Intel Shows RealVNC Embedded In the BIOS
LWATCDR writes "At Intel Developer Forum, Intel and RealVNC demoed RealVNC integrated at the BIOS level. Using VNC, one can now power down, power up, reboot, go into the BIOS, and even mount disk images on the network. All of this has been available for a while using IPMI but now it can be done using the open standard VNC. It is available now on Q57 and Q67 motherboards. One can just imagine how useful this could be in a data center, school, or any other system with a large number of computers. Let's hope AMD joins in."
So..... we've had someone (I forget if it was AMD or Intel teaming up with Trend Micro to look for malware at the lowest possible hardware level) and then in the same week an announcement about how you can have remote visuals for your WHOLE system from outside the O/S?
While it's useful if your server decides to hang and you don't know why, this exists in DRAC cards and other forms of remote management for systems which NEED it. I don't think I've ever had to access the BIOS of a consumer-level device remotely before, or even thought it'd be a wildly good idea...
So when a vuln is found, which it WILL be, everyone has to update their BIOS now? I know of a lot of people who are going to be very unhappy about that idea! - hey, at least they could do it remotely? (maybe!)
- http://www.milkme.co.uk
So, let's see... Intel is trying to extend their binary-only ugly turd of a software blob called BIOS to include applications. Yeah, that's REALLY useful. Give me the source of the BIOS and a license so I can build and distribute it with alternative stuff and maybe I'll call it useful. Otherwise it's evil and useless. I don't want it at all and I hope it doesn't catch on.
Kinda useless without a security layer like SSL.
Can we get this using UltraVNC and not RealVNC? The half-screen-size feature is nice and RealVNC does not support it.
Using VNC, one can now power down, power up, reboot, go into the BIOS, mount disk images on the network
"A door is what a dog is perpetually on the wrong side of" - Ogden Nash
Most BIOS interfaces are still actual text interfaces or simply text interfaces converted to pseudo-windows graphics. Anything a BIOS does can easily be controlled with a keyboard and a text screen. How about implementing an SSH server instead of the unencrypted VNC protocol? Enter the admins' public keys, then protect key storage and BIOS flashability with a DIP switch or a jumper. While you're at it, extend PXE so that it can verify cryptographic signatures against public keys in flash memory.
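The post above proposes an SSH console with admin public keys held in flash, write-protected by a jumper, and a PXE that verifies image signatures against those keys. As an added example (not code from the thread, from Intel or from RealVNC), here is the signature-check half in Go, using the standard library's Ed25519 (my choice of algorithm; the post names none). The lock flag stands in for the jumper, and the image bytes are a constructed stand-in for a PXE boot file.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustStore models the admin public keys the post wants kept in flash.
// Locked stands in for the DIP switch / jumper: once set, no key can be
// enrolled, so nobody reaching the box over the network can add their own.
type TrustStore struct {
	keys   []ed25519.PublicKey
	Locked bool
}

// Add enrols a public key; it only succeeds while the store is unlocked.
func (ts *TrustStore) Add(pub ed25519.PublicKey) error {
	if ts.Locked {
		return errors.New("key store is write-protected")
	}
	ts.keys = append(ts.keys, pub)
	return nil
}

// NewSigningKey generates an Ed25519 key pair on the signing host. Only the
// public half would ever be written into a client's flash.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// SignImage signs the SHA-256 digest of a boot image (kernel, initrd, or
// PXE boot program). Hashing first keeps the signed message fixed-size.
func SignImage(priv ed25519.PrivateKey, image []byte) []byte {
	digest := sha256.Sum256(image)
	return ed25519.Sign(priv, digest[:])
}

// VerifyImage is the check the post wants PXE to run before executing what
// it downloaded: accept only if the signature verifies under an enrolled
// key. The matching key's index is returned so firmware can log which admin
// key authorised the boot.
func (ts *TrustStore) VerifyImage(image, sig []byte) (int, error) {
	if len(sig) != ed25519.SignatureSize {
		return -1, errors.New("malformed signature")
	}
	digest := sha256.Sum256(image)
	for i, pub := range ts.keys {
		if ed25519.Verify(pub, digest[:], sig) {
			return i, nil
		}
	}
	return -1, errors.New("image signature does not match any trusted key")
}

func main() {
	pub, priv, err := NewSigningKey()
	if err != nil {
		panic(err)
	}
	var store TrustStore
	_ = store.Add(pub)
	store.Locked = true // jumper pulled: no further enrolment

	image := []byte("constructed stand-in for a PXE boot image") // constructed input
	sig := SignImage(priv, image)

	if idx, err := store.VerifyImage(image, sig); err == nil {
		fmt.Printf("boot allowed, signed by key #%d\n", idx)
	}
	tampered := append([]byte(nil), image...)
	tampered[0] ^= 0x01
	if _, err := store.VerifyImage(tampered, sig); err != nil {
		fmt.Println("boot refused:", err)
	}
	if err := store.Add(pub); err != nil {
		fmt.Println("enrolment refused:", err)
	}
}
```

The point of locking the store separately from verifying images is the one the post makes about the jumper: an attacker who can already write to the OS must not be able to turn that into a new trusted key, so enrolment needs a physical step that a remote session cannot perform.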
I suggested this and other ways of using VNC embedded in hardware like this years ago. It will be great to have keyboard, mouse and video - I hope they also add virtual CD/DVD or USB to get the machine loaded remotely.
It is a shame that it may be too late, with VBLOCK and ESX systems taking hold.
I just about guarantee there will be backdoors built in so that the "Nanny State" can view any screen at any time. Combine this with IPv6 giving each device an Internet accessible IP address. How sad.
Looks like about what we have had for years on server gear. I do hope you can disable that 6-digit key bit (making it worthless for servers and off hours). Has this not been around since version 6, and they are on version 8 now?
No sir, I don't like it.
Or at least something very like it - vPro.
While IPMI is well-established on the server, so far no form of BIOS-level remote control seems to be doing particularly well on the desktop. It's damn difficult to find definitive statements from any major OEM concerning which lines support it, there's a plethora of versions with varying levels of sophistication, some of which require proprietary software in order to use.
That in itself isn't the end of the world, but even tracking down suitable proprietary software can be like pulling teeth!
Myself, I think that the majority of companies being targeted with this are the huge organisations with offices and staff everywhere - but they tackled the problem 10 years or more ago, they've got a whole stack of solutions and processes already in place and so something which doesn't really bring anything particularly useful to the table isn't all that interesting.
Dell, HP, IBM & others have similar remote KVM solutions for their servers.
Not sure about all of them, but in Dell's case they wrap the whole VNC connection in SSL first.
Why VNC? Why not SSH?
By the way this was on SGI workstations and it was awesome. I still remember the first time I went into the SGI BIOS setup only to be greeted with a shell. That blew my mind.
Entertainment companies will make the first best use of it. Browser, Flash, and now BIOS cookies. Tada!
Hey, that's great, Intel. But when can we get off-the-shelf motherboards with an EFI instead of a legacy BIOS? What's the hold up?
Using VNC, one can now ... power up,
Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. It's turtles all the way down.
What I'm worried about is:
1) It's not going to be "open standard VNC" but some weird kluge that operates strictly on layer 2 and requires "special", probably Windows-only, software that at least doesn't require IP to work.
2) Or, to have the VNC interface not interfere with the "real" LAN card, it'll have two interfaces: either via VLAN, which will invariably be messed up, or two phy interfaces, which will invariably be swapped and double my buildout costs. Or the extreme hackery of the LAN port means it'll be one-version-of-Windows-only hardware, never to be used on a different version of Windows or Linux or anything else; a "win-lancard".
3) To protect me from the latest windows worm that locks people out of their bios using this tech, my ISP will "save me" by blocking all standard port VNC traffic and any traffic analysis VNC traffic on alternate ports. Thanks guys, for removing VNC from the list of usable software. I feel so much better now.
4) Many non-technical users are going to get scammed by brightly flashing internet ads advertising security and safety at a cost for this. Right next to the equally snake oil "your computer is broadcasting your ip address" ads.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
It's doing exactly what an IBM BladeCentre MM has been doing for over a decade?
Exciting... Hopefully they won't limit you to Java VNC like IBM.
Uhm... Patents? Software Patents? Who wants to bet there are dozens of patents on this technology already applied for by Intel? We already know VNC's patents, but not when you add "in the BIOS" to the end of it.
This will be very useful in the Enterprise space, with no need to resort to HP iLO or Dell's DRAC, or IBM's management processor.
Nothing to see here but us trolls...move along...
VNC is not the pinnacle of security to begin with; unless they changed it, the default password limitation in VNC used to be at least only 8 characters. And if they haven't, it just gives a much easier method of compromising a system.
RealVNC at the GPL level, which I suspect is what we're testing with, has no encryption. IPMI, which is billed as standard on most enterprise-grade servers, on the other hand comes with the option of key-based crypto.
Good people go to bed earlier.
Cool! I use VNC hooks for recording user sessions. Is it a full install? i.e. key stroke and pointer location code too?
Having to work for a living is the root of all evil.
OEMs like Dell and HP have the DRAC and ALOM "add-in" cards that they sell at various prices ranging from $99 upwards of $650. Yet Intel is talking about enabling in the BIOS, for free, features the OEMs are charging premiums for. This could have a backlash effect from the channel partners...
I'm hoping that by default it's disabled and requires enabling + a password to work.
However, isn't VNC an insecure protocol? Perhaps if it had a default SSL layer or something like that (I suppose then it would need an ability to update the cert as well), then it would be a safer solution.
Using VNC, one can now ... power up,
Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box.
DRAC and BMC cards have been able to do this for years - you can very easily set IP information for the controller: DHCP, static, or otherwise. This wouldn't work terribly differently from how DRAC/BMC/iLO cards work right now, as they work completely independently of the rest of the system and guest OS.
Finally a good post and I am all out of mod points!
Flexible bare-metal recovery for Linux/UNIX
Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. It's turtles all the way down.
I suspect that like IPMI, if you enable this new system, then as long as the "big red switch" is on (i.e., the motherboard is getting the power it would need to respond to the momentary "power on" switch), then the network card will also be powered and able to send and receive.
The real trick is the very first power on... if this new feature is set to "on" by default, and the NIC is set to use DHCP, then you can just drop-ship new systems to wherever they are needed and then start the remote configuration. Of course, that would be a really bad default, as the security holes it opens are profound. Imagine a company that doesn't use this feature but doesn't disable it correctly... any internal hacker could then "watch" the initial OS install, and possibly be given remote admin access, allowing them to trojan the machine.
Using VNC, one can now ... power up,
Before I VNC in to power up the box, I need DHCP running so I have an IP address to connect to. No problemo, I'll just power up the box to get a DHCP address before I power up the box to power up the box. It's turtles all the way down.
I'll take it you've never heard of Wake-on-LAN. Third-party services such as LogMeIn actually can turn on remote machines as long as there is another computer on the network with LogMeIn installed. That doesn't even require an IP address. It's a packet addressed to the MAC of the NIC (which is why the originating packet needs to be on the same network).
I use this tech on a number of Lenovo desktops. It works pretty well, though I have had some reliability issues. Isn't this standard with all vPro-capable hardware? BTW, this has some amazing potential when working with our India-based IT support, especially for a small company.
Currently, they have this tied to AMT. That only works with a pure Intel implementation (integrated Intel NIC, chipset, etc). AFAIK, it's even *specifically* only the 'desktop' chipsets that bother putting in the bits. So your EP/EN/EX platforms are not invited to the party at all, even *if* your vendor didn't put Emulex or Broadcom down. They specifically segmented this off as 'desktop/laptop', and said 'IPMI' is the server equivalent (which covers most of the base capabilities, but omits KVM and has delegated that to proprietary extensions, as real men need nothing more than Serial (even Windows admins)).
XML is like violence. If it doesn't solve the problem, use more.
I bought my latest server board from Intel specifically because it supports this, and it does work well -- full KVM over VNC, can boot from bios all the way to desktop regardless of the OS, it's basically exactly like sitting at the console, but you can be anywhere.
However, I had a few issues with the design:
1) Setting up encryption for VNC was a pain... I had to dig around on Intel's site to find some corporate management software before I could install an X.509 certificate and connect to the encrypted port using RealVNC
2) RealVNC Viewer Plus ($$) is required if you want the ability to have full AMT (all the cool remote disk mounting, system power control etc). Some of this you can get via the web interface though (via a different port).
Apart from the setup pains though, it's very cool tech. I was also able to perform a full GUI install of Fedora on my US server from my laptop in Norway, using an ISO file on the laptop for the install (yes, you read that correctly... you can mount a local disk file on the remote machine and the BIOS makes it appear as a local disk! But again, that required the AMT features, and RealVNC Plus :P).
The system works by intercepting IP packets on the motherboard network interface (so you must connect via that port, not just any network port), and redirects connections to a selection of ports (all configurable) to support remote management via VNC, http/https, or a few other protocols. This means you can connect in and check out the desktop at full rez even when someone's using the machine, or even work on fixing issues even through a kernel oops. Basically, as long as the network to the port stays up, you have access to full console control.
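Because the firmware answers on those ports before the OS ever sees the packets, host-based controls cannot see who is reaching them; the place to look is flow or firewall logs. As an added example (not code from the thread, from Intel or from RealVNC), here is a small Go audit that flags any connection to an out-of-band management port from outside an allowed jump-host range. The five log lines are constructed; 5900 is the VNC/KVM port the post describes, and the 1699x entries are the well-known AMT web and redirection listeners, stated from general knowledge rather than from the post.

```go
package main

import (
	"fmt"
	"net"
	"strconv"
	"strings"
)

// Ports the management firmware answers on ahead of the OS. 5900 is the
// VNC/KVM port from the post; the 1699x ports are the usual AMT web and
// redirection listeners (general knowledge, not values from the post).
var managementPorts = map[int]string{
	5900:  "VNC/KVM",
	16992: "AMT HTTP",
	16993: "AMT HTTPS",
	16994: "AMT redirection (SOL/IDE-R)",
	16995: "AMT redirection (TLS)",
}

// Constructed flow records in a simple key=value layout, not real logs.
const sampleFlows = `ts=2010-09-14T10:00:01Z src=10.50.1.20 dst=10.10.7.33 proto=tcp dport=443 action=allow
ts=2010-09-14T10:00:02Z src=10.50.1.20 dst=10.10.7.33 proto=tcp dport=16992 action=allow
ts=2010-09-14T10:00:03Z src=10.200.0.5 dst=10.10.7.33 proto=tcp dport=5900 action=allow
ts=2010-09-14T10:00:04Z src=172.16.9.9 dst=10.10.7.34 proto=tcp dport=5900 action=allow
ts=2010-09-14T10:00:05Z src=10.50.1.21 dst=10.10.7.34 proto=tcp dport=16993 action=deny`

// Finding is one flow to a management port from outside the allowed ranges.
type Finding struct {
	Line    int
	Src     string
	Dst     string
	Port    int
	Service string
	Action  string
}

func parseKV(line string) map[string]string {
	kv := make(map[string]string)
	for _, field := range strings.Fields(line) {
		parts := strings.SplitN(field, "=", 2)
		if len(parts) == 2 {
			kv[parts[0]] = parts[1]
		}
	}
	return kv
}

// AuditFlows flags any flow whose destination port is a management listener
// and whose source address is not inside one of the allowed CIDRs.
func AuditFlows(flows string, allowedCIDRs []string) ([]Finding, error) {
	var allowed []*net.IPNet
	for _, c := range allowedCIDRs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad CIDR %q: %w", c, err)
		}
		allowed = append(allowed, n)
	}
	var findings []Finding
	for i, line := range strings.Split(strings.TrimSpace(flows), "\n") {
		kv := parseKV(line)
		port, err := strconv.Atoi(kv["dport"])
		if err != nil {
			continue // no parsable destination port on this line
		}
		svc, isMgmt := managementPorts[port]
		if !isMgmt {
			continue
		}
		src := net.ParseIP(kv["src"])
		if src == nil {
			continue
		}
		fromAllowed := false
		for _, n := range allowed {
			if n.Contains(src) {
				fromAllowed = true
				break
			}
		}
		if fromAllowed {
			continue
		}
		// Denied attempts are reported too: a blocked probe of the VNC or
		// AMT port from the user LAN is still worth knowing about.
		findings = append(findings, Finding{i + 1, kv["src"], kv["dst"], port, svc, kv["action"]})
	}
	return findings, nil
}

func main() {
	findings, err := AuditFlows(sampleFlows, []string{"10.200.0.0/24"})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("line %d: %s -> %s:%d (%s) action=%s\n", f.Line, f.Src, f.Dst, f.Port, f.Service, f.Action)
	}
}
```

On the constructed input only 10.200.0.0/24 is allowed to reach management ports, so the VNC session from that range passes while the two other VNC/AMT flows and the denied probe are reported. In practice the allow list is the management VLAN or jump hosts, and anything else touching these ports is either misconfiguration or the scenario the earlier post worries about.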
Who says mailing lists don't drive development?
http://www.realvnc.com/pipermail/vnc-list/2002-October/034111.html
Alright! I have my hard-to-detect avenue for exploit. What a great vector! Thanks, Intel!
"Flyin' in just a sweet place,
Never been known to fail..."
"now it can be done using the open standard VNC"
there are no less than four open-source IPMI projects
I'll take it you've never heard of Wake-on-LAN. Third-party services such as LogMeIn actually can turn on remote machines as long as there is another computer on the network with LogMeIn installed. That doesn't even require an IP address. It's a packet addressed to the MAC of the NIC (which is why the originating packet needs to be on the same network).
Yeah, but that's cheating. You need an extra box and a WOL-compatible switch, right? If I'm allowed to cheat and have stuff other than the as-advertised VNC, then I can just specify a robot arm poised to punch the power switch. Or default the BIOS to always power up on restoral of AC and hook up to innumerable remote rebooter products and home automation products.
I have noticed over the years that the concept of a power switch has been removed. The only thing my cable set-top box does when it's "off" is output a black screen. The giant office printer at work merely shuts off the LCD backlight when it's switched off. It's all about making the greenies think they're saving kWh while not actually doing anything.
"Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
Yes, another reason not to use Intel. I mean, in a perfect world it would be awesome, since you don't have truckloads of haxorRs and government agencies on the line to poke at your stuff, a cute little world where military research facilities don't get breached. How do we know Intel is going to lose this info? How do we know someone else's puppet (aka government) developed this and is using Intel as a proxy? VNC is open source, so where's the source of this implementation? Why VNC and not RDP? I use VNC but I acknowledge that RDP is better.
It may be useful in a data center anyway, and I hope AMD keeps away from this unless, for some reason, some government rules that this helps to "think of the children while keeping the turririst away" and it gets shoved in anyway.
Time to hoard pre-Big-Brother hardware gear.
In other news: the tin foil industry has seen a rise in trading in the late afternoon.
I want a BIOS that can only be upgraded in an upgrade mode. After the upgrade it defaults to a non-upgrade mode; thus, the only way to upgrade the BIOS is to reboot and set the upgrade mode in the BIOS, then boot an OS with an app to upgrade the BIOS. It would also be nice to warn and stop with a continue question while in the update mode. This should be much harder to compromise than current BIOSes that can be written from the OS. It's a dream and will probably never happen, but wouldn't it be nice? I also look forward to having UEFI BIOSes (I know some have it, but very few). I realize for arrays of computers this would be cumbersome; maybe have the option to turn this behavior on. I've worried about compromised BIOSes ever since you were allowed to update the BIOS from the OS. VNC in the BIOS seems like a big security hole.
Shouldn't that be UEFI or something that isn't archaic trash? Then again, this is the PC we're talking about.
Yay, finally Windows malware can be assisted by BIOS level rootkits.
It's called AMT, and I've been running one of these for over a year on my $120 vPro motherboard.
As of AMT 6.0, you can control every aspect of the PC, including interacting with the BIOS screen, from remote.
http://en.wikipedia.org/wiki/Intel_Active_Management_Technology
VNC subsystem -> VNC Driver
Multiple systems can share a physically functional NIC. A bad driver in the OS layer does not stop the NIC in a different environment from using it.
I only look human.
My mother is a halfling and my dad is an ogre, so that makes me an Ogreling
I believe all you need for WOL is access to a system on the same broadcast domain as the target system. I'm pretty sure it's also possible to send the magic packet through a router but I have no experience with doing so. At home I use wake-on-LAN through my pfSense firewall or an app on my iPhone. Basically, if you have the capability to VNC into a machine you should also have the capability to use WOL.
I'm sorry, but this isn't really anything that new, it's just new to the end-user market. Server systems (that are in use in datacenters) have been using tools like this for years. HP's iLO and iLO2 are wonderful at it, but others such as Dell etc also have their comparable services, all usable via a web browser session even...
This is great that it's finally available to the end user, but it's hardly new functionality...
We already have KVM over IP, which are independent systems, and it's important that they are independent! When you get hacked, the hackers can flash the BIOS, which would be insanely bad if they did this to a system with KVM over IP on the MB.
Why KVM over IP on the MB is a gigantic security issue:
* BIOS memories are large and have entire programs (see remote access forever using "unflashable" BIOS)
* BIOS KVM over IP cannot be on an internal network only
** you can hack a KVM over IP system on a shared connection
** a DDOS takes out your KVM over IP
* MB makers are less interested in security than KVM over IP hardware people
* can't replace the KVM over IP system if it's found to be insecure
Anons need not reply. Questions end with a question mark.
So when a vuln is found, which it WILL be, everyone has to update their BIOS now? I know of a lot of people who are going to be very unhappy about that idea!
Why? What's so spectacular about a BIOS update? Booting to DOS and loading the new BIOS from a floppy is a thing of the past. My girlfriend upgraded her BIOS the other day. Didn't even notice. Ok, that's a lie, she did notice. A window came up giving her a list of 2 drivers and a new BIOS; she clicked OK. That was it. The update utility for her computer is memory resident, so in theory it could be done as silently as a Windows update.
The only critical part is still the potential for a bricked machine due to a dodgy update, but between the few seconds the update took making a power outage unlikely, and the way companies like Gigabyte have released motherboards with multiple BIOSes as backups just in case an update goes screwy, is that much of a concern?
Exactly. All that is required is that the packet reaches the intended destination. The easiest way to do that on a TCP/IP network is the magic packet sent to one of the broadcast addresses (either network specific i.e. 192.168.0.255 or the general purpose one: 255.255.255.255). Every switch knows how to handle network broadcasts (and every hub, though I haven't seen an actual network hub in ages since small switches are commodity hardware now, transmits every packet to every connected port).
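The Wake-on-LAN replies above (the LogMeIn post, the pfSense post and this one) describe the magic packet in words: a frame addressed to the NIC's MAC, sent to a broadcast address, with no IP address for the sleeping host involved. As an added example (not code from the thread, from Intel or from RealVNC), here is the packet in Go, built on one side and recognised on the other. The MAC and broadcast address are constructed sample values; the detection side is what you would run over captured UDP payloads to see who is waking what on a segment.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"net"
)

// The synchronisation stream that opens every magic packet.
var syncStream = bytes.Repeat([]byte{0xFF}, 6)

// BuildMagicPacket returns the 102-byte WOL payload: 6 bytes of 0xFF followed
// by the target's MAC repeated 16 times. No IP address of the sleeping host
// appears anywhere in it, which is the point the posts above make.
func BuildMagicPacket(mac string) ([]byte, error) {
	hw, err := net.ParseMAC(mac)
	if err != nil {
		return nil, err
	}
	if len(hw) != 6 {
		return nil, errors.New("wake-on-LAN expects a 48-bit MAC address")
	}
	pkt := make([]byte, 0, 6+16*6)
	pkt = append(pkt, syncStream...)
	for i := 0; i < 16; i++ {
		pkt = append(pkt, hw...)
	}
	return pkt, nil
}

// SendMagicPacket puts the payload on the wire as a UDP datagram to port 9
// on the given broadcast address (e.g. 192.168.0.255 or 255.255.255.255).
// Go's net package enables SO_BROADCAST on UDP sockets, so no extra setup.
func SendMagicPacket(mac, broadcast string) error {
	pkt, err := BuildMagicPacket(mac)
	if err != nil {
		return err
	}
	conn, err := net.Dial("udp", net.JoinHostPort(broadcast, "9"))
	if err != nil {
		return err
	}
	defer conn.Close()
	_, err = conn.Write(pkt)
	return err
}

// ExtractMagicTarget is the detection side: given a UDP payload (or a whole
// frame), it looks for the sync stream followed by sixteen identical MACs
// anywhere in the buffer and returns the MAC being woken. Trailing bytes
// (the optional SecureOn password) are ignored, as NICs ignore them too.
func ExtractMagicTarget(payload []byte) (net.HardwareAddr, bool) {
	const need = 6 + 16*6
	for i := 0; i+need <= len(payload); i++ {
		if !bytes.Equal(payload[i:i+6], syncStream) {
			continue
		}
		mac := payload[i+6 : i+12]
		match := true
		for r := 1; r < 16; r++ {
			off := i + 6 + 6*r
			if !bytes.Equal(payload[off:off+6], mac) {
				match = false
				break
			}
		}
		if match {
			return net.HardwareAddr(append([]byte(nil), mac...)), true
		}
	}
	return nil, false
}

func main() {
	pkt, err := BuildMagicPacket("00:11:22:33:44:55") // constructed sample MAC
	if err != nil {
		panic(err)
	}
	fmt.Printf("payload: %d bytes, starts % x\n", len(pkt), pkt[:12])
	if mac, ok := ExtractMagicTarget(pkt); ok {
		fmt.Println("magic packet would wake", mac)
	}
	// SendMagicPacket("00:11:22:33:44:55", "192.168.0.255") would broadcast it.
}
```

Scanning for the pattern anywhere in the buffer rather than at offset zero is deliberate: the packet is valid wherever it lands, so it may arrive with a SecureOn trailer, inside an arbitrary UDP port, or as a raw frame with the Ethernet header still attached, and a monitor that only checks a fixed offset misses all three.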