Slashdot Mirror

← Back to Stories (view on slashdot.org)

Intel x86s Hide Another CPU That Can Take Over Your Machine -- You Can't Audit it (boingboing.net)

Posted by msmash on from the 'citation-needed' dept.

A report on BoingBoing, authored by Damien Zammit, claims that recent Intel x86 processors have a secret and power control mechanism implemented into them that runs on a separate chip that nobody is allowed to audit or examine. From the report: When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. Further explaining the matter, the author claims that a system with a mainboard and Intel x86 CPU comes with Intel Management Engine (ME), a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an "extra general purpose computer." The problem resides in the way this "extra-computer" works. It runs completely out-of-band with the main x86 CPU "meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend)." On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU. From the report: The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system. Update: 06/15 18:54 GMT by M :A reader points out that this "extra computer" could be there to enable low-power functionalities such as quick boot and quality testing.

Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.

71 of 368 comments (clear)

  1. Just as well by rossdee · · Score: 3, Interesting

    That my PC has an AMD CPU

    1. Re:Just as well by Anonymous Coward · · Score: 5, Funny

      Breaking: A user with AMD-powered computer found happy. More at 11PM.

    2. Re:Just as well by Anonymous Coward · · Score: 2, Interesting

      Except AMD chips appear just as problematic.

      https://libreboot.org/faq/#amd

    3. Re:Just as well by spire3661 · · Score: 5, Informative

      Intel market cap: $150 Billion

      AMD market cap: $3.54 Billion

      That is a lot of kiddie gamers........

      The plain truth is that Intel spends 4 times as much on R&D as AMD generates in revenue. AMD is a sad joke compared to Intel. They are not peers, hell they arent even really competitors. If they were sodas AMD would be RC Cola, to Intel's Coca-Cola, not Pepsi.

      --
      Good-bye
    4. Re:Just as well by marcansoft · · Score: 5, Informative

      ... and guess what, AMD CPUs have an extra ARM core in them, as well as multiple little cores of various architectures attached to the GPU. All running proprietary firmware.

      Throwing random little CPUs at problems is nothing new. What makes you think the firmware in your PCIe WiFi card also can't access all main memory and be turned into a rootkit? What about the Embedded Controller on laptops, that runs even when it's off?

      Yes, the state of firmware auditability of modern PCs is dismal. It's been like this for at least a decade. Yes, Intel does it one way, AMD does it another way, and just about every other peripheral on your board is also an attack surface. GPU? Dozens of little auxiliary cores (unrelated to the GPU unified shaders); Nvidia or AMD, doesn't matter. That USB 3.0 host controller? Probably runs firmware too. Ethernet? Yup, often has firmware these days. That LSI SAS controller? Full PowerPC core with enough oomph to run Linux itself. Your hard drive? 3 ARM cores, you can make them run Linux too. And all of those things can scribble all over your main memory unless you enable the IOMMU (except the HDD, that one can scribble all over your storage instead).

      Sleep tight.

    5. Re: Just as well by ArmoredDragon · · Score: 4, Informative

      Umm no, they don't. Maybe back in 2000 to around 2008, after Intel went with that netburst shit, but not anymore. Every datacenter I've managed for the last 3 years has almost no AMD gear at all.

    6. Re:Just as well by zamboni1138 · · Score: 2

      One of the best turkey sandwich's in town comes from a place that serves Royal Crown products.

      And this business has been successful and expanding for 30 years.

    7. Re:Just as well by mdouglas · · Score: 5, Informative

      AMD is the one that came up with x86-64 which Intel subsequently copied. Has anyone ever used an Itanium?

    8. Re:Just as well by lister+king+of+smeg · · Score: 5, Informative

      AMD is a cheap knockoff whose entire design philosophy revolves around avoiding patent and copyright lawsuits from Intel. Its in house technology is extremely inferior. The only good thing they can possibly do for the market now is to completely open up all development resources.

      And, let's bring back the alpha chip. It already is superior to Intel. Always has been.

      And GODDAMMIT! Where's our 3D printers that can print homemade computers? We were supposed to have that shit 30 years ago.

      Really...
      Its not like they are the one that made the AMD_64 instruction set that was then in turn licensed to intel...
      While its manufacturing technique is inferior that is because the brain-dead executives sold off their fab and they now have to contract with someone else to do it.
      As for bringing back ALPHA it may have been superior then they stopped developing it in 2001. Intel/AMD have come a long way in 15 years.

      --
      ---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
    9. Re: Just as well by loufoque · · Score: 3, Interesting

      What makes you think x86 is not already Alpha under the hood?

    10. Re:Just as well by sjames · · Score: 3, Interesting

      Don't forget, AMD brought us x86_64. Otherwise, Intel would probably still be pushing 32 bit Xeon to the masses and ultra expensive Itanic for 64 bit.

      AMD CPUs perform well as long as you don't use the Intel compiler. Unfortunately, most benchmarks are compiled with Icc complete with the built in sandbag code.

    11. Re:Just as well by Anonymous Coward · · Score: 2, Insightful

      Ironically, RC scores better in blind taste tests than Coca-Cola and Pepsi.

    12. Re:Just as well by zdzichu · · Score: 2

      You are fscked up the same way by AMD: https://libreboot.org/faq/#amd

      --
      :wq
    13. Re:Just as well by Anonymous Coward · · Score: 2, Insightful

      I use AMD's 8 core CPUs extensively for video editing/encoding and other tasks that benefit from a fast multicore CPU. Intel makes CPUs that offer comparable, or better, performance, but they are significantly more expensive.

      Intel's dominance has been largely the result of illegal tactics. They are the Microsoft of the CPU world. Every OEM has been told by Intel "If you buy from anyone other than us, then, in the future, you may find that we are unable to supply you with the parts you need"

    14. Re:Just as well by wierd_w · · Score: 2

      shit, secondary processors have been inside PCs since the 80s.

      Remember things like "A20 gate" in old pcs? It was a hack on the AT keyboard controller. It was introduced to solve an addressing issue with ram above 1mb in real mode.

      Using secondary chips to do things in memory is an ancient idea. The amiga relied on it quite heavily in fact.

      Own a Wii? There's a secondary ARM core nicknamed "scarlet" in there, running beside the PPC core.

      While having this system compromised by malware is a worrisome prospect, having it opened up for clever sideband processing tasks could be very beneficial to PCs in the future. Right now it is just a system management interface. In the future, that system could enable all sorts of neat stuff. granted, some of the things it can enable are not pleasant. A great many are, however.

      Why the scaremongering? Fear sells eyeballs, and eyeballs make money.

      Nothing to see here. Move along.

    15. Re:Just as well by loonycyborg · · Score: 2

      But you need to always remember that more money isn't automatically more work done. In practice access to more money leads to their inefficient use. Also, 4 times as much R&D isn't that much if you take possible inefficiency of spending into account. And market capitalization is very subjective measure.

    16. Re:Just as well by mschwanke97402 · · Score: 2

      AMD64 was a set of completely obvious extensions to the Intel X86 model. Expand the existing 32 bit registers to 64 bit and add 64 bit versions of the existing 32 bit instructions as necessary. Nothing earth shaking or even novel. Intel made the mistake of not releasing their 64 bit earlier, and they easily could have, so AMD gets the bragging rights. There are quite a few articles about the whole deal.

      Now the lower level bits and pieces that make it all work down deep, AMD has not done a decent core design on their own in years and years, Intel keeps churning out great new core designs every 2-3 years. That's why Intel outsells AMD by far, except perhaps, at the lower performance/price points. You know, in all those budget PCs and the XBox One and PS4.

    17. Re:Just as well by SumDog · · Score: 2

      SD cards have a 32-bit micro-controller on them. They're used to mark bad sectors and keep writes from being on adjacent memory locations (disturbing memory locations a lot on SD cards can corrupt data). There's a talk out there somewhere, where a researcher reprograms the SD cards on-board processor, while keeping it functioning as an SD card. In theory, you could take a 25GB card, have it report it's 15GB and write a small program to make a copy of all writes to a hidden part of the card for retrial later.

    18. Re:Just as well by MachineShedFred · · Score: 4, Informative

      This is such overblown pap - the only way to provision Intel AMT / vPro is to either have physical access to the keyboard during reboot, or to have a certificate signed by a trusted provider specifically for provisioning AMT / vPro if you would like to do it over the network. And no, you can't add in your own self-signed nonsense because the CAs that can do this are in the AMT firmware. If you don't get a cert from Verisign / Comodo / etc., the firmware tells you to stick it up your ass and refuses to provision.

      Having done manual provisioning, scripted provisioning, and network provisioning in a technology trial for using vPro on a network with ~55,000 PCs spread across the continent, I can say that Intel thought about this "back door" and made it so that you have to go through some extraordinary work in order to use it. And, even then, unless you paid for full-blown vPro on each and every PC, you get access to basically what you could have done with Wake-on-LAN back in the day, with a few extras. With vPro you can do remote control and remote virtual disk mounts, but doing so causes big flashing red and yellow bars on the border of the screen letting a local user know someone's doing it.

      Moreover, Intel has been actively marketing this functionality for over 5 years to big business as a way to cut software costs for costly (and shitty) remote control solutions that don't work when the OS is fucked. To think that this is some super secret clandestine operation is complete horseshit.

      What an overblown piece of trash this 'article' is.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    19. Re:Just as well by hairyfeet · · Score: 4, Interesting

      There is actually quite a lot of us because if you were to do a blind A/B test with an FX-8 versus an i5? You wouldn't be able to tell which is which....but your wallet would know the difference.

      My FX-8320E when paired with an R9 280 and 16GB of RAM plays all my games with so much bling that I have gotten killed on several occasions because I was too busy gawking at the pretty to notice the enemy coming up behind me, runs very very cool (on air the highest I have ever hit is 122F with all 8 cores slammed doing A/V work) and the whole system, with an SSD and 3TB HDD? Less than $550 after MIR.

      When you add to this the fact that AMD has been opening their docs, just as the FOSS community asked them to do, giving massive amounts of code to the community with Vulkan being just one of many, no DRM chips like TPM, oh and you can get their chips for often less than a third an equivalent Intel chip? Its really not a hard choice to make.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    20. Re:Just as well by MachineShedFred · · Score: 2

      That's because the design considerations for a console are very different from a desktop PC.

      Price is far more of a factor when you are selling the hardware at a loss, and it's undisputed that AMD products are inexpensive in comparison to Intel.

      --
      Slashdot still doesnâ(TM)t support Unicode after it was added to the HTML standard in 1997.
    21. Re:Just as well by Archtech · · Score: 3, Insightful

      The plain truth is that Intel spends 4 times as much on R&D as AMD generates in revenue.

      The plain truth is that there is no necessary correlation between spending on R&D and useful results. It is an unfortunate modern delusion that spending vast amounts of money is somehow meritorious in itself. You see government officials doing it all the time. "We have spent $50 billion of [your] money on this, so congratulate us on a job well done!"

      --
      I am sure that there are many other solipsists out there.
    22. Re:Just as well by Archtech · · Score: 3, Informative

      I have always suspected that Itanium was merely a piece of FUD intended to discourage users from buying Alpha systems - which actually worked, and performed extremely well. (First time I tried out an Alpha running VMS, I ran a standard benchmark. Every time I ran the benchmark I just saw the command prompt come up immediately. Eventually I realised that the benchmark was running to completion faster than the terminal could move its carriage mechanism).

      --
      I am sure that there are many other solipsists out there.
    23. Re:Just as well by Archtech · · Score: 4, Insightful

      Exactly so. For years I used to wonder which was more important: hardware or software. It was after the Alpha debacle that I came to understand that neither is very important compared to marketing.

      --
      I am sure that there are many other solipsists out there.
    24. Re:Just as well by dunkelfalke · · Score: 2

      One would hear the difference. I used to be an AMD only guy for more than a decade, but then Core2Duo came out and suddenly I was able to have a fast CPU without a fan. And even now I have a passive cooled i5 - same cooler BTW as the Core2Duo from years ago.

      --
      "It's such a fine line between stupid and clever" -- David St. Hubbins, Spinal Tap
    25. Re:Just as well by sjames · · Score: 3, Informative

      In practice, they do well with heavy parallel computation, especially when measured on a cost per performance basis. It helps that quad socket designs are cheaper for AMD as well.

    26. Re:Just as well by Anonymous Coward · · Score: 2, Interesting

      Alpha engineers went to AMD, I think to build the 64 bit processors. Those were great, but Intel kept them out of the market with anti-competitive deals and by rigging benchmarks, it seems.

    27. Re:Just as well by reboot246 · · Score: 2

      Maybe the NSA has already done that "extraordinary work" you speak of.

    28. Re:Just as well by TeknoHog · · Score: 4, Interesting

      AMD64 was a set of completely obvious extensions to the Intel X86 model. Expand the existing 32 bit registers to 64 bit and add 64 bit versions of the existing 32 bit instructions as necessary. Nothing earth shaking or even novel.

      Ideas are a dime a dozen. It's the actual implementation that makes a difference in the real world. If the idea were so obvious, you'd think that Intel would have been in a much better position to bet on the new idea, with all their resources.

      It's interesting that after about 14 years of AMD64, we are still haunted by x86-32 in many places with closed binary-only software. For instance, Skype on Linux was only released as a 32-bit binary, so you had to maintain all these ugly compatibility libraries. I wonder how much of this is due to the AMD origins of the architecture, and the subsequent slowness of the Intel and Microsoft camp to adopt it.

      --
      Escher was the first MC and Giger invented the HR department.
    29. Re:Just as well by Roman+Mamedov · · Score: 2

      What makes you think the firmware in your PCIe WiFi card also can't access all main memory

      Something which is called an IOMMU.

      https://en.wikipedia.org/wiki/...
      Memory is protected from malicious devices that are attempting DMA attacks and faulty devices that are attempting errant memory transfers because a device cannot read or write to memory that has not been explicitly allocated (mapped) for it. The memory protection is based on the fact that OS running on the CPU (see figure) exclusively controls both the MMU and the IOMMU. The devices are physically unable to circumvent or corrupt configured memory management tables.

    30. Re:Just as well by _merlin · · Score: 2, Interesting

      I tried to like Alpha, I really did. But it was impossible to like. The DEC Alpha workstations were horribly unreliable - you often had a third of your workstations out of service at any given time due to power supply or mainboard failures. They used far too much power and ran too hot. And Sun UltraSPARC quickly leapfrogged them in performance. Add to that the annoying ISA and horrible weak memory model that made it really hard to do any concurrency, and no-one wanted to touch it. NetBurst was basically an x86 front-end bolted onto an Alpha back-end, and it became evident very quickly that it was a dead end, just like Alpha itself. Alpha got high clock speeds, but not much else.

    31. Re:Just as well by Fragnet · · Score: 2

      Depends what you're encoding. Intel chips with onboard HD graphics have QuickSync for H264 encoding and decoding. I expect it'll go 10 bit soon too. The encoding and decoding performance is quite stunning.

    32. Re:Just as well by Bengie · · Score: 3, Interesting

      AMD didn't come up with x86-64, a specific person that AMD hired came up with it. And immediately after that person left, AMD created the netburst version of their CPUs. I was reading that with the new AMD Zen, AMD pretty much left everything up to the engineers and had them start over with a clean slate. Only time will tell, but from what I'm reading, it will likely pay off in spades.

    33. Re:Just as well by yusing · · Score: 2

      Hell, Commodore 1541 floppy drives contained their own 6502 for an on-board DOS. Programming the drive was a hot topic for years.

      --

      "You must try to forget all you have learned. You must begin to dream." -- Sherwood Anderson

    34. Re:Just as well by inode_buddha · · Score: 2

      Um, no. Compaq bought DEC, and was in turn bought out by HP. WTF did anyone get the idea that intel bought alpha???

      --
      C|N>K
    35. Re:Just as well by Anonymous Coward · · Score: 2, Insightful

      NetBurst was basically an x86 front-end bolted onto an Alpha back-end

      I'm calling bullshit on this assertion. Willamette, the first NetBurst CPU, was released in 2000. The Alpha intellectual property wasn't sold to Intel until 2001. Now, it's true that Alpha became Compaq's property in 1998, but considering the lead time required from initial design to tape out to production, I simply cannot believe that NetBurst had an Alpha back-end.

    36. Re:Just as well by Cederic · · Score: 3, Insightful

      While true, it's also true that without doing any R&D you tend to find yourself short on new products.

      Give me $5bn on R&D and I promise I'll give you a more valuable new product opportunity than if you give me $5m

      I don't promise I'll give you a positive ROI ;)

    37. Re:Just as well by Archtech · · Score: 4, Interesting

      Working at DEC in 1992-3, I never saw anything like that. The Alpha computers I used were exactly like their VAX predecessors except that they ran a whole lot faster. No unreliability, no overheating. Perhaps your experience was running Ultrix, which was always an unhappy compromise - like all proprietary version of Unix.

      My assessment, as a 20-year DEC employee, was that Alpha was perhaps the greatest hardware achievement the company ever brought off.

      --
      I am sure that there are many other solipsists out there.
    38. Re:Just as well by _merlin · · Score: 2

      That's quite a bit earlier than my experience with them - I only dealt with Alpha workstations (not servers), running Ultrix (not VMS), and towards the end of their run. It's possible they'd gone downhill by then.

    39. Re:Just as well by TeknoHog · · Score: 2

      I sometimes think that AMD's genius isn't what they added, but what they dropped by design. If it had been up to Intel, x86-64 would have a 64-bit "real mode", an even more complicated TSS, and yet another incompatible segmentation type.

      This. AMD64 feels cleaner in some sense, though I'm not qualified to comment on the details of memory management. For example, consider the x32 initiative that was floated around the Linux community in the past few years: using the AMD64 ISA with only 32-bit pointers. The idea was that it would speed up a lot of software, and the 4 GB limit per process would not hurt most users. To me this seemed like a step backwards: just as we finally got a nice flat memory space, these guys want to go back to something like segmentation or PAE for a small performance increase.

      --
      Escher was the first MC and Giger invented the HR department.
    40. Re:Just as well by NotAPK · · Score: 2

      You're absolutely right, we can't.

      But do not be surprised that some people want to talk about it. And certainly do not be surprised when foreign nations decide not to buy US hardware and software. I'm not saying Chinese hardware is any more innocent, that's not the point I'm making, the decision that the NSA made (was anyone consulted?) to subvert the security of every PC on the planet will have repercussions. And this will have significant impact on the IT economy of the US.

      As an individual wanting to use a trusted computing platform, for my own computing needs and those of my small business, I now have to look far and wide for hardware I can trust. Personally I'm keeping a close eye on the Russian effort to shrug off x86 dependence.

  2. Nefarious Headline for Practical Feature by Anonymous Coward · · Score: 3, Funny

    This is key to enabling low-power functionality in Intel CPUs - think quick boot and quality testing. It doesn't have any surveillance or other purposes.

    1. Re:Nefarious Headline for Practical Feature by BlackPignouf · · Score: 2, Insightful

      Sure, and there's no way it could be used by three letter agencies, ever.

    2. Re:Nefarious Headline for Practical Feature by skids · · Score: 4, Insightful

      I'm sure it can be used, just like the rest of the hardware "can be used."

      But these things in one form or another have been around for over two decades and everyone who has ever set up real server hardware from scratch knows they're there and their existence has never been a secret. (The closed-source code they run, on the other hand...) It's not even "news" that chipset manufacturers have started to integrate these systems directly into CPUs.

      The earliest one of these I remember was called iLOM on a Sun Systems but I'm sure they predate that. Just LOM and ILO are other names I've seen.

      Once desktops started to need active runtime heat management, many of them got a "systems management" co-processor that helped with thermal/power control.

      Personally I'd be just as worried about whatever firmware is running on the ethernet card these days... which is to say, not very, because there's not much to be done about it, unless you have the reason and time to invest in completely open hardware from top to bottom and the willingness to live within the limitations that might entail. So while I would normally suggest the mildly paranoid just not use the onboard ethernet ports, I can't say I really trust ethernet cards, either.

      Also since there are so many gaping holes just staring me in the face in commercial OSes when it comes to (software) VPN and WPA drivers, I figure it'll be a long, long time before I can get around to finessing things down to the metal, if ever.

      --
      Someone had to do it.
    3. Re:Nefarious Headline for Practical Feature by slew · · Score: 2, Funny

      On one hand, I think this whole thing is overblown. On the other hand, playing devil's advocate, the TLAs can't access a machine that is powered down; this potentially allows them to turn it on remotely.

      There are many levels of "powered-down". Many enterprise PC have had wake-on-lan and pxe-boot for a while. Often these are simply controlled via bios settings (which we know are completely secure against TLAs)...

      Quick shut the barn doors, the horses have escaped!

  3. No need to verify story by ranton · · Score: 4, Informative

    Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.

    Everyone is used to getting their news from social media anyway, so why bother verifying the claims before posting it as news?

    --
    -- All that is necessary for the triumph of evil is that good men do nothing. -- Edmund Burke
    1. Re:No need to verify story by thegarbz · · Score: 4, Informative

      Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.

      Everyone is used to getting their news from social media anyway, so why bother verifying the claims before posting it as news?

      I'd like to go the other way, why are we adding an "unverified" disclaimer to something that has been known about for many years? Intel aren't hiding anything. The existence of this miraculous CPU is documented on their website and it's function is accessible using their provided tools. Heck AMD do it too they just happen to call it PSP instead of IME. The only thing they are hiding is what's in their firmware which everyone has done for a long long time.

  4. Old news by psergiu · · Score: 5, Informative

    https://libreboot.org/faq/#int...

    https://libreboot.org/faq/#amd

    Both Intel and AMD had this for years - read above links ...

    --
    1% APY, No fees, Online Bank https://captl1.co/2uIErYq Don't let your $$$ sit in a no-interest acct.
    1. Re:Old news by dissy · · Score: 4, Informative

      The ME [Intel Management Engine] also has network access with its own MAC address through an Intel Gigabit Ethernet Controller.

      How would I not notice this in my router or edge device logs?

      Mainly only by not looking.

      That may sound stupid at first glance, but the fact Intel AMT articles keep popping up a decade later written as some form of surprise that the feature exists seems to prove most people don't bother looking.

      ME/AMT utilizes HTTPS by default on port 16993, can support HTTP by default on port 16992, and VNC protocol on I believe it's default port (I've never had to specify an alternate port in the VNC client to connect)

      Also of note is that older ME versions don't let you upload your own SSL certificate for HTTPS, and although I may be wrong but I'm fairly sure VNC by default is not encrypted either.

      This means someone in your posistion of control over the core and edge network would both see this traffic if looking, and potentially be able to setup a MITM to obtain the ME/AMT login credentials fairly easily depending on your desktop admins setup.

      Normally LAN to LAN traffic over a proper switched network is relatively safe, seeing that an ARP storm to a switch for redirecting LAN traffic would ALSO be noticed by you the network admin, and ideally has been proactively prevented as well.

      For desktop admins and/or network admins without this knowledge or skill however, if the LAN doesn't prevent or log/notify about such things, ideally the ME/AMT hasn't been enabled either.

      Only those with a tiny amount of knowledge (just enough to be dangerous) are likely to shoot themselves in the foot with a horribly insecure setup.

  5. What the fuck? by 110010001000 · · Score: 3, Insightful

    This has been known for years and is present on Intel and AMD. What year is this?

  6. "Trusted" by Fwipp · · Score: 5, Insightful

    From the article:

    We have no physical separation between the components that we can trust and the untrusted ME components, so we can't even cut them off the mainboard anymore.

    Why do you trust the main CPU, if you don't trust the ME chip?

  7. Here's the thing by H3lldr0p · · Score: 3, Insightful

    I don't like the idea of a computer inside my computer I don't have any control over.

    I find the article a little on the high side of paranoia, however. Yes, it is possible to have unnamed people from unnamed places get in and get data from your system. The article does go out of it's way to point out that this isn't very likely. The firmware running the second CPU is heavily encrypted and hash-checked at runtime. Making it unlikely to be broken until the heat-death of the universe or we finally figure out the P=NP thing.

    Conversely, I'd like to know what's going on under the cover Intel. If this is in the stuff I bought, I figure I have a legal right to be able to access it and run an audit on it. Without having to go through you. Conflict of interest and right of first sale and a few more things spring to mind as to why that's not a something I'd want to do.

    1. Re:Here's the thing by Obfuscant · · Score: 3, Interesting

      I don't like the idea of a computer inside my computer I don't have any control over.

      Then you are destined for a life of unhappiness. Most of the I/O processing in your "computer" is done by dedicated computers that you have no control over. The video card, the network card, the IEEE1394 or USB.b The disk drives. Even the audio. Things that have DMA so they an access memory without the CPU knowing about it...

      You may look at the device and see a part number that you can look up, but dollars to donuts that the part is programmable in some way that makes it be what it is. FPGA, perhaps. Or just a microprocessor with firmware in EEPROM.

      I figure I have a legal right to be able to access it and run an audit on it.

      If they make it so you can "audit" it (whatever that means) then they've made it accessible to bad guys, too.

      Conflict of interest and right of first sale and a few more things spring to mind as to why that's not a something I'd want to do.

      How do you imagine that this "unauditable" CPU is hindering you from reselling the computer? I'm really fascinated to hear the reasoning behind that.

  8. Love and use AMT by meadow · · Score: 4, Interesting

    I love AMT. AMT is definitely one feature of the Dell Optiplex small form-factor systems that I like to use for my headless home servers. Its like having a built-in Cyclades serial console server. For running headless systems its almost essential.

    The only thing I don't like about it is that you need to have Windows installed to be able to update it as part of the updates released by Dell.

    1. Re: Love and use AMT by ArmoredDragon · · Score: 5, Informative

      I use AMT a lot as well, and have for years. My main question here is: How the fuck is this even remotely news material? Furthermore, why is it presented as some sort of conspiracy? Intel advertises this as a feature and never made any attempt to hide it. AMT is also off by default, by the way.

      The only Intel feature I'm at all concerned about is SGX, which by design can't be audited, and has nothing to do with anything mentioned in TFS.

    2. Re: Love and use AMT by meadow · · Score: 2

      Maybe the next /. story will be how all mobile devices have a secret, hidden OS called the bootloader that can be compromised by three-letter agencies...

    3. Re: Love and use AMT by dfsmith · · Score: 2

      Did you know that some doors—maybe even your door—can be opened by using a MASTER KEY! This, and other secret conspiracies, at 11...

  9. true by dissy · · Score: 5, Informative

    Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.

    Uh, the claims are quite true. I've been using these features at work for about a decade to perform remote OS installs and HD re-imaging at remote locations, where the on-site staff only pop in a new blank HD.

    All Core i7 CPUs have this in them standard, and many i5's too especially at the higher end.

    [PDF] Datasheet on the MEBX management engine:
    http://download.intel.com/supp...

    [PDF] How to enable and use the AMT active management engine:
    http://www.intel.com/content/d...

    And here is the SCS software used on another computer to control an AMT enabled computer:
    http://www.intel.com/content/w...

    RealVNC works with an AMT enabled computer out of the box too and with all the normal features you would expect like remote keyboard/video/mouse control, redirected drives, etc. But isn't a free program.

    Other VNC clients seem to be hit or miss but even when they work you only get remote KVM, you'd have to use the built-in AMT web server to configure drive redirection and issue power on/off/reboot commands.
    There is a similarly limited VNC client included in the SCS software link above, and a second web browser window will let you do the rest, even if slightly clunky, but still for free.

    1. Re:true by dissy · · Score: 5, Informative

      Because it is not enabled by default.

      You need to know how to get to the configuration menu, then enable the engine, then assign it a method to access the network (either static IP on a unique MAC, or to piggyback on the host OS's MAC), and set a password.

      Only then are the ports opened for the HTTPS interface on port 16993 to continue the rest of the setup or use AMT.

      On boot (where you normally can hit Delete or a function key to enter bios setup), hold down control-p to get to the ME setup menu.
      Assuming you aren't at work or something and using your own computer, you'll see it is disabled.

    2. Re:true by kheldan · · Score: 3, Informative

      This is all true. You can disable the ME coprocessor in BIOS settings. You also aren't required to install the ME driver in your (Windows) OS in order for Windows to function.

      Could the ME coprocessor/firmware be compromised by an attacker? Maybe. But it can all be disabled. It's firmware could also be hacked out of the BIOS entirely without compromising the operation of the rest of the system.

      The ME is mainly for remote administration/management of corporate systems. It allows access to the machine remotely even in the event of a hardware failure, like the HDD failing completely. It can bring the system out of a completely powered-off state, so long as the box is still connected to the mains and the switch in the back is still 'on'. But so far as I know it's not necessary for the rest of the computer to operate.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    3. Re:true by dissy · · Score: 4, Informative

      You forgot the part where you write Intel a big fat check to use the feature. Intel charges big bucks for vPro software and these features are part of vPro and you can't enable them without the vPro software. IIRC it's all tied to a digital signature that Intel controls and you can't even look at it without giving Intel money.

      I didn't forget it, because that isn't true.

      The control software is free. I didn't pay for my web browser, VNC client, or the intel SCS client (I even have you the download link)

      The firmware is already included in any vPro CPU, you turn it on by holding control-p at boot.

      I've even played with this feature at home on my own hardware before deploying it at work. Other than having purchased the computer/CPU, there is no further cost.

      I'm not sure where you got your information from but it is certainly incorrect.

    4. Re:true by dissy · · Score: 4, Informative

      With RealVNC - can I remote into a machine which is still at the bios / boot stage?

      Yup, AMT can provide remote access when the system is in any of its sleep states from s0 (fully on) down to s5 (powered off), so long as the system is plugged in and has power available.

      You will see the whole BIOS bootup sequence, including seeing and able to send the usual interrupt keys like del or F9 or whatever to get to BIOS setup.

      I've had some older HP workstations be a little funky between the BIOS setup and the OS taking using the GPU. Generally I'll see a screen flash and get disconnected, after which VNC reconnects immediately and all is well again.
      Newer HPs we have haven't done this that I recall, nor have the Dells or my home built franken-pc so guessing it's a fixed bug with older AMT versions?

      In fact one of the main purposes of ME is to change the power state, meaning you can turn the main system on or off or reboot it just from there.

      That's how I re-image a remote system after a hard drive failure.

      I have someone on-site power off the system and replace the hard drive with a new one, then let me know.
      I then connect to the remote system via ME/AMT and setup a dvd-rom redirect to an ISO image on my PC, start the AMT VNC server and connect to it from my PC, lock the remote systems keyboard so anyone local can't over-type me, and then instruct the remote system to power on.

      Then during boot if the remote system gets stupid and tries to boot from the new blank HD and stops, I can issue a reboot command and use the F11 boot menu from the BIOS to point it to the DVD drive. Usually that part just works though (like I said, all related to the older HPs)

      Once the linux image boots and runs clonezilla, it's just an [enter]-[yes]-[yes] away from writing the backup image back to the new HD.

      You can of course point to an OS install media instead and do that manually, I just tend to try and avoid that for installers using a mouse, since over remote links that can suck pretty bad. Over LAN it seems nice and responsive however.

      Once done I do a normal "shutdown -h now", disable the DVD drive redirect, and power the system back on. Once I see the windows loading screen I'll disconnect VNC and shut down the VNC server in the AMT, and logout of the https interface.

      Since I let AMT piggyback on the host MAC and IP, it basically intercepts any tcp ports it is using instead of passing that info up the stack to the OS.
      I don't leave VNC running in the AMT just in case the host OS needs to run a VNC server on the default port for any reason - plus nothing good can really come from leaving it running when not needed.

      ME uses https over port 16993, which isn't likely to be used on the OS (or if so, too bad for that app I guess)
      If you already have RealVNC and a Core i7 at home to play with, boot the i7 and hit control-p where you normally would hit delete or a function key, and you'll be in the ME setup menu.
      You can enable both ME and AMT (they are separate sub-systems) and play around.

  10. We have technology to validate such claims. by jellomizer · · Score: 2

    Place the PC in a faraday cage. Record any radio transmission that is large enough to cross distance.
    Have a PC (lets go with Non-Intel) hooked up and set up to be a point to point network connection. Monitor all traffic being sent from the PC.
    Put barebones (say really old version of Linux on it)

    If something is unexpected then we have a theory to work on. Otherwise is is just some nut trying to get us to use AMD or something.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  11. Yawn, by Obfuscant · · Score: 3, Informative
    I've used this kind of thing on Dell servers for, umm, a decade or so? It means I can have headless high-density boxes (four independent systems in a 2U rackmount, e.g.) in my computing center and when a user wedges one of them I can reboot it remotely. I can look at system status, see failed components, and do all kinds of things that I couldn't otherwise do at all. "The system is wedged" is very unsatisfying as a diagnosis. Being able to run a remote console that shows that the swap has gone to 0 and the system is busy killing things tells me right away that someone is using all the memory is great. And then telling the iDrac to "reset the system" ... priceless.

    It may use the same physical interface, but it has its own address, and it can be disabled if someone is ultra-paranoid about it.

    1. Re:Yawn, by mlts · · Score: 2

      It makes life easy for monitoring as well. Some box loses its network connection, getting a console just means going to the iDRAC/iLO web port, logging on, seeing what is going on, and getting the NIC unstuck. It also is nice to load an ISO and install the machine from scratch if the box is a one-off and not worth making a PXE boot mechanism for what it is doing. Or, just boot the ISO stashed as a virtual CD, point it to a kickstarter file, and call it done.

  12. Poorly written FUD by Anonymous Coward · · Score: 3, Informative

    The author's claims that the ME lacks the ability to be audited and that backdoors cannot be removed are patently false.

    - The ME is as many have pointed out an ARC processor. There are known disassemblers for ARC and there are few custom instructions (read: beyond standard ISA) - two that I'm aware of.
    - The bootrom verifies the flashrom and provides some minimal cryptography and verification related routines. This is a mask ROM, not updatable. The flashrom is overwritten when you flash the bios, hence the main OS and binaries (threadx btw) are overwritten. This would remove any backdoor.
    - The ME region of the BIOS is a FAT16 filesystem.
    - The ME binaries are unencrypted, PE executables and contain signature verification sections to prevent unauthorized code from loading.
    - The only encrypted contents of the filesystem are data files that the binaries use.

    Now all this being said, there is a way to load additional modules from the main CPU's operating system through HECI (north bridge interface), however this again requires cryptographic signing.

    Source: Former Intel engineer. Additionally none of these are details that cannot be pieced together from Intel published documents and 5 minutes with a hex editor/disassembler.

  13. It's not new, most servers had this years ago... by Fallon · · Score: 2

    This is not new & lots of others sell similar functionality Dell DRAC, HP ILO... Those usually have dedicated Ethernet ports, but generally function the same way. I've been helping our workstation guys roll out Intell vPro for remote administration of laptops & workstations. It operates in a powered down state & can do 802.1x authention to the network while the OS is powered down. So ya, there is definately an out of band processor there that can wake the system up & do remote control type stuff. It's a feature Intel is selling & marketing.

    Can't comment on the ability of it to do arbitrary memory reads & what not, but that isn't suprising in thoery. It's much less scary than the article is making it out to be, although it is another attack surface to concerned with just like RDP or SSH.

  14. "No surveillance or other purposes" -- really? by l2718 · · Score: 5, Informative

    If the only goal was simply to provide low-power functionality, the coprocessor would be fully controlled by the operating system (ultimately, by the owner of the machine).

    In fact, the main goal is to provide remote administration capabilities (what they call Intel Active Management Technology). In other words, the idea is to allow a remote administrator to take over the machine in a way that is independent of and invisible to the main operating system and processor. This serves a legitimate purpose in an "enterprise" environment (one person administers a large number of diverse machines) -- for example it allows taking back control of a cracked machine, or recovering critical data from memory after OS crashes. However, this feature is not useful for a privately administered single-user machine.

    Finally, by definition a remote administration feature is a back door. This one is incredibly dangerous: a rootkit running on the coprocessor is entirely invisible to the operating system, has its own independent network access, and can monitor the disk, the memory and all other peripherals. In principle the remote management features must be activated via the System BIOS and you can set a password there, but really your only measure of safety against this back door is your trust that there are no bugs in Intel's code.

    Why isn't Intel allowing you to replace the firmware? Because it's hard to ensure that the owner of the machine is the one initiating the firmware replacement. The real troubling point is that Intel isn't allowing you to disable this feature with a hardware switch. Hardware switches (jumpers on the motherboard) are a way of controlling the system available only to the physical owner of the machine. Having a hardware switch would satisfy both the enterprise and security-concious customers.

    1. Re:"No surveillance or other purposes" -- really? by sjames · · Score: 2

      Older schemes where the BMC couldn't access the system memory were safer. One safety feature would be to replace memory access with specific interfaces (serial and a general access port used by SMM) and their own independent network interface (allowing effective vlan isolation with no need for the honor system). To complete the picture, the BMC could emulate a USB device connected on the MB to an actual USB chip. At least that way they would need to compromise 2 firmware images to get anywhere.

  15. I think this is oversold as a risk by cfalcon · · Score: 3, Interesting

    I'm of the opinion that management features need to get data from the motherboard, and each mobo manufacturer would have to be complicit for this potential attack to affect everything (assuming a bug or backdoor exists). *IF* there's a backdoor in the ME, and *IF* all (or at least YOUR) motherboard manufacturers are complicit, even *THEN* a good external firewall would stop most conceivable attacks.

    It really is unfortunate that it is so clouded with mystery and seemingly waiting for a clever enough exploit.

    If you are concerned a little, ensure that AMT is disabled.
    If you are concerned a little more, consider grabbing an AMD next time. While AMD has similar things, Intel seems like it is both more featured and a larger attack surface, so an AMD exploit might be absent or would take longer to surface.
    If you are concerned moderately, ensure that external sources can never successfully send a packet to your PC, by use of an external firewall that is trusted.
    If you are concerned a lot, exclusively use open source products from before the mandatory inclusion of the ME. Have one to act as your firewall / router (maybe running OpenBSD or Trisquel), and another to do productivity on. You'll be limited on the power of the chip, of course.

    Frankly, I think it is wise to distrust the ME a little bit. Especially because, as part of Intel chips, it is going to be in so many places- it is a lot of faith to put in untested code. But for the ME to be able to hurt or help you, the motherboard has to support its features, and there are a lot of motherboards, a lot of BIOSes- it is still a pretty diverse setup, and many don't support AMT at all.

  16. Coreboot has been trying to work around this stuff by LaughingRadish · · Score: 2

    The Coreboot people have been trying to work out how to deal with this stuff for a long time. See https://www.coreboot.org/Intel.... They're trying to work out how to disable it, but progress is not that good.