Slashdot Mirror
Intel x86s Hide Another CPU That Can Take Over Your Machine -- You Can't Audit it (boingboing.net)
A report on BoingBoing, authored by Damien Zammit, claims that recent Intel x86 processors have a secret and power control mechanism implemented into them that runs on a separate chip that nobody is allowed to audit or examine. From the report: When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. Further explaining the matter, the author claims that a system with a mainboard and Intel x86 CPU comes with Intel Management Engine (ME), a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an "extra general purpose computer." The problem resides in the way this "extra-computer" works. It runs completely out-of-band with the main x86 CPU "meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend)." On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU. From the report: The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system. Update: 06/15 18:54 GMT by M :A reader points out that this "extra computer" could be there to enable low-power functionalities such as quick boot and quality testing.
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Sure, and there's no way it could be used by three letter agencies, ever.
This has been known for years and is present on Intel and AMD. What year is this?
From the article:
We have no physical separation between the components that we can trust and the untrusted ME components, so we can't even cut them off the mainboard anymore.
Why do you trust the main CPU, if you don't trust the ME chip?
I don't like the idea of a computer inside my computer I don't have any control over.
I find the article a little on the high side of paranoia, however. Yes, it is possible to have unnamed people from unnamed places get in and get data from your system. The article does go out of it's way to point out that this isn't very likely. The firmware running the second CPU is heavily encrypted and hash-checked at runtime. Making it unlikely to be broken until the heat-death of the universe or we finally figure out the P=NP thing.
Conversely, I'd like to know what's going on under the cover Intel. If this is in the stuff I bought, I figure I have a legal right to be able to access it and run an audit on it. Without having to go through you. Conflict of interest and right of first sale and a few more things spring to mind as to why that's not a something I'd want to do.
I'm sure it can be used, just like the rest of the hardware "can be used."
But these things in one form or another have been around for over two decades and everyone who has ever set up real server hardware from scratch knows they're there and their existence has never been a secret. (The closed-source code they run, on the other hand...) It's not even "news" that chipset manufacturers have started to integrate these systems directly into CPUs.
The earliest one of these I remember was called iLOM on a Sun Systems but I'm sure they predate that. Just LOM and ILO are other names I've seen.
Once desktops started to need active runtime heat management, many of them got a "systems management" co-processor that helped with thermal/power control.
Personally I'd be just as worried about whatever firmware is running on the ethernet card these days... which is to say, not very, because there's not much to be done about it, unless you have the reason and time to invest in completely open hardware from top to bottom and the willingness to live within the limitations that might entail. So while I would normally suggest the mildly paranoid just not use the onboard ethernet ports, I can't say I really trust ethernet cards, either.
Also since there are so many gaping holes just staring me in the face in commercial OSes when it comes to (software) VPN and WPA drivers, I figure it'll be a long, long time before I can get around to finessing things down to the metal, if ever.
Someone had to do it.
Ironically, RC scores better in blind taste tests than Coca-Cola and Pepsi.
I use AMD's 8 core CPUs extensively for video editing/encoding and other tasks that benefit from a fast multicore CPU. Intel makes CPUs that offer comparable, or better, performance, but they are significantly more expensive.
Intel's dominance has been largely the result of illegal tactics. They are the Microsoft of the CPU world. Every OEM has been told by Intel "If you buy from anyone other than us, then, in the future, you may find that we are unable to supply you with the parts you need"
The plain truth is that Intel spends 4 times as much on R&D as AMD generates in revenue.
The plain truth is that there is no necessary correlation between spending on R&D and useful results. It is an unfortunate modern delusion that spending vast amounts of money is somehow meritorious in itself. You see government officials doing it all the time. "We have spent $50 billion of [your] money on this, so congratulate us on a job well done!"
I am sure that there are many other solipsists out there.
Exactly so. For years I used to wonder which was more important: hardware or software. It was after the Alpha debacle that I came to understand that neither is very important compared to marketing.
I am sure that there are many other solipsists out there.
I'm calling bullshit on this assertion. Willamette, the first NetBurst CPU, was released in 2000. The Alpha intellectual property wasn't sold to Intel until 2001. Now, it's true that Alpha became Compaq's property in 1998, but considering the lead time required from initial design to tape out to production, I simply cannot believe that NetBurst had an Alpha back-end.
While true, it's also true that without doing any R&D you tend to find yourself short on new products.
Give me $5bn on R&D and I promise I'll give you a more valuable new product opportunity than if you give me $5m
I don't promise I'll give you a positive ROI ;)