Vulnerabilities in your PC's firmware, the underlying code that executes before anything else when you power it on and governs the boot process, have long been a prime target for hackers seeking a surreptitious entry point. While such vulnerabilities are rare in a specific PC manufacturer's firmware, they can be widespread when they sit in the chips used across hundreds of millions of PCs and servers. Researchers have unearthed a longstanding vulnerability in AMD processors that could permit malicious code to infiltrate a PC's memory so deeply that the device may be easier to discard than to clean.
At the annual Defcon hacker convention, IOActive researchers Enrique Nissim and Krzysztof Okupski will present their finding: a vulnerability in AMD chips dubbed Sinkclose. Hackers could exploit the vulnerability to execute their own code in System Management Mode, a privileged mode on AMD processors that is meant to be reserved for a protected, isolated portion of the firmware. The IOActive researchers warn that the vulnerability affects almost all AMD chips dating back to at least 2006, potentially even earlier.
Nissim and Okupski note that exploiting the Sinkclose bug requires an attacker to already have significant access to an AMD-based PC or server, but once that access is achieved, the vulnerability would permit attackers to embed malware at a much deeper level. The researchers warn that any PC equipped with vulnerable AMD chips may be susceptible to a bootkit infection, which can evade antivirus software and remain undetectable by the operating system while granting hackers unauthorised access and surveillance capabilities. Where PC manufacturers have incorrectly implemented AMD's Platform Secure Boot security feature, as was the case for the majority of devices the researchers studied, a malware infection introduced through Sinkclose may be more difficult to detect and remediate, potentially persisting even after the operating system is reinstalled.
Consider malicious actors, such as nation-state hackers or other entities intent on maintaining unauthorized access within your system. According to Okupski, the digital footprint will remain, even if individuals take steps to erase their online presence. “Designed to be virtually imperceptible and extremely resistant to patching, this malware requires a highly invasive approach to removal: physically accessing a PC’s casing, connecting an SPI Flash programmer directly to specific memory chips, and meticulously scanning the affected area.”
In a dire scenario, Nissim advises that you might as well discard your computer altogether.
AMD acknowledged IOActive's findings and thanked the researchers for their work, stating it has “released mitigation measures for AMD EPYC datacenter products and AMD Ryzen PC products, with embedded product mitigations to follow shortly.” The company specifically noted that it released patches for its EPYC processors, which are designed for data-center servers, earlier this year. AMD has refused to provide details about how it plans to address the Sinkclose vulnerability, which products are impacted, or when fixes will be made; instead, it directed users to a comprehensive list of affected products on its website's security bulletin page.