Israeli researchers have recently identified a cybersecurity weakness that threatened a significant portion of computers worldwide.
The mistake, which infected billions of computers, servers, and devices, allowed hackers to break into their inner workings by exploiting a mechanism called System Management Mode (SMM).
Researchers Benny Zeltser and Yehonatan Lusky from Intel's Security Research lab identified the problem and managed to repair it.
The problem was scheduled to be revealed during two of the most important cybersecurity conferences, Black Hat and DefCon, in August 2022, but due to computer manufacturers requiring more time to repair it, the presentation was delayed.
Now, after manufacturers managed to completely eliminate the threat from their computers, the findings would be presented at the Israeli cybersecurity conference, BlueHat IL, which will take place at the end of March.
Every computer or server is operated by an operating system, but it is not always under control. Occasionally, the processor (the chip that powers the computer) enters a mode called System Management Mode or SMM, in which it handles the connection of hardware to the software running on the computer, such as when using a mouse or keyboard.
This is a sensitive mode in which control is not given to the operating system because any possible error may cause irreversible damage or access to sensitive information on and about the computer.
Zeltser and Lusky found that the SMM process could be manipulated, and change the original request sent to the computer. Weaknesses like these are known as "time-of-check to time-of-use" or TOCTOU.
To illustrate, imagine sending a request through your bank's app to transfer $20 to someone else, but a hacker changes the request and transfers $20,000 to another account.
Through this process, a hacker can gain full control over the computer or server they entered without requiring administrator permissions. In simple terms, it is possible to cause the computer to grant full access to all the data on it, including encrypted data, to anyone who wants it.
Until now, it was thought that this attack was only possible in theory, but the two Israeli researchers will show how it could be done.
Zeltser and Lusky, and their team at Intel’s Haifa headquarters are in charge of attempting to hack into the company’s hardware in order to locate and prevent possible cybersecurity breaches.
"The discovery was made during the early days of the COVID pandemic when we were all working from home," the researchers told Ynet. "We were sitting together on Teams and looking at a piece of code that seemed interesting to us. We identified the problem in the code and wondered if we could exploit it using a hack we were familiar with. To our sorrow and joy, it worked."
"We wondered how widespread this was so we decided to examine several more computers and found the same problem afflicted them as well," they explain. "In fact, we discovered that it was a global breach that was unprecedented."
The researchers found the breach in the computers of eight very large manufacturers, meaning it could affect many users worldwide. However, while such weaknesses exist, they sometimes require conditions to activate them.
In the breach that was located, the only thing the hacker needed to do was gain access to the computer. "It was enough to be affected by a phishing attack (for example, because you clicked on a spoofed email or message with a malicious link). the hacker then gained access and could have full control," Zeltser said.
"Within a few seconds, the hacker could have obtained permission to do whatever he wanted on the computer. In addition, no anti-virus program could identify the hacker or the breach. The hacker could steal money, gain access to accounts, and even ruin the computer,” he said
The researchers call the breach “RingHopper” because of its ability to turn any ordinary user into a computer administrator.
"This allows you to change anything on the computer, even on Linux. The only computers that do not suffer from the problem are made by Apple," the researchers said.
"It’s not every day that a researcher encounters such a widespread problem," Uri Bar, director of Intel's Security Research lab in Haifa, said.