New 'Platypus' attack can extract data from Intel chips, but Macs are mostly safe
Mike PetersonCredit: Platypusattack.com
A group of researchers have disclosed a new security vulnerability in Intel CPUs that can allow an attacker to extract data — but most Mac users are safe.
The so-called "Platypus" attack targets the Running Average Power Limit (RAPL) component of Intel CPUs. That's a system that lets firmware and software platforms read how much power a CPU is pulling to complete its tasks, and has long been used to track and debug performance.
In a paper published on Nov. 11, the academics detail how the Platypus attack can determine what data is being processed inside an Intel CPU by analyzing values reported via RAPL.
Using Platypus, which is an acronym for "Power Leakage Attacks: Targeting Your Protected User Secrets," the researchers found that they could infer the loaded values or data types in a CPU. Those loaded values can include passwords, sensitive documents, encryption keys, or virtually any other type of data.
The attack can also bypass the security mechanisms that typically protect those types of data. By simply looking at variations in power consumption, they can extract data while bypassing features such as kernel address space layout randomization and trusted execution environments.
Researchers, for example, were able to retrieve private RSA keys from a secure enclave by monitoring RAPL data for 100 minutes. They also managed to extract AES encryption keys in an attack targeting an Linux kernel memory space, though that exploit took 26 hours.
Platypus is a first-of-its kind attack because it can be carried out remotely, unlike other exploits that leverage CPU power read-outs. Malicious code leveraging Platypus can be embedded in malicious apps.
The attack was first disclosed by academics from the Graz University of Technology, the University of Birmingham, and the CISPA Helmholtz Center for Information Security.
Who's at risk
Linux is the most vulnerable operating system because it ships with a universal driver for interacting with RAPL. Attacks on Windows and macOS are possible, though the Intel Power Gadget app must be installed on a target device first.
Both Intel and the Linux kernel have shipped updates mitigating the attack. Intel has released a list of impacted CPUs, but noted that it wasn't aware of any attacks in the wild leveraging Platypus.
The researchers note that it's likely other chipmakers are also affected by Platypus, since almost all CPUs include an RAPL interface. That could include AMD chips, as well as ARM-based devices. However, the researchers noted that they haven't had enough time to evaluate the impact on ARM-based chips.
For users on Intel-based Macs, avoiding or uninstalling the Intel Power Gadget tool is a good way to mitigate the threat of Platypus. It's also a good idea to only download apps from the App Store or trusted developers.
Amber Neely
Bon Adamson
Andrew Orr
William Gallagher and Mike Wuerthele
Malcolm Owen
Wesley Hilliard
4 Comments
In the old days, programmers showcased brilliant ways to accomplish things with little in the way of hardware power, especially in parts of the world with less access to hardware upgrades.
Today, the most clever development is in exploitation:
Exploitation of user data in data-mining businesses (to do clever things with cleverly written algorithms, or to do terrible things they can still make tons of money on, mostly marketing)...
...and finding & exploiting security vulnerabilities (for terrible things or ego gratification... or both).