Slashdot Mirror
Researchers Find a Way To Disable Intel ME Component Courtesy of the NSA (bleepingcomputer.com)
An anonymous reader writes:Researchers from Positive Technologies -- a provider of enterprise security solutions -- have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs that many have called a secret backdoor, even if Intel advertised it as a "remote PC management" solution. People have been trying for years to find a way to disable the Intel ME component, but have failed all this time. This is because disabling Intel ME crashes computers, as Intel ME is responsible for the initialization, power management, and launch of the main Intel processor.
Positive Technologies experts revealed they discovered a hidden bit inside the firmware code, which when flipped (set to "1") will disable ME after ME has done its job and booted up the main processor. The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable." High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms. Researchers believe Intel has added the ME-disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments.
The original submission linked to a comment with more resources on the "Intel CPU backdoor" controversy.
Positive Technologies experts revealed they discovered a hidden bit inside the firmware code, which when flipped (set to "1") will disable ME after ME has done its job and booted up the main processor. The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable." High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms. Researchers believe Intel has added the ME-disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments.
The original submission linked to a comment with more resources on the "Intel CPU backdoor" controversy.
Always looking out for our interests, even if they don't always tell us how...
suckle upon mine DAMN balls
In the early 2000s, my CD tray went out, and somebody started typing on my screen to me. It was such a violation that somebody had put a trojan on my machine and snooped around for who knows how long silently before revealing themselves. And since the trojan has no username/password, he not only opened my computer up to his sick self to sit there and watch my private computing environment and download files and watch screenshots of my desktop and all kinds of things -- he also let the entire world connect as they pleased as long as they found my IP address (ICQ advertised this to every contact back then, for example).
And now, with as much security knowledge I've been able to collect for all these years since, my HARDWARE enables some assholes to remotely spy and watch me in real time... it makes me physically sick to think about it. I wouldn't be surprised if it turns out that anything I've ever seen on my computers is all available in some enormous data collection cave in lossless fullscreen video. All ready to blackmail me the minute I gain any sort of power...
Some "friends" I had, who would do such a thing. People don't respect you or your privacy one single little bit.
Not much-hated by the people who buy Intel CPUs by the train-load.
"I don't know, therefore Aliens" Wafflebox1
I think we should call it the anti-evil bit https://www.ietf.org/rfc/rfc3514.txt !
Basically, it is only a matter of time until Intel is no longer able to sell its products. Who would want a computer that is open to whatever employees of secret government agencies and agency contractors want to do? Don't assume that secret agencies and their contractors are managed well.
The bleepingcomputer's article is informative, the researcher's blog post is full of technical details... but how do I actually disable Intel ME? Where is the how-to for that?
"Highly sensitive environments"? As in environments that least have no internet access, or at best are air-gapped. Run by technical people who already know what's there, and how to use it. So who again should be concerned by this fear-mongering story?
"High Assurance Platform" sounds to me like it's a mode to ensure that the CPU doesn't receive SMM interrupts. This is one of the reasons why Intel is not the platform of choice for safety-critical systems that depend on hard real-time guarantees.
sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
... indicates it's likely beholden in a similar fashion now.
Try reading on the subject. There are plenty of security researchers working on this problem.
The linked comment about the subject is very informative.
Never assume others are stupid without making the same question to yourself.
God damn...you lose.
Captcha: reformat
...or does it seem slightly meta that, in a sense, Intel's backdoor has it's own backdoor.
-It is by will alone I set my mind in motion.
No, you are legitimately stupid and probably babbling about Intel AMT which is not the subject here. And, BTW, don't count on the disable setting for AMT to actually disable anything.
Is the Intel Management Engine present in all AMT versions? Is the Intel ME problematic in all versions of AMT in which it exists? Does AMT require Intel ME in the first place?
Slashdot: Playing Favorites Since 1997
Wisdom, (not knowledge) prevents you from being an arrogant idiot like you have just been, knowing what intel ME is exactly (which you clearly do not) is not necessary to suppose there might be so much controversy and research into intel ME because there is no supported way to remove the vulnerable nature of having a whole closed source, obfuscated, signed OS and CPU in control of your CPU... Just to be clear: No, you cannot remove disable intel ME from EFI or BIOS, try at least to not be so condemning next time.
wow why didn't they think of that huh? I guess we should all ask you how IME works then. So this BIOS option prevents the ME OS from booting I presume? otherwise you are still fucked.
What baffles me most is that the regular consumer is not offered this option for the devices they purchased.
Because from all indications right now, AMD is on a proprietary embedded OS AND has full image encryption, meaning no pick and choose of modules to disable.
Something else a lot of people haven't considered: The neural network block used in the processors could have intentional or unintentional exploits built into them. The 'bad masks' that are resulting in Ryzen RMAs may not have been unintentional, but rather a widely used piece of code triggered them in an unintended manner causing a crash instead of an exploit. The point at which we will know for certain is after our system security is relying on them.
Same issue with out of order processors in general. By allowing the processor to reorder instructions as it sees fit, you lose the ability to verify intended operation of code, especially when hyperthreading or alternate states made be interacting with it. This is not to say we should take the performance hit of returning to in-order processors, but that there are a lot of inherent risks in computer technology and with the proprietary nature of current designs there is no way for us to be assured of the safety or security of what are rapidly becoming a central focus of the majority's lives.
The BIOS settings just disable the software that runs on top of Intel ME. Intel ME is still present and intercepting certain network ports, as can be verified by comparing the behaviour of those ports to other unused ports on the same PC. The network stack handling them is different, so the rejection behaviour is different - if you don't see a difference right away, try configuring iptables or other firewall software to change the rejection method for those ports (a change from REJECT to DROP should make connections timeout instead of failing immediately for example).
AMT runs on top of Intel ME. So yes, Intel ME is present in all AMT versions, and also remains present if you do not even have AMT enabled.
In order to ensure your security the following steps are required:
- The AMT remote maintenance support has to be disabled (you would have had to manually configure and enable this, unless it was a corporate deployment.)
- The ME interface would have to be exposed to the operating system. Not all systems enable this. The ones that do will show a device in either the device manager or via lspci on linux.
- Final:you will have had to make a copy of your bios image, read off using either an FPC or SPI flash reader, or a Raspberry Pi configured to emulate one. Then you have to run me_cleaner on the image to strip out the unnecessary bits from the firmware. For [GQ][34]x chipsets they can strip basically everything. Nehalem/X58 is a bit less clear, although it isn't as bad as Sandy Bridge+.
However, one concern that has been overlooked in the later chipsets is the GPU as an alternative vector of attack instead of the ME. It has a similar level of memory access as the ME, newer models have similarly signed firmware and while they officially have bounded memory access it is not improbable that some undocumented feature provides a method for them to breach that.
Also as a remind for anyone using a GPGPU for cryptographic functions/temporary storage of your keys: Always make sure your cude/OpenCL program manually zeros all sensitive memory ranges before returning the thread. Otherwise there is a danger of other GPU programs finding a way to scan/access/copy/exfiltrate that information to third parties.
Or just y'know, run Windows 10. All these dangers become irrelevant since the OS can do it all for them without any of these pesky engineered backdoors.
Note that the team which "decrypted" the firmware enough to figure this out includes Dmitry Sklyarov (check Wikipedia via the link about the story of his arrest in 2001). I'm sure it gives him a nice warm feeling to be a part of this discovery... :-)
I'd also like to take the opportunity to thank all involved in case they visit here!!!!
How realistic could it be to block potential use of IntelME before it even reaches the computer?
Would it be possible to have some software + hardware solution that will work together to only allow IPs on your computer(s) that have actually been accessed by you to go through your router, and any that come in unsolicited to simply be dropped?
Actually, isn't that already a feature of decent high-level routers anyway, to automatically drop any IPs it has no session with or something along those lines?
See subject: Then you come up w/ a better way to Agent Smith this ala "How can you make a phonecall Mr. Anderson (Intel AMT) IF YOU'RE UNABLE TO SPEAK" (or rather no one can hear you) as in what I came up with using what you probably already have & it's this easy... ok??
APK
P.S.=> "Run, Forrest: RUN!!!" as I suspect you don't have a better idea & this IS THE BEST + EASIEST ONE folks can probably implement in their home cable/dsl modems with port filtering (from off the mobo chipset itself outside of it in a good router)... apk
From the article:
"At the hardware level, Intel ME is nothing more than a microcontroller embedded on the Platform Controller Hub (PCH) chip, the component that handles all communication between the actual Intel processor and external devices."
Of course that makes this "component" even more ominous.
"By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
See subject: Stopping it's ability to send info. outward via router port filtering ala ports 16992-16995 so filter those ports in a modem/router external to OS/PC. This malware operates from your mobo but it has NO CONTROL OF YOUR MODEM/ROUTER!
(Those ARE the ports IntelAMT/ME uses & THEY COULD CHANGE IP ADDRESSES ALL DAY which would defeat YOUR idea - this stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, outside of the INTEL chipset, & stopped external to it via a router/firewall hardware... apk
Unless it's the porn industry where backdoors are profitable.
See subject: Stopping it's ability to send info. outward via router port filtering ala ports 16992-16995 so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
See subject: Stop it's ability to send info. outward via router port filtering ala ports 16992-16995 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
See subject: Stop it's ability to send info. outward via router port filtering ala ports 16992-16995 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
Hey retard you posted this already. I guess it is just to hard for APK to not be a retard
Hey retard you didn't come up with the idea of port filtering, nor did you come up with the idea of default deny, or disabling unnecessary components and features. Just like you didn't come up with the idea of a defrag program or a script/application to create and manage a hosts file. Again APK gets spanked harder than an ugly redheaded stepchild. It really must be hard for him to be such a retard.
Hey retard you posted this already. I guess it is just too hard for APK to not be a retard. Did it ever occur to you that the reason you get down modded so often is that once you state something you don't have to keep stating it. I know this will be difficult for your retard mind to grasp but people hate spammers, especially retarded ones like you. Also randomly bolding and capitalizing text especially in combination with your piss poor ability to construct a sentence let alone an argument doesn't make you look less of a retard.
If you were the real APK you would suck moose cock
Now suck some moose dick to prove it
Then take that moose cock up your ass to confirm you are the real APK
How can APK manage to type so much while sucking so much moose cock
Maybe he isn't sucking it now but taking it in the ass so it frees up his hands
Can APK show that he has stopped with the moose dick
That is right he can't because one is shoved up his ass or half way down his throat right now
You run like Forest to moose cock you sick fuck
See subject: Stop it's ability to send info. outward via router port filtering ala ports 16992-16995 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
1. What if you can't change the router?
2. What if you forget to change the router?
3. What if you connect to another network?
4. What about the versions that use mobile phones built into the motherboard
It's bullshit. Intel's Management Engine is a hardware backdoor into every Intel system. You cannot trust Intel-based PCs. It's that simple.
Frankly, it's shocking that Intel have gotten away with this as long as they have.
How can APK manage to type so much while sucking so much moose cock
Maybe he isn't sucking it now but taking it in the ass so it frees up his hands
Can APK show that he has stopped with the moose dick
That is right he can't because one is shoved up his ass or half way down his throat right now
See I can post multiple times too just like APK
Will APK now go beat off to his hero Alex Jones
I didn't read your post. Standard advice applies. You're welcome.
What dicks, using what was supposed to be a teaching OS (for the betterment of humanity) for such an evil piece of firmware.
If one can even get to the BIOS. Many office boxes are PW'd out.
I downloaded and compiled mei-amt-check from github, which was last compiled 4 months ago.
"A simple tool that tells you whether AMT is enabled and provisioned on Linux systems. Requires that the mei_me driver (part of the upstream kernel) be loaded."
The mei_me.ko is loaded when the program is run.
It gave me this on my Intel(R) Core(TM) i7-3610QM :
"sudo ./mei-amt-check
[sudo] password for jerry:
Error: Management Engine refused connection. This probably means you don't have AMT"
The "Management Engine" is still there and working or it couldn't have returned that msg.
Stallman's note on 12-19-2016 was more than eight months ago. The patch was compiled four months ago. Plenty of time for the folks who installed the back door to patch it so the mei-amt-check doesn't return truthful results. ???
Running with Linux for over 20 years!
Don't use the onboard NIC then. If it ain't plugged in it can't be used and if it is a random NIC from a different vendor than Intel it's unlikely that Intel ME will be able to make use of it.
Buy a better modem if your ISP won't provide one. They're cheap and worth it. If you forget then take your alzheimers meds or don't buy a motherboard that has this on it. Roaming onto another network is taking a risk on your part. Be sure they have port filtering in place against this as described. If they do not advise them of this threat. Problem is easily solved.
See subject & https://it.slashdot.org/comments.pl?sid=11050927&cid=55108973/ (I came up w/ this since this threat came out) - its easy & most folks have routers/modems that port filter (if not, get one - your ISP's have them) by PORT FILTERING external to mobo chipset via routers/modems (good ones that have port filtering)
* It can't communicate in/out this way, effectively NULLIFYING it... & the rest of what is in that link I posted STOPS IT FROM BEING "upgradeable" by INTEL or malware makers etc. also (by removing the software BIOS level patching interface ware that's needed to do it in Windows etc.)
APK
P.S.=> Bonus is it works CENTRALLY "enterprise-wide" to stall it external to ALL PC's ON A LAN/WAN @ the router/modem firewalling level... apk
See subject: "Registered 'luser'" accounts of which MOST are FAKE NAMES for FAKE LIVES primarily...
APK
P.S.=> It's all a matter of style & MY style has solved this FAR MORE EASILY than the methods many articles around it suggest using what you probably already have (a modem or router with port filtering to stall Intel AMT/ME from 'talking back to mama' etc.)... apk
APK's style is sucking moose dick
See subject: Thanks for that much you unidentifiable useless "ne'er-do-well" whacko! You constantly project your own issues.
APK
P.S.=> You can post as much as you like BUT I always run your LAME ASS out of your "downmodpoints" easily - & my posts still do well & get upmodded anyhow... lol! apk
See subject: Thanks for showing us all you have the "moosedick" issues freak - lmao, seriously!
APK
P.S.=> I guess that's the price of being an unidentifiable trolling "ne'er-do-well" DO-NOTHING douche in yourself... lol! apk
I once was hired by army of one country in North Europe to create remotely detonated devices that would destroy the lost laptop using vPro, which ME is part of. Idiots. Technically it would be fun to do, but when I saw one of the officers, not related to the project, holding his child in one hand and laptop in another, I decided to become reach by other means. I guess they completed that project by now, I definitely wasn't the only smart guy in... that country.