Is the 'Secret' Chip In Intel CPUs Really That Dangerous?

New submitter Miche67 writes: A recent Boing Boing blog post by Damien Zammit is stirring up fears, claiming Intel's x86 processors have a secret control mechanism that no one can audit or examine. And because of that, he says it could expose systems to undetectable rootkit attacks that cannot be killed.
Blogger Andy Patrizio, after talking with an Intel spokesperson, says the developer's argument has holes and he doesn't think Zammit will persuade Intel to replace the system with a free, open source option.

So, what we have is an open source crusader scaring the daylights out of people on a giant what-if scenario that even he admits couldn't happen in our lifetimes.

An Intel spokesperson told the publication: While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

So .. Security by Obscurity.

How nice ... Is there any history about how that has worked before?

Re:So .. Security by Obscurity.

By its very nature, you never hear about the cases where "Security by Obscurity" actually works.

Re:So .. Security by Obscurity.

That is not in any way security by obscurity. Unsurprising that some idiot mods model you up.

Speaking of "model" idiots, feel free to define the word "obscure".

Here, let me do it for you, since you obviously don't fucking get it. They're NOT explaining exactly how the hell they control this, other than claiming there are "mechanisms in place" (which you don't know), to protect the "very secure" system (which you cannot audit), via polices and procedures (which you also don't know and cannot audit).

Doesn't get any more obscure than that. For all we know right now, the "mechanism" is a cleartext password of "12345" until proven otherwise, so knock it off with the bullshit semantics already.

Re:So .. Security by Obscurity.

[msauve]

"Is there any history about how that has worked before?"

Sure, FBI sends "National Security Letter" to Intel, demanding they open the door without telling anyone. FBI then has unrestricted access to Intel systems, worldwide, but "no, you can't see the source code, it's secure, we promise."

Re:So .. Security by Obscurity.

[invictusvoyd]

While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

That "spokesman" did learn this exact paragraph in his management college. Exact. He was told to remember it word by word.

So is this a manufactured clickbait story?

[CajunArson]

So from what I can tell, this entire fiasco is basically some blogger who was clearly ignorant of how enterprise management features that have been present in hardware for *years* having an "OMG YOU TRANSMIT YOUR IP ADDRESS TO THE WORLD EVERY TIME YOU GO TO A WEBSITE!!" moment.

And it wasn't even that original since the same damn hissy fit gets thrown every year or so as memory serves, since this is by no means the first time I've heard the conspiracy theory.

So, either this guy is an idiot (not discounting that at all) or he managed to troll people into generating clicky clicky ad revenue by recycling conspiracy theories. Some of the people being trolled might be willing participants to boot.

Re:So is this a manufactured clickbait story?

[HiThere]

It appears that you are correct that this "isn't new", but it also appears that the only answer ever received is "trust us". And while this isn't proof that the conspiracy theories are right, it isn't exactly proof that the "conspiracy theories" are wrong.

It has backdoor access. Authentication issue?

The chip has the "power" to do many things including take secret control of a system, transfer files, read RAM, anything. No debate on that.

The "debate" is whether security through Intel obscurity (un-auditable unless you work for them) can be trusted FROM NOW ON, without checkups.

If history is any measure...

Who drives the need?

In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

Umm, if Intel is the only holder of the keys to the kingdom, then they get to decide when the need arises. In fact, how much do you want to bet that if someone is nice enough to bring an issue to Intel's attention and Intel decides to take no action that there's a "by the way, if you so much as make a peep about this we'll bury you in an avalanche of DMCA litigation for the rest of your natural life"?

Forgive me if I'm skeptical about this. I think I'd rather have an agreement with Darth Vader. At least he doesn't pretend to be a nice guy.

Stop worrying

[JustAnotherOldGuy]

"While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure."

Well alrighty then, I feel so much better now. Because when a technology company says something is "very secure", you can take that to the bank!

Odd..

[kenh]

This capability has existed in certain CPU/chipsets since the Intel Core processors were released yet to date no one has successfully 'hacked' into this well-advertised feature...

Did this boing-boing blogger check with anyone that, you know, is fairly current on the Intel platform before exposing this 'incredible' security issue?

Re:Odd..

[barc0001]

> yet to date no one has successfully 'hacked' into this well-advertised feature...

Not that we know of anyway. Generally the really bad guys don't publicize what they've found, they just use it. So who knows? For all we know there might be some cool new ransomware being developed right this instant that will deploy and activate in the next 3 months that locks up most of the Intel systems on the planet.

Re:Security by obscurity works quite well.

[Anonymous+Brave+Guy]

The term "security through obscurity" normally refers to the method being secret, not to secret information used to authenticate an actor within the system. More specifically, it normally refers to relying on the method being secret to make discovery of a vulnerability more difficult, rather than actually fixing the vulnerability. Clearly this is bad if an adversary becomes aware of that vulnerability anyway.

Re: Yes

[mrchaotica]

That's horribly naive. Even if the interface claims that it's "off," there is no proof and no reason whatsoever to trust it.

Trust comes from being able to read the source code (all of it), compile it yourself, and load it on the device. Nothing less.

Re:who has the RSA private key?

people are making systems for sale that don't have intel processors... and that's exactly what i'm doing. i'm not one for complaining *without* actually doing something about it

... Because you expect us to believe that Allwinner wouldn't obey the Chinese-government equivalent of a National Security Letter?

Extra general purpose computer running firmware ..

[khz6955]

'Intel Management Engine (ME) .. described as "an extra general purpose computer running a firmware blob .. a chip protected by RSA 2048 security on a chip'

Can I replace this firmware blob with one of my own?

Can I replace the RSA key with one of my own?

Can I audit this firmware blob to see what it does?

Can I disable this ME subsystem?

Who else can access this ME subsystem?

"there are mechanisms in place to address vulnerabilities should the need arise."

So basically Intel and any designated third party can access your computer regardless of in place security mechanisms.

Re:It has backdoor access. Authentication issue?

[PatientZero]

And when the FBI orders them to provide secret access to this chip running in all devices using it worldwide, they'll obviously break national security laws to inform the public, right? Oh, but of course, since it's the FBI, it'll still be secure from all (other) bad actors!