Slashdot Mirror


Intel x86s Hide Another CPU That Can Take Over Your Machine -- You Can't Audit it (boingboing.net)

A report on BoingBoing, authored by Damien Zammit, claims that recent Intel x86 processors have a secret and powerful control mechanism implemented into them that runs on a separate chip that nobody is allowed to audit or examine. From the report: When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. Further explaining the matter, the author claims that a system with a mainboard and Intel x86 CPU comes with Intel Management Engine (ME), a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an "extra general purpose computer." The problem resides in the way this "extra computer" works. It runs completely out-of-band with the main x86 CPU, "meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend)." On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU. From the report: The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface, and packets entering and leaving your machine on certain ports bypass any firewall running on your system. Update: 06/15 18:54 GMT by M: A reader points out that this "extra computer" could be there to enable low-power functionalities such as quick boot and quality testing.

Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.

14 of 368 comments

  1. Just as well by rossdee · · Score: 3, Interesting

    That my PC has an AMD CPU

    1. Re:Just as well by Anonymous Coward · · Score: 2, Interesting

      Except AMD chips appear just as problematic.

      https://libreboot.org/faq/#amd

    2. Re: Just as well by loufoque · · Score: 3, Interesting

      What makes you think x86 is not already Alpha under the hood?

    3. Re:Just as well by sjames · · Score: 3, Interesting

      Don't forget, AMD brought us x86_64. Otherwise, Intel would probably still be pushing 32 bit Xeon to the masses and ultra expensive Itanic for 64 bit.

      AMD CPUs perform well as long as you don't use the Intel compiler. Unfortunately, most benchmarks are compiled with ICC, complete with the built-in sandbag code.

    4. Re:Just as well by hairyfeet · · Score: 4, Interesting

      There are actually quite a lot of us, because if you were to do a blind A/B test with an FX-8 versus an i5? You wouldn't be able to tell which is which... but your wallet would know the difference.

      My FX-8320E when paired with an R9 280 and 16GB of RAM plays all my games with so much bling that I have gotten killed on several occasions because I was too busy gawking at the pretty to notice the enemy coming up behind me, runs very very cool (on air the highest I have ever hit is 122F with all 8 cores slammed doing A/V work) and the whole system, with an SSD and 3TB HDD? Less than $550 after MIR.

      When you add to this the fact that AMD has been opening their docs, just as the FOSS community asked them to do, giving massive amounts of code to the community with Vulkan being just one of many, no DRM chips like TPM, oh and you can get their chips for often less than a third of an equivalent Intel chip? It's really not a hard choice to make.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    5. Re:Just as well by Anonymous Coward · · Score: 2, Interesting

      Alpha engineers went to AMD, I think to build the 64 bit processors. Those were great, but Intel kept them out of the market with anti-competitive deals and by rigging benchmarks, it seems.

    6. Re:Just as well by TeknoHog · · Score: 4, Interesting

      AMD64 was a set of completely obvious extensions to the Intel X86 model. Expand the existing 32 bit registers to 64 bit and add 64 bit versions of the existing 32 bit instructions as necessary. Nothing earth shaking or even novel.

      Ideas are a dime a dozen. It's the actual implementation that makes a difference in the real world. If the idea were so obvious, you'd think that Intel would have been in a much better position to bet on the new idea, with all their resources.

      It's interesting that after about 14 years of AMD64, we are still haunted by x86-32 in many places with closed binary-only software. For instance, Skype on Linux was only released as a 32-bit binary, so you had to maintain all these ugly compatibility libraries. I wonder how much of this is due to the AMD origins of the architecture, and the subsequent slowness of the Intel and Microsoft camp to adopt it.

      --
      Escher was the first MC and Giger invented the HR department.
    7. Re:Just as well by _merlin · · Score: 2, Interesting

      I tried to like Alpha, I really did. But it was impossible to like. The DEC Alpha workstations were horribly unreliable - you often had a third of your workstations out of service at any given time due to power supply or mainboard failures. They used far too much power and ran too hot. And Sun UltraSPARC quickly leapfrogged them in performance. Add to that the annoying ISA and horrible weak memory model that made it really hard to do any concurrency, and no-one wanted to touch it. NetBurst was basically an x86 front-end bolted onto an Alpha back-end, and it became evident very quickly that it was a dead end, just like Alpha itself. Alpha got high clock speeds, but not much else.

    8. Re:Just as well by Bengie · · Score: 3, Interesting

      AMD didn't come up with x86-64, a specific person that AMD hired came up with it. And immediately after that person left, AMD created the netburst version of their CPUs. I was reading that with the new AMD Zen, AMD pretty much left everything up to the engineers and had them start over with a clean slate. Only time will tell, but from what I'm reading, it will likely pay off in spades.

    9. Re:Just as well by Archtech · · Score: 4, Interesting

      Working at DEC in 1992-3, I never saw anything like that. The Alpha computers I used were exactly like their VAX predecessors except that they ran a whole lot faster. No unreliability, no overheating. Perhaps your experience was running Ultrix, which was always an unhappy compromise - like all proprietary versions of Unix.

      My assessment, as a 20-year DEC employee, was that Alpha was perhaps the greatest hardware achievement the company ever brought off.

      --
      I am sure that there are many other solipsists out there.
  2. Love and use AMT by meadow · · Score: 4, Interesting

    I love AMT. AMT is definitely one feature of the Dell Optiplex small form-factor systems that I like to use for my headless home servers. It's like having a built-in Cyclades serial console server. For running headless systems it's almost essential.

    The only thing I don't like about it is that you need to have Windows installed to be able to update it as part of the updates released by Dell.

  3. Re:This isn't New by GameboyRMH · · Score: 1, Interesting

    I'd be surprised if the spooks don't have an exploit for it for targeted use, but as you point out, nothing has been found in the wild for all these years, so the cost/benefit is obviously not good enough for your average blackhat. Software-only APTs are good enough and don't rely on proprietary hardware features.

    There was a conspiracy theory going around when it was new that the IME included a GSM modem (and presumably a hidden SIM card tied to a subscription paid for by the Illuminati) and could be used for out-of-band remote control of your computer.

    --
    "When information is power, privacy is freedom" - Jah-Wren Ryel
  4. Re:Here's the thing by Obfuscant · · Score: 3, Interesting

    I don't like the idea of a computer inside my computer I don't have any control over.

    Then you are destined for a life of unhappiness. Most of the I/O processing in your "computer" is done by dedicated computers that you have no control over. The video card, the network card, the IEEE1394 or USB. The disk drives. Even the audio. Things that have DMA so they can access memory without the CPU knowing about it...

    You may look at the device and see a part number that you can look up, but dollars to donuts that the part is programmable in some way that makes it be what it is. FPGA, perhaps. Or just a microprocessor with firmware in EEPROM.

    I figure I have a legal right to be able to access it and run an audit on it.

    If they make it so you can "audit" it (whatever that means) then they've made it accessible to bad guys, too.

    Conflict of interest and right of first sale and a few more things spring to mind as to why that's not something I'd want to do.

    How do you imagine that this "unauditable" CPU is hindering you from reselling the computer? I'm really fascinated to hear the reasoning behind that.

  5. I think this is oversold as a risk by cfalcon · · Score: 3, Interesting

    I'm of the opinion that management features need to get data from the motherboard, and each mobo manufacturer would have to be complicit for this potential attack to affect everything (assuming a bug or backdoor exists). *IF* there's a backdoor in the ME, and *IF* all (or at least YOUR) motherboard manufacturers are complicit, even *THEN* a good external firewall would stop most conceivable attacks.

    It really is unfortunate that it is so clouded with mystery and seemingly waiting for a clever enough exploit.

    If you are concerned a little, ensure that AMT is disabled.
    If you are concerned a little more, consider grabbing an AMD next time. While AMD has similar things, Intel seems like it is both more featured and a larger attack surface, so an AMD exploit might be absent or would take longer to surface.
    If you are concerned moderately, ensure that external sources can never successfully send a packet to your PC, by use of an external firewall that is trusted.
    If you are concerned a lot, exclusively use open source products from before the mandatory inclusion of the ME. Have one to act as your firewall / router (maybe running OpenBSD or Trisquel), and another to do productivity on. You'll be limited on the power of the chip, of course.

    Frankly, I think it is wise to distrust the ME a little bit. Especially because, as part of Intel chips, it is going to be in so many places- it is a lot of faith to put in untested code. But for the ME to be able to hurt or help you, the motherboard has to support its features, and there are a lot of motherboards, a lot of BIOSes- it is still a pretty diverse setup, and many don't support AMT at all.
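The story's point that AMT traffic bypasses the host's own firewall, and cfalcon's advice to rely on a trusted external firewall, lead to the same defensive check: look for accepted flows to the AMT listener in the edge device's log, not on the host. The following is an added example, not code from the story or any commenter; it assumes a constructed key=value firewall-log format and constructed addresses, and uses the AMT ports Intel documents.

```python
import ipaddress
import re

# Ports Intel AMT's out-of-band listener uses (documented by Intel): 16992/16993
# web UI over HTTP/HTTPS, 16994/16995 SOL/IDE-R redirection, 623/664 RMCP/ASF.
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}

# Constructed sample lines in an assumed key=value edge-firewall log shape (not
# real traffic): 192.0.2.0/24 plays the trusted LAN, 203.0.113.0/24 the Internet.
SAMPLE_LOG = """\
2016-06-15T18:01:02Z ACCEPT proto=tcp src=203.0.113.7 spt=51020 dst=192.0.2.10 dpt=16992
2016-06-15T18:01:05Z ACCEPT proto=tcp src=192.0.2.44 spt=41100 dst=192.0.2.10 dpt=443
2016-06-15T18:02:11Z ACCEPT proto=udp src=203.0.113.7 spt=623 dst=192.0.2.12 dpt=623
2016-06-15T18:03:40Z DROP proto=tcp src=203.0.113.9 spt=40000 dst=192.0.2.10 dpt=16993
2016-06-15T18:04:00Z ACCEPT proto=tcp src=192.0.2.44 spt=41101 dst=192.0.2.10 dpt=16994
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>\w+) "
    r"src=(?P<src>\S+) spt=(?P<spt>\d+) dst=(?P<dst>\S+) dpt=(?P<dpt>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict; return None for lines in another shape."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["spt"], rec["dpt"] = int(rec["spt"]), int(rec["dpt"])
    return rec

def find_amt_flows(log_text, trusted_net="192.0.2.0/24"):
    """Accepted flows to AMT ports, in log order, each tagged with whether the
    source lies outside trusted_net. DROP lines are skipped: the edge firewall
    already handled them. The target's host firewall never sees these packets,
    so this check has to run on the edge device's log, not on the host."""
    trusted = ipaddress.ip_network(trusted_net)
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT" or rec["dpt"] not in AMT_PORTS:
            continue
        findings.append({"ts": rec["ts"], "host": rec["dst"], "port": rec["dpt"],
                         "src": rec["src"],
                         "external": ipaddress.ip_address(rec["src"]) not in trusted})
    return findings

if __name__ == "__main__":
    for f in find_amt_flows(SAMPLE_LOG):
        print("HIGH" if f["external"] else "MEDIUM", f["src"], "->", f["host"], f["port"])
```

An external source reaching an AMT port on a LAN host is the case worth treating as high severity; an internal source may simply be the administrator's own console session.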