The Trouble With Intel's Management Engine (hackaday.com)

← Back to Stories (view on slashdot.org)

The Trouble With Intel's Management Engine (hackaday.com)

Posted by Soulskill on Friday January 22, 2016 @06:54AM from the probably-not-NOx-emissions dept.

szczys writes: You've used many devices that have Intel's Management Engine built into them, even if you haven't heard of it before. This is the lowest level of security, built directly into the chips. But obscurity is part of its security and part of its weakness. Nobody knows exactly how ME works, yet it includes a wide range of features that would be frightening if exploited. The ME is always listening, able to receive packets even when the device is asleep. And it has the lowest level of access to every part of the computer system.

70 of 106 comments (clear)

Min score:

Reason:

Sort:

Stopped reading after... by CajunArson · 2016-01-22 06:59 · Score: 5, Insightful

Stopped reading the conspiracy rant after this delicious gem:

Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device.
Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure. With the implication that BIOS was somehow secure. Yeah, bullshit.
I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.

--
AntiFA: An abbreviation for Anti First Amendment.
1. Re:Stopped reading after... by Anonymous Coward · 2016-01-22 07:15 · Score: 4, Interesting
  
  IME has always been a buggy piece of shit with absolutely no visibility by anyone outside of Intel or without strict NDAs, that is a fair statement. I have no experience with AMDs equivalent to speak of. But IME was always a black box of vague claims, poor implementations, bugs and secret sauce. That devices have embedded FW is unavoidable in this day and age, it's a fact of life and people need to get over it (I'm looking at systems companies who are allergic to software). But normally that embedded FW has a fixed function, is scope limited such that it can be reasonably tested and verified by the design teams and "must work". It's not like a more typical software development model (even for BIOS or UEFI) where if they have to release a patch they will do it. Updating IME can be sketchy given where it's fingers may lie in a design. IME seems to confuse all those boundaries and I haven't worked with anyone who has liked it.
  Confusing BIOS and UEFI into this discussion is distracting, they are generally unrelated (but again, given the sketchy scope of IME, there are tie-ins).
2. Re:Stopped reading after... by phishybongwaters · 2016-01-22 07:16 · Score: 1, Interesting
  
  I didn't even go past the part of the article that the submitter mangled for "The ME is always listening, able to receive packets even when the device is asleep." No, not exactly. The subsystem is able to recieve information from the network interface when the machine is hibernating or sleeping. So? Are we calling wake on lan or power saving mode an attack now? That's a basic feature of most modern devices with a network interface. Hell, my NAS box does this, it's network ready but in a powered down state with the drives spun down, but it's pingable and once you request resources from it, it wakes up and does it's job.
3. Re:Stopped reading after... by st3v · 2016-01-22 07:19 · Score: 1
  
  I agree, the fact they wrote that immediately discredits the author as technically inept. This makes the whole article a waste of time.
4. Re:Stopped reading after... by red_dragon · 2016-01-22 07:23 · Score: 4, Informative
  
  Given that the ARM core in AMD APUs conform to ARM TrustZone, which seems better documented than IME, I'd assume that yes, AMD documents it.
  
  --
  In Soviet Russia, Jesus asks: "What Would You Do?"
5. Re:Stopped reading after... by Anonymous Coward · 2016-01-22 07:25 · Score: 5, Funny
  
  ...with absolutely no visibility by anyone outside of Intel or without strict NDAs...
  Not true. As one who is under strict NDA, I'm pretty sure that Intel doesn't even know how it works or what it does.
6. Re:Stopped reading after... by Anonymous Coward · 2016-01-22 07:25 · Score: 1
  
  Stopped reading the conspiracy rant after this delicious gem:
  
  Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device.
  Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure.
  It is not the abandonment of BIOS which makes computers insecure, it is the choice of UEFI.
  The current release of the UEFI specification has over 2,000 pages. This is a horribly complex mess which is almost impossible to implement completely and correctly. And you can bet that firmware vendors will opt for completeness over correctness any day.
7. Re:Stopped reading after... by Anonymous Coward · 2016-01-22 07:27 · Score: 4, Informative
  
  It does a bit more than this. Heck, when the system is turned off (S5), it can still publish a webpage interface to the network. This is more than wake on lan or power saving mode.
8. Re:Stopped reading after... by Thud457 · 2016-01-22 07:32 · Score: 1
  
  What, this little gem didn't faze you?
  
  Nobody knows exactly how ME works
  
  --
  the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
9. Re:Stopped reading after... by CajunArson · 2016-01-22 07:35 · Score: 1
  
  I'm sure the authors of the article don't know how the management engine works.
  But given their level of "competence" I'm sure they don't know how a lot of things work. So what, a piece of technology isn't governed by the level of ignorance of some blogger.
  
  --
  AntiFA: An abbreviation for Anti First Amendment.
10. Re:Stopped reading after... by WaffleMonster · 2016-01-22 07:47 · Score: 1
  
  I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.
  I don't understand these types of comments which are made quite often here and elsewhere. Someone says something about Google and there is always a response about Apple or Microsoft doing x, y and z too.
  Why can't someone focus on something a specific vendor is or is not doing even if you disagree with their process or conclusions without being obligated to enumerate all other vendors who may or may not be doing the same thing?
  Why is there always that implicit assumption failure to talk about what everyone else is doing somehow constitutes acceptance when there is no basis for such a conclusion other than the imagination of the person making it.
11. Re:Stopped reading after... by lgw · 2016-01-22 07:51 · Score: 2
  
  It does more then wake on lan. Any time you have buggy code paying attention to the contents of packets in any way, you have a real attack vector. The ability to execute arbitrary code in a layer this low is something to worry about. Could an attacker use this layer to do an update to the BIOS (whatever it's called)? I don't know, but I'd like to know.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
12. Re:Stopped reading after... by Anonymous Coward · 2016-01-22 07:53 · Score: 2, Informative
  
  Yeah, that's a big difference between "turn on power" and "here's a HTTP SERVER running while in sleep"
  Previous parent is intentionally deceptive trying to blur the line. Shitty.
13. Re:Stopped reading after... by Junta · 2016-01-22 07:57 · Score: 1
  
  Yes, I have witnessed a lot of 'ok, the IME thinks SOMETHING is wrong, but damned if we know what'
  
  --
  XML is like violence. If it doesn't solve the problem, use more.
14. Re:Stopped reading after... by hairyfeet · 2016-01-22 08:02 · Score: 1
  
  Funny that you complain about conspiracies and then follow that up by falsehoods. AMD does NOT currently embed ARM chips into its CPUs, there is TALK of doing this sometime in the future for a small range of laptops aimed at the corporate market but so far that is all it is, talk. And if AMD ever does embed an ARM chip they simply licensed a standard ARM security chip design from ARM corp, last I checked it used standard crypto schemes and had specs available online, no black boxes with that design.
  As for TFA....do you REALLY blame the writer for being paranoid? We have Wikileaks revealing new nasties about the US gov daily, we have Intel that has been trying to push the market towards black boxes since Palladium and Itanic, and you have MSFT doing everything short of using WU to nuke the OS of everybody that won't jump on their new OS which preliminary traffic analysis shows to be nothing more than Big Brother in a can complete with malware style keylogging and requiring a version they won't sell you to turn off the majority of spying.
  So while TFA is probably paranoid frankly after all we've learned in the past few years....do you REALLY trust a large corp like Intel, especially one that has ties to a government, in the case of Intel Israel?
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
15. Re: Stopped reading after... by ArmoredDragon · 2016-01-22 08:21 · Score: 1
  
  Two other problems are that boot signing is an optional module in UEFI, in addition to the fact that ME is off in the factory configuration, and in order for it to do anything you have to explicitly enable it and configure a password.
  It's actually a wonderful feature to have, by the way. It still works even if the CPU is dead and you have no RAM. You can tell exactly what's wrong with a seemingly dead system through the fault logs on the web interface.
16. Re:Stopped reading after... by CajunArson · 2016-01-22 08:38 · Score: 3, Informative
  
  Maybe you should actually learn about AMD's product lineup: http://www.anandtech.com/show/...
  Yes, in the year 2012 it was a futuristic feature. Then 2013 happened. Where have you been?
  
  --
  AntiFA: An abbreviation for Anti First Amendment.
17. Re:Stopped reading after... by Burz · 2016-01-22 08:38 · Score: 2
  
  IME has always been a buggy piece of shit with absolutely no visibility by anyone outside of Intel or without strict NDAs, that is a fair statement. I have no experience with AMDs equivalent to speak of. But IME was always a black box of vague claims, poor implementations, bugs and secret sauce. That devices have embedded FW is unavoidable in this day and age, it's a fact of life and people need to get over it (I'm looking at systems companies who are allergic to software). But normally that embedded FW has a fixed function, is scope limited such that it can be reasonably tested and verified by the design teams and "must work". It's not like a more typical software development model (even for BIOS or UEFI) where if they have to release a patch they will do it. Updating IME can be sketchy given where it's fingers may lie in a design. IME seems to confuse all those boundaries and I haven't worked with anyone who has liked it.
  Confusing BIOS and UEFI into this discussion is distracting, they are generally unrelated (but again, given the sketchy scope of IME, there are tie-ins).
  Agreed. GP is kneejerk Intel fanboy blather and automatically runs to attack AMD as if TFA intended to play favorites. Intel dominates the market and sets the trends, so stop being a baby about criticism when an article focuses on them.
  IME remains a black box, that can talk with the network and is therefore open to attack. Its not a part of the trusted computing base, but has control over it.
18. Re: Stopped reading after... by Groo+Wanderer · 2016-01-22 08:56 · Score: 1
  
  Actually no, the ME is off as far as user facing features are concerned, but if it is fully off, good luck booting your PC. The MS is always on, and contrary to Intel's public stance, when you buy a SKU with it disabled/no BIOS for it loaded/fused off (depending on whom you talk to, I have gotten all three many times), it is still there, still functional, and still not under your control.
  In short 'off' means the user facing and user accessible parts are no longer user accessible, not what most people still consider off. Intel refuses to talk about or publicly document what features are there and what are still active in each of these modes. I have asked them for this information and they said no. I have been digging on the ME for literally years, and have a fair idea of what it can do and can't do in both states.
  And I am scared sh*tless by what I found.
19. Re:Stopped reading after... by klui · 2016-01-22 09:26 · Score: 1
  
  Intel AMT is available even if the machine is powered off. https://en.wikipedia.org/wiki/...
20. Re:Stopped reading after... by Billly+Gates · 2016-01-22 10:01 · Score: 1
  
  Stopped reading the conspiracy rant after this delicious gem:
  
  Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device.
  Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure.
  It is not the abandonment of BIOS which makes computers insecure, it is the choice of UEFI.
  The current release of the UEFI specification has over 2,000 pages. This is a horribly complex mess which is almost impossible to implement completely and correctly. And you can bet that firmware vendors will opt for completeness over correctness any day.
  As opposed to 30 years of hacks from 1981 and layers and upon layers which only a select few knew the secrets with the bios?
  EFI was supported here before Windows 8. Now slashdot has become a fear of change site for IT folks which is hypocracy. Not saying UEFI is perfect but I am glad the bios is about dead. Like DOS with expanded vs extended ram tricks needed for games I welcomed Windows NT/95 greatly to say goodbye. Same is true with BIOS and all the limitations like 2 TB disks which that hack was implemented because the bios is hardset at 40 meg disks and a virtual 2 TB wrap around was put in.
  
  --
  http://saveie6.com/
21. Re: Stopped reading after... by Billly+Gates · 2016-01-22 10:02 · Score: 1
  
  But MS supports it and change is scary and bad so shhh. The bios is the best ever right there with running XP on a modern i7
  
  --
  http://saveie6.com/
22. Re:Stopped reading after... by Gr8Apes · 2016-01-22 10:47 · Score: 1
  
  It seems like a really good way to deal with this is to use a non-Intel firewall between you and the internet, and only whitelist inbound ports and DPI those ports. Not terribly difficult, but likely beyond any Joe/Jane Sixpack.
  
  --
  The cesspool just got a check and balance.
23. Re:Stopped reading after... by Gravis+Zero · 2016-01-22 10:47 · Score: 1
  
  I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me.
  I know, right?! Just last month someone tried to convince me that Juniper routers had a backdoor. Can you believe the crazy shit people are willing to believe? What crazy conspiracy-theory drivel will people post next, all our phones are tapped? A secret NSA building where internet traffic is recorded? I mean, that would have be a huge building.
  conspiracy-theory drivel indeed!
  
  --
  Anons need not reply. Questions end with a question mark.
24. Re:Stopped reading after... by Gr8Apes · 2016-01-22 11:01 · Score: 1
  
  Perhaps that you agree and think the author is technically inept discredits you as technically inept. UEFI has a whole new set of potential attack vectors by virtue of it being remotely accessible. UEFI has some good features, but I think I'd prefer the entire "remote accessibility" piece to be a separate optional chip. There are a few other parts that would be nice to have the same optional pluggable feature, but given that making a single chip that does it all is n factors cheaper than building n chips, that is likely to not ever happen unless someone (government?) says it will only buy such a design.
  
  --
  The cesspool just got a check and balance.
25. Re:Stopped reading after... by Gr8Apes · 2016-01-22 11:20 · Score: 4, Informative
  
  As opposed to 30 years of hacks from 1981 and layers and upon layers which only a select few knew the secrets with the bios?
  EFI was supported here before Windows 8. Now slashdot has become a fear of change site for IT folks which is hypocracy. Not saying UEFI is perfect but I am glad the bios is about dead.
  
  BIOS could have been replaced with a modern EFI that merely fixed the issues with BIOS, and there would have been no issues. The problem is it was replaced with UEFI, which is much like replacing initd with systemd, and I apologize for the insult to UEFI in advance.
  
  Like DOS with expanded vs extended ram tricks needed for games I welcomed Windows NT/95 greatly to say goodbye. Same is true with BIOS and all the limitations like 2 TB disks which that hack was implemented because the bios is hardset at 40 meg disks and a virtual 2 TB wrap around was put in.
  BIOS had issues with small pointers it used (16 bit IIRC, of which several were "reserved") So you had 1024 cylinders as a max, and 512bit sectors, so the first cut was to create a cluster in between those two, which allowed for more space by aggregating sectors into clusters which could be addressed in a single cylinder. (This is all so long ago, I'm sure I have something wrong) All of this was based on the early early storage mediums where those terms really related to their physical counterparts.
  Personally, I said goodbye to DOS with OS/2 - flat memory addressing and true pre-emption over time-slicing. I've run several other OSes since then. I am looking forward to the security disaster that is Windows NT/2K/XP/VISTA/8/10 to go away and be replaced by something sane.
  
  --
  The cesspool just got a check and balance.
26. Re:Stopped reading after... by Gr8Apes · 2016-01-22 11:21 · Score: 1
  
  But given their level of "competence" I'm sure they don't know how a lot of things work.
  You don't need to be competent in something to necessarily know it is broken or smells fishy. It certainly can help, but in this case, they are spot on. ME smells fishy for sure.
  
  --
  The cesspool just got a check and balance.
27. Re:Stopped reading after... by mikael · 2016-01-23 00:40 · Score: 1
  
  One of the old tricks of testing network software was to send randomly sized packets to the target system. Eventually something would crack. Sometimes they used function look-up tables to handle different packet types.
  
  --
  Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
28. Re: Stopped reading after... by ray-auch · 2016-01-23 02:51 · Score: 1
  
  If the power isn't disconnected by a physical switch (or pulled out) then it isn't powered off. Period.
  Not understanding that distinction may be just about ok when messing around inside a PC, but then that person goes and messes around inside a light fitting believing that it is turned of at the light switch. Live is live.
29. Re:Stopped reading after... by hairyfeet · 2016-01-24 00:15 · Score: 1
  
  And maybe YOU should bother to do a follow up as that product was CANCELED, it never came out. Or are you gonna also claim that Zen is out, since I can show you a dozen articles saying it was due in 2015? There is a REASON why you don't see shit about it in any of the CPUs/APUs currently being sold and that is because it was CANCELED.
  So next time why don't you actually try looking up a product page instead of believing "its coming real soon, promise!" press releases, dumbass.
  
  --
  ACs don't waste your time replying, your posts are never seen by me.
30. Re:Stopped reading after... by lsatenstein · 2016-01-24 01:46 · Score: 1
  
  Stopped reading the conspiracy rant after this delicious gem:
  
  Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device.
  Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure. With the implication that BIOS was somehow secure. Yeah, bullshit.
  I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.
  Almost every computer microchip has microcode that is revisable via a module stored within the bios. Much of the chips instruction set is programmable. Intel, AMD and other vendors do have microcode updates that are presented at boot time. Linux has them. Windows has them, etc.
  And if you think that the AES instructions within the chip are safe to use, think again. I am willing to bet that the NSA has front doors into the cpu chip, such that it has the possibility to report encryption or decryption activities. I just love microcode says the global governments who love in-chip encryption instructions.
  
  --
  Leslie Satenstein Montreal Quebec Canada
IME is powerful, but a nightmare to mess with by Anonymous Coward · 2016-01-22 06:59 · Score: 3, Informative

Between lack of a useful setup routine, centralized management, etc.. it's a royal PITA to actually work with on an Enterprise level.. It's nice though.. I'll give them that.. onboard VNC for BIOS level control like a DRAC/BMC/ORA/iLO, etc and ability to send WOL to PC level hardware is nice for those pesky users that have totally messed things up.. It's also useful for remote rebuilding of machines since you can remote redirect ISOs and such..
But.. again.. royal PITA to setup and the documentation is scattered and horrible to read through.
1. Re:IME is powerful, but a nightmare to mess with by Junta · 2016-01-22 07:14 · Score: 1
  
  And the specifications are locked up and restricted, preventing quality third party tools to step in for Intel's lackluster implementation.
  
  --
  XML is like violence. If it doesn't solve the problem, use more.
2. Re:IME is powerful, but a nightmare to mess with by Anonymous Coward · 2016-01-22 07:59 · Score: 1
  
  Without sitting in on an Intel meeting on the subject, I can assume that is because they are still determining where the line is between useful feature and security exploit waiting to happen. Until that line is determined, their best course of action is to not release any detailed documentation about the potential of the system and provide only their (by devs for themselves) preliminary software.
  Yes, this course of action may result in a general market rejection of the system, but that's better than making a popular feature that you have to recall every chip with it when someone notices that it gives root access to anyone who can guess a username (like BlackWidow or Batman for example...).
3. Re:IME is powerful, but a nightmare to mess with by Junta · 2016-01-22 09:02 · Score: 1
  
  I would put more money on it being a matter of them considering it a valuable differentiator for business customers, and keeping it secret mitigates risk of competing vendors popping up to compete on a level playing field.
  They aren't still determining the line, they have had this for years and years and know very well their intent and risks.
  
  --
  XML is like violence. If it doesn't solve the problem, use more.
4. Re:IME is powerful, but a nightmare to mess with by myowntrueself · 2016-01-22 09:48 · Score: 1
  
  Between lack of a useful setup routine, centralized management, etc.. it's a royal PITA to actually work with on an Enterprise level.. It's nice though.. I'll give them that.. onboard VNC for BIOS level control like a DRAC/BMC/ORA/iLO, etc and ability to send WOL to PC level hardware is nice for those pesky users that have totally messed things up.. It's also useful for remote rebuilding of machines since you can remote redirect ISOs and such..
  But.. again.. royal PITA to setup and the documentation is scattered and horrible to read through.
  Very painful to work with. Two apparently identical laptops had ME that worked quite differently.
  
  --
  In the free world the media isn't government run; the government is media run.
5. Re:IME is powerful, but a nightmare to mess with by Billly+Gates · 2016-01-22 09:57 · Score: 1
  
  IntelME is really for it's SOC components so they can integrate with cpu states for mobile devices and desktops. It shouldn't be open or maybe open for opensource developers who write drivers for the integrated components.
  It is a driver suite but with more cpu integration no different than geforce or ATI catalyst driver suites.
  
  --
  http://saveie6.com/
6. Re:IME is powerful, but a nightmare to mess with by CanEHdian · 2016-01-23 00:57 · Score: 1
  
  But.. again.. royal PITA to setup and the documentation is scattered and horrible to read through.
  Why oh why couldn't Snowden dump some of the more useful documents the NSA has? ;cP
  
  --
  When the copyright term is "forever minus a day", live every day like it's the last.
Re:First post...but Intel already knew that by U2xhc2hkb3QgU3Vja3M · 2016-01-22 07:02 · Score: 1

I guess you use AMD.
It has been exploited. by Anonymous Coward · 2016-01-22 07:04 · Score: 2, Informative

What do you mean "if"?
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Known_vulnerabilities_and_exploits
Why is this such a mystery? by ArchieBunker · 2016-01-22 07:13 · Score: 1

So the IME is in place in millions of desktops. Is anyone currently using any of the features? How does the software communicate with it?

--
Only the State obtains its revenue by coercion. - Murray Rothbard
1. Re:Why is this such a mystery? by Anonymous Coward · 2016-01-22 07:25 · Score: 1
  
  It's not a mystery. These are normal management features used by enterprises.
2. Re:Why is this such a mystery? by Anne+Thwacks · 2016-01-22 07:31 · Score: 2
  
  Please provide a link to the documentation.
  
  --
  Sent from my ASR33 using ASCII
3. Re:Why is this such a mystery? by EmperorArthur · 2016-01-22 07:35 · Score: 1
  
  An Anonymous Coward and Junta earlier up gave the answer. Basically it's a neat feature which "should" let Enterprise admins manage and fix a box even if the user has trashed the OS. It's all done by intercepting network packets before the OS even sees them. The problem is the tools Intel provides are apparently pretty horrid. Like cross SNMP and Netboot, but several times worse horrid. The other thing is the spec isn't open, so no one else can write tools or extend tools to use them. For example, there are many tools to make Netboot a 123 experience, but there's only Intel's tools for working with the IME.
  TLDR: Intel forces you to use there tools, but they suck.
  
  --
  So lets pretend that we've just completed writing this code, as opposed to having just completed sabotaging it -Altera
4. Re:Why is this such a mystery? by Anonymous Coward · 2016-01-22 07:41 · Score: 1
  
  - General overview
  - Implementation and Reference Guide
5. Re:Why is this such a mystery? by Junta · 2016-01-22 07:54 · Score: 2
  
  Their closed approach probably stems from them getting a bit burned on IPMI. Intel was chiefly responsible for the spec, but the first real mass market servers that had it were AMD (mainly because of Intel's preoccupation with Itanium at the time). In the server business, Intel has nearl 0% share for service processors (third parties rule that roost, excepting the fact they all must interact with IME too). As they have evolved IME, they've kept it a tight restrictive secret. This means that the functionality is restricted to Intel based systems, but the tools to use it are crap and/or buried inside third party UEFI/BMC firmware.
  Basically the industry as a whole had a moment of 'weakness' in the late 90s/early 2000s and had useful interoperable standards come out (not perfect, but serviceable and practical, IPMI and the various IETF SNMP mibs that came out around then). The big players have largely spent the time since trying to bury those standards and re-establish the previous status quo of lock in but 'standards' (looking at CIM/WS-MAN/SMASH/Redfish and Netconf, all of which emphasize vendor 'flexibility' to the point of rendering cross-vendor management with a single codepath impossible). A shame since there are issues in the old protocols that could use some fixing/enhancement.
  
  --
  XML is like violence. If it doesn't solve the problem, use more.
6. Re:Why is this such a mystery? by Anonymous Coward · 2016-01-22 08:56 · Score: 1
  
  You're confusing AMT (Active Management Technology) with IME (Intel Management Engine). AMT runs on top of ME. Even if you disable AMT, ME is still running.
Beyond my understanding. by truck_soccer · 2016-01-22 07:19 · Score: 1

This kind of stuff really gets the wheels turning in my head, but unfortunately the hamsters in those wheels are on the verge of death.
Oh noes! by BarbaraHudson · 2016-01-22 07:37 · Score: 2

always listening, able to receive packets even when the device is asleep
When was the last time you saw a computer that didn't have "wake on lan", "wake on keyboard", and "wake on network"? It's not done by magic and pixie dust/

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
1. Re:Oh noes! by BarbaraHudson · 2016-01-22 07:58 · Score: 1
  
  Meant "wake on mouse." Sorry.
  
  --
  "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
2. Re:Oh noes! by thegarbz · 2016-01-23 07:52 · Score: 1
  
  It's not done by magic and pixie dust/
  It wasn't done by a magical and highly obscure and secretive OS embedded in the CPU either.
  Actually for the most part these were done by management functions of the individual cards responsible for the devices and triggered a computer startup with a standard call to the bios without CPU involvement.
  As other people have pointed out, waking on LAN is quite different from being able to serve up a full webpage while powered off which is a part of what IME is apparently capable of.
my experience by slashmydots · 2016-01-22 07:48 · Score: 1

In my experience, on late model DDR3 and DDR4-based chipsets, the ME driver is unstable, does absolutely nothing, is now included in Windows Update so you can't ignore it unless you disable it. Some early model computers around 2009-ish will not boot if ME is turned off in the BIOS so why is there even an option in the BIOS to turn it off? NOBODY actually uses it for anything, even in most corporate IT environments. I also heard some computers can use it to turn on from a dead power off, allegedly. It's almost like Intel decided they had too much business and too much of an advantage over AMD and wanted to shot themselves in a foot a couple times.
ME details (or what I know of them) by Anonymous Coward · 2016-01-22 07:48 · Score: 1

It's a completely separate processor embedded in the PCH itself. It's leveraged for a wide range of functions, including things like out-of-band control of the machine itself, even when it's off, and even when it's non-bootable for some reason. It's also used for content protection and encryption of protected video and audio, and as such the ME software is integrated with the graphics and (I think) audio drivers. That's about all I know about it, if there are other functions the ME is leveraged for, I don't know about them. I do know it's not necessary for the ME to be running for the rest of the computer to be bootable, but if it's not then some functions may be disabled (like the playing of protected content).
1. Re:ME details (or what I know of them) by Billly+Gates · 2016-01-22 09:54 · Score: 1
  
  It's a completely separate processor embedded in the PCH itself. It's leveraged for a wide range of functions, including things like out-of-band control of the machine itself, even when it's off, and even when it's non-bootable for some reason. It's also used for content protection and encryption of protected video and audio, and as such the ME software is integrated with the graphics and (I think) audio drivers. That's about all I know about it, if there are other functions the ME is leveraged for, I don't know about them. I do know it's not necessary for the ME to be running for the rest of the computer to be bootable, but if it's not then some functions may be disabled (like the playing of protected content).
  Not necessarily.
  Intel ME only communicates and integrates other intel components inside the cpu. The audio and video you mentioned only applies to intel graphics. Since ME is a lower level integration tool the part you see is just the audio and video by the integrated. If you own a realtek audio and an Nvidia card it won't be applicable for example.
  Unless I could be wrong that is what I read up
  
  --
  http://saveie6.com/
Re:The copy writes itself by jandrese · 2016-01-22 07:49 · Score: 4, Informative

AMD calls their version of the IME the "Platform Security Processor (PSP)".

One of the side effects is that open source BIOS projects are effectively dead for desktops.

--

I read the internet for the articles.
CoreBoot by mrchaotica · 2016-01-22 07:51 · Score: 2

If you don't like this sort of thing, buy devices that support Coreboot.

--
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
1. Re:CoreBoot by cfalcon · 2016-01-22 09:16 · Score: 1
  
  So like, four old laptops that are refurbished, and nothing more recent than that on x86?
  I mean, I see your point in principle, but in practice this isn't the type of sacrifice most people can make.
2. Re:CoreBoot by Victor_0x53h · 2016-01-22 09:35 · Score: 2
  
  Coreboot does not remove ME. You may want to investigate the Libreboot project or buy a pre-flashed system from The Ministry of Freedom.
3. Re:CoreBoot by Victor_0x53h · 2016-01-22 09:48 · Score: 1
  
  I failed to suggest Libquity which ships from the US if that is more convenient.
4. Re:CoreBoot by thegarbz · 2016-01-23 07:54 · Score: 1
  
  I would but I want to *upgrade* my PC, not switch to something 5+ years old.
Three step process to owning ME equipped machines by WaffleMonster · 2016-01-22 07:57 · Score: 1

Step 1. Purchase a legitimate certificate from CA trusted by ME
Step 2. Broadcast DHCP announcement with domain name matching your trusted certificate
Step 3. Root dance
Re:Three step process to owning ME equipped machin by Billly+Gates · 2016-01-22 09:52 · Score: 1

You would still need Intel RST to pretend to be a browser and open the website though.
Even going to the website with evil javascript trusted would still require admin access and need another OS level exploit to execute and then another one through ME to execute the code

--
http://saveie6.com/
It's very powerful and very broken by Anonymous Coward · 2016-01-22 10:47 · Score: 2, Insightful

I'll give you an example of how ME is used on very common business-oriented cheap desktops like Dell OptiPlex or old HP dc series.
It all begun around the era of Core2Duo when manufacturers started to implement ME/AMT management solutions on their cheap office PCs. In the *default configuration* the access to ME's setup is unrestricted and protected by default credentials of admin/admin. Even if you have set a password on the BIOS itself you can still enter ME setup by just pressing a hotkey during boot.
Since ME has a full-blown TCP stack it can even listen on a separate IP that can be set in the ME setup. When configured you basically own the PC, you can control power, attach IDE/CD/FDD images and remotely boot from them. If the current graphics mode is ol'DOS you can even redirect that on the Serial-Over-LAN interface without even having the full AMT (which uses VNC to redirect any graphics mode). All that is done over super-secure SOAP with no encryption by default.
If your manufacturer was competent there probably is a burried update to make it DASH-compliant and to make it not accessible without the BIOS password.
What is more it's possible to attack ME/AMT remotely with broadcasts to make it configure itself to open wide up. All you need is a certificate that's trusted, which is really not that hard.
It also has pretty neat capabilities to even filter packets in hardware, without the OS control!
Now for the intended purpose: different versions of ME/AMT behave differently in the desktop world. Missing features between generations, bugged features, broken power management. The default behaviour of taking 2 TCP ports for hosting websites that can be used to remotely control the PC itself is bad enough.
The firmware itself was confirmed by Intel to have unrestricted DMA, which pretty much can defeat any protections in software. The only way to stop it for sure is to use a dedicated NIC...
Software and APIs are really bad as well, the SDK is a collection of bolted-on turds.
It's all pretty sad really. And don't get me started on how it's implemented on laptops...
Re:Q series only by jonwil · 2016-01-22 11:23 · Score: 1

Glad I bought a h170 chipset motherboard and therefore don't have this crap.
Re:Three step process to owning ME equipped machin by Groo+Wanderer · 2016-01-22 12:40 · Score: 1

All of those exploits exist and are in the wild. Luckily they have not been cobbled together into an attack script that I am aware of, but I haven't looked for a usable version of the hacks. I mainly care that they exist, and they do. :(
Re:The copy writes itself by Anonymous Coward · 2016-01-22 14:27 · Score: 3, Informative

The PSP is nothing like IME. IME is a dedicated chip for remote management, which you can't touch.
PSP is simply a separate ARM core that you can control, including running a separate OS. The PSP ARM core, in turn, has a common ARM feature called TrustZone, which provides very strong security guarantees for the software running inside the TrustZone. Again, you control how this is configured and what software runs in the TrustZone.
I don't know about the PSP specifically, but most ARM chips with TrustZone also support something called HAB (High Assurance Boot), which is basically a secure boot mechanism like TPM. It allows you to set a public key used to verify the boot image, and using e-fuses you can programmatically make the public key immutable.
But ARM chips almost always come without any firmware pre-configured. The whole thing is a clean slate. The intention is for people (usually companies) to build their own special-purpose applications using these capabilities, and usages very widely.
IME, by contrast, is just pure evil. If you're lucky, the IME controller is only tied into a particular NIC, in which case you should make sure to _never_ plug anything into that NIC--perhaps fill it with glue. That doesn't solve all the issues--theoretically an attacker could tickle bugs in the IME purely from running in user space on the main CPU--but it closes a huge security hole. Yes, attackers have remotely broken into servers via IME, in some cases just by using the default passwords.
In depth analysis of intel ME by GTO44 · 2016-01-22 14:52 · Score: 1

http://www.slideshare.net/code...
Re:The copy writes itself by _merlin · 2016-01-22 16:19 · Score: 1

If you're enabling IME with default password, you're doing it wrong. If you enable IME you should be installing your own certificates and using certificate-based authentication. If you aren't, you're stupid. I've never encountered hardware where IME is enabled by default (in fact my Dell Precision T3610 is buggy in such a way that it's impossible to enable, and there's no way to enable it on 13th-generation PowerEdge by design). There's a lot of FUD about IME, but it won't hurt you if you don't turn it on.
article is wrong about Rutkowska's recommendation. by anon+mouse-cow-aard · 2016-01-23 00:55 · Score: 1

Having already listened to Joanna Rutkowska's talk a few weeks ago, the writer got it wrong... he/she read or heard 'stick' and inferred 'USB'... no. USB is terminally insecure because the controllers necessary to operate it can be infected also (https://srlabs.de/badusb/) That's why there is a line that says SPI in it. She is talking about something like an SDcard, which has less firmware in it to corrupt. Complexity is the enemy of trust. The issue is that the new stuff is harder for white hats to access/audit/disinfect because the way the chip vendors are "securing" it is by keeping it all a secret... security by obscurity. Muzzling the good guys just gives the advantage to the bad guys.
If IME or (AMD's PSP) gets exploited, you are completely screwed, throw the motherboard out. no amount of re-flashing can get you to known good state. The advantage of the stick, as a relatively passive device and preferably read-only to the managed device, is that it can be removed/reviewed/fixed on another device. Imagine it like using an SD-Card to store a BIOS, and having no firmware other than that. to upgrade the BIOS, you remove the stick, put it on a trusted computer (you have to find one of those) and use that to do the BIOS upgrade, then you put it back in the computer, where it is read-only. This works for fixing a corrupt BIOS as well. The only capability you give to the CPU is the ability to load it's microcode on boot from this stick.
Implemented properly, with co-operation from the chip vendors that has the potential to be much more secure, but how likely is that?
Re:Three step process to owning ME equipped machin by WaffleMonster · 2016-01-25 19:15 · Score: 1

You would still need Intel RST to pretend to be a browser and open the website though.
No websites required. Computer does not even need to be turned on.

Even going to the website with evil javascript trusted would still require admin access and need another OS level exploit to execute and then another one through ME to execute the code
All you need is access to broadcast domain of wired or wireless network on which your victim is attached. As my attack strictly uses remote access facilities as intended to be used no exploits are required.