Security researchers from Positive Technologies discovered that starting with the Skylake family in 2015, Intel's new U-series processors contain a security flaw that make it possible to fully compromise a system via USB.
The problem lies in a new debugging system, previously this required connecting a special (and expensive) device to a debugging port on the motherboard but now the interface is accessible via any USB 3.0 port. If a target system has Direct Connect Interface (DCI) enabled by default, hackers or spies can compromise a system via a USB port without having to perform any hardware or software manipulations.
The duo analysed and demonstrated one of these mechanisms in their presentation. The JTAG (Joint Test Action Group) debugging interface, now accessible via USB, has the potential to enable dangerous and virtually undetectable attacks. JTAG works below the software layer for the purpose of hardware debugging of the OS kernel, hypervisors and drivers. At the same time, though, this CPU access can be abused for malicious purposes.
On older Intel CPUs, accessing JTAG required connecting a special device to a debugging port on the motherboard (ITP-XDP). JTAG was difficult to access for both troubleshooters and potential attackers.
However, starting with the Skylake processor family in 2015, Intel introduced the Direct Connect Interface (DCI) which provides access to the JTAG debugging interface via common USB 3.0 ports.
By using this intrusion method, a hacker can bypass all security mechanisms regardless of the OS installed. Maxim Goryachy and Mark Ermolov demonstrated the attack at the 33rd Chaos Communication Congress in Hamburg, Germany. Further details can be read at SC Magazine.