Slashdot Mirror


Is the 'Secret' Chip In Intel CPUs Really That Dangerous? (networkworld.com)

New submitter Miche67 writes: A recent Boing Boing blog post by Damien Zammit is stirring up fears, claiming Intel's x86 processors have a secret control mechanism that no one can audit or examine. And because of that, he says it could expose systems to undetectable rootkit attacks that cannot be killed.
Blogger Andy Patrizio, after talking with an Intel spokesperson, says the developer's argument has holes and he doesn't think Zammit will persuade Intel to replace the system with a free, open source option.

So, what we have is an open source crusader scaring the daylights out of people on a giant what-if scenario that even he admits couldn't happen in our lifetimes.

An Intel spokesperson told the publication: While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.


37 of 245 comments

  1. So .. Security by Obscurity. by Anonymous Coward · · Score: 5, Insightful

    How nice ... Is there any history about how that has worked before?

    1. Re:So .. Security by Obscurity. by Anonymous Coward · · Score: 2, Insightful

      By its very nature, you never hear about the cases where "Security by Obscurity" actually works.

    2. Re:So .. Security by Obscurity. by msauve · · Score: 5, Insightful

      "Is there any history about how that has worked before?"

      Sure, FBI sends "National Security Letter" to Intel, demanding they open the door without telling anyone. FBI then has unrestricted access to Intel systems, worldwide, but "no, you can't see the source code, it's secure, we promise."

      --
      "National Security is the chief cause of national insecurity." - Celine's First Law
    3. Re:So .. Security by Obscurity. by Pope+Raymond+Lama · · Score: 4, Informative

      Very relevant video presented at last year's CCC

      https://media.ccc.de/v/32c3-73...

      The whole model (in)security is thoroughly explained - better than on yesterday's article,
      and way, way better than on this so called "rebuttal".

      --
      -><- no .sig is good sig.
    4. Re:So .. Security by Obscurity. by arglebargle_xiv · · Score: 4, Interesting

      There's actually a lot of precedent for this sort of thing in the way of ILOM/DRAC/IPMI and similar capabilities. In fact Intel's AMT isn't really news, it's been there for years. A general pattern in all of these systems is the use of crappy old ARM processors, incredibly ancient Linux kernels (2.6.x), unpatched old binaries from God knows where, and coding like it's 1997 (strcpy(), fixed-length buffers, etc). There's lots of material out there on this, e.g. Dan Farmer's take. Oh yeah, and you typically can't disable it, even when you think you've disabled it. My only surprise about all of this is that people are surprised by it.

    5. Re:So .. Security by Obscurity. by invictusvoyd · · Score: 3, Insightful

      > While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure. Intel has a defined set of policies and procedures, managed by a dedicated team, to actively monitor and respond to vulnerabilities identified in released products. In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

      That "spokesman" did learn this exact paragraph in his management college. Exact. He was told to remember it word by word.

  2. So is this a manufactured clickbait story? by CajunArson · · Score: 5, Insightful

    So from what I can tell, this entire fiasco is basically some blogger who was clearly ignorant of how enterprise management features that have been present in hardware for *years* having an "OMG YOU TRANSMIT YOUR IP ADDRESS TO THE WORLD EVERY TIME YOU GO TO A WEBSITE!!" moment.

    And it wasn't even that original since the same damn hissy fit gets thrown every year or so as memory serves, since this is by no means the first time I've heard the conspiracy theory.

    So, either this guy is an idiot (not discounting that at all) or he managed to troll people into generating clicky clicky ad revenue by recycling conspiracy theories. Some of the people being trolled might be willing participants to boot.

    --
    AntiFA: An abbreviation for Anti First Amendment.
    1. Re:So is this a manufactured clickbait story? by bersl2 · · Score: 2

      You're going to make a comparison to IPMI?

      Start reading: http://fish2.com/ipmi/

    2. Re:So is this a manufactured clickbait story? by HiThere · · Score: 4, Insightful

      It appears that you are correct that this "isn't new", but it also appears that the only answer ever received is "trust us". And while this isn't proof that the conspiracy theories are right, it isn't exactly proof that the "conspiracy theories" are wrong.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    3. Re:So is this a manufactured clickbait story? by mrchaotica · · Score: 3, Informative
      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    4. Re:So is this a manufactured clickbait story? by Austerity+Empowers · · Score: 2

      > So from what I can tell, this entire fiasco is basically some blogger who was clearly ignorant of how enterprise management features that have been present in hardware for *years*

      It is true that this is not new. It's not clear to me how many people are aware of it however.

      Intel ME has greater capabilities than I think it should have for its purpose. In fact, no one is sure of all its capabilities as it seems we'd discover a new and unexpected one every time we hit a bug (at the time, this was many times daily). It does, however, have a very valid and useful purpose that has a clear place in the world. To some degree we already trust Intel a lot, all of our processing and data goes through their chips. They could do very awful things if that was their intent. What concerns me about Intel ME is that it does not appear to be a closed system, it is somewhat promiscuous and seems like a potential entry point. Last I worked with it (admittedly a few generations ago), it got its code via BIOS boot-rom like everything else, this could easily be co-opted by our favorite far east manufacturers. So whatever Intel's intent, it's not clear that they are in a position to be sure of anything.

    5. Re:So is this a manufactured clickbait story? by vux984 · · Score: 5, Informative

      > and where it shares the same ethernet port as the main machine

      Seriously? How about... practically all modern Intel PCs. (very very few of which have a dedicated management port)

      "The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current (as of 2015) Intel chipsets."

      https://en.wikipedia.org/wiki/...

      So if you can find a modern Intel PC with a single ethernet port. It's got it.

      > where you can't disable it in the BIOS

      Disabling AMT in BIOS may not actually disable it; it may just disable exposing it as a device to the host operating system. There are *plenty* of posts from people who disabled AMT only to find it was still running, still picking up an address via DHCP, and still manageable via AMT management tools, even while the PC was "off".

      In general there generally are ways to disable it; I can't find a cite for a system where it literally couldn't be turned off.

      But.. even turning it off isn't reliable.

      "A Ring -3 rootkit was demonstrated by Invisible Things Lab for the Q35 chipset. [...] The ME rootkit could be installed regardless of whether the AMT is present or enabled on the system, as the chipset always contains the ARC ME coprocessor."

      https://en.wikipedia.org/wiki/...

      So even where AMT was disabled, the co-processor is still physically there and may be reachable/exploitable.

      Oh, and I forgot to mention, it works with laptops on wifi too.

      "Intel AMT supports wired and wireless networks. For wireless notebooks on battery power, OOB communication is available when the system is awake and connected to the corporate network, even if the OS is down."

      I certainly don't think this article does any justice to the situation. But at the same time, the management engine stuff is a giant gaping security hole that does present serious and non-trivial to mitigate risks when exploits are found.

  3. It has backdoor access. Authentication issue? by Anonymous Coward · · Score: 2, Insightful

    The chip has the "power" to do many things including take secret control of a system, transfer files, read RAM, anything. No debate on that.

    The "debate" is whether security through Intel obscurity (un-auditable unless you work for them) can be trusted FROM NOW ON, without checkups.

    If history is any measure...

  4. Who drives the need? by Anonymous Coward · · Score: 4, Insightful

    > In the case of the Intel Management Engine, there are mechanisms in place to address vulnerabilities should the need arise.

    Umm, if Intel is the only holder of the keys to the kingdom, then they get to decide when the need arises. In fact, how much do you want to bet that if someone is nice enough to bring an issue to Intel's attention and Intel decides to take no action that there's a "by the way, if you so much as make a peep about this we'll bury you in an avalanche of DMCA litigation for the rest of your natural life"?

    Forgive me if I'm skeptical about this. I think I'd rather have an agreement with Darth Vader. At least he doesn't pretend to be a nice guy.

  5. Stop worrying by JustAnotherOldGuy · · Score: 4, Insightful

    "While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure."

    Well alrighty then, I feel so much better now. Because when a technology company says something is "very secure", you can take that to the bank!

    --
    Just cruising through this digital world at 33 1/3 rpm...
    1. Re:Stop worrying by asackett · · Score: 2

      Especially if you're an Eastern European cracker, huh?

      --

      Warning: This signature may offend some viewers.

    2. Re:Stop worrying by drinkypoo · · Score: 2

      > Well alrighty then, I feel so much better now. Because when a technology company says something is "very secure", you can take that to the bank!

      What I want is to be secure from an Intel subjected to coercion by a corrupt government.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  6. Odd.. by kenh · · Score: 2, Insightful

    This capability has existed in certain CPU/chipsets since the Intel Core processors were released yet to date no one has successfully 'hacked' into this well-advertised feature...

    Did this boing-boing blogger check with anyone that, you know, is fairly current on the Intel platform before exposing this 'incredible' security issue?

    --
    Ken
    1. Re:Odd.. by barc0001 · · Score: 3, Insightful

      > yet to date no one has successfully 'hacked' into this well-advertised feature...

      Not that we know of anyway. Generally the really bad guys don't publicize what they've found, they just use it. So who knows? For all we know there might be some cool new ransomware being developed right this instant that will deploy and activate in the next 3 months that locks up most of the Intel systems on the planet.

  7. Yes by Opportunist · · Score: 5, Informative

    Anything I cannot audit, I have to trust. I have no reason to trust Intel. So yes, it is potentially dangerous because I can neither audit nor trust it.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re: Yes by kenh · · Score: 3, Informative

      Then turn it off in the BIOS.

      Seriously, this is not a 'secret' function built into the CPU, it is a feature implemented in chipset and controlled by a BIOS setting.

      --
      Ken
    2. Re: Yes by mrchaotica · · Score: 4, Insightful

      That's horribly naive. Even if the interface claims that it's "off," there is no proof and no reason whatsoever to trust it.

      Trust comes from being able to read the source code (all of it), compile it yourself, and load it on the device. Nothing less.

      --

      "[Regarding the 'cloud,'] ownership was what made America different than Russia." -- Woz

    3. Re:Yes by Opportunist · · Score: 2

      What you can do here is audit at the interface. This can be quite taxing but it is at least possible. In the end, different hardware elements still have to communicate with each other and they have to rely on documented interface specs for this, and here is where you can insert the crowbar. Yes, that can entail creating your own hardware to take a "man in the middle" kind of approach when the communication is harder to decipher. Whether you really want to invest this much into your audit is up to you, but at least it's doable.

      Not so much luck if you're dealing with structures that are integrated. Doing an audit for a mainboard and its substructures is already quite difficult and requires a good deal of equipment that most people might not want to spend the money for, but it's at least still doable. Auditing the insides of a modern CPU, though, is something that is outside of my reach at least.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  8. Re:Security by obscurity works quite well. by Anonymous+Brave+Guy · · Score: 5, Insightful

    The term "security through obscurity" normally refers to the method being secret, not to secret information used to authenticate an actor within the system. More specifically, it normally refers to relying on the method being secret to make discovery of a vulnerability more difficult, rather than actually fixing the vulnerability. Clearly this is bad if an adversary becomes aware of that vulnerability anyway.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  9. Re: secure 'for now' by greenfruitsalad · · Score: 2

    yes, absolutely.

  10. who has the RSA private key? by lkcl · · Score: 3, Interesting

    there is some empirical evidence - nothing concrete that can be shared publicly - which tends to suggest that the RSA private key that Intel uses is already known and in use. if nothing else, you should not be reassured that there have been no "gagging orders" that come out of the U.S. Government on a regular basis, preventing and prohibiting companies from telling anyone that "yes we have had the NSA knocking on our door and yes we were forced to give them the RSA private key because otherwise they threatened that whoops, it would be really hard to get export licenses for our processors".

    this kind of threat by security services is not outside the realm of possibility: it already happens, and i have met someone who was present at a meeting (with GCHQ) in which this type of threat to destabilise their business model was actually made.

    there is a really simple solution, here: don't buy systems with intel processors. that assumes of course that people are making systems for sale that don't have intel processors... and that's exactly what i'm doing. i'm not one for complaining *without* actually doing something about it, so if you'd like to sign up for the crowdfunding campaign which will launch very shortly, you can do so here - http://crowdsupply.com/eoma68

    1. Re:who has the RSA private key? by Anonymous Coward · · Score: 2, Insightful

      > people are making systems for sale that don't have intel processors... and that's exactly what i'm doing. i'm not one for complaining *without* actually doing something about it

      ... Because you expect us to believe that Allwinner wouldn't obey the Chinese-government equivalent of a National Security Letter?

  11. IME is defective by design by WaffleMonster · · Score: 2

    AMT allows anyone who can broadcast DHCP and legitimately purchase a certificate from a CA to own your system while it isn't even turned on.

    If there is a defect (as if the above isn't bad enough) they won't bother to fix their bugs once they have decided your hardware is no longer worth their time to support... same as IPMI vendors and all the rest.

    Even when you turn off "AMT" in bios if you are lucky enough to even have that option which I do not... it is STILL there listening. The only way I've found to limit this unnecessary and unwanted system within a system madness is to disable the hardware virtualization feature which prevents sharing of hardware with IME and operating system.

    1. Re:IME is defective by design by freeze128 · · Score: 2

      Or you could just disable your PC's on-board ethernet port in the BIOS, and add a 3COM ethernet card and use that instead. Won't the IME be surprised when it cannot control another company's hardware!

  12. An Intel spokesperson told the publication by twistedcubic · · Score: 3


    > While the Intel Management Engine is proprietary and Intel does not share the source code, it is very secure.

    I almost fell out of my chair laughing when I saw this.

  13. Brief answer by Improv · · Score: 4, Interesting

    No. Obviously not and the guy stirring up trouble is either underinformed or irresponsible.

    Most of the hardware in your computer isn't something you get (or could get) a gate diagram from. You'd never know if something is in there that theoretically could be triggered to do something. That's the way hardware is. This guy is fussing over a publicly known feature that people are using in the enterprise to manage systems en masse. It doesn't open some magic wormhole to the control system - it requires a clear path of access and a setup and all that fun stuff. Meaning if you want to use IME, you need to set it up on all the systems for your network environment and debug it and build tooling around it. It's not fun to get that stuff right, and often not that easy.

    It's not impossible that there's a backdoor in IME, but it's just as easy to imagine a backdoor anywhere else in your system. It's hard to imagine how one could ever be confident that that's not the case. So the focus and the anger is misaimed.

    --
    For every problem, there is at least one solution that is simple, neat, and wrong.
    1. Re:Brief answer by joe_frisch · · Score: 2

      Most other hardware doesn't have the external and CPU interfaces. A disk driver probably cannot do anything very useful with the data it sees if you use disk encryption. It can't read the data and probably doesn't have external network access.

      This management system by design has low level access to the CPU and external interfaces. It is potentially a much more capable hacking tool.

      It's not easy to think of a reason that there is not a local hardware disable since the management capabilities are not needed by a substantial number of users.

      If Intel knows how to access the chip, presumably they can be ordered to do so by the government, making this a universal back door.

  14. Re:Security by obscurity works quite well. by bws111 · · Score: 4, Informative

    No, the term security by obscurity means that the method MUST be a secret, because that secret is the only thing providing security. It is entirely possible, and quite normal, to have a security system which does not REQUIRE the method to remain secret, yet still not disclose what that method is. That is NOT security by obscurity, it is additional security by obscurity, and is in no way a bad thing.

    Not disclosing the method sucks from an auditability standpoint, but in no way means that the actual security is provided by obscurity.

  15. Extra general purpose computer running firmware .. by khz6955 · · Score: 3, Insightful

    'Intel Management Engine (ME) .. described as "an extra general purpose computer running a firmware blob .. a chip protected by RSA 2048 security on a chip'

    Can I replace this firmware blob with one of my own?

    Can I replace the RSA key with one of my own?

    Can I audit this firmware blob to see what it does?

    Can I disable this ME subsystem?

    Who else can access this ME subsystem?

    "there are mechanisms in place to address vulnerabilities should the need arise."

    So basically Intel and any designated third party can access your computer regardless of in place security mechanisms.

  16. Re:Security by obscurity works quite well. by Anonymous+Brave+Guy · · Score: 2

    "Security through obscurity" is a term of art, a quick way of referring to a useful concept that anyone who works in the field understands. That meaning is surely also what the OP was referring to in their post. Perhaps you weren't familiar with it, but every professional or academic working on IT security will be.

    Security through obscurity is not a particularly successful technique and never has been, as you can tell from the vast number of published exploits against systems that were not actually secure based on vulnerabilities that were discovered despite their obscurity.

    By the way, the point of private keys isn't (just) that they are longer than passwords, though that is a significant practical benefit. Authentication using public-private key pairs is also asymmetric: someone possessing the public key can verify that someone they are talking to, for example someone requesting SSH access to a server, is in possession of the corresponding private key without the private key ever being disclosed. This is qualitatively different to typical password-based authentication, where someone logging in to the server does actually send their full password to the server's SSH daemon (encrypted, obviously), even if further processing is then based on some derived hash value.

    --
    If you disagree, post your argument. (-1, Overrated) isn't your personal censorship tool for views you don't like.
  17. Re:It has backdoor access. Authentication issue? by PatientZero · · Score: 3, Insightful

    And when the FBI orders them to provide secret access to this chip running in all devices using it worldwide, they'll obviously break national security laws to inform the public, right? Oh, but of course, since it's the FBI, it'll still be secure from all (other) bad actors!

    --
    Freedom to fear. Freedom from thought. Freedom to kill.
    I guess the War on Terror really is about freedom!
  18. the primary "if" by flacco · · Score: 2

    > namely, if it can be compromised by a rootkit

    It fucking IS a rootkit.

    Christ.

    --
    pr0n - keeping monitor glass spotless since 1981.