Researcher Finds New Way to Exploit Intel CPU Flaws
Security Review Magazine, Fri, 04 Apr 2025 10:52:33 +0000
https://securityreviewmag.com/?p=28029

PT SWARM expert Mark Ermolov discovered a new exploitation vector for the vulnerabilities CVE-2017-5705, CVE-2017-5706, CVE-2017-5707, CVE-2019-0090, and CVE-2021-0146, which Intel has already fixed. Previously, these issues only enabled partial compromise, but this new method can lead to a complete security breach of affected platforms.

The newly discovered approach to exploitation can be applied to attacks on devices equipped with Intel Pentium, Celeron, and Atom processors from the Denverton, Apollo Lake, Gemini Lake, and Gemini Lake Refresh series. Production of these chips has ended, yet they remain in embedded systems, such as automotive electronics, and in ultra-mobile devices, including e-readers and mini-PCs. Intel was notified in accordance with the responsible disclosure policy but rejected the described problem and refused to take measures to eliminate or reduce the threat level.

The main exploitation vector involves supply chain attacks. Attackers can embed spyware at the assembly or repair stage without altering the hardware. “This approach requires no soldering or any other physical modification,” said Ermolov. “Local access is enough to retrieve the encryption key and inject malicious code into Intel CSME firmware. These implants often slip under the radar of Intel Boot Guard, virtualization-based security (VBS), and antivirus solutions. They can operate unnoticed, capture user data, lock devices, erase or encrypt files, and carry out other destructive actions.”

A secondary risk involves exploiting these formerly patched flaws to bypass DRM safeguards, which can grant unauthorized access to content from various streaming services. The newly identified method also circumvents some Amazon e-reader protections, allowing threat actors to copy data on devices powered by vulnerable Intel Atom processors. Attackers can also use these tactics to access data on encrypted storage devices like hard drives or SSDs. This approach can target laptops or tablets built on the at-risk processors.
