German technology publication c't reported yesterday that under certain circumstances the Pentium III's serial code can be retrieved without the user's knowledge or approval. Confirming that the hack is a possibility, Intel today reiterated that it stands behind the chip and its security feature.
Intel will launch the Pentium III this Friday, amid much hoopla and a $300 million marketing campaign. Intel is touting the chip's enhancements, but many analysts say that most users will only see small improvements.
The chip has already gained notoriety for a feature many won't even use, the serial code hard-wired into the chip. Privacy advocates have protested against the inclusion of the serial code, arguing that the feature presents an easy opportunity for marketers or those with nefarious intentions to track a user based on his or her Web behavior.
Intel argues that the feature provides another layer of security for e-commerce, and could be a valuable tool for corporations looking to track computer use. Although the processor ships with the serial code turned on, Intel provides a software program to PC makers that disables the feature and further recommends that manufacturers of BIOS (or boot-up) software include an option to enable or disable the serial number.
A hack could work like this, c't says: The chip's serial number is hard-wired in the "on" position and has to be turned "off" every time the computer is rebooted. The number is only disabled as the computer is booted up by the special software program or by the BIOS. C't editor Christian Persson says there is a window of opportunity for hackers before the serial code is turned off.
When a user "soft-boots" a computer by hitting control-alt-delete, or by "awakening" a PC from a deep sleep power-saving mode, there is a lag time before the software utility kicks in when the serial code could be read without the user's knowledge, Persson said. Disabling the chip's serial code in the BIOS is more secure, but not foolproof, he added.
In computers where the serial code is not affected by the BIOS, it is possible for a hacker to write a program--disguised as a legitimate software download or screensaver--which causes the computer to crash and then restart, according to Persson. During that period of time before the software program disables the serial code, the user could be identified.
Bypassing the software program is "not even a hack--it is too easy," Persson said.
Intel disputes that the serial code can be reset during a soft-boot, but company spokesman Tom Waldrop confirmed that the code could be read while the computer is being booted-up after the CPU has been reset. Still, Waldrop insists that any hacker who could design a program that sophisticated would be capable of wreaking much more havoc on a user's PC than simply stealing the hardware identification.
"Yes, if someone is adept enough at hacking to plant software that is quick enough to [gain the serial number during the boot-up], then yes, it could be done hypothetically," Waldrop said. "Software can be hacked around and hacked through, if someone is so motivated."
"What would they do with the number once they got it?" Waldrop continued. "If they obtain my serial number they still have to have my social security number and password. If someone could do this big a job of hacking on my PC?then that someone could easily also erase my hard drive."
Keeping the serial code on-off switch in the BIOS is ostensibly a more secure option than disabling or enabling the serial code through the software utility, because there are hundreds of variations of boot-up software depending on PC manufacturers. Still, Persson believes that not even the BIOS is impenetrable.
"It's only a matter of time," he said.
All software is capable of being hacked, but that doesn't mitigate the benefits of the serial code, Waldrop believes. "Software is hackable. Security leaves a lot to be desired. Intel has been trying to introduce hardware to strengthen security. Hardware-assisted software is more secure," he said, because hardware is unchangeable, unlike software.
Indeed, most Web sites which use the serial number to identify customers are expected to scramble the identification code, or randomly generate a new number each time a user visits the site. Still, there is nothing preventing marketers from sharing this information among themselves.
Intel believes that in a few years time, when e-commerce is more established, consumers will hand over identification information for security purposes the same way check-writers hand over a driver's license to a cashier, Waldrop said.
"When ATM's were first introduced people didn't trust them?over time, people got used to the ATM, saw the value and convenience, and now it's harder to find a live teller."
The fact that c't has already figured out a way to reveal the serial code, before the chip has even launched, should give consumers pause, Persson said.
"If I have a Trojan Horse on my computer that sends my serial number scrambled or not through the Internet and allows people to identify who I am and find information about who I am on my computer, this is a threat to privacy."