Black Hat 2021: Why PCIe Switches Could Be Making Your Data More Vulnerable

Since the beginning of 2020, the volume of data being created, collected, processed and stored has skyrocketed. The addition of new devices used by remote workers and other end users has pushed organizations to seek out solutions that can handle all the information they’re collecting.

Peripheral component interconnect express (PCIe) is a high-speed bus standard that has been incorporated by many organizations using switches to connect high-bandwidth peripherals. However, while it may be enabling the use of more devices and the collection of more data, it may also be broadening the attack surface and weakening cybersecurity.

Speaking at Black Hat USA 2021, Hareesh Khattri and Nagaraju Kodalapura, security researchers at Intel, presented their studies on security concerns related to the use of PCIe switches. “We think these issues are not just specific to particular designs but generally applicable to any product using PCIe devices,” Khattri said.

Limited Research Has Explored the Susceptibility of PCIe Switches

According to Khattri, “The previous work on attacking such PCIe networks has focused on the PCI express endpoint, where you design a custom PCIe device using an FPGA or some other hardware design, plug such a device into the network, and try to attack and access the system memory or attack other resources within.”

“In our work, when we were looking at server platforms, we looked at different components that are there on the board and what sorts of security attacks we can do,” Khattri explained. “One interesting thing we saw is that all the PCIe devices are connected through switches, and these switches also have capabilities and controls that can be used to attack the system.”

WATCH: Learn about the about the latest hacking tactics being employed by cybercriminals.

Khattri offered a brief explanation of PCIe switch hardware design. “It’s supposed to connect multiple PCIe devices upstream to a single PCIe port. The PCIe switch has to be configured and controlled by some software and also needs some hard-coded configuration settings,” he explained. “If it’s an even more complex design, then it can have its own microcontroller in there. So, its firmware and patches will also be stored in the same storage. In some cases, the switch also includes a PCIe device within itself, so it has a virtual PCIe endpoint.”

Researchers Can Simulate Attacks Via PCIe Switches

While there’s a certain level of convenience and flexibility built into the design of PCIe switches, they can sometimes broaden the attack surface. Intel’s researchers discovered that in some cases, the electronically erasable programmable read-only memory programming interface was being exposed.

Khattri said the researchers attempted to replicate an attack situation by exploiting the EEPROM exposure and modifying vendor and device IDs that were connected to the exposed switch. “Once we have misconfigured the EEPROM, now the EEPROM is no longer accessible because the PCIe switches, a management interface, are also gone. The device is corrupted in the EEPROM, so even if you reboot the machine, the attack is persistent and stays up processing. Somebody can physically go and reprogram the device, but in a data center that’s a very costly fix,” he said.

They continued their research, wanting to find out what else they could do by attacking these devices. “Our target really was to use these devices, since they are connecting multiple PCIe devices, to try to see if we can use these devices to attack the normal sort of rogue PCIe device attacks.”