Intel chip flaw allows researchers to steal encrypted keystrokes

Dubbed 'NetCAT', a flaw in Intel chips allows attackers to track keystrokes and other kinds of information that pass through vulnerable servers

A flaw in Intel chips lets attackers abuse the chips' data-direct I/O (DDIO) feature, researchers at Vrije Universiteit Amsterdam and ETH Zurich have found. Intel has issued an alert calling on users to turn off either DDIO or remote direct memory access (RDMA) in untrusted networks.

Dubbed ‘NetCAT’ by the researchers, the flaw allows attackers to abuse the DDIO feature to track keystrokes and other kinds of information that pass through vulnerable servers, giving malicious players the power to attack other users.

"NetCAT shows that network-based cache side-channel attacks are a realistic threat," said the research report. 

"Cache attacks have been traditionally used to leak sensitive data on a local setting (eg, from an attacker-controlled virtual machine to a victim virtual machine that share the CPU cache on a cloud platform). With NetCAT, we show this threat extends to untrusted clients over the network, which can now leak sensitive data such as keystrokes in an SSH session from remote servers with no local access," it explained.

The DDIO feature, introduced in 2011, increased Intel chips’ input/output bandwidth and brought down power consumption. The threat grows significantly in data centers and cloud environments, which have both DDIO and RDMA, which allows servers to exchange data.

"As we move into the cloud, attackers are searching how to jump from the hacker’s cloud to a victim’s cloud instance," said Kevin Bocek, VP security strategy & threat intelligence at Venafi.

"A race condition in specific microprocessors using Intel (R) DDIO cache allocation and RDMA may allow an authenticated user to potentially enable partial information disclosure via adjacent access," said the Intel alert. 

Intel recommended that users "limit direct access from untrusted networks" where DDIO and RDMA are enabled.

"In scenarios where Intel DDIO and RDMA are enabled, strong security controls on a secured network are required, as a malicious actor would need to have read/write RDMA access on the target machine using Intel DDIO to use this exploit," the company’s additional advisory report said.

"Security teams need the visibility, intelligence, and automation for machine identities not just in the old-fashioned data centre but across the fast moving cloud landscapes that DevOps teams are building. Machine identities like SSH and TLS keys and digital certificates are the key ingredient that makes the difference between a friendly cloud and the hacker’s cloud," said Bocek.
