AMD Hardware Intel

ASMedia-USB-3.x Controller with Keylogger and Malware Risks

The story is over, it seems that it was a failed try to manipulate the stock market but besides this shameless try CTS-Labs still has some valid information to offer, and it shows that ASMedia-USB-3.x controller have several security flaws which allows attackers to abuse those controllers to deliver their keyloggers or malware code.

One of the affected ASMedia chips.

Keylogger and Malware in Firmware and & Hardware

According to CTS-Labs several ASMedia-USB-3.x controller there several backdoors directly in the firmware and the hardware which makes it harder to fix the problem, however, some chips can be disabled with an BIOS update or integrated options.

The problem here is that Direct Memory Access (DMA) because every PCIe devices having access to it and those function was abused in order to execute a (not leaked) Proof-of-Concept (POC) which then manipulates several functions. A popular example here was that you could read-out passwords over thunderbolt which basically works exactly the same way.

Some experts asking CTS-Labs why there not published their findings in public.

Affected Hardware

It seems AMD hardware isn’t as affected as Intel, the ASMedia chip is since 2010/2011 a part of Intel systems while AMD SOC’s using integrated USB-controller. The latest Ryzen/Threadripper chipset processors are affected because there directly integrated the A320, B350 and X370 controllers, the X370 one seems the most critical one.

Other chips which are used on Intel platforms are ASMedia-Chips ASM1042, ASM1042A, ASM1142 & ASM1143. from time to time release some firmware upgrades for it, but none of them fixing the DMA problem so far, the official ASMedia page shows as for now also no information regarding to this attack.

The good news is that there is as for now no program in the wild which actually abuse this security vulnerability.

No response from ASMedia

It seems like that ASMedia hasn’t responded to this information (yet). It’s unclear in which form or if the affected chipsets getting firmware upgrades or not.

There is also for now no detection tool available which would help to prove or to identify more vulnerable chips.

Final Words

It’s hard to prove it without any real leak from CTS-Labs, I think they should hand over their findings and code directly to ASMedia in order to find strategies to fix this on the firmware level. It’s also unclear if ASMedia itself response to this or not since there not really known for communicating on security related problems.

To be honest it’s really shocking that there so many hardware based flaws because no one seems to actually doing a loser look on the chips before there really rolling out, hopefully this will be changes in the future and I see this as upcoming threads that more and more bad people trying to get you by infecting the hardware – which then is almost undetectable or even if it’s mostly already too late. Any AV product or other security tool here is helpless because there usually don’t have access to such low-level functions.