Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Find a Way To Disable Intel ME Component Courtesy of the NSA (bleepingcomputer.com)

Posted by EditorDavid on from the inside-Intel dept.

An anonymous reader writes:Researchers from Positive Technologies -- a provider of enterprise security solutions -- have found a way to disable the Intel Management Engine (ME), a much-hated component of Intel CPUs that many have called a secret backdoor, even if Intel advertised it as a "remote PC management" solution. People have been trying for years to find a way to disable the Intel ME component, but have failed all this time. This is because disabling Intel ME crashes computers, as Intel ME is responsible for the initialization, power management, and launch of the main Intel processor.

Positive Technologies experts revealed they discovered a hidden bit inside the firmware code, which when flipped (set to "1") will disable ME after ME has done its job and booted up the main processor. The bit is labelled "reserve_hap" and a nearby comment describes it as "High Assurance Platform (HAP) enable." High Assurance Platform (HAP) is an NSA program that describes a series of rules for running secure computing platforms. Researchers believe Intel has added the ME-disabling bit at the behest of the NSA, who needed a method of disabling ME as a security measure for computers running in highly sensitive environments.
The original submission linked to a comment with more resources on the "Intel CPU backdoor" controversy.

64 of 142 comments (clear)

  1. Permanent Netbus.exe. by Anonymous Coward · · Score: 2, Interesting

    In the early 2000s, my CD tray went out, and somebody started typing on my screen to me. It was such a violation that somebody had put a trojan on my machine and snooped around for who knows how long silently before revealing themselves. And since the trojan has no username/password, he not only opened my computer up to his sick self to sit there and watch my private computing environment and download files and watch screenshots of my desktop and all kinds of things -- he also let the entire world connect as they pleased as long as they found my IP address (ICQ advertised this to every contact back then, for example).

    And now, with as much security knowledge I've been able to collect for all these years since, my HARDWARE enables some assholes to remotely spy and watch me in real time... it makes me physically sick to think about it. I wouldn't be surprised if it turns out that anything I've ever seen on my computers is all available in some enormous data collection cave in lossless fullscreen video. All ready to blackmail me the minute I gain any sort of power...

    Some "friends" I had, who would do such a thing. People don't respect you or your privacy one single little bit.

    1. Re:Permanent Netbus.exe. by Dunbal · · Score: 5, Insightful

      Well, if it's any consolation to you, you're never going to gain any sort of power, and nobody really wants to look at whatever is on your screen, beyond stealing your credit card number.

      What people like you seem to fail to understand is that if I can collect and store data on EVERYBODY then in the future if I happen to be pissed off at YOU for whatever reason, I can go back through all that data I've collected and find something you said or did which I can use against you. Because EVERYONE commits some crime or other. EVERYONE. Government should never have such power.

      "Give me 6 lines written by the most honest of men and in them I will find something which will hang him" -- Cardinal Richelieu

      --
      Seven puppies were harmed during the making of this post.
    2. Re:Permanent Netbus.exe. by ChrisMaple · · Score: 1

      /dev/random is your friend.

      --
      Contribute to civilization: ari.aynrand.org/donate
    3. Re:Permanent Netbus.exe. by markdavis · · Score: 5, Insightful

      >"What people like you seem to fail to understand is that if I can collect and store data on EVERYBODY then in the future if I happen to be pissed off at YOU for whatever reason, I can go back through all that data I've collected and find something you said or did which I can use against you. Because EVERYONE commits some crime or other. EVERYONE. Government should never have such power."

      +1,000,000 insightful

      Not just government, NOBODY should have that power. Not governments, not businesses, not individuals. NOBODY. There are so many laws and regulations on the books, it is nearly impossible for any normal person to be 100% legal all the time. And each year it just gets worse. And that is just law- it doesn't have to be something illegal, it can just be something embarrassing to then be used as a weapon to harm or corrupt.

      And even if there is some saintly person out there who thinks they never did anything wrong or embarrasing, I have news for you:

      1) Anything you do can be taken out of context.
      2) With power over your computer, anything can be PLANTED to make it seem like you did or said or contemplated something you never did.
      3) Nobody is that saintly anyway.

    4. Re:Permanent Netbus.exe. by Anonymous Coward · · Score: 1

      Anything you say can and will be used against you.

    5. Re:Permanent Netbus.exe. by umghhh · · Score: 3, Insightful

      Anything you did not say too. In fact these days any activity can be taken as a reason to smash your doors, put you in handcuffs and charge you with some silly crime. It seems the whole world is going this way. Even in what used to be peaceful Germany you can get that done to you now if your political opponents or some worried citizens dislike your prepping activities - 'he is evil terrorist because he has a weeks worth supply of food in his cellar' etc Seems to me that free world is as mad as the less free versions.

    6. Re:Permanent Netbus.exe. by LordWabbit2 · · Score: 2

      2) With power over your computer, anything can be PLANTED to make it seem like you did or said or contemplated something you never did.

      Exactly, and if you are found to have a single image which can be construed as child porn you are fucked.

      --
      There are three kinds of falsehood: the first is a 'fib,' the second is a downright lie, and the third is statistics.
    7. Re:Permanent Netbus.exe. by Opportunist · · Score: 2

      What's really fucked up about this is the way it's phrased, which essentially can be summed up with "it's up to the judge".

      In other words, if the judge gets a boner, you're fucked.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:Permanent Netbus.exe. by KiloByte · · Score: 2

      Since the image choice is not yours, let me assure you, the image(s) that get planted won't be just borderline. Also, the police are assumed to never, ever plant such images even in cases it's widely known they hate your guts.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    9. Re:Permanent Netbus.exe. by Dunbal · · Score: 2

      This is true. Tactical entry, "no knock" warrants, etc used to be reserved for known dangerous criminals. We're almost at the point now where they're busting down your door for parking tickets. Cos admit it - busting down doors is fun. The cops paid for this tactical team and equipment, and by god they are going to use it.... it's human nature. And this trend is not just in the US. I'm an expat living in Costa Rica and I was amazed the other day when on the news I saw a tactical team busting down the doors and windows of a house to get a guy wanted for.... not paying his municipal taxes. OH MY GOD what a hardened criminal! Surely he was waiting for them with "my little friend"!

      --
      Seven puppies were harmed during the making of this post.
    10. Re:Permanent Netbus.exe. by infolation · · Score: 2
      The famous Ayn Rand - Atlas Shrugged quote.

      You fellows were pikers, but we know the real trick, and you'd better get wise to it. There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals, one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced nor objectively interpreted-and you create a nation of law-breakers-and then you cash in on guilt. Now that's the system, Mr. Rearden, that's the game, and once you understand it, you'll be much easier to deal with."

      It seems to enbody the principle of your post, but is always quoted out of context. The book talks about a different era - an industrial era - but, despite its moral defense of capitalism and the necessity of an independent mind, Atlas Shrugged's discussion of 'secret law' is directly relevant to the concept of a device that can exfiltrate an individual's life secrets to a state power.

    11. Re:Permanent Netbus.exe. by Jerry · · Score: 1

      "I am a model citizen"

      Think so?
      Read this: http://lawcomic.net/guide/?p=1...

      --

      Running with Linux for over 20 years!

    12. Re:Permanent Netbus.exe. by Gr8Apes · · Score: 1

      Including that picture you took of your first child getting its first bath. Oops.

      --
      The cesspool just got a check and balance.
    13. Re:Permanent Netbus.exe. by Gr8Apes · · Score: 1

      At this point, I'd question whether the police are ever honest.... And yes, I know probably a significant subset are honest, but enough aren't that it tars them all.

      --
      The cesspool just got a check and balance.
    14. Re:Permanent Netbus.exe. by Dunbal · · Score: 1

      Yeah in first world shitholes they just toss flashbangs into baby cribs at the wrong address and are cleared of any wrongdoing despite mutilating a child who was obviously guilty of SOMETHING.

      --
      Seven puppies were harmed during the making of this post.
    15. Re:Permanent Netbus.exe. by KiloByte · · Score: 1

      On their own, the vast majority of policemen are honest, or a good enough approximation of that. But when an order comes from the above, most will choose to keep their jobs over defending you.

      --
      The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    16. Re:Permanent Netbus.exe. by Gr8Apes · · Score: 1

      Oh, I'm not even talking conspiracy here, just the low-level lack of integrity and Dredd-like thoughts about the "Law", or so it appears.

      --
      The cesspool just got a check and balance.
    17. Re:Permanent Netbus.exe. by umghhh · · Score: 1

      It is what makes me wonder. At some point my doors will probably get smashed either by right wing radicals because I am not pure enough, by antifa activists because I am not tolerant enough or by authorities because I refuse to decry some shit or other (a mayor of small town in Germany wanted one of his subordinates to resign for not openly decrying Erdogan - yesterday, free speech and free though are not valued resources these days). We live in a world where being correct is more and more difficult, getting upset about others not being correct and making hell out of their lives easier and easier. In the past, Europeans chose to run away to 'America' - where do you run away today to? At the same time you have incidents like in Rottenham/UK. Humans heh...

    18. Re:Permanent Netbus.exe. by umghhh · · Score: 1

      This is a correct description of current situation. This BTW is not only Germany but we have militant tolerance fighters i.e. antifas that violently act on any sign of 'intolerance' they see. So you hardly can discuss anything in the open these days out of fear to be declared intolerant asshole. This btw includes people making photos of election poster teams to dox them later on and apply private pressure ect. I do not have to agree with some party slogans but that is going far to far. This has also less political effects too and not only in Germany - Rottenham/UK for decades perpetrators were able to abuse children only because people were afraid to involve authorities. Not to be called a racists made dozens of kids victims of abuse. How nice, is it not? To me it looks like great slogans act as a big fetish that removes need to think rationally. It is enough to follow to be good. Destroying lives in a process is just collateral. That is questionable even if you actually protect anybody but you do not. The only persons protected are gang rapists from Rimini and their buddies elsewhere - we look away because we want to avoid thinking and unpleasant discussions. I wanted to be tolerant, open minded, happy citizen too. Instead I feel depressed every time I open newspaper these days.

    19. Re:Permanent Netbus.exe. by epine · · Score: 1

      You fellows were pikers, but we know the real trick, and you'd better get wise to it.

      Heinlein, toward the end, also suffered from giant book disorder, but even then Heinlein retained enough short-form marbles to at least subtly position this blowhard on the cynical fringe.

      After a thousand pages, the author runs an appalling risk of falling in love with her/his reductive-cadence secret sauce.

  2. "a much-hated component of Intel CPUs" by Nutria · · Score: 1

    Not much-hated by the people who buy Intel CPUs by the train-load.

    --
    "I don't know, therefore Aliens" Wafflebox1
    1. Re:"a much-hated component of Intel CPUs" by Ungrounded+Lightning · · Score: 2

      Because there is an alternative... not. AMD has the same shit.

      Actually it has equivalent but DIFFERENT $#!7.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
    2. Re:"a much-hated component of Intel CPUs" by thegarbz · · Score: 1

      Not much-hated by the people who buy Intel CPUs by the train-load.

      Yes this. Perspective matters. Intel powers the worlds PCs the number of people who actually give a shit about this can be stored in a 16bit integer. The number of people calling it a secret backdoor in an 8bit integer.

      Best of all is the overlap between the number of people in the 16bit integer category and those who go out and buy workstation motherboards especially so they get features like the ones Intel ME provide. But somehow Intel is super evil while American Megatrends and the like are not.

      Then there's those people who buy AMD and think they are immune because they don't understand the PSP has the same capabilities as the ME and then move the goalposts around by saying that no one has "proven" that PSP has a backdoor, but not applying the same criteria to Intel.

    3. Re: "a much-hated component of Intel CPUs" by Reverend+Green · · Score: 1

      Everyone who understands what the ME is, calls it a backdoor. However that's not exactly a "secret".

    4. Re: "a much-hated component of Intel CPUs" by thegarbz · · Score: 1

      No, everyone who understands what the ME is calls it what it is, an on CPU consumer version of IPMI, a premium feature that has been part of enterprise grade equipment for almost 2 decades.

    5. Re:"a much-hated component of Intel CPUs" by EndlessNameless · · Score: 1

      You make it sound like this is unique to Intel. It is not.

      AMD's TrustZone is basicallly the same thing---a processor which has supervisory access to the hardware and operating system.

      Read all about it at:

      http://www.amd.com/en-us/innov...

      --

      ---
      According to the latest ruleset, this post should be modded as Vorpal Flamebait +5.
    6. Re:"a much-hated component of Intel CPUs" by Nutria · · Score: 1

      How do you get "You make it sound like this is unique to Intel" from "Not much-hated by the people who buy Intel CPUs by the train-load?

      Maybe you replied to the wrong comment?

      --
      "I don't know, therefore Aliens" Wafflebox1
  3. Evil Bit by Anonymous Coward · · Score: 3, Funny

    I think we should call it the anti-evil bit https://www.ietf.org/rfc/rfc3514.txt !

  4. Re:Thank you NSA by infolation · · Score: 3, Interesting

    I don't want to sound paranoid, but...

    Given the history of this organisation, there is a possibility that the 'disable Intel ME, block the nefarious attackers' bit is a decoy.

    (Disclaimer: I use a 2008 thinkpad with the SOIC-16 personally reprogrammed using a beaglebone. So maybe I'm paranoid.)

  5. How to? by manu0601 · · Score: 3, Insightful

    The bleepingcomputer's article is informative, the researcher's blog post is full of technical details... but how do I actually disable Intel ME? Where is the how-to for that?

    1. Re:How to? by complete+loony · · Score: 5, Informative

      Wait for this patch to me_cleaner to be better tested?

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
    2. Re:How to? by aktw · · Score: 1

      There is no "how-to" at this point, but I'm sure you can get started on CPU firmware modification since now you know the correct bit to flip.

    3. Re:How to? by Anonymous Coward · · Score: 2, Informative
      The article says to use Flash Image Tool (FIT).

      So how can we set the HAP bit? We can use the FIT configuration files and determine the location of the bit in the image, but there is a simpler way. In the ME Kernel section of FIT, you can find a Reserved parameter. This is the particular bit that enables HAP mode.

    4. Re:How to? by complete+loony · · Score: 1

      A version of this patch has been merged into the master branch of me_cleaner. So I'd suggest following their guides to attempt disabling Intel ME. Of course there's a risk you'll brick your motherboard...

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
  6. Re:Thank you NSA by saloomy · · Score: 1

    Do Apple computers have the ME enabled? How do you've access it?

  7. Maybe not just that... by Pseudonym · · Score: 1

    "High Assurance Platform" sounds to me like it's a mode to ensure that the CPU doesn't receive SMM interrupts. This is one of the reasons why Intel is not the platform of choice for safety-critical systems that depend on hard real-time guarantees.

    --
    sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
    1. Re:Maybe not just that... by TemporalBeing · · Score: 1

      "High Assurance Platform" sounds to me like it's a mode to ensure that the CPU doesn't receive SMM interrupts. This is one of the reasons why Intel is not the platform of choice for safety-critical systems that depend on hard real-time guarantees.

      If you need a "hard real-time guarantee" then you wouldn't be using a micro-processor and be using a micro-controller instead.

      --
      Truth is like the sun. You can shut it out for a time, but it ain't goin' away. - Elvis Presley (source: imdb.com)
    2. Re:Maybe not just that... by Pseudonym · · Score: 1

      If you need a "hard real-time guarantee" then you wouldn't be using a micro-processor and be using a micro-controller instead.

      Almost all of a time, a microcontroller IS-A microprocessor.

      --
      sub f{($f)=@_;print"$f(q{$f});";}f(q{sub f{($f)=@_;print"$f(q{$f});";}f});
  8. AMD behaviour ... by evanh · · Score: 1

    ... indicates it's likely beholden in a similar fashion now.

  9. is it just me... by Doctor+Device · · Score: 4, Interesting

    ...or does it seem slightly meta that, in a sense, Intel's backdoor has it's own backdoor.

    --
    -It is by will alone I set my mind in motion.
  10. What AMT versions are affected with the ME bkdoor? by MSTCrow5429 · · Score: 1

    Is the Intel Management Engine present in all AMT versions? Is the Intel ME problematic in all versions of AMT in which it exists? Does AMT require Intel ME in the first place?

    --
    Slashdot: Playing Favorites Since 1997
  11. Re:is the author legitimately stupid? by Anonymous Coward · · Score: 1

    Wisdom, (not knowledge) prevents you from being an arrogant idiot like you have just been, knowing what intel ME is exactly (which you clearly do not) is not necessary to suppose there might be so much controversy and research into intel ME because there is no supported way to remove the vulnerable nature of having a whole closed source, obfuscated, signed OS and CPU in control of your CPU... Just to be clear: No, you cannot remove disable intel ME from EFI or BIOS, try at least to not be so condemning next time.

  12. Re:is the author legitimately stupid? by Anonymous Coward · · Score: 1

    wow why didn't they think of that huh? I guess we should all ask you how IME works then. So this BIOS option prevents the ME OS from booting I presume? otherwise you are still fucked.

  13. Baffling by Anonymous Coward · · Score: 2, Funny

    What baffles me most is that the regular consumer is not offered this option for the devices they purchased.

    1. Re:Baffling by Opportunist · · Score: 2

      Have you been on vacation the past 20 or so years?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Only worse.... by Anonymous Coward · · Score: 1

    Because from all indications right now, AMD is on a proprietary embedded OS AND has full image encryption, meaning no pick and choose of modules to disable.

    Something else a lot of people haven't considered: The neural network block used in the processors could have intentional or unintentional exploits built into them. The 'bad masks' that are resulting in Ryzen RMAs may not have been unintentional, but rather a widely used piece of code triggered them in an unintended manner causing a crash instead of an exploit. The point at which we will know for certain is after our system security is relying on them.

    Same issue with out of order processors in general. By allowing the processor to reorder instructions as it sees fit, you lose the ability to verify intended operation of code, especially when hyperthreading or alternate states made be interacting with it. This is not to say we should take the performance hit of returning to in-order processors, but that there are a lot of inherent risks in computer technology and with the proprietary nature of current designs there is no way for us to be assured of the safety or security of what are rapidly becoming a central focus of the majority's lives.

  15. Re:Thank you NSA by Anonymous Coward · · Score: 3, Informative

    You access it from another PC by trying to connect to port 16992,16993,16994,16995,623 and 664 on the target machine. Accessing from the PC itself will not prove anything, as generally the access will go via the loopback interface on the same PC, bypassing the network IC that is working together with Intel ME to intercept communication on those ports.

    Depending on the response you get, you can determine:

    1) Behaviour same as other unused ports: Intel ME probably not available or completely disabled on this processor.
    2) Connection rejected or timed out, but behaviour is subtly different than other ports: Intel ME is present, but not provisioned (vulnerabilities in this state are unknown, but cannot be excluded).
    3) Connection accepted, and some authentication challenge or active error message given: Intel ME is present and provisioned (mostly this is only if your network admins have licensed some software to make use of it).

  16. Re:is the author legitimately stupid? by Anonymous Coward · · Score: 3, Informative

    The BIOS settings just disable the software that runs on top of Intel ME. Intel ME is still present and intercepting certain network ports, as can be verified by comparing the behaviour of those ports to other unused ports on the same PC. The network stack handling them is different, so the rejection behaviour is different - if you don't see a difference right away, try configuring iptables or other firewall software to change the rejection method for those ports (a change from REJECT to DROP should make connections timeout instead of failing immediately for example).

  17. Re:FUD. by cavreader · · Score: 3, Informative

    "As in environments that least have no internet access, or at best are air-gapped."
    The Iranians found out the hard way that even a no internet access,air gapped, highly sensitive environment still wasn't enough to protect them from Stuxnet. Stuxnet was technically impressive but getting the virus smuggled into one of Iran's most secure facilities was even more impressive.

  18. Re:What AMT versions are affected with the ME bkdo by Anonymous Coward · · Score: 1

    AMT runs on top of Intel ME. So yes, Intel ME is present in all AMT versions, and also remains present if you do not even have AMT enabled.

  19. *ALL VERSIONS* *IF ENABLED* by Anonymous Coward · · Score: 2, Informative

    In order to ensure your security the following steps are required:
    - The AMT remote maintenance support has to be disabled (you would have had to manually configure and enable this, unless it was a corporate deployment.)
    - The ME interface would have to be exposed to the operating system. Not all systems enable this. The ones that do will show a device in either the device manager or via lspci on linux.
    - Final:you will have had to make a copy of your bios image, read off using either an FPC or SPI flash reader, or a Raspberry Pi configured to emulate one. Then you have to run me_cleaner on the image to strip out the unnecessary bits from the firmware. For [GQ][34]x chipsets they can strip basically everything. Nehalem/X58 is a bit less clear, although it isn't as bad as Sandy Bridge+.

    However, one concern that has been overlooked in the later chipsets is the GPU as an alternative vector of attack instead of the ME. It has a similar level of memory access as the ME, newer models have similarly signed firmware and while they officially have bounded memory access it is not improbable that some undocumented feature provides a method for them to breach that.

    Also as a remind for anyone using a GPGPU for cryptographic functions/temporary storage of your keys: Always make sure your cude/OpenCL program manually zeros all sensitive memory ranges before returning the thread. Otherwise there is a danger of other GPU programs finding a way to scan/access/copy/exfiltrate that information to third parties.

    Or just y'know, run Windows 10. All these dangers become irrelevant since the OS can do it all for them without any of these pesky engineered backdoors.

  20. Re:Thank you NSA by AmiMoJo · · Score: 1

    Even if it does what it claims to do, it doesn't fully protect you from the ME being exploited. It just prevents exploits against a running ME, but an attacker could still hide code in the ME itself via bogus firmware updates which gives them a powerful rootkit that is difficult to detect or remove.

    Lifting the write enable pin on the EEPROM can prevent that.

    I also worry that the remaining minimal ME code needed to boot the system could be exploited some how. Bad firmware in another device, bad configuration data...

    Still, this is a valuable discovery and one which likely gives ordinary users an easy way to improve their security.

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  21. Re:Thank you NSA by bytesex · · Score: 1

    Is this port knocking, or does each port do something different, or is it simply trial-and-error between ports?

    --
    Religion is what happens when nature strikes and groupthink goes wrong.
  22. ME is integrated in the Chipset, not the CPU by gotan · · Score: 1

    From the article:

    "At the hardware level, Intel ME is nothing more than a microcontroller embedded on the Platform Controller Hub (PCH) chip, the component that handles all communication between the actual Intel processor and external devices."

    Of course that makes this "component" even more ominous.

    --
    "By the way if anyone here is in advertising or marketing... kill yourself." -- Bill Hicks
  23. In the meantime this works... apk by Anonymous Coward · · Score: 1

    See subject: Stop it's ability to send info. outward via router port filtering ala ports 16992-16995 that Intel AMT/ME uses so filter those ports in a modem/router external to OS/PC. Intel ME/AMT operates from your mobo but has NO CONTROL OF YOUR MODEM/ROUTER!

    (This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)

    Additionally, once you disable the AMT engine's software interface (ez via software these articles note)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).

    (I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))

    HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" as well (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/

    * GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones do not)!

    APK

    P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk

  24. Re:way, Way, WAY AHEAD OF YOU... apk by Anonymous Coward · · Score: 1

    1. What if you can't change the router?
    2. What if you forget to change the router?
    3. What if you connect to another network?
    4. What about the versions that use mobile phones built into the motherboard

    It's bullshit. Intel's Management Engine is a hardware backdoor into every Intel system. You cannot trust Intel-based PCs. It's that simple.

    Frankly, it's shocking that Intel have gotten away with this as long as they have.

  25. Re:FUD. by Bite+The+Pillow · · Score: 1

    In my experience, sensitive areas are run by people who did not know about this. So it must have been more like a Sig int input site, gathering external data, like a Twitter scraper. Something partially exposed that needed protection.

  26. Re:Thank you NSA by unixisc · · Score: 2

    Funny how they'd like Intel to have all that extra real estate on a chip to help them monitor the rest of us, but don't want that same capability turned on them. Sauce for the goose is ketchup for the gander!

  27. Re: Thank you NSA by unixisc · · Score: 1

    So easy to do on a laptop or an AIO. Other than gamers, how many people still use desktops where one can plug in a NIC into a PCIe slot?

  28. Re: Thank you NSA by unixisc · · Score: 1

    Does that still work if one uses an Ethernet-USB adaptor on a laptop, where one can't plug in a second NIC card?

  29. Error: Management Engine refused connection. by Jerry · · Score: 1

    I downloaded and compiled mei-amt-check from github, which was last compiled 4 months ago.

    "A simple tool that tells you whether AMT is enabled and provisioned on Linux systems. Requires that the mei_me driver (part of the upstream kernel) be loaded."

    The mei_me.ko is loaded when the program is run.

    It gave me this on my Intel(R) Core(TM) i7-3610QM :

    "sudo ./mei-amt-check
    [sudo] password for jerry:
    Error: Management Engine refused connection. This probably means you don't have AMT"

    The "Management Engine" is still there and working or it couldn't have returned that msg.

    Stallman's note on 12-19-2016 was more than eight months ago. The patch was compiled four months ago. Plenty of time for the folks who installed the back door to patch it so the mei-amt-check doesn't return truthful results. ???

    --

    Running with Linux for over 20 years!

  30. Re:Stop Intel AMT/ME easily... apk by erapert · · Score: 1

    You posted anonymously... and then signed your post??????

  31. Re:FUD. by Jerry · · Score: 1

    From a post by Stallman:
    "3. The backdoor is active even when the machine is powered off:
    Intel rolled out something horrible [hackaday.com]
    The ME has network access, access to the host operating system, memory, and cryptography engine. The ME can be used remotely even if the PC is powered off. If that sounds scary, it gets even worse: no one knows what the ME is doing, and we canâ(TM)t even look at the code.

    4. Onboard ethernet and WiFi is part of the backdoor:
    The ME has its own MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system
    If your CPU has Intel Anti-Theft Technology enabled, it is also possible to directly access the backdoor from cell towers using 3G.

    5. The backdoor uses encrypted communication:
    https://en.wikipedia.org/wiki/... [wikipedia.org]
    AMT version 4.0 and higher can establish a secure communication tunnel between a wired PC and an IT console outside the corporate firewall. In this scheme, a management presence server (Intel calls this a "vPro-enabled gateway") authenticates the PC, opens a secure TLS tunnel between the IT console and the PC"

    --

    Running with Linux for over 20 years!

  32. Re:is the author legitimately stupid? by jabuzz · · Score: 1

    Don't use the onboard NIC then. If it ain't plugged in it can't be used and if it is a random NIC from a different vendor than Intel it's unlikely that Intel ME will be able to make use of it.