Slashdot Mirror


The Trouble With Intel's Management Engine (hackaday.com)

szczys writes: You've used many devices that have Intel's Management Engine built into them, even if you haven't heard of it before. This is the lowest level of security, built directly into the chips. But obscurity is part of its security and part of its weakness. Nobody knows exactly how ME works, yet it includes a wide range of features that would be frightening if exploited. The ME is always listening, able to receive packets even when the device is asleep. And it has the lowest level of access to every part of the computer system.

2 of 106 comments

  1. Stopped reading after... by CajunArson · Score: 5, Insightful

    Stopped reading the conspiracy rant after this delicious gem:

    Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device.

    Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure. With the implication that BIOS was somehow secure. Yeah, bullshit.

    I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.

    --
    AntiFA: An abbreviation for Anti First Amendment.
  2. It's very powerful and very broken by Anonymous Coward · Score: 2, Insightful

    I'll give you an example of how ME is used on very common business-oriented cheap desktops like Dell OptiPlex or old HP dc series.

    It all began around the era of Core2Duo when manufacturers started to implement ME/AMT management solutions on their cheap office PCs. In the *default configuration* the access to ME's setup is unrestricted and protected by default credentials of admin/admin. Even if you have set a password on the BIOS itself you can still enter ME setup by just pressing a hotkey during boot.
    Since ME has a full-blown TCP stack it can even listen on a separate IP that can be set in the ME setup. When configured you basically own the PC, you can control power, attach IDE/CD/FDD images and remotely boot from them. If the current graphics mode is ol'DOS you can even redirect that on the Serial-Over-LAN interface without even having the full AMT (which uses VNC to redirect any graphics mode). All that is done over super-secure SOAP with no encryption by default.
    If your manufacturer was competent there probably is a buried update to make it DASH-compliant and to make it not accessible without the BIOS password.

    What is more it's possible to attack ME/AMT remotely with broadcasts to make it configure itself to open wide up. All you need is a certificate that's trusted, which is really not that hard.

    It also has pretty neat capabilities to even filter packets in hardware, without the OS control!

    Now for the intended purpose: different versions of ME/AMT behave differently in the desktop world. Missing features between generations, bugged features, broken power management. The default behaviour of taking 2 TCP ports for hosting websites that can be used to remotely control the PC itself is bad enough.
    The firmware itself was confirmed by Intel to have unrestricted DMA, which pretty much can defeat any protections in software. The only way to stop it for sure is to use a dedicated NIC...

    Software and APIs are really bad as well, the SDK is a collection of bolted-on turds.

    It's all pretty sad really. And don't get me started on how it's implemented on laptops...
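The listeners the comment above describes (a web server on two TCP ports, a SOAP interface with no encryption by default, default credentials) are exactly what a defender should go looking for on their own network before someone else does. What follows is an added example, not code from the thread and not Intel's own tooling: a small Python audit script that probes the well-known AMT management ports, 16992 (HTTP) and 16993 (HTTPS), and reports any host whose HTTP `Server` header names "Intel(R) Active Management Technology". The port numbers and banner string are assumptions taken from Intel's public AMT documentation, the `192.0.2.x` hosts are constructed (TEST-NET addresses), and the HTTPS probe deliberately skips certificate validation because a factory AMT instance presents a self-signed certificate; that is fine for an inventory scan and must not be copied into anything that sends credentials.

```python
"""Inventory scan for exposed Intel AMT management listeners.

Added example, not code from the Slashdot thread or from Intel.
Assumptions (from Intel's public AMT docs, not from the page):
  * the AMT web server listens on TCP 16992 (plain HTTP) and 16993 (TLS);
  * its responses carry a Server header containing
    "Intel(R) Active Management Technology".
"""
import socket
import ssl
import sys
from dataclasses import dataclass

AMT_PORTS = {16992: False, 16993: True}          # port -> wrapped in TLS?
AMT_BANNER = b"Intel(R) Active Management Technology"
MAX_RESPONSE = 4096                               # only the headers matter


@dataclass
class AmtFinding:
    host: str
    port: int
    tls: bool
    server_header: str


def parse_amt_response(raw: bytes):
    """Return the Server header value if `raw` looks like an AMT HTTP reply.

    Returns None for non-HTTP data or for a server that is not AMT.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    if not lines or not lines[0].startswith(b"HTTP/"):
        return None
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            value = value.strip()
            if AMT_BANNER in value:
                return value.decode("ascii", "replace")
    return None


def probe_amt(host, port, tls, timeout=3.0, connector=socket.create_connection):
    """Fetch the AMT index page from host:port; return an AmtFinding or None.

    `connector` is injectable so the logic can be exercised without a network.
    """
    request = (
        f"GET /index.htm HTTP/1.1\r\nHost: {host}:{port}\r\n"
        "Connection: close\r\n\r\n"
    ).encode()
    try:
        sock = connector((host, port), timeout=timeout)
    except OSError:                       # closed port, filtered, no route
        return None
    chunks, total = [], 0
    try:
        if tls:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False    # AMT ships a self-signed cert;
            ctx.verify_mode = ssl.CERT_NONE   # inventory only, never for auth
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        while total < MAX_RESPONSE:       # read just enough for the headers
            data = sock.recv(1024)
            if not data:
                break
            chunks.append(data)
            total += len(data)
    except OSError:                       # reset, TLS failure, timeout
        return None
    finally:
        sock.close()
    server = parse_amt_response(b"".join(chunks))
    return AmtFinding(host, port, tls, server) if server else None


def scan(hosts, ports=AMT_PORTS, **probe_kwargs):
    """Probe every host on every AMT port; return the list of findings."""
    findings = []
    for host in hosts:
        for port, tls in ports.items():
            finding = probe_amt(host, port, tls, **probe_kwargs)
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed default target (TEST-NET); pass real hosts on the command line.
    targets = sys.argv[1:] or ["192.0.2.10"]
    for f in scan(targets):
        scheme = "https" if f.tls else "http"
        print(f"{scheme}://{f.host}:{f.port}  {f.server_header}")
```

Any host this reports is running the management web server the comment describes and deserves a visit to the MEBx/AMT setup screen: if it still answers to the factory admin/admin credentials it should be reprovisioned with a real password or have AMT disabled outright, and the plain-HTTP listener on 16992 should be considered a clear-text management channel until TLS is enforced.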