Discussion:
Intel's Management Engine is a security hazard, and users need a way to disable it
Rich
2017-05-08 23:43:48 UTC
https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it?

Quoting from the URL above:

Intel's CPUs have another Intel inside.

Since 2008, most of Intel's CPUs have contained a tiny homunculus
computer called the "Management Engine" (ME). The ME is a largely
undocumented master controller for your CPU: it works with system
firmware during boot and has direct access to system memory, the screen,
keyboard, and network. All of the code inside the ME is secret, signed,
and tightly controlled by Intel. Last week, vulnerabilities in the
Active Management (AMT) module in some Management Engines have caused
lots of machines with Intel CPUs to be disastrously vulnerable to remote
and local attackers. While AMT can be disabled, there is presently no
way to disable or limit the Management Engine in general. Intel urgently
needs to provide one.

This post will describe the nature of the vulnerabilities (thanks to
Matthew Garrett for documenting them well), and the potential for
similar bugs in the future. EFF believes that Intel needs to provide a
minimum level of transparency and user control of the Management Engines
inside our CPUs, in order to prevent this cybersecurity disaster from
recurring. Unless that happens, we are concerned that it may not be
appropriate to use Intel CPUs in many kinds of critical infrastructure
systems.

...
RS Wood
2017-05-10 02:44:45 UTC
Post by Rich
Intel's CPUs have another Intel inside.
and tightly controlled by Intel. Last week, vulnerabilities in the
Active Management (AMT) module in some Management Engines have
caused lots of machines with Intel CPUs to be disastrously
vulnerable to remote and local attackers. While AMT can be
disabled, there is presently no way to disable or limit the
Management Engine in general. Intel urgently needs to provide one.
This one is particularly galling because (A) it was basically predicted
ages ago that such a system would eventually be a security problem, and
(B) there's no easy way around this one. You can't just reinstall the
OS and apps, this is a weakness one level below that. Even BIOS is
higher up the food chain than this.

I miss the days when AMD was a realistic competitor to Intel. Suppose I
could make my next box out of a Raspberry Pi and go ARM...
Paul Sture
2017-05-10 05:10:31 UTC
Post by RS Wood
Post by Rich
Intel's CPUs have another Intel inside.
and tightly controlled by Intel. Last week, vulnerabilities in the
Active Management (AMT) module in some Management Engines have
caused lots of machines with Intel CPUs to be disastrously
vulnerable to remote and local attackers. While AMT can be
disabled, there is presently no way to disable or limit the
Management Engine in general. Intel urgently needs to provide one.
This one is particularly galling because (A) it was basically predicted
ages ago that such a system would eventually be a security problem, and
(B) there's no easy way around this one. You can't just reinstall the
OS and apps, this is a weakness one level below that. Even BIOS is
higher up the food chain than this.
The Wintel Duopoly raises its ugly head here, because the only official
tools Intel has released to detect the problem, plus the tool to mitigate
it before the individual vendor patches arrive, are Windows based.
Post by RS Wood
I miss the days when AMD was a realistic competitor to Intel. Suppose I
could make my next box out of a Raspberry Pi and go ARM...
Quite a bit of new development in the last few years has been for Intel-
only CPUs, at least to start with - Julia and Rust are a couple of
examples I have looked at myself.
--
Everybody has a testing environment. Some people are lucky enough to
have a totally separate environment to run production in.
Ivan Shmakov
2017-05-10 06:57:33 UTC
Post by RS Wood
Post by Rich
Intel's CPUs have another Intel inside.
and tightly controlled by Intel. Last week, vulnerabilities in the
Active Management (AMT) module in some Management Engines have
caused lots of machines with Intel CPUs to be disastrously
vulnerable to remote and local attackers. While AMT can be
disabled, there is presently no way to disable or limit the
Management Engine in general. Intel urgently needs to provide one.
This one is particularly galling because (A) it was basically
predicted ages ago that such a system would eventually be a security
problem, and (B) there's no easy way around this one. You can't just
reinstall the OS and apps, this is a weakness one level below that.
Even BIOS is higher up the food chain than this.
I miss the days when AMD was a realistic competitor to Intel.
Except that, as [1] explains, AMD fares no better.

AMD Platform Security Processor (PSP)

This is basically AMD's own version of the Intel Management Engine.
It has all of the same basic security and freedom issues, although
the implementation is wildly different.

The Platform Security Processor (PSP) is built in on all Family 16h
+ systems (basically anything post-2013), and controls the main x86
core startup. PSP firmware is cryptographically signed with a
strong key similar to the Intel ME. If the PSP firmware is not
present, or if the AMD signing key is not present, the x86 cores
will not be released from reset, rendering the system inoperable.

To note, however, is that AMD claims the 'feature' is only
available in "select APUs" [2]:

AMD gives you a dedicated AMD Secure Processor built into select AMD
Accelerated Processing Units (APUs).

On the other hand, Purism claims to avoid Intel AMT [3, 4]:

Our solution is thus:

1. We choose Intel CPUs that do not have vPro (nor AMT.) Note that
this does not mean that we are confined to using old/pre-2008
CPUs [...]

2. We do not use an Intel networking card (we use completely
different network chipsets instead.)

3. We do not use the "corporate" version of the Intel Management
Engine (Intel ME) binary.

4. On coreboot-enabled Purism devices, we further neutralize the
Intel ME binary [...], with the intention of reverse-engineering
the remaining parts.

Also, they claim to bug Intel to "free" the ME:

We released a petition for, and continue to work with Intel to free
it entirely (what Intel is calling a "ME-less" design.)

[1] http://libreboot.org/faq.html
[2] http://amd.com/en-us/innovations/software-technologies/security
[3] http://puri.sm/learn/avoiding-intel-amt/
[4] http://puri.sm/learn/intel-me/
Post by RS Wood
Suppose I could make my next box out of a Raspberry Pi and go
ARM...
There was a thread in debian-user@ a month or so ago regarding
the proliferation of various privacy-infringing features in
modern systems, and hence the need for free software (including
Debian) to retain compatibility with older hardware. One of the
posters responded that claims of backdoors in CPUs date back to
the eighties.

Well, at least back then, the CPU vendors didn't advertise such
vulnerabilities waiting to happen as 'features'.

Personally, when a motherboard (made c. 2007) on one of my home
boxes failed this year, I've replaced it with a somewhat similar
used one (made in 2008.) Cost me less than 50 USD (including a
suitable CPU.)

Also, it apparently is based on a chipset (SB700 or something
like that) for which AMD /did/ make the specs available, and
which seems to be supported by Coreboot [5].

[5] http://coreboot.org/Supported_Chipsets_and_Devices
--
FSF associate member #7257 np. Back then -- codekk 8916 3013 B6A0 230E 334A
RS Wood
2017-06-10 02:27:55 UTC
Post by Rich
Intel's CPUs have another Intel inside.
Interesting follow-up. This steaming pile just keeps getting worse.

Title: Malware uses Intel AMT feature to steal data, avoid firewalls
Author: cmn32480
Date: Fri, 09 Jun 2017 14:27:00 -0400
Link: https://soylentnews.org/article.pl?sid=17/06/09/1723243&from=rss

DannyB[1] writes:

Malware uses Intel AMT feature to steal data, avoid firewalls[2]

Microsoft's security team has come across a malware family that uses
Intel's Active Management Technology (AMT) Serial-over-LAN (SOL)
interface as a file transfer tool.

Because of the way the Intel AMT SOL technology works, SOL traffic
bypasses the local computer's networking stack, so local firewalls
or security products won't be able to detect or block the malware
while it's exfiltrating data from infected hosts.

and . . .

Intel AMT SOL exposes hidden networking interface

This is because Intel AMT SOL is part of the Intel ME (Management
Engine), a separate processor embedded with Intel CPUs, which runs
its own operating system.

Intel ME runs even when the main processor is powered off, and while
this feature looks pretty shady, Intel built ME to provide remote
administration capabilities to companies that manage large networks
of thousands of computers.

I always believed the Intel Management Engine was a bad idea[3] and a
huge target for sophisticated hackers. Your hardware. Pre-compromised
from the factory. A processor baked into your microprocessor with full
access to the hardware. It runs a secret binary blob -- and the
primary microprocessor won't run without it.

This probably isn't the last time that this will be exploited.
Probably not even the first, given the difficulty of detecting it. The
wonderful thing is that your OS isn't aware of the compromise and is
unable to interfere with it.

Original Submission[4]

Read more of this story[5] at SoylentNews.

Links:
[1]: http://soylentnews.org/~DannyB/
[2]: https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/
[3]: https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it
[4]: http://soylentnews.org/submit.pl?op=viewsub&subid=20672
[5]: https://soylentnews.org/article.pl?sid=17/06/09/1723243&from=rss
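Since AMT SOL traffic never passes through the host's own network stack, the only place it can be observed is a network-side log (switch, perimeter sensor, flow export). As an added example, not code from the thread or from any vendor tool, this flags flows to the standard Intel AMT TCP ports from any source that is not an approved management console; the flow-log format, addresses and the sanctioned console 10.0.5.23 are constructed for the example.

```python
import re

# Standard Intel AMT TCP ports (web UI and redirection; SOL and IDE-R
# ride on the redirection ports). These are documented Intel values.
AMT_PORTS = {
    16992: "AMT HTTP",
    16993: "AMT HTTPS",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection over TLS (SOL/IDE-R)",
}

# Constructed sample of a simple "timestamp src -> dst:port bytes=N" flow
# log, as a switch or perimeter sensor might export it. Not real data.
SAMPLE_LOG = """\
2017-06-09T14:01:02Z 10.0.5.23 -> 10.0.7.40:443 bytes=5120
2017-06-09T14:01:09Z 198.51.100.17 -> 10.0.7.41:16995 bytes=3145728
2017-06-09T14:02:30Z 10.0.5.23 -> 10.0.7.40:16994 bytes=900
2017-06-09T14:03:11Z 10.0.9.9 -> 10.0.7.41:22 bytes=2048
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>[\d.]+) -> (?P<dst>[\d.]+):(?P<port>\d+) bytes=(?P<bytes>\d+)$"
)

def parse_flows(text):
    """Yield one dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": m["ts"], "src": m["src"], "dst": m["dst"],
                "port": int(m["port"]), "bytes": int(m["bytes"]),
            }

def find_amt_flows(text, allowed_consoles=frozenset()):
    """Return (src, dst, port, service, bytes) for every flow that reaches an
    AMT port from a source that is not an approved management console."""
    hits = []
    for f in parse_flows(text):
        if f["port"] in AMT_PORTS and f["src"] not in allowed_consoles:
            hits.append((f["src"], f["dst"], f["port"], AMT_PORTS[f["port"]], f["bytes"]))
    return hits

if __name__ == "__main__":
    # 10.0.5.23 is the hypothetical sanctioned AMT console; anything else
    # talking to an AMT port deserves a look, whatever the host firewall says.
    for hit in find_amt_flows(SAMPLE_LOG, allowed_consoles={"10.0.5.23"}):
        print("suspect AMT traffic: %s -> %s:%d (%s), %d bytes" % hit)
```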
Huge
2017-06-10 14:00:56 UTC
Post by RS Wood
Post by Rich
Intel's CPUs have another Intel inside.
Interesting follow-up. This steaming pile just keeps getting worse.
Title: Malware uses Intel AMT feature to steal data, avoid firewalls
Author: cmn32480
Date: Fri, 09 Jun 2017 14:27:00 -0400
Link: https://soylentnews.org/article.pl?sid=17/06/09/1723243&from=rss
Malware uses Intel AMT feature to steal data, avoid firewalls[2]
Microsoft's security team has come across a malware family that uses
Intel's Active Management Technology (AMT) Serial-over-LAN (SOL)
interface as a file transfer tool.
Because of the way the Intel AMT SOL technology works, SOL traffic
bypasses the local computer's networking stack, so local firewalls
or security products won't be able to detect or block the malware
while it's exfiltrating data from infected hosts.
Firewalls running on the host they protect always were a stupid idea.
--
Today is Sweetmorn, the 15th day of Confusion in the YOLD 3183
I don't have an attitude problem.
If you have a problem with my attitude, that's your problem.
RS Wood
2017-11-10 15:06:29 UTC
On 10 Jun 2017 14:00:56 GMT
Post by Huge
Post by RS Wood
Post by Rich
Intel's CPUs have another Intel inside.
Interesting follow-up. This steaming pile just keeps getting worse.
Title: Malware uses Intel AMT feature to steal data, avoid firewalls
Author: cmn32480
Date: Fri, 09 Jun 2017 14:27:00 -0400
Link: https://soylentnews.org/article.pl?sid=17/06/09/1723243&from=rss
Malware uses Intel AMT feature to steal data, avoid firewalls[2]
Microsoft's security team has come across a malware family that uses
Intel's Active Management Technology (AMT) Serial-over-LAN (SOL)
interface as a file transfer tool.
Because of the way the Intel AMT SOL technology works, SOL traffic
bypasses the local computer's networking stack, so local firewalls
or security products won't be able to detect or block the malware
while it's exfiltrating data from infected hosts.
Firewalls running on the host they protect always were a stupid idea.
So, looks like the Intel IME has been effectively cracked now:
https://twitter.com/h0t_max/status/928269320064450560

Some interesting HackerNews commentary here:
https://news.ycombinator.com/item?id=15669262

Neat thing about the guy who cracked it: Maxim Goryachy is apparently
focused full time on it. It's not a side job. Hey, you build it, we
break it - that's the way it goes! Wish I were running SPARC. Maybe
I'll go ARM.
RS Wood
2017-11-10 15:10:38 UTC
On Fri, 10 Nov 2017 10:06:29 -0500
Post by RS Wood
https://twitter.com/h0t_max/status/928269320064450560
https://news.ycombinator.com/item?id=15669262
Here's the important bit. I knew the first paragraph, but not the
relevance of JTAGs and USB here.

//--clip
dsr_ 1 hour ago [-]

Intel CPUs have an embedded supervisory CPU called the Management
Engine. It can read all of memory, control power states on the main
CPU, and generally has super-root privileges on everything. You, an
end-user, aren't allowed to program it. The current MEs run a form of
Minix. They represent an incredible security and privacy risk, because
we don't know what code they run and it is widely believed that the NSA
or other intelligence agencies have backdoor access. Remote backdoor
access, even: the ME can talk to the network.

A JTAG is a standard minimal serial port used for debugging purposes.
You'll find them on nearly all embedded devices - routers, phones, TVs,
refrigerator controllers... usually appearing as a set of two or three
contact points. Sometimes they connect directly to a debugger.

In this case, it appears that at least some Intel CPUs have a JTAG on
the ME that can be routed through the on-CPU USB handler, and thus
physical access to the right USB ports can be used to access the
ME.

//--clip
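The defender's question raised by the clip above is whether the CPU's debug interface is switched on or locked on a given machine. As an added example (not from the thread or from the researchers it mentions), this decodes the IA32_DEBUG_INTERFACE MSR (address 0xC80), whose bit layout I take from Intel's Software Developer's Manual: bit 0 enable, bit 30 lock, bit 31 debug occurred. Whether that register alone governs the USB-routed path the comment describes is not something the thread states; reading it requires Linux with the msr module loaded and root, so the decode step is a pure function that can be checked without hardware.

```python
import os
import struct

IA32_DEBUG_INTERFACE = 0xC80  # architectural MSR per the Intel SDM

def decode_debug_interface(value):
    """Decode the three architectural bits of IA32_DEBUG_INTERFACE and
    return them with a one-line assessment for a report."""
    enabled = bool(value & (1 << 0))       # debug interface enabled
    locked = bool(value & (1 << 30))       # no further changes until reset
    occurred = bool(value & (1 << 31))     # firmware/hardware saw debug use
    if enabled:
        status = "DEBUG INTERFACE ENABLED"
    elif not locked:
        status = "disabled but unlocked (firmware could enable it later)"
    else:
        status = "disabled and locked"
    return {"enabled": enabled, "locked": locked,
            "debug_occurred": occurred, "status": status}

def read_msr(address, cpu=0):
    """Read a 64-bit MSR through the Linux msr driver (root, modprobe msr).
    Raises OSError (EIO) on CPUs that do not implement the register."""
    fd = os.open("/dev/cpu/%d/msr" % cpu, os.O_RDONLY)
    try:
        return struct.unpack("<Q", os.pread(fd, 8, address))[0]
    finally:
        os.close(fd)

if __name__ == "__main__":
    try:
        raw = read_msr(IA32_DEBUG_INTERFACE)
    except OSError as err:
        raise SystemExit("cannot read MSR 0x%X: %s" % (IA32_DEBUG_INTERFACE, err))
    info = decode_debug_interface(raw)
    print("IA32_DEBUG_INTERFACE = 0x%016X -> %s" % (raw, info["status"]))
```

A locked-and-disabled reading is what a production box should show; an unlocked reading means firmware left the door openable even if it is currently shut.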
