Slashdot Mirror


The Trouble With Intel's Management Engine (hackaday.com)

szczys writes: You've used many devices that have Intel's Management Engine built into them, even if you haven't heard of it before. This is the lowest level of security, built directly into the chips. But obscurity is part of its security and part of its weakness. Nobody knows exactly how ME works, yet it includes a wide range of features that would be frightening if exploited. The ME is always listening, able to receive packets even when the device is asleep. And it has the lowest level of access to every part of the computer system.

2 of 106 comments

  1. Re:Stopped reading after... by Anonymous Coward · Score: 4, Interesting

    IME has always been a buggy piece of shit with absolutely no visibility by anyone outside of Intel or without strict NDAs, that is a fair statement. I have no experience with AMD's equivalent to speak of. But IME was always a black box of vague claims, poor implementations, bugs and secret sauce. That devices have embedded FW is unavoidable in this day and age, it's a fact of life and people need to get over it (I'm looking at systems companies who are allergic to software). But normally that embedded FW has a fixed function, is scope limited such that it can be reasonably tested and verified by the design teams and "must work". It's not like a more typical software development model (even for BIOS or UEFI) where if they have to release a patch they will do it. Updating IME can be sketchy given where its fingers may lie in a design. IME seems to confuse all those boundaries and I haven't worked with anyone who has liked it.

    Confusing BIOS and UEFI into this discussion is distracting, they are generally unrelated (but again, given the sketchy scope of IME, there are tie-ins).

  2. Re:Stopped reading after... by phishybongwaters · Score: 1, Interesting

    I didn't even go past the part of the article that the submitter mangled for "The ME is always listening, able to receive packets even when the device is asleep." No, not exactly. The subsystem is able to receive information from the network interface when the machine is hibernating or sleeping. So? Are we calling wake on LAN or power saving mode an attack now? That's a basic feature of most modern devices with a network interface. Hell, my NAS box does this, it's network ready but in a powered down state with the drives spun down, but it's pingable and once you request resources from it, it wakes up and does its job.