The Trouble With Intel's Management Engine (hackaday.com)

← Back to Stories (view on slashdot.org)

The Trouble With Intel's Management Engine (hackaday.com)

Posted by Soulskill on Friday January 22, 2016 @06:54AM from the probably-not-NOx-emissions dept.

szczys writes: You've used many devices that have Intel's Management Engine built into them, even if you haven't heard of it before. This is the lowest level of security, built directly into the chips. But obscurity is part of its security and part of its weakness. Nobody knows exactly how ME works, yet it includes a wide range of features that would be frightening if exploited. The ME is always listening, able to receive packets even when the device is asleep. And it has the lowest level of access to every part of the computer system.

20 of 106 comments (clear)

Min score:

Reason:

Sort:

Stopped reading after... by CajunArson · 2016-01-22 06:59 · Score: 5, Insightful

Stopped reading the conspiracy rant after this delicious gem:

Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device.
Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure. With the implication that BIOS was somehow secure. Yeah, bullshit.
I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.

--
AntiFA: An abbreviation for Anti First Amendment.
1. Re:Stopped reading after... by Anonymous Coward · 2016-01-22 07:15 · Score: 4, Interesting
  
  IME has always been a buggy piece of shit with absolutely no visibility by anyone outside of Intel or without strict NDAs, that is a fair statement. I have no experience with AMDs equivalent to speak of. But IME was always a black box of vague claims, poor implementations, bugs and secret sauce. That devices have embedded FW is unavoidable in this day and age, it's a fact of life and people need to get over it (I'm looking at systems companies who are allergic to software). But normally that embedded FW has a fixed function, is scope limited such that it can be reasonably tested and verified by the design teams and "must work". It's not like a more typical software development model (even for BIOS or UEFI) where if they have to release a patch they will do it. Updating IME can be sketchy given where it's fingers may lie in a design. IME seems to confuse all those boundaries and I haven't worked with anyone who has liked it.
  Confusing BIOS and UEFI into this discussion is distracting, they are generally unrelated (but again, given the sketchy scope of IME, there are tie-ins).
2. Re:Stopped reading after... by red_dragon · 2016-01-22 07:23 · Score: 4, Informative
  
  Given that the ARM core in AMD APUs conform to ARM TrustZone, which seems better documented than IME, I'd assume that yes, AMD documents it.
  
  --
  In Soviet Russia, Jesus asks: "What Would You Do?"
3. Re:Stopped reading after... by Anonymous Coward · 2016-01-22 07:25 · Score: 5, Funny
  
  ...with absolutely no visibility by anyone outside of Intel or without strict NDAs...
  Not true. As one who is under strict NDA, I'm pretty sure that Intel doesn't even know how it works or what it does.
4. Re:Stopped reading after... by Anonymous Coward · 2016-01-22 07:27 · Score: 4, Informative
  
  It does a bit more than this. Heck, when the system is turned off (S5), it can still publish a webpage interface to the network. This is more than wake on lan or power saving mode.
5. Re:Stopped reading after... by lgw · 2016-01-22 07:51 · Score: 2
  
  It does more then wake on lan. Any time you have buggy code paying attention to the contents of packets in any way, you have a real attack vector. The ability to execute arbitrary code in a layer this low is something to worry about. Could an attacker use this layer to do an update to the BIOS (whatever it's called)? I don't know, but I'd like to know.
  
  --
  Socialism: a lie told by totalitarians and believed by fools.
6. Re:Stopped reading after... by Anonymous Coward · 2016-01-22 07:53 · Score: 2, Informative
  
  Yeah, that's a big difference between "turn on power" and "here's a HTTP SERVER running while in sleep"
  Previous parent is intentionally deceptive trying to blur the line. Shitty.
7. Re:Stopped reading after... by CajunArson · 2016-01-22 08:38 · Score: 3, Informative
  
  Maybe you should actually learn about AMD's product lineup: http://www.anandtech.com/show/...
  Yes, in the year 2012 it was a futuristic feature. Then 2013 happened. Where have you been?
  
  --
  AntiFA: An abbreviation for Anti First Amendment.
8. Re:Stopped reading after... by Burz · 2016-01-22 08:38 · Score: 2
  
  IME has always been a buggy piece of shit with absolutely no visibility by anyone outside of Intel or without strict NDAs, that is a fair statement. I have no experience with AMDs equivalent to speak of. But IME was always a black box of vague claims, poor implementations, bugs and secret sauce. That devices have embedded FW is unavoidable in this day and age, it's a fact of life and people need to get over it (I'm looking at systems companies who are allergic to software). But normally that embedded FW has a fixed function, is scope limited such that it can be reasonably tested and verified by the design teams and "must work". It's not like a more typical software development model (even for BIOS or UEFI) where if they have to release a patch they will do it. Updating IME can be sketchy given where it's fingers may lie in a design. IME seems to confuse all those boundaries and I haven't worked with anyone who has liked it.
  Confusing BIOS and UEFI into this discussion is distracting, they are generally unrelated (but again, given the sketchy scope of IME, there are tie-ins).
  Agreed. GP is kneejerk Intel fanboy blather and automatically runs to attack AMD as if TFA intended to play favorites. Intel dominates the market and sets the trends, so stop being a baby about criticism when an article focuses on them.
  IME remains a black box, that can talk with the network and is therefore open to attack. Its not a part of the trusted computing base, but has control over it.
9. Re:Stopped reading after... by Gr8Apes · 2016-01-22 11:20 · Score: 4, Informative
  
  As opposed to 30 years of hacks from 1981 and layers and upon layers which only a select few knew the secrets with the bios?
  EFI was supported here before Windows 8. Now slashdot has become a fear of change site for IT folks which is hypocracy. Not saying UEFI is perfect but I am glad the bios is about dead.
  
  BIOS could have been replaced with a modern EFI that merely fixed the issues with BIOS, and there would have been no issues. The problem is it was replaced with UEFI, which is much like replacing initd with systemd, and I apologize for the insult to UEFI in advance.
  
  Like DOS with expanded vs extended ram tricks needed for games I welcomed Windows NT/95 greatly to say goodbye. Same is true with BIOS and all the limitations like 2 TB disks which that hack was implemented because the bios is hardset at 40 meg disks and a virtual 2 TB wrap around was put in.
  BIOS had issues with small pointers it used (16 bit IIRC, of which several were "reserved") So you had 1024 cylinders as a max, and 512bit sectors, so the first cut was to create a cluster in between those two, which allowed for more space by aggregating sectors into clusters which could be addressed in a single cylinder. (This is all so long ago, I'm sure I have something wrong) All of this was based on the early early storage mediums where those terms really related to their physical counterparts.
  Personally, I said goodbye to DOS with OS/2 - flat memory addressing and true pre-emption over time-slicing. I've run several other OSes since then. I am looking forward to the security disaster that is Windows NT/2K/XP/VISTA/8/10 to go away and be replaced by something sane.
  
  --
  The cesspool just got a check and balance.
IME is powerful, but a nightmare to mess with by Anonymous Coward · 2016-01-22 06:59 · Score: 3, Informative

Between lack of a useful setup routine, centralized management, etc.. it's a royal PITA to actually work with on an Enterprise level.. It's nice though.. I'll give them that.. onboard VNC for BIOS level control like a DRAC/BMC/ORA/iLO, etc and ability to send WOL to PC level hardware is nice for those pesky users that have totally messed things up.. It's also useful for remote rebuilding of machines since you can remote redirect ISOs and such..
But.. again.. royal PITA to setup and the documentation is scattered and horrible to read through.
It has been exploited. by Anonymous Coward · 2016-01-22 07:04 · Score: 2, Informative

What do you mean "if"?
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Known_vulnerabilities_and_exploits
Re:Why is this such a mystery? by Anne+Thwacks · 2016-01-22 07:31 · Score: 2

Please provide a link to the documentation.

--
Sent from my ASR33 using ASCII
Oh noes! by BarbaraHudson · 2016-01-22 07:37 · Score: 2

always listening, able to receive packets even when the device is asleep
When was the last time you saw a computer that didn't have "wake on lan", "wake on keyboard", and "wake on network"? It's not done by magic and pixie dust/

--
"Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
Re:The copy writes itself by jandrese · 2016-01-22 07:49 · Score: 4, Informative

AMD calls their version of the IME the "Platform Security Processor (PSP)".

One of the side effects is that open source BIOS projects are effectively dead for desktops.

--

I read the internet for the articles.
CoreBoot by mrchaotica · 2016-01-22 07:51 · Score: 2

If you don't like this sort of thing, buy devices that support Coreboot.

--
"[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz
1. Re:CoreBoot by Victor_0x53h · 2016-01-22 09:35 · Score: 2
  
  Coreboot does not remove ME. You may want to investigate the Libreboot project or buy a pre-flashed system from The Ministry of Freedom.
Re:Why is this such a mystery? by Junta · 2016-01-22 07:54 · Score: 2

Their closed approach probably stems from them getting a bit burned on IPMI. Intel was chiefly responsible for the spec, but the first real mass market servers that had it were AMD (mainly because of Intel's preoccupation with Itanium at the time). In the server business, Intel has nearl 0% share for service processors (third parties rule that roost, excepting the fact they all must interact with IME too). As they have evolved IME, they've kept it a tight restrictive secret. This means that the functionality is restricted to Intel based systems, but the tools to use it are crap and/or buried inside third party UEFI/BMC firmware.
Basically the industry as a whole had a moment of 'weakness' in the late 90s/early 2000s and had useful interoperable standards come out (not perfect, but serviceable and practical, IPMI and the various IETF SNMP mibs that came out around then). The big players have largely spent the time since trying to bury those standards and re-establish the previous status quo of lock in but 'standards' (looking at CIM/WS-MAN/SMASH/Redfish and Netconf, all of which emphasize vendor 'flexibility' to the point of rendering cross-vendor management with a single codepath impossible). A shame since there are issues in the old protocols that could use some fixing/enhancement.

--
XML is like violence. If it doesn't solve the problem, use more.
It's very powerful and very broken by Anonymous Coward · 2016-01-22 10:47 · Score: 2, Insightful

I'll give you an example of how ME is used on very common business-oriented cheap desktops like Dell OptiPlex or old HP dc series.
It all begun around the era of Core2Duo when manufacturers started to implement ME/AMT management solutions on their cheap office PCs. In the *default configuration* the access to ME's setup is unrestricted and protected by default credentials of admin/admin. Even if you have set a password on the BIOS itself you can still enter ME setup by just pressing a hotkey during boot.
Since ME has a full-blown TCP stack it can even listen on a separate IP that can be set in the ME setup. When configured you basically own the PC, you can control power, attach IDE/CD/FDD images and remotely boot from them. If the current graphics mode is ol'DOS you can even redirect that on the Serial-Over-LAN interface without even having the full AMT (which uses VNC to redirect any graphics mode). All that is done over super-secure SOAP with no encryption by default.
If your manufacturer was competent there probably is a burried update to make it DASH-compliant and to make it not accessible without the BIOS password.
What is more it's possible to attack ME/AMT remotely with broadcasts to make it configure itself to open wide up. All you need is a certificate that's trusted, which is really not that hard.
It also has pretty neat capabilities to even filter packets in hardware, without the OS control!
Now for the intended purpose: different versions of ME/AMT behave differently in the desktop world. Missing features between generations, bugged features, broken power management. The default behaviour of taking 2 TCP ports for hosting websites that can be used to remotely control the PC itself is bad enough.
The firmware itself was confirmed by Intel to have unrestricted DMA, which pretty much can defeat any protections in software. The only way to stop it for sure is to use a dedicated NIC...
Software and APIs are really bad as well, the SDK is a collection of bolted-on turds.
It's all pretty sad really. And don't get me started on how it's implemented on laptops...
Re:The copy writes itself by Anonymous Coward · 2016-01-22 14:27 · Score: 3, Informative

The PSP is nothing like IME. IME is a dedicated chip for remote management, which you can't touch.
PSP is simply a separate ARM core that you can control, including running a separate OS. The PSP ARM core, in turn, has a common ARM feature called TrustZone, which provides very strong security guarantees for the software running inside the TrustZone. Again, you control how this is configured and what software runs in the TrustZone.
I don't know about the PSP specifically, but most ARM chips with TrustZone also support something called HAB (High Assurance Boot), which is basically a secure boot mechanism like TPM. It allows you to set a public key used to verify the boot image, and using e-fuses you can programmatically make the public key immutable.
But ARM chips almost always come without any firmware pre-configured. The whole thing is a clean slate. The intention is for people (usually companies) to build their own special-purpose applications using these capabilities, and usages very widely.
IME, by contrast, is just pure evil. If you're lucky, the IME controller is only tied into a particular NIC, in which case you should make sure to _never_ plug anything into that NIC--perhaps fill it with glue. That doesn't solve all the issues--theoretically an attacker could tickle bugs in the IME purely from running in user space on the main CPU--but it closes a huge security hole. Yes, attackers have remotely broken into servers via IME, in some cases just by using the default passwords.