Intel x86s Hide Another CPU That Can Take Over Your Machine -- You Can't Audit it (boingboing.net)
A report on BoingBoing, authored by Damien Zammit, claims that recent Intel x86 processors have a secret and powerful control mechanism implemented into them that runs on a separate chip that nobody is allowed to audit or examine. From the report: When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. Further explaining the matter, the author claims that a system with a mainboard and Intel x86 CPU comes with Intel Management Engine (ME), a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an "extra general purpose computer." The problem resides in the way this "extra-computer" works. It runs completely out-of-band with the main x86 CPU "meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend)." On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU. From the report: The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system. Update: 06/15 18:54 GMT by M: A reader points out that this "extra computer" could be there to enable low-power functionalities such as quick boot and quality testing.
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Everyone is used to getting their news from social media anyway, so why bother verifying the claims before posting it as news?
-- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
https://libreboot.org/faq/#int...
https://libreboot.org/faq/#amd
Both Intel and AMD had this for years - read above links ...
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Uh, the claims are quite true. I've been using these features at work for about a decade to perform remote OS installs and HD re-imaging at remote locations, where the on-site staff only pop in a new blank HD.
All Core i7 CPUs have this in them standard, and many i5's too especially at the higher end.
[PDF] Datasheet on the MEBX management engine:
http://download.intel.com/supp...
[PDF] How to enable and use the AMT active management engine:
http://www.intel.com/content/d...
And here is the SCS software used on another computer to control an AMT enabled computer:
http://www.intel.com/content/w...
RealVNC works with an AMT enabled computer out of the box too and with all the normal features you would expect like remote keyboard/video/mouse control, redirected drives, etc. But isn't a free program.
Other VNC clients seem to be hit or miss but even when they work you only get remote KVM, you'd have to use the built-in AMT web server to configure drive redirection and issue power on/off/reboot commands.
There is a similarly limited VNC client included in the SCS software link above, and a second web browser window will let you do the rest, even if slightly clunky, but still for free.
It may use the same physical interface, but it has its own address, and it can be disabled if someone is ultra-paranoid about it.
Intel market cap: $150 Billion
AMD market cap: $3.54 Billion
That is a lot of kiddie gamers........
The plain truth is that Intel spends 4 times as much on R&D as AMD generates in revenue. AMD is a sad joke compared to Intel. They are not peers, hell they aren't even really competitors. If they were sodas AMD would be RC Cola, to Intel's Coca-Cola, not Pepsi.
Good-bye
The author's claims that the ME lacks the ability to be audited and that backdoors cannot be removed are patently false.
- The ME is, as many have pointed out, an ARC processor. There are known disassemblers for ARC and there are few custom instructions (read: beyond standard ISA) - two that I'm aware of.
- The bootrom verifies the flashrom and provides some minimal cryptography and verification related routines. This is a mask ROM, not updatable. The flashrom is overwritten when you flash the bios, hence the main OS and binaries (threadx btw) are overwritten. This would remove any backdoor.
- The ME region of the BIOS is a FAT16 filesystem.
- The ME binaries are unencrypted, PE executables and contain signature verification sections to prevent unauthorized code from loading.
- The only encrypted contents of the filesystem are data files that the binaries use.
Now all this being said, there is a way to load additional modules from the main CPU's operating system through HECI (north bridge interface), however this again requires cryptographic signing.
Source: Former Intel engineer. Additionally none of these are details that cannot be pieced together from Intel published documents and 5 minutes with a hex editor/disassembler.
... and guess what, AMD CPUs have an extra ARM core in them, as well as multiple little cores of various architectures attached to the GPU. All running proprietary firmware.
Throwing random little CPUs at problems is nothing new. What makes you think the firmware in your PCIe WiFi card also can't access all main memory and be turned into a rootkit? What about the Embedded Controller on laptops, that runs even when it's off?
Yes, the state of firmware auditability of modern PCs is dismal. It's been like this for at least a decade. Yes, Intel does it one way, AMD does it another way, and just about every other peripheral on your board is also an attack surface. GPU? Dozens of little auxiliary cores (unrelated to the GPU unified shaders); Nvidia or AMD, doesn't matter. That USB 3.0 host controller? Probably runs firmware too. Ethernet? Yup, often has firmware these days. That LSI SAS controller? Full PowerPC core with enough oomph to run Linux itself. Your hard drive? 3 ARM cores, you can make them run Linux too. And all of those things can scribble all over your main memory unless you enable the IOMMU (except the HDD, that one can scribble all over your storage instead).
Sleep tight.
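As an added example (not part of the comment above, and not code from any vendor): a Linux host check for the IOMMU point made in that comment. It lists PCI devices that have no IOMMU group, labelled by PCI class code; the function names and the sysfs-root parameter are assumptions made here so the logic can also be run against a constructed directory tree.

```shell
# Map a PCI class code (contents of the sysfs "class" file) to a label.
pci_class_label() {
    case "$1" in
        0x0107*)  echo "SAS controller" ;;
        0x01*)    echo "storage controller" ;;
        0x02*)    echo "network controller" ;;
        0x03*)    echo "display controller (GPU)" ;;
        0x0780*)  echo "communication controller (e.g. Intel MEI/HECI)" ;;
        0x0c0330) echo "USB 3.0 (xHCI) host controller" ;;
        0x0c03*)  echo "USB host controller" ;;
        *)        echo "other" ;;
    esac
}

# Succeeds if the kernel has created at least one IOMMU group.
iommu_active() {
    root=${1:-/sys}
    for g in "$root"/kernel/iommu_groups/*; do
        [ -e "$g" ] && return 0
    done
    return 1
}

# Print "<pci-address> <label>" for every PCI device with no iommu_group
# link, i.e. a device whose DMA the IOMMU cannot be restricting.
unprotected_devices() {
    root=${1:-/sys}
    for dev in "$root"/bus/pci/devices/*; do
        [ -d "$dev" ] || continue
        [ -e "$dev/iommu_group" ] && continue
        class=$(cat "$dev/class" 2>/dev/null)
        echo "$(basename "$dev") $(pci_class_label "$class")"
    done
}

# Summary for one sysfs root (defaults to the live /sys).
audit() {
    root=${1:-/sys}
    if iommu_active "$root"; then
        echo "IOMMU: active"
    else
        echo "IOMMU: not active (no groups under kernel/iommu_groups)"
    fi
    unprotected_devices "$root"
}
```

Source the file and run `audit` on the machine being checked. Having an IOMMU group is necessary but not sufficient: a kernel running the IOMMU in passthrough mode still creates groups while leaving device DMA identity-mapped.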
Umm no, they don't. Maybe back in 2000 to around 2008, after Intel went with that netburst shit, but not anymore. Every datacenter I've managed for the last 3 years has almost no AMD gear at all.
This is the same FUD from Hack-a-day from last Janumanary
DUPE ALL THE THINGS!
Anononymous poster, check!
Be sure to mine the +5 comments from old stories for cheap karma!
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I use AMT a lot as well, and have for years. My main question here is: How the fuck is this even remotely news material? Furthermore, why is it presented as some sort of conspiracy? Intel advertises this as a feature and never made any attempt to hide it. AMT is also off by default, by the way.
The only Intel feature I'm at all concerned about is SGX, which by design can't be audited, and has nothing to do with anything mentioned in TFS.
If the only goal was simply to provide low-power functionality, the coprocessor would be fully controlled by the operating system (ultimately, by the owner of the machine).
In fact, the main goal is to provide remote administration capabilities (what they call Intel Active Management Technology). In other words, the idea is to allow a remote administrator to take over the machine in a way that is independent of and invisible to the main operating system and processor. This serves a legitimate purpose in an "enterprise" environment (one person administers a large number of diverse machines) -- for example it allows taking back control of a cracked machine, or recovering critical data from memory after OS crashes. However, this feature is not useful for a privately administered single-user machine.
Finally, by definition a remote administration feature is a back door. This one is incredibly dangerous: a rootkit running on the coprocessor is entirely invisible to the operating system, has its own independent network access, and can monitor the disk, the memory and all other peripherals. In principle the remote management features must be activated via the System BIOS and you can set a password there, but really your only measure of safety against this back door is your trust that there are no bugs in Intel's code.
Why isn't Intel allowing you to replace the firmware? Because it's hard to ensure that the owner of the machine is the one initiating the firmware replacement. The real troubling point is that Intel isn't allowing you to disable this feature with a hardware switch. Hardware switches (jumpers on the motherboard) are a way of controlling the system available only to the physical owner of the machine. Having a hardware switch would satisfy both the enterprise and security-conscious customers.
AMD is the one that came up with x86-64 which Intel subsequently copied. Has anyone ever used an Itanium?
AMD is a cheap knockoff whose entire design philosophy revolves around avoiding patent and copyright lawsuits from Intel. Its in house technology is extremely inferior. The only good thing they can possibly do for the market now is to completely open up all development resources.
And, let's bring back the alpha chip. It already is superior to Intel. Always has been.
And GODDAMMIT! Where's our 3D printers that can print homemade computers? We were supposed to have that shit 30 years ago.
Really...
It's not like they are the one that made the AMD_64 instruction set that was then in turn licensed to Intel...
While its manufacturing technique is inferior that is because the brain-dead executives sold off their fab and they now have to contract with someone else to do it.
As for bringing back ALPHA, it may have been superior then; they stopped developing it in 2001. Intel/AMD have come a long way in 15 years.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
This is such overblown pap - the only way to provision Intel AMT / vPro is to either have physical access to the keyboard during reboot, or to have a certificate signed by a trusted provider specifically for provisioning AMT / vPro if you would like to do it over the network. And no, you can't add in your own self-signed nonsense because the CAs that can do this are in the AMT firmware. If you don't get a cert from Verisign / Comodo / etc., the firmware tells you to stick it up your ass and refuses to provision.
Having done manual provisioning, scripted provisioning, and network provisioning in a technology trial for using vPro on a network with ~55,000 PCs spread across the continent, I can say that Intel thought about this "back door" and made it so that you have to go through some extraordinary work in order to use it. And, even then, unless you paid for full-blown vPro on each and every PC, you get access to basically what you could have done with Wake-on-LAN back in the day, with a few extras. With vPro you can do remote control and remote virtual disk mounts, but doing so causes big flashing red and yellow bars on the border of the screen letting a local user know someone's doing it.
Moreover, Intel has been actively marketing this functionality for over 5 years to big business as a way to cut software costs for costly (and shitty) remote control solutions that don't work when the OS is fucked. To think that this is some super secret clandestine operation is complete horseshit.
What an overblown piece of trash this 'article' is.
Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
I have always suspected that Itanium was merely a piece of FUD intended to discourage users from buying Alpha systems - which actually worked, and performed extremely well. (First time I tried out an Alpha running VMS, I ran a standard benchmark. Every time I ran the benchmark I just saw the command prompt come up immediately. Eventually I realised that the benchmark was running to completion faster than the terminal could move its carriage mechanism).
I am sure that there are many other solipsists out there.
In practice, they do well with heavy parallel computation, especially when measured on a cost per performance basis. It helps that quad socket designs are cheaper for AMD as well.