The Trouble With Intel's Management Engine (hackaday.com)
szczys writes: You've used many devices that have Intel's Management Engine built into them, even if you haven't heard of it before. This is the lowest level of security, built directly into the chips. But obscurity is part of its security and part of its weakness. Nobody knows exactly how ME works, yet it includes a wide range of features that would be frightening if exploited. The ME is always listening, able to receive packets even when the device is asleep. And it has the lowest level of access to every part of the computer system.
Stopped reading the conspiracy rant after this delicious gem:
Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure. With the implication that BIOS was somehow secure. Yeah, bullshit.
I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.
Between lack of a useful setup routine, centralized management, etc.. it's a royal PITA to actually work with on an Enterprise level.. It's nice though.. I'll give them that.. onboard VNC for BIOS level control like a DRAC/BMC/ORA/iLO, etc and ability to send WOL to PC level hardware is nice for those pesky users that have totally messed things up.. It's also useful for remote rebuilding of machines since you can remote redirect ISOs and such..
But.. again.. royal PITA to set up and the documentation is scattered and horrible to read through.
Ah HA!
What do you mean "if"?
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Known_vulnerabilities_and_exploits
AMD. No backdoors.
(some verification may be required)
There should be general pressure to reduce attack surfaces now that we know how prevalent and persistently-undiscovered bugs are in modern software, and this is the opposite.
Finally good security strategy doesn't overspend on a single attribute of defense, detection, recovery. Layer-skipping interfaces like this are a bigger setback for detection and recovery than they are for defense.
I agree they're getting a big pass through obscurity, and that pass needs to be revoked. But even if the system were better-documented it would remain a bad design and value-negative.
So the IME is in place in millions of desktops. Is anyone currently using any of the features? How does the software communicate with it?
This kind of stuff really gets the wheels turning in my head, but unfortunately the hamsters in those wheels are on the verge of death.
always listening, able to receive packets even when the device is asleep
When was the last time you saw a computer that didn't have "wake on lan", "wake on keyboard", and "wake on network"? It's not done by magic and pixie dust.
In my experience, on late model DDR3 and DDR4-based chipsets, the ME driver is unstable, does absolutely nothing, is now included in Windows Update so you can't ignore it unless you disable it. Some early model computers around 2009-ish will not boot if ME is turned off in the BIOS so why is there even an option in the BIOS to turn it off? NOBODY actually uses it for anything, even in most corporate IT environments. I also heard some computers can use it to turn on from a dead power off, allegedly. It's almost like Intel decided they had too much business and too much of an advantage over AMD and wanted to shoot themselves in the foot a couple times.
It's a completely separate processor embedded in the PCH itself. It's leveraged for a wide range of functions, including things like out-of-band control of the machine itself, even when it's off, and even when it's non-bootable for some reason. It's also used for content protection and encryption of protected video and audio, and as such the ME software is integrated with the graphics and (I think) audio drivers. That's about all I know about it, if there are other functions the ME is leveraged for, I don't know about them. I do know it's not necessary for the ME to be running for the rest of the computer to be bootable, but if it's not then some functions may be disabled (like the playing of protected content).
If you don't like this sort of thing, buy devices that support Coreboot.
Step 1. Purchase a legitimate certificate from CA trusted by ME
Step 2. Broadcast DHCP announcement with domain name matching your trusted certificate
Step 3. Root dance
I trust American technology is not used for spying.
PS: BTW, likewise for Russian and Chinese tech. I'm not anti-American, after all. I'm anti-being-fooled.
How is that so hard?
Very few consumer level PCs have IME built in, Q series motherboards are a rare buy
seriously, please tell me the enterprise that only buys Intel systems? normally the decision process between "we need new computers" and "cut the cheque" is filled with several decision heads who all have different views and opinions, so what happens when some bean counter recommends buying a pallet of AMD machines because they were cheaper??
so in other words, this was meant for customer lock in, sell the tools and then people need to be using all Intel chips in the enterprise. the question is will it work? and what is the blow back once someone cracks the management engine?
as for the conspiracy theories.. there is no box that is 100% secure, sure this could be a back door into your computer, hell it could even have been sponsored by the NSA... so what do you do?
here's the answer: WAKE UP, these are tools and nothing more than tools, why do people insist on putting their life story into these devices and online instead of using these devices like a tool. if my hammer is broken then i throw it out and get a new hammer.. if i find my hammer is reporting back my actions to anyone, i throw it out and buy one that doesn't. vote with your wallets, that is the only language these companies speak
trouble? ... everything, everywhere.
- nsa would love it
- a virus that exploits it is going to win
I bet there are chip features, like the ones Intel tried to sell as upgrade codes, such that you can enable them through this. Higher speed. More memory. Alternative instructions.
From: "Platform Embedded Security Technology Revealed: Safeguarding the Future of Technology with Intel Embedded Security and Management Engine" - "Security Applications at a Glance ...
First, the engine should be used as frequently as possible - not only when management service is requested on the system. After all, how often do system problems happen? They do not happen every day.
Second, a successful state-of-the-art technology should not benefit only the network administrators and the employees in enterprises. It should bring values to a larger population.
There are clearly many more possibilities and opportunities to be explored on the security and management engine. In today's mobile age, the demand for secure mobile services that involve valuable assets is gaining significant momentum. As a result, the embedded engine is reborn with new security features that are serving all end users every day."
--- Pretty creepy stuff. People you would not invite into your home are inviting themselves into every aspect of your life. Management Engine is on consumer end user devices. You just don't have access to it.
You would still need Intel RST to pretend to be a browser and open the website though.
Even going to the website with evil javascript trusted would still require admin access and need another OS level exploit to execute and then another one through ME to execute the code
http://saveie6.com/
So Santa does.
I'll give you an example of how ME is used on very common business-oriented cheap desktops like Dell OptiPlex or old HP dc series.
It all began around the era of Core2Duo when manufacturers started to implement ME/AMT management solutions on their cheap office PCs. In the *default configuration* the access to ME's setup is unrestricted and protected by default credentials of admin/admin. Even if you have set a password on the BIOS itself you can still enter ME setup by just pressing a hotkey during boot.
Since ME has a full-blown TCP stack it can even listen on a separate IP that can be set in the ME setup. When configured you basically own the PC, you can control power, attach IDE/CD/FDD images and remotely boot from them. If the current graphics mode is ol'DOS you can even redirect that on the Serial-Over-LAN interface without even having the full AMT (which uses VNC to redirect any graphics mode). All that is done over super-secure SOAP with no encryption by default.
If your manufacturer was competent there probably is a buried update to make it DASH-compliant and to make it not accessible without the BIOS password.
What is more it's possible to attack ME/AMT remotely with broadcasts to make it configure itself to open wide up. All you need is a certificate that's trusted, which is really not that hard.
It also has pretty neat capabilities to even filter packets in hardware, without the OS control!
Now for the intended purpose: different versions of ME/AMT behave differently in the desktop world. Missing features between generations, bugged features, broken power management. The default behaviour of taking 2 TCP ports for hosting websites that can be used to remotely control the PC itself is bad enough.
The firmware itself was confirmed by Intel to have unrestricted DMA, which pretty much can defeat any protections in software. The only way to stop it for sure is to use a dedicated NIC...
Software and APIs are really bad as well, the SDK is a collection of bolted-on turds.
It's all pretty sad really. And don't get me started on how it's implemented on laptops...
All of those exploits exist and are in the wild. Luckily they have not been cobbled together into an attack script that I am aware of, but I haven't looked for a usable version of the hacks. I mainly care that they exist, and they do. :(
http://www.slideshare.net/code...
If IME (or AMD's PSP) gets exploited, you are completely screwed, throw the motherboard out. No amount of re-flashing can get you to a known good state. The advantage of the stick, as a relatively passive device and preferably read-only to the managed device, is that it can be removed/reviewed/fixed on another device. Imagine it like using an SD-Card to store a BIOS, and having no firmware other than that. To upgrade the BIOS, you remove the stick, put it on a trusted computer (you have to find one of those) and use that to do the BIOS upgrade, then you put it back in the computer, where it is read-only. This works for fixing a corrupt BIOS as well. The only capability you give to the CPU is the ability to load its microcode on boot from this stick.
Implemented properly, with co-operation from the chip vendors that has the potential to be much more secure, but how likely is that?
ASUS already has this feature. "USB BIOS Flashback" is what it's called.
You would still need Intel RST to pretend to be a browser and open the website though.
No websites required. Computer does not even need to be turned on.
Even going to the website with evil javascript trusted would still require admin access and need another OS level exploit to execute and then another one through ME to execute the code
All you need is access to broadcast domain of wired or wireless network on which your victim is attached. As my attack strictly uses remote access facilities as intended to be used no exploits are required.
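A defender-side check for the rogue DHCP announcement described in the comments above, added here as an example and not code from any poster or from Intel: it parses DHCP server replies and flags any that come from a server, or announce a domain name, outside an allow-list. The allow-list values, the function names and the sample packet builder are assumptions constructed for illustration, as is the assumption that the announced domain travels in DHCP option 15 (Domain Name).

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"      # RFC 2131 marker that precedes the options
ALLOWED_SERVERS = {"10.0.0.1"}          # assumption: the site's only real DHCP server
ALLOWED_DOMAINS = {"corp.example"}      # assumption: the site's real DNS suffix

def parse_options(payload: bytes) -> dict:
    """Return {option_code: value_bytes} from a BOOTP/DHCP UDP payload."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload):
        code = payload[i]
        if code == 255:                  # end-of-options marker
            break
        if code == 0:                    # pad byte, carries no length field
            i += 1
            continue
        if i + 1 >= len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        length = payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def audit_reply(payload: bytes) -> list:
    """Findings for a server reply (OFFER=2 or ACK=5); an empty list means clean."""
    opts = parse_options(payload)
    msg_type = (opts.get(53) or b"\0")[0]
    if payload[0] != 2 or msg_type not in (2, 5):
        return []                        # client traffic is out of scope here
    srv = opts.get(54, b"")              # option 54: server identifier
    server = str(ipaddress.IPv4Address(srv)) if len(srv) == 4 else "missing"
    domain = opts.get(15, b"").rstrip(b"\0").decode("ascii", "replace").lower()
    findings = []
    if server not in ALLOWED_SERVERS:
        findings.append(f"unauthorized DHCP server {server}")
    if domain and domain not in ALLOWED_DOMAINS:
        findings.append(f"unexpected domain name {domain!r}")
    return findings

def build_reply(server: str, domain: str) -> bytes:
    """Constructed sample DHCPOFFER for the demo, not captured traffic."""
    hdr = bytes([2, 1, 6, 0]) + bytes(232)          # op=BOOTREPLY, rest zeroed
    opts = bytes([53, 1, 2, 54, 4]) + ipaddress.IPv4Address(server).packed
    opts += bytes([15, len(domain)]) + domain.encode("ascii") + b"\xff"
    return hdr + MAGIC_COOKIE + opts
```

In practice `audit_reply` would be fed the UDP payloads of port 67/68 traffic from a switch mirror port or a saved capture.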