Share This Post With your non-Publish0x Friends Earn Crypto on Publish0x: You'll Want to Share This Post With your non-Publish0x Friends
Allen Taylor

Allen Taylor

14 hours ago
1 minute read