It is now possible to reverse engineer encrypted Intel CPU microcode to write custom updates or find vulnerabilities

A group of researchers has extracted the secret key used to encrypt microcode updates for a range of Intel CPUs, a finding that could have a significant impact on the industry. The key makes it possible to decrypt the microcode updates Intel releases to fix bugs and security issues.

A decrypted copy of an update would allow threat actors to reverse engineer it and learn every detail of the vulnerability it patches. The report shared with Ars Technica adds that attackers could also try to distribute fake updates to Intel users.

Researcher Maxim Goryachy, who is credited with the finding, says the real-world impact of this attack cannot yet be determined, although the technique could clearly be put to malicious use.

It all started a few years ago, when the researcher found a critical flaw that allowed arbitrary code execution on the Intel Management Engine. Intel fixed the flaw with a patch, but because the chips can be rolled back to earlier firmware versions, the flaw cannot be permanently eliminated.

A few months ago, the researchers found a way to exploit this flaw to reach "Red Unlock", a service mode built into Intel chips that Intel uses for microcode debugging before a chip is released. They developed a tool to access this debugger, allowing them to experiment with its inner workings over a USB cable or a special Intel adapter.

By applying this method to a Goldmont-based CPU, the researchers were able to dump a special ROM area known as MSROM, from which they could reverse engineer the microcode. After months of work they understood how the update process works and recovered the RC4 key Intel uses to encrypt updates; the process did not, however, reveal the key Intel uses to sign updates and prove their authenticity.
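As an added illustration (not code from the page, from Intel, or from the researchers), the following Python models an update that is first signed and then RC4-encrypted. The blob layout, the demo key bytes and the use of textbook RSA as the signing scheme are assumptions made for the example; the page names only RC4 and states that the signing key was not recovered. The point it shows is the boundary the paragraph above draws: an extracted RC4 key is enough to read an update and even re-encrypt a modified one, but not to make the modified update pass the authenticity check.

```python
"""Constructed model of an encrypted-and-signed update blob (added example).

This is NOT Intel's microcode format or the researchers' tooling. It only
shows the security boundary the page describes: holding the RC4 key lets
you decrypt and read an update, but without the separate signing key you
cannot produce an update that passes the authenticity check.
"""
import hashlib
import random

SIG_LEN = 64  # bytes; matches the 512-bit toy RSA modulus generated below


def rc4(key, data):
    """RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):  # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:  # keystream generation, XORed with the data
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _probable_prime(n, rng, rounds=32):
    """Miller-Rabin primality test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(cand, rng):
            return cand


def rsa_keygen(seed=1):
    """Toy 512-bit textbook RSA keypair. Hypothetical stand-in for the vendor's
    signing scheme, which this page does not describe. Seeded for repeatability."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _gen_prime(256, rng), _gen_prime(256, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(priv, data):
    d, n = priv
    return pow(_digest_int(data), d, n).to_bytes(SIG_LEN, "big")


def verify(pub, data, sig):
    e, n = pub
    return pow(int.from_bytes(sig, "big"), e, n) == _digest_int(data)


def build_update(priv, rc4_key, body):
    """Vendor side: sign the plaintext body, then ship signature || RC4(body)."""
    return sign(priv, body) + rc4(rc4_key, body)


def decrypt_update(rc4_key, blob):
    """What the extracted RC4 key buys an attacker: the plaintext body."""
    return rc4(rc4_key, blob[SIG_LEN:]), blob[:SIG_LEN]


def verify_update(pub, rc4_key, blob):
    """CPU side: decrypt, then check the signature over the plaintext."""
    body, sig = decrypt_update(rc4_key, blob)
    return verify(pub, body, sig)


def forge_update(rc4_key, blob, new_body):
    """Attacker with the RC4 key but no signing key: swap the body, re-encrypt,
    and reuse the original signature. It decrypts cleanly but fails verification."""
    _, old_sig = decrypt_update(rc4_key, blob)
    return old_sig + rc4(rc4_key, new_body)


if __name__ == "__main__":
    pub, priv = rsa_keygen()
    rc4_key = b"constructed-demo-key"  # stands in for the extracted key
    genuine = build_update(priv, rc4_key, b"patch: fix erratum")
    print("attacker can read:", decrypt_update(rc4_key, genuine)[0])
    print("genuine verifies:", verify_update(pub, rc4_key, genuine))
    forged = forge_update(rc4_key, genuine, b"patch: backdoor")
    print("forged verifies:", verify_update(pub, rc4_key, forged))
```

Because RC4 is a stream cipher, anyone holding its key can not only read the body but also re-encrypt an arbitrary replacement; in this model the only thing standing between that and an accepted update is the signature over the plaintext, which is exactly why the page's remark that the signing key was not recovered matters.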

For now, threat actors cannot use this technique to remotely compromise an affected CPU unless it is chained with other, as yet undiscovered, flaws. Nor can it be used to infect the supply chain of vulnerable devices, although attacks that involve physical access to a targeted device remain possible.