Yuriy Bulygin knows all about computer vulnerabilities. He spent most of his career at Intel Corp. studying security flaws in chips, including several years as the company’s chief threat researcher, until last summer. So you can believe him when he says he’s found something new: His latest research, set to be published on May 17, shows hackers can exploit previously disclosed problems in microprocessors to access a computer’s firmware—microcode that’s stored permanently inside processors and other chips—to get to its most sensitive information. “The firmware has access to basically all the secrets that are on that physical machine,” he says.
The hacking technique Bulygin found exploits the Spectre vulnerabilities, initially unearthed by Google and other researchers and disclosed earlier this year. The tech giant discovered that millions of computers and smartphones could be compromised by Spectre, which takes advantage of glitches in how processors try to predict what data they believe users will need next, and fetch it in advance. Bulygin’s technique goes a step further by enabling hackers to read data from a particular type of firmware called system management mode memory. The code is linked to access rights that control key functions of the machine, including shutting down the central processing unit if the computer gets too hot or letting administrators configure the system. With access to the SMM memory, hackers can get essentially any data they want.
Cloud computing services may be at the greatest risk, Bulygin says, because the glitch could be used to breach protections for keeping companies’ data separate on physical servers. The hackers who access those systems’ firmware can not only move between the databases and steal information but also look through the firmware’s own code to reveal some of the servers’ most heavily defended secrets, including encryption keys and administrative passwords.
Bulygin now heads Eclypsium Inc., a startup focused on protecting against threats to firmware. It attracted $2.5 million in seed funding from Intel and venture capital company Andreessen Horowitz in October. (Bloomberg LP, which owns Bloomberg Businessweek, is an investor in Andreessen Horowitz.) Until now, most cybersecurity outfits have focused on protecting software and networks, not the guts of the machines. Spies have known about risks to firmware for ages; a perusal of the classified National Security Agency documents that Edward Snowden leaked shows intelligence services have been attacking it for decades using tools called implants. Those can be anything, including malicious code or chips designed to hijack circuit boards to modify firmware and other legitimate code.