Researchers Run Unsigned Code on Intel ME By Exploiting USB Ports

Slashdot user bongey writes: A pair of security researchers in Russia are claiming to have compromised the Intel Management Engine just using one of the computer's USB ports. The researchers gained access to a fully functional JTAG connection to Intel CSME via USB DCI. The claim is different from previous USB DCI JTAG examples from earlier this year. Full JTAG access to the ME would allow making permanent hidden changes to the machine.
"Getting into and hijacking the Management Engine means you can take full control of a box," reports the Register, "underneath and out of sight of whatever OS, hypervisor or antivirus is installed."

They add that "This powerful God-mode technology is barely documented," while The Next Web points out that USB ports are "a common attack vector."

MODERATION IS CENSORSHIP

Moderation is censorship and needs to be abolished. Undoubtedly, your first reaction is to censor this position to -1. Keep in mind that doing so only supports this position that moderation is a tool for censoring posts that moderators disagree with. It promotes groupthink because moderation is primarily used as a tool to vote on agreement or disagreement with a post. Therefore, it reduces the visibility of posts voicing contrary opinions, discouraging discussion and supporting an echo chamber. Moderation has become very harmful to Slashdot and needs to be removed.

By definition, moderation is the suppression of material that is deemed inappropriate. Moderation more than satisfies this definition, therefore it is a form of censorship.

The most common counterargument is that the posts are still visible under some settings, therefore it is not censorship. However, moderation limits the number of people who are posts when they are voted down, suppressing them though not altogether eliminating the posts. Consider that there are restrictions on adult material, including where and when it can be sold or shown, and who is allowed to be present to access or view it. Although it is still possible to access and view adult material, those efforts constitute censorship. It isn't controversial to say that adult material being restricted is a form of censorship. Effectively the same thing is happening with moderation on Slashdot. Moderation is a form of censorship.

Another common argument is that moderation is not censorship because it's not imposed by the government. However, if businesses or individuals block access to content for others, they are indeed practicing censorship. If your ISP voluntarily blocks access to some content, they are practicing censorship. It is not controversial to call label that as censorship. In the case of moderation, individuals are suppressing content, and that is censorship.

Make no mistake, moderation is a form of censorship. The common counterarguments have been thoroughly refuted. The negative effects can be seen throughout Slashdot, which has become an echo chamber where any opposing views are frequently reduced to a score of -1. This stifles the discussions that once made Slashdot so lively and interesting. Moderation is censorship, and it is ruining Slashdot.

Re: MODERATION IS CENSORSHIP

[140Mandak262Jamuna]

You here the right to speak. We have the right to ignore you. It is our freedom of speech to call you a crack pot.

Re: MODERATION IS CENSORSHIP

[140Mandak262Jamuna]

Probably a bot. Watching new topics and post first.

Re: MODERATION IS CENSORSHIP

Ignoring someone is not the same as suppressing their speech from others. When a user moderates a post down, it renders it invisible to other users with a viewing threshold above that level. That is censoring a post, plain and simple. It goes well beyond ignoring a post. And no, I'm not a bot, but you are a fool. Moderation is censorship and it is harmful. Yes, this post is off topic, but consider this civil disobedience against a system that suppresses dissenting opinions.

Re: MODERATION IS CENSORSHIP

[Narcocide]

When you post off topic drivel in an attempt to derail a conversation you're suppressing the free speech of others. Get fucked.

Re: MODERATION IS CENSORSHIP

free speech is not necessarily free on private property since Constitutional Rights only affect government attempts to silence speech

the owner of a property like a shopping mall can kick your butt out for shouting at customers, and a moderator on this site has the same rights

Re: MODERATION IS CENSORSHIP

Protests aren't meant to be convenient. This is a protest against censorship on Slashdot. You are still free to post whatever you want, and nothing you post is being suppressed by my post. I notice you haven't posted about anything else, but felt the need to post in this thread. If you're so concerned that discussing censorship is interfering with other conversations, why are you posting in this thread?

Re: MODERATION IS CENSORSHIP

[Narcocide]

Provably false. You're not very smart, are you?

Re:MODERATION IS CENSORSHIP

Shut up, SaneGoat.

Re:MODERATION IS CENSORSHIP

Yes, it's important to censor dumbasses.

Re:MODERATION IS CENSORSHIP

[MrL0G1C]

Posting as AC is self-censorship.

Re: MODERATION IS CENSORSHIP

No, the supreme court ruled a while back that the spaces between stores at the mall are common areas that require public access, and so are entitled to free speech protections. It would be like a town square.

Re: MODERATION IS CENSORSHIP

Oh, please cite of stfu

Here is a well researched article describing the lack of any Federal support for freedom of speech on private property through SCOTUS rulings over the past 70 years. Only one case found for free speech, because the California constitution allowed for it and it was seen to supersede the US Constitution. Laws like that only apply in 6 states.

You really should learn how to back up your spew

Re: MODERATION IS CENSORSHIP

"When a user moderates a post down, it renders it invisible to other users with a viewing threshold above that level. That is censoring a post, plain and simple"
No, you fucking idiot, you're completely wrong & stupid.
Viewing thresholds can be changed by the user, even an AC. It's a choice.. There's even a helpful slider above that shows how many comments are hidden.
That wouldn't be possible if this were truly censorship.

Re: MODERATION IS CENSORSHIP

[omnichad]

viewing threshold above that level.

Right...because they don't want to see it. Why is that not fine?

Re: MODERATION IS CENSORSHIP

[OrangeTide]

That is censoring a post, plain and simple.

No, that's not plain nor simple. Each viewer has the choice to view messages at the threshold they desire. Everyone posting here agrees to the system was have here. If you do not agree, you are free to operate your own forum somewhere else.

PS - starting off-topic discussion will get you modded down. That means most people won't see your post, I will still see it because I frequently have mod points and spend them cleaning house.

Re: MODERATION IS CENSORSHIP

[Dog-Cow]

You deserve to have a rusty spike shoved through your eyeball.

Re: MODERATION IS CENSORSHIP

âoeWhen a user moderates a post down, it renders it invisible to other users with a viewing threshold above that levelâ

No, it doesnâ(TM)t. Setting a viewing threshold removes unwanted posts from view. What you are saying is equivalent to saying âoeFacebook censored my stuff because not everyone in the world went there to see itâ.

Re:MODERATION IS CENSORSHIP

[thegarbz]

Undoubtedly, your first reaction is to censor this position to -1.

Yep, the title alone qualifies for an "offtopic" mod. Goodbye. It was nice not reading your irrelevant opinion.

Re: MODERATION IS CENSORSHIP

[thegarbz]

but consider this civil disobedience against a system that suppresses dissenting opinions.

Trust us, the irony of your disobedience along with the resulting moderation they receive is not lost on us.

Re: MODERATION IS CENSORSHIP

[BronsCon]

invisible to other users with a viewing threshold above that level

Well, it sounds like those users who don't see it have decided they wanted to exercise their

right to ignore you.

You still had (and exercised) your

right to speak

and people who wish to hear you can still hear you. How do I know this to be true? I moderate (with a heavy slant toward positive moderation or none at all -- I rarely use all of my mod points), I browse at -1, and I see all of your moronic comments. You are not being censored, but you are being sorted and categorized so that people who wish to ignore your messages, which you seem to imply that you're fine with, can do so.

Re: MODERATION IS CENSORSHIP

Well all know it's Creimer. His karma is so fucked he had to create 10+ sock puppet account. He has to post at -1 because he's a dirty fucking low life spammer.

Re: MODERATION IS CENSORSHIP

[uncqual]

Which Supreme Court? Are you thinking of the Pruneyard Shopping Center v. Robins (1980) case? This was initially decided by the California Supreme Court based on the California Constitution. The Supreme Court of the United States upheld the California Supreme Court decision by ruling that State Constitutions are not in violation of the United States Constitution if they grant broader rights within the state than the United States Constitution does - they didn't find that the United States Constitution protects a "free speech" right under the First Amendment in the common areas of a shopping mall.

Perhaps you're thinking of another case, but I don't recall such a case right off the top of my head. Do you have a cite?

Re:MODERATION IS CENSORSHIP

Highly suspicious thread derailment - anyone would think there are some people who don't want the IME to be discussed....

Please explain

A couple of days ago, a story ran discussing many massive vulnerabilities in the Linux kernel USB drivers. Users laughed it off, saying that if someone has physical access, the computer is already compromised. When USB is then used to exploit a vulnerable IME, it's considered a serious issue. Why is it that Linux gets a free pass when other systems do not?

Re:Please explain

Yes, I would rather see Ethernet or Fibre access to the ME since that will likely be the mode of access to boxes that you cannot get physical access to, wireless would be handy for any consumer device

Re: Please explain

I'm not even sure this is an issue, can't u just disable DCI in bios?

Re:Please explain

Dell has the ethernet access tied to a code that is in the server case (if it is not permanently disabled), still limited to physical access, but could have somebody else report the number to you

Re:Please explain

Nobody uses Linux. Everybody uses IME.

Re:Please explain

IT doesn't.

But Linux machines in a server farm are common. So all it takes is someone on the "inside", like someone who owns a machine next to yours in a shared cabinet to start compromising all the neighboring machines.

With a laptop or desktop, you only need to compromise one machine to access the network. Like I need to express this point bluntly. IF YOU CAN UNPLUG THE MACHINE, YOU HAVE ACCESS TO THE NETWORK. Change the MAC address on your device to match the one you unplugged and then go nuts via the ethernet cable.

The idea behind stealthy compromises is to prevent detection. Eg, servicing your laptop by staff outside your business or government lease a real possibility of compromise. Never mind people who stupidly leave machines unattended and unlocked.

Janitorial staff is the easiest way to compromise a network.

Re:Please explain

even an AC on this site should be smart enough to know the difference. if you can't, perhaps you should go run along to reddit or some other site where the users and their submissions are down at your own comprehension level.

vulnerabilities in linux kernel drivers for usb are relatively easy-to-fix *SOFTWARE* issues.

the code is worked-on and reviewed by multiple, independent parties; and can also be examined and compiled by end users.

vulnerabilities in intel management engine are not. they are flaws in the *HARDWARE*

the feature is embedded in the silicon of every fucking processor they manufacture. a similar feature is also found inside the more recent amd processors as well. problems here would require swapping hardware (processors, processors and/or bios). these features and the firmware that controlls them are closed-source, proprietary, and not documented for the public. you have to give blind faith and trust to hardware vendors (intel, amd, bios producers, motherboard manufacturers, etc) to actually fix the vulnerabilities and/or allow the total and irreversible disabling of the features.

Re: Please explain

We say "flaws" three letter agencies say "features".

Re:Please explain

Why is it that Linux gets a free pass when other systems do not?

Not so much a "free pass" but more like nobody gives a shit about Linux.

Re:Please explain

Everybody uses IME.

Not true. There's no IME on my computer.

AMD CPU and chipset.

Re: Please explain

The vulnerabilities in IME are software. The software is stored in the BIOS and can be upgraded.

Re:Please explain

[rudy_wayne]

vulnerabilities in intel management engine are not. they are flaws in the *HARDWARE*

But you still need physical access to the machine.

And I think its mostly firmware, not hardware, so it's probably patchable.

Re:Please explain

Why is it that Linux gets a free pass when other systems do not?

Linux and other OSS are near and dear friends. Closed source software or capitalist products like Intel CPU and Windows are enemies. You should know that if you've been on this site long enough.

Re:Please explain

True, AMD PSP is probably much better.

Re: Please explain

For this, yes, but the management engine has wonderful "features" like a full TCP/IP stack and webserver. This is just the beginning and it should scare the hell out of anyone.

No antivirus software can detect or fix this.

Re: Please explain

It shouldn't get a pass. Stuxnet was said to have pwned Iran from a usb stick left laying around. It's an obvious Trojan horse (in the wooden horse sense) vector.

USB stick at the gate. No Greek army. Cool! A free usb! What's on it?
Haul it through the gates, plug it in to the city square. Greeks sneak out. Your city gets sacked, your servers enslaved, and your data raped.

Anyone defending Linux for that issue has a poor understanding of physical and electronic security history.

Re:Please explain

[DontBeAMoran]

Why does everybody keeps saying that AMD made the PSP? It's made by SONY you morans!

Re: Please explain

[BLToday]

You know this is Intel right? They didn’t even bother fixing scaling issue on some of their integrated graphics (over scanning or under scanning). Their solution was to load custom resolution which doesn’t work on some effected system because the drivers didn’t allow you to load custom resolutions. And you can’t add a graphics board because the system is a micro PC. Do you really think Intel will go back and fix ME for systems that are more than 3 years old?

Re:Please explain

[Khyber]

"vulnerabilities in linux kernel drivers for usb are relatively easy-to-fix *SOFTWARE* issues."

And yet one sits there, still fucking untouched, and has been since 2003.

Wake me up when Linus actually makes a WORKING fucking product and maintains the core components of it.

Re: Please explain

Wake up!

Re: Please explain

Sorry, but software creates the usability of the chip, no chip is designed to operate on its own, the chip received a signal, now what does it do with the signal? Just as a BIOS told a BIOS chip what to do. Just as the new os under the BIOS tells the BIOS what Intel wants. And, even the embedded software on a chip can be modified by unknown means. That's what is being researched now. The new paths that screw the user.

Re:Please explain

[infolation]

Linux and other OSS are near and dear friends.

GNU/Linux and other FOSS are near and dear friends.

Linux and other OSS are only friends.

Re:Please explain

[infolation]

There's no IME on my Intel computer.

I write this on a Thinkpad with Libreboot.

Re:Please explain

[thegarbz]

you morans

It's spelled mor... oh for Pete's sake.

Re:Please explain

[ls671]

I am not sure what booting has to do with IME being present on your computer or not..

Re: Please explain

Or rather "unintended side effects may occur". Look through all those network protocol specifications. This is one I remember reading. "To initiate and reset a new connection to the server, create a login request packet with the user details left empty. Unintended side effects may occur if the user details are not left all zero."

Re: Please explain

UEFI does the samel. There are programming examples of installing a TCP/IP stack. The idea was to allow sys admins to get the system to self update / reimage the OS remotely.

Re:Please explain

[DontBeAMoran]

http://i0.kym-cdn.com/photos/i...

Re:Please explain

[thegarbz]

Just what I needed, A good sunday night laugh :-)

Re: Please explain

Because you left out a very important part of what they said. The usb exploit isnt as bad because you can restrict physical access to the usb port (or disable it) until the software is patched. With ME you would have to restrict physical access forever since it is a hardware issue. Some things if you restricted physical access forever, you wouldnt be able to use the machine.

Re: Please explain

[Khyber]

Looked at latest release. Vulnerability still present.

Back to sleep I go.

Re:Please explain

[infolation]

Libreboot is just the name of the project and does not mean it only replaces the UEFI (although it is downstream of Coreboot). The SPI flash chip containined the IME is reprogrammed (in my case I used a Beaglebone Black). When a Thinkpad is flashed with Libreboot, the IME is overwritten and completely neutralised.

There's only about 8 Thinkpad models, all pre-2009, that this can be applied to. The core2duo architecture is the last generation of machine that can have the IME entirely removed.

The only newer IME-free Libreboot option is Chromebook C201 (not suitable for my purposes as it's Rockchip, so won't run TAILS).

Re:Please explain

Sony? No, it was made by Jasc.

Re: Please explain

It's fucking FIRMWARE. Until someone credibly states that ME is in ROM and not EEPROM / NAND flash, it's also just software and just as patchable. Do you call software on an SSD hardware too?

Heh...

Maybe they should make a new hacker movie called "owned in 60 seconds".

Mandatory vulnerability

Not to mention that breaking or disabling the ME causes a system reset after 30 minutes. Why isn't this mandatory backdoor the biggest news item in the modern corporation-critical age of journalism?

Re:Mandatory vulnerability

Because it's a non-story for everyone who doesn't work in government, and only notable to enterprise customers considering purchasing new equipment. They're not going to throw out millions of dollars in equipment because Skylake chipsets might be vulnerable.

Re:Mandatory vulnerability

It's a non-story until someone writes a destructive virus or ransomeware that uses ME, but then it's too late. The journalists' laptops will not longer work. So I guess it's always a non-story.

Re:Mandatory vulnerability

Don't worry. Intel will recall all chipsets and replace them. We're all going to be fine.

Re: Mandatory vulnerability

malware spyware when the job is cyber warfare. we are now at the point where every bank, law firm and political institution in the us is completely pwned by people who want to see the usa become the former united states of America.

The films feared a firesale, what we have now is much, much more insidious. The NSA set us up the bomb. all your base are belong to us, and the clock is ticking.

Re: Mandatory vulnerability

The NSA set us up the bomb. all your base are belong to us, and the clock is ticking.

Wrong, you obviously didn't hear about the OFF SWITCH of IME, called HAP. All highly protected systems in government have disabled IME thru HAP.
Google: IME HAP

JTAG = direct serial connection?

[Narcocide]

If they can get a JTAG connection to it directly, does this mean we could also just fry the thing to neutralize it without harming the rest of the computer then?

Re:JTAG = direct serial connection?

[BoRegardless]

Epoxy the USB ports!

Re:JTAG = direct serial connection?

[whoever57]

Epoxy the USB ports!

Not going to help if it's already been compromised before you receive it.

Re:JTAG = direct serial connection?

Epoxy the USB ports!

"Hey, i have this Safe, it's pretty easy for criminals to crack, but i took a giant shit on it, this will stop them!"

Will Intel ME run Windows ME?

[jfdavis668]

I here it runs a version of MINUX 3. Can we hack in and install the more nomenclaturely correct Windows ME?

Re:Will Intel ME run Windows ME?

meh.

Re:Will Intel ME run Windows ME?

At least we can bring back the jokes. By the way I think AMD's PSP sucks as much as ME!

God mode.

So all this is really saying is physical access is god mode. You don't need an ME for that to be true.

Re:God mode.

[duke_cheetah2003]

So all this is really saying is physical access is god mode. You don't need an ME for that to be true.

Sadly, you're incorrect. This is a fairly viable remote attack vector. All you need to have is something to deliver the sploit to the host, infect any usb storage devices with your ME sploit and wait for some fool to boot one of those devices accidentally or intentionally. In the mean time, your malware continues to infect every USB device ever attached to the machine. You'll definitely hook a good number of targets, with that number always climbing as more machines get infected and infect more USB storage devices.

Re:God mode.

[squiggleslash]

I don't think this exploit involves booting from a USB storage device, rather it's taking advantage of the fact a USB device can send malformed packets. To exploit this, you're going to need to do more than write data to a USB storage device, you're going to have to hack the USB device's firmware.

That's a tall order - yeah, there's probably quite a few out there that have exploits that would allow you to overwrite the firmware, but what's the betting your virus is going to have the right exploit for the actual USB devices the user is going to be using?

Maybe a better option would be to target the phone of the user you're trying to hack, as (I believe) Android phones would be very easy to reprogram to send malformed USB packets, if you're able to find an exploit that gives you access to root or whatever the equivalent is these days.

Re:God mode.

[SuricouRaven]

Rewrite or replace the hardware. Many USB memory sticks have plenty of free space inside - you could easily stick a little CPLD chip in there to sit between the USB port and the flash memory. It'd even still work as a memory stick. You'd need one skilled hacker to design the CPLD, but once it's designed the actual construction is only a low-skill soldering job. Anyone who can buy a PCB and solder an SMD could do it, and you can buy custom-made PCBs on eBay. And CPLDs too.

Re:God mode.

[thegarbz]

infect any usb storage devices with your ME sploit and wait for some fool to boot one of those devices accidentally or intentionally

USB DCI doesn't work like that. This would need to enumerate as a specific DCI device to the USB Host. It isn't some virus that sits on a storage controller and short of bricking every device that becomes attached to the system it won't spread. Furthermore it will be immediately obvious that something has gone wrong.

Additionally DCI is highly system specific, and while it is possible that Intel's ME is configured identically in every system the odds of it are highly unlikely limiting any exploit, even if it could be automated and remoted to likely a specific family of processors.

This is bad, but it is hardly end of the world bad. Practice safe sex and don't stick foreign appendages in your ports. It may have an STD.

Re:God mode.

[squiggleslash]

Yep, that would do it too. The point is though it's not something you can (easily and effectively) do by creating a virus that'll target USB mass storage devices. If you were going the "untargeted virus" route, you'd have to write something that knows about a lot of exploits for a lot of different USB devices. Targeting cellphones, or just creating a custom USB stick the way you're suggesting for a specific target, is much easier.

Re:God mode.

In the mean time, your malware continues to infect every USB device ever attached to the machine.

It doesn't quite work like that. DCI (along with traditional JTAG) is fused off before the system leaves the factory, per Windows hardware certification requirements. This guy somehow managed to acquire a part that didn't have DCI fused off yet. Special circuitry is required to interface with the JTAG scan chain... you need one of these: https://designintools.intel.com/Silicon_View_Technology_Closed_Chassis_Adapter_p/itpxdpsvt.htm. This DCI technology routes JTAG over the USB connector physically, it doesn't implement transfer of JTAG scan chains over the USB protocol. You can't just hack a USB flash drive... you would need a custom built USB device. Note that Intel will only sell you one of these things + the software to drive it if you sign a NDA with them.

Given that his screenshot has a window with the title "Administrator: Intel DAL Python CLI" I have a hard time believing that he has done anything more than gotten an un-fused Intel reference board + Intel debug tools under NDA from Intel and he managed to successfully follow the directions for enabling USB JTAG debug. If this is the case, his "success" in no way would translate to an actual exploit usable on your typical off the shelf laptop.

Nonsense if you are smart.

Run whatever host OS then run a VM in it of a LIVE DVD of Linux (Tails 1.4.1, Knoppix, etc) from a microSD card in a USB adapter. With Knoppix use the TORAM boot flag when you load it up so it all goes into RAM. Voila. When do you ever need to reboot? You can store all your data on an encrypted volume/partition wherever you want. (Use SAMBA whatever.. a million ways) Save persistent settings if you want. LOL

Intel is hax. Google is hax. Microsoft is too weak to be hax it's spyware. Facebook is Jewish social hax.

Wake up people you are all being ruined.

Re:Nonsense if you are smart.

Since the ME has access to all peripherals, the network, and the RAM, it doesn't matter how many VMs you run in a live DVD of whatever. The ME has full access, and whoever has control over the ME has full access.

Re:Nonsense if you are smart.

What if it is VMs all the way down?

Intel ME is awesome

What I hate about all these stories? We have security researchers who decry the evil of Intel ME. How it can be used to fully control a system. How it allows remote access. You know, those are GOOD things. The only bad parts are (1) it's closed source, (2) it has security vulnerabilities, and (3) the owner (whether it's a corporation or a single person) doesn't have control over it. What I want to see is not the Intel ME disabled. I want to see it turned into a bare bones OS precisely for the average user to remotely log in, flash a new BIOS (or recover from a brick), and to maximize control over things like power settings, usb access, etc.

There's nothing wrong with a God mode. They key is making sure the right person is God.

Re:Intel ME is awesome

[duke_cheetah2003]

What I hate about all these stories? We have security researchers who decry the evil of Intel ME. How it can be used to fully control a system. How it allows remote access. You know, those are GOOD things. The only bad parts are (1) it's closed source, (2) it has security vulnerabilities, and (3) the owner (whether it's a corporation or a single person) doesn't have control over it. What I want to see is not the Intel ME disabled. I want to see it turned into a bare bones OS precisely for the average user to remotely log in, flash a new BIOS (or recover from a brick), and to maximize control over things like power settings, usb access, etc.

There's nothing wrong with a God mode. They key is making sure the right person is God.

The problem here is as the TFA points out, the Intel ME stuff is really poorly documented and it's very complicated what tools and documents I've come across. Certainly way more than an end user could wrap their head around if a refurbisher like me is still trying to understand ME and how it works, when it works, etc.

The closed-source nature of it is a huge problem too, as obvious from this article. So yeah, sure, God-mode might be pretty cool, but it's a bit dangerous if others can exploit it just as easily as I can. This is a pretty viable attack vector too, since you know, a payload could deliver the ME sploit, infect any usb storage devices, and hope for the next fool who boots accidentally or intentionally from those devices. I imagine if an attacker took control of the ME subsystem, it'd be a real bitch to eject their crap, considering how poorly ME is documented and how arcane the tools are.

In my experience as a refurbisher, it's a very rare sight to see any laptop or desktop computer that even mentions ME, or has an option to turn it off in the BIOS. Most of the ME implementations are completely transparent to the host computer, never mentioned in the BIOS, no way to turn it off, no indication it's even there.

Re:Intel ME is awesome

[fahrbot-bot]

There's nothing wrong with a God mode. They key is making sure the right person is God.

Problem is that everyone thinks they're the one - or should be.

Re:Intel ME is awesome

[MrKaos]

There's nothing wrong with a God mode. They key is making sure the right person is God.

Yeah, I'm kinda thinking that if the management engine is on the machine and it is MINIX, I'd like to use it myself to, you know, manage the machine. I'm pretty sure I paid for it.

Re:Intel ME is awesome

The problem here is as the TFA points out, the Intel ME stuff is really poorly documented and it's very complicated what tools and documents I've come across. Certainly way more than an end user could wrap their head around if a refurbisher like me is still trying to understand ME and how it works, when it works, etc.

What you describe covers a lot of electronics that have been co-opted by hackers and turned into Linux running systems. I'm not saying it's a trivial task, and I don't think I'm personally up to the challenge. But these security researchers who know how to exploit the Intel ME are the forefront of being able to document how it works and working out how to inject a whole new OS.

he closed-source nature of it is a huge problem too, as obvious from this article. So yeah, sure, God-mode might be pretty cool, but it's a bit dangerous if others can exploit it just as easily as I can.

Compared to what? Exploiting the kernel? Exploiting the BIOS? We're talking about another level underneath that's fundamentally the same thing. Is getting rid of it any sort of answer? About as much as getting rid of the kernel or the BIOS. Obviously, the focus should be about documenting it and pushing for as many people as possible to replace it.

This is a pretty viable attack vector too, since you know, a payload could deliver the ME sploit, infect any usb storage devices, and hope for the next fool who boots accidentally or intentionally from those devices. I imagine if an attacker took control of the ME subsystem, it'd be a real bitch to eject their crap, considering how poorly ME is documented and how arcane the tools are.

Which, again, is how far away from kernel and extant BIOS exploits? It wasn't but a few days ago that it was pointed out how much of a mess the Linux USB subsystem is. I can't believe that Windows' closed source drivers are any better, even if the exact attack vector is different. The answer is, again, to document and replace. However you look at it, throwing around a lot of fear at this stage is only useful if we're hearing ways to mitigate (which is true to at least the extent of mentioning USB ports as an attack vectory but really to broad a point unless that was actually the message being delivered). It doesn't sound like that's being pushed at all, though, which is actually the greatest disservice.

In my experience as a refurbisher, it's a very rare sight to see any laptop or desktop computer that even mentions ME, or has an option to turn it off in the BIOS. Most of the ME implementations are completely transparent to the host computer, never mentioned in the BIOS, no way to turn it off, no indication it's even there.

Which only highlights the point about educating users. If the setting does exist, disable it. If you're not sure and you're Intel, presume the worst and protect your USB ports. That's good advice, period, given the repeated stories of social engineering with dropped usb drives. Don't think you're safe with AMD because they have the PSP which may be just as bad.

I guess my overall point is, the sky isn't falling. We're just finding new ground. We should be the ones to exploit it before bad hackers do.

Re:Intel ME is awesome

[daniel23]

That's easy, Intel and no one else.
However, during development a guy in a dark suit comes along, representing $TLA.
"Thou shalt not..." he says, so now there 2 Gods.

Said agency looks at the matter and insists on a kill switch for their own boxes - which is a wise move and everyone should have that. But then again, where is the fun in being God if everyone can lock you out?

So it is kept top secret how to access the ME and only $ThirdParty with the appropriate clearing learn about it. Amongst them $Contractor sees the value and sells the details to $Spy in exchange for $$$.
Spies spy on spies, trust turns trusted and not long there is a small crowd of gods and semi gods competing to reap and exploit.

Enter $researcher who, by dilligence and ingenuity finds a way in no one else thought about before.

Re:Intel ME is awesome

There's nothing wrong with a God mode.

There certainly is something wrong with a "God mode" management engine. Think about it--why do you need a second processor running MINIX and controling the main CPU? It's only because the present-day operating systems running on the main CPU are too handicapped to do the things you want. In principle, if things were designed elegantly, you could just have a single processor with a single operating system that actually did everything.

Re:Intel ME is awesome

"They key is making sure the right person is God"
But what if that person prefers to be Allah?

Re:Intel ME is awesome

[Gravis+Zero]

We have security researchers who decry the evil of Intel ME.

The part they decry more than anything else is that it cannot be disabled. Seriously, this is the biggest issue about IME is that it is designed to always run no matter what and if it's not running, the rest of the system is prevented from running.

You may think it's cool but doing so is as stupid as thinking, "that's an awesome gun" when someone has one pointed at your head.

Re:Intel ME is awesome

Well which subsect of islam? Details matter.

Re:Intel ME is awesome

The part they decry more than anything else is that it cannot be disabled. Seriously, this is the biggest issue about IME is that it is designed to always run no matter what and if it's not running, the rest of the system is prevented from running.

No, people decry the level of authority (the God mode) that is granted to Intel along with the difficulty or inability to disable it. Although to that end, it's absurd precisely because Intel is the creator of the CPU and hence already has a lot of supreme power over the system. That the IME consolidates that power into something other than the CPU is only distressing for people because so many people were focused on the CPU as the lynch pin of security. Well, that was absurd from the start because even a lowly PIC could interject or monitor key presses and route them in a fashion that could be picked up by others (encoding them in the EM noise).

So, to that end the IME just seems the blatant and obvious example of the power grab people were expecting with just enough of the cloak and dagger to not outright mention its existence. I get it. I don't even really disagree with the characterization. My point is that through it all, security researches aren't seeing the other part of the big picture: Intel gave us a really useful security tool to undermine just about every other supposed protection that the CPU can provide. That includes VM protection, DRM, and all sorts of malware that would try to subvert the kernel.

So, regardless of Intel's intent, it seems clear that God Mode is such a substantial undermining of a lot of moneyed interests if used properly, that any claim that TLAs had it put in really don't get that subverted for good it's one of the most undermining technologies against those people.

You may think it's cool but doing so is as stupid as thinking, "that's an awesome gun" when someone has one pointed at your head.

If all the Intel ME is is a loaded gun pointed at our heads, then we're all already dead. But me cleaner and other researches that have shown that it CAN be functionally disabled in many (maybe all?) cases speak more about the fundamental question: what can you do with the technology of the gun? Whether you like it or not, the gun is a major component that revolutionized warfare and is substantially the reason the world moved from monarchies to democracies. Not to say that was wholly it, but consider that you talk in terms of a gun at your head, not an army at your throat. Worry about the oppression IME can cause. And subvert it to free us. That is the hacker way. That is the way of freedom, not of fear.

Re:Intel ME is awesome

[phantomfive]

The problem is you can't get rid of it by reformatting your hard drive. This isn't a root account, and it's not ring 0. Unless you know how to make it secure, it shouldn't exist, and Intel doesn't know how to make it secure.

Re:Intel ME is awesome

I know, it's annoying. I love AMT/vPro stuff, KVMoIP management of desktops? The agent keep-alive stuff? The OOB logging? It's great for managing fleets of systems. Just wait till these idiots learn how it interacts with Intel wifi chipsets and how laptops can reverse connect home to vPro Gateways/MPS, they'll lose their minds all over again.

Re:Intel ME is awesome

It would be a nice way to run around any DRM build into the OS, and can't be fixed with OS updates. If you already run an open OS, it is quit pointless.

Re:Intel ME is awesome

The problem is you can't get rid of it by reformatting your hard drive.

Nor can you get rid of most firmware or the BIOS that way either (unless it's Linux). Nor can you really disable them. And God knows what SMM can do once empowered through said firmwares + BIOS. Hell, SMM is right on the CPU. And virtually all the code is closed source! Oh no!

This isn't a root account, and it's not ring 0.

Well, if SMM is a mythical ring -2, then I guess this is mythical ring -3? Either way, it really doesn't change much at that level.
  The amount of code, the secrecy, and the exposed insecurity are worrisome. Then again, I'm almost certain most the UEFI shit is a security nightmare with near, if not the same, level of reach and worry. It's just not a single point of focus today. Just like how the clusterfuck the Linux USB subsystem is wasn't a known thing for a long time. Just like almost certainly something similar is true in Windows and Mac OS X either in the subsystem itself or the drivers.

Unless you know how to make it secure, it shouldn't exist, and Intel doesn't know how to make it secure.

Get back to me when anyone knows how to make their system secure short of burying it in cement (and even then that likely won't work thanks to bluetooth and wifi). The closest we've got is OpenBSD because all of the extensive auditing, but again, we're still fundamentally trusting the firmware that loads OpenBSD. Removing IME wouldn't change this. It's just remove one layer of the [in-]security onion.

But, yea, keep on beating the dead horse. Or, you know, recommend that IME be updated (with something better, perhaps?) like every security ridden nightmare that is the modern PC. Push for Intel to document it a lot better? Yea, that'd be smart. Especially allowing for documentation so people could replace it with something open source? Most definitely. But all this baby out with the bathwater stuff is bullshit.

Re:Intel ME is awesome

[Zumbs]

Indeed. The default should be disabled, so that it is possible for experts, e.g. the IT department, to enable the specific parts of it that they want to use.

Re:Intel ME is awesome

[AmiMoJo]

The problem is that they use it to boot the system, so you need it for at least the boot part before it can be disabled. There is that secret NSA disable bit, but you can't rely on it because at the very least the boot code has the execute first and that could be compromised.

To overcome this either Intel would have to create a new boot system and somehow disable any capability to change/update it (unlikely), or it will have to be replaced by an open source system that we can at least audit. Well, I guess there is another option, Intel could open source the boot code.

Re:Intel ME is awesome

[rastos1]

No, people decry the level of authority (the God mode) that is granted to Intel along with the difficulty or inability to disable it. Although to that end, it's absurd precisely because Intel is the creator of the CPU and hence already has a lot of supreme power over the system.

Yes, Intel has supreme power over the system. And we trusted Intel to not abuse that power. Those that did not trust it were ridiculed for the tinfoil hat. And now we have found (*) out that they did abuse the power. Or prepared the ground to abuse it - by themselves, TLA or any other bad actors.

*) I mean - as far as I understand, IME was not exactly closely guarded secret that nobody knew about. It is just that the scope was not known and more of general public is becoming aware of the it.

Re:Intel ME is awesome

Exactly! There's already Wake-On-LAN at the BIOS level which could wake up Windows OS or Linux OS which would then make use of the main CPU. This 2nd CPU used solely by IME is redundant, and obviously a backdoor.

Re:Intel ME is awesome

[thegarbz]

You may think it's cool but doing so is as stupid as thinking, "that's an awesome gun" when someone has one pointed at your head.

I would think the same thing if I knew there were no bullets. Intel's ME runs all the time because it has system reasons for doing so. The thing that freaks out most people (remote administration) is controlled by the user. This can easily be verified by a network that doesn't respond to anything when it is disabled.

At that point you are limited to physical attacks that require someone to already own your machine.

"That's a pretty neat and loaded gun that you're about to shoot me with" I said as I lay bleeding out from my stab wounds.

Re:Intel ME is awesome

[phantomfive]

But, yea, keep on beating the dead horse. Or, you know, recommend that IME be updated (with something better, perhaps?) like every security ridden nightmare that is the modern PC. Push for Intel to document it a lot better?

Intel should use formal verification. They already do it for a lot of their hardware. Also, they should at least have code review, because current evidence shows that really really dumb stuff is getting through (for example, empty password always accepted).

Re:Intel ME is awesome

[Gravis+Zero]

Intel's ME runs all the time because it has system reasons for doing so.

It only has reason to run during the initial boot sequence. This has been verified and yet IME still runs even if you disable ATM.

The thing that freaks out most people (remote administration) is controlled by the user. This can easily be verified by a network that doesn't respond to anything when it is disabled.

IME monitors packets and only acts when it gets the proper packet sequence. The stars will burn out long before you're done enumerating every packet value.

At that point you are limited to physical attacks that require someone to already own your machine.

Permanently disconnecting your computers from all networks and external devices is the only real option here. A compromised installer, updater or USB device could easily result in a permanently owned box. At that point the only option is to replace your CPU... unless you are using a laptop in which case you need to replace your laptop.

Re:Intel ME is awesome

[thegarbz]

IME monitors packets and only acts when it gets the proper packet sequence.

IME enumerates a separate interface for networking. When you disable the network interface IME is no longer listening.

Unless you can show me a detailed description of where it says otherwise.

Re:Intel ME is awesome

[sjames]

It's a dangerous as hell way to "solve" an already solved problem. The servers I work with have IPMI and a BMC on them rather than the ME. The BMC can emulate a USB DVD drive so I can do a fresh OS install. It also connects to an internal serial port so I can do serial console over LAN. It can simulate a press on the power and reset buttons. The newer ones can also act as a KVM for dealing with OSes that insist on GUI interaction. Using that, I can fully manage a server I have never actually seen that lives across the country from me.

The big difference is that it can't silently scan or modify memory while the OS isn't looking. It can't snoop the contents of the HDs. It can't log the physical keyboard. It's not just that it pinky swears not to, the hardware simply can't do it.

It's not like that capability is expensive these days. It long ago went from being an add-on to being built-in. It was already starting to appear on desktop machines as well as servers. There simply wasn't a legitimate gain from giving the ME god level access.

Re:Intel ME is awesome

[unrtst]

So yeah, sure, God-mode might be pretty cool, but it's a bit dangerous if others can exploit it just as easily as I can.

Compared to what? Exploiting the kernel? Exploiting the BIOS? We're talking about another level underneath that's fundamentally the same thing. Is getting rid of it any sort of answer? About as much as getting rid of the kernel or the BIOS. Obviously, the focus should be about documenting it and pushing for as many people as possible to replace it.

WTF? It is not fundamentally the same thing! The BIOS is there to initialize the hardware so that the OS can boot. The boot manager handles passing on that to the OS, where the kernel takes over as the running/managing process. That entire time, the ME is still there, and provides no value to that process. (I'm not saying it has zero value, but its value is not in that series of events, but outside it)

Is getting rid of it any sort of answer? About as much as getting rid of the kernel or the BIOS.

So "yes", definitely. Is that way you meant to say? We've been working to get rid of the traditional BIOS for a LONG LONG time. We've also been actively working for the past several years on minimizing the role the kernel plays (for example, the move towards vm and, more so, containers). The ME is technically unnecessary, so yes, let's just get rid of it!

I guess my overall point is, the sky isn't falling.

The sky already fell.

Re:Intel ME is awesome

[havana9]

What should be done for safety is to add a couple of pin on the chip, one that enables the BIOS flash an the one that enables the ME engine or not. So a couple of jumpers on the motherboard could make the buyer to control the behaviour. IF this is difficult because is a laptop or an embedded ssytem they could be changed with soldered blobs or even using a keyboard controller that remember the configuration set with a particular key combo on power on in an eeprom. Problem solved.

Re:Intel ME is awesome

[Gravis+Zero]

Intel won't even allow people to disable IME, let alone give them the option of how to do it. They could solve this problem a bunch different ways with ease but the point is that Intel does not want to allow you to disable IME.

Re:Intel ME is awesome

WTF? It is not fundamentally the same thing! The BIOS is there to initialize the hardware so that the OS can boot.

One, the BIOS might be "there" to initialize the hardware but at least since the days of ACPI the BIOS has taken an active role in determining power management. That's actually a large part of what IME does when AWT does. It's a major reason why disabling IME per se doesn't solve anything because if it's not the IME coprocessor it's SMM on the main processor doing the same thing and with the same power to do all the evil things you can imagine. Which, oddly enough, is well within the power of most "BIOSs" today as most are now very complex UEFI engines with as much power (through SMM) to do whatever IME can do.

The boot manager handles passing on that to the OS, where the kernel takes over as the running/managing process. That entire time, the ME is still there, and provides no value to that process. (I'm not saying it has zero value, but its value is not in that series of events, but outside it)

Read above about power management. Really, what IME is designed to do when AWT is disabled is nothing more than what has been done for a long time with SMM. The major difference is offloading the work on a coprocessor means a lot less power when a system is "off" along with extended features when AWT is enabled. There's nothing really cloak and dagger about it, per se.

So "yes", definitely. Is that way you meant to say? We've been working to get rid of the traditional BIOS for a LONG LONG time.

"traditional" BIOS indeed. And the replacement has been UEFI, with much more complexity and reach. Ie the move hasn't been to get rid of the BIOS but to supplant it with something "better".

We've also been actively working for the past several years on minimizing the role the kernel plays (for example, the move towards vm and, more so, containers).

Minimizing the role the kernel plays != getting rid of it. Meanwhile, no we haven't tried to minimize the kernel. We have tried to work to contain the kernel in VMs which themselves are very complicated beasts with no real track record of security and only some hope that less lines of code == more security. Unfortunately, that hasn't really demonstrated itself because we're still giving subordinate kernels substantial access to hardware and said kernels aren't getting any smaller. Ie VMs are at best a poor hack around properly designing around a microkernel and then figuring out how to actually handle driverhardware access in a safe way. Which is to say, we're really no further on that line than we have been since the 70s. Lots of theoretical OSs but nothing that's practically used.

The ME is technically unnecessary, so yes, let's just get rid of it!

USB is technically unnecessary. WiFi is technically unnecessary. GPUs are technically unnecessary. Again, baby out with the bathwater. You want to get rid of the IME in its current state if there is no way to supplant its firmware? That I can understand. Not even bothering to try because it's "technically unnecessary"? Do I even begin to point out that if your little fantasy of VMs were to work, something the IME holding the actual hypervisor and with superior position over the hardware might be a good location? Or debugging kernel exploits as they happen. Nah, let's just get rid of it because it's badly designed today*.

Meanwhile, have fun having no sleep mode or going back to the old way relying upon keeping the main CPU awake and having shorter battery life while asleep.

* PS - Yea, as mitigation, disable it today where possible. Which isn't the same as outright discarding it or fear mongering over it.
  Just like how today we have to be extra secure with our USB with Linux until the subsystem is substantially fixed.

Re:Intel ME is awesome

Intel should use formal verification. They already do it for a lot of their hardware.

You do realize that formal verification on software is somewhere between a lot harder to impossible, right? And it's already, often, extremely difficult for hardware.

Also, they should at least have code review, because current evidence shows that really really dumb stuff is getting through (for example, empty password always accepted).

Granted. Intel sucks when writing software and likely did a piss poor job believing obfuscation would protect them from worrying about such things. And they were right, for about a decade. That doesn't excuse their poor handling of it or their lack of documentation. Or a lack of updates. Or, well, really mostly the handling of it (including the probably needless request to disable IME if IME wasn't so badly written*) once it became clear people were treating IME as some sort of secret conspiracy instead of a [not entirely] well publicized management tool.

So, at this point we can't dismiss that the IME is a huge security vulnerability. Or that the lack of a documentation is now no longer an acceptable situation. That can be said for a lot of hardware though. The second we start seeing malware exploiting GPU firmware to override security, the same will be validly said. There's simply way too many attack vectors in the modern PC already, in the name of performance or convenience of the original hardware/software developer. Those things need definitely fixed. I've long been hoping for such with GPUs especially.

But what do I envision happening? Something along the lines of what's happening with IME. With articles written about how "the addiction of gamers" and "high end GPUs were their undoing". And calls to trust integrated GPUs (from Intel, of all people) or AMD (if it's nVidia) or nVidia (if it's AMD)...until researchers quickly (within a month) find the same sort of vulnerability in the other one along with Intel. We've got such a swiss cheese setup, it's just absurd.

*Presuming it was not so badly written, it wouldn't meaningful listen when AWT is disabled and it'd be a moot point, even probably power wise, on whether it were actually disabled.

Re:Intel ME is awesome

[phantomfive]

You do realize that formal verification on software is somewhere between a lot harder to impossible, right?

There have been a lot of tools created in the last decade that make formal verification easier.
At a minimum, Intel needs to use basic security practices like code review, which in many cases they are not.

Re:Intel ME is awesome

[unrtst]

The ME is technically unnecessary, so yes, let's just get rid of it!

USB is technically unnecessary. WiFi is technically unnecessary. GPUs are technically unnecessary. Again, baby out with the bathwater.

USB is the only one of those built into most motherboards, and it can be disabled. They can all be disabled. The power management in BIOS that you spoke of can be disabled. The IME can't be disabled.
These comparisons are not of equal parts.

If the IME were easily disabled (and veritably so), that would probably suffice for the majority of people complaining about it, and the majority of normal people still wouldn't even know what it is and would just leave it running.

Re:Intel ME is awesome

[thejynxed]

They've found at least in the case of laptops that have cellular enabled wireless, disabling your network interface does nothing because the IME has direct access and control over the wireless radio. Neither does yanking the power cord or removing the battery, because the newer ones have started coming with their own power supplies, sort of like the old CMOS batteries, only you can't access or remove those, either.

Re:Intel ME is awesome

[thegarbz]

They've found at least in the case of laptops that have cellular enabled wireless, disabling your network interface does nothing because the IME has direct access and control over the wireless radio.

And yet IME does not actually listen or respond to cellular interfaces. It does have control but that's about it. If you did have a point it was diminished by the fact that you believe a tiny battery will power fully functioning network interfaces / cellular modems.

dahlink

[PopeRatzo]

A pair of security researchers in Russia

I've found a photo of this pair of "security researchers" in Russia:

https://pre00.deviantart.net/f...

 

Can of worms

I once worked on a military base. My commander could see a bad solution and told us 'I decided to put that can of worms back on the shelf'. Intel. Put the can back on the shelf. Disable the ME. Bad idea on day one. More bad day after day. You need no more than a standard BIOS to boot. The rest, as you can see just causes problems.

Beyond scary

[markdavis]

This Management Engine stuff just gets scarier and scarier. Just like intentional backdoors in encryption WILL be found and exploited, these undocumented "systems" within our systems will be cracked and the result can and will be DEVASTATING. It is hard enough to keep operating systems updated and secure. Firmware-level security is not something that can be easily maintained on running machines, even if Intel and friends can put out patches fast enough. I want my machine to be MINE.

These "infected" machines are making their way into our entire infrastructure- controlling everything from power generation, traffic, government operations, military, healthcare, just about everything. Imagine black-hatters, rogue nations, criminals, or terrorists simply bypassing all normal security and just taking control of the hardware and doing whatever they want.

WE ALL NEED THE ABILITY TO ABSOLUTELY DISABLE ME AT THE BIOS AND/OR HARDWARE LEVEL. And we need it NOW!

Oh, and AMD is doing the same thing as Intel, so don't look to them as some alternative.

Re:Beyond scary

[110010001000]

No computer running a general purpose OS is secure. None. Security is the antithesis of general purpose computers.

Re:Beyond scary

No computer running a general purpose OS is secure. None. Security is the antithesis of general purpose computers.

Can you please provide details on how to break into an Intel 80486 system running linux with no network card? There is no USB and no management engine. Microsoft earned a very high security rating for NT with this hardware configuration.

Re:Beyond scary

[markdavis]

>"No computer running a general purpose OS is secure. None. Security is the antithesis of general purpose computers."

With that type of broad statement, you are correct- NOTHING is really "secure". Security is always matter of degrees. There is no safe that can't be broken into, eventually, with enough effort and resources. And once that method is found, it could quickly enable other safes to be broken. We shouldn't allow some company to have control over our safes and install a bunch of secret "locks" and entrances into those safes.

ME introduces another attack vector/path. And one that is not well known, and not under our (the owner's) control.

Re:Beyond scary

Funny how nobody complains about how scary systemd is, or how magically all the distros adopted it, or how a init daemon was transformed into a system daemon. Systemd is similar to intel ME, just not hardware, but software.

WE ALL NEED THE ABILITY TO ABSOLUTELY DISABLE ME AT THE BIOS AND/OR HARDWARE LEVEL.

No can do. Only two companies sell the CPU, Intel and AMD that runs your windows, linux, osx apps. Don't like their terms? Don't buy their products. When you have only two vendors, this is a problem. You have no choice but to adopt whatever they sell, or go back to the stone age and use pen and paper or some old CPU.

Re:Beyond scary

[Gravis+Zero]

This Management Engine stuff just gets scarier and scarier. Just like intentional backdoors in encryption WILL be found and exploited, these undocumented "systems" within our systems will be cracked and the result can and will be DEVASTATING.

You are now finally on the same page that computer scientists have been on for over a decade. It's been repeated many times that it's not a question of "if" it will be compromised but rather "when".

The fact that you are only just started freaking out clearly exemplifies the problem: the general public doesn't care about security until it's too late and they won't listen to experts.

Re:Beyond scary

[markdavis]

>"You have no choice but to adopt whatever they sell, or go back to the stone age and use pen and paper or some old CPU."

There are some other options:

1) Pressure the two companies to stop it
2) Try to pass a law to make them stop it
3) Use white-hatters to break into it and release ways to stop it.

Re:Beyond scary

[markdavis]

>"The fact that you are only just started freaking out clearly exemplifies the problem: the general public doesn't care about security until it's too late and they won't listen to experts."

I have been freaking out about it ever since it was introduced, and really believed that it would have been stopped or undone by now. I am not the "general public" but I agree with what you are saying. Now that there are millions of such chips out there, we have lots of ticking time bombs just waiting for the right exploits to appear.

Re:Beyond scary

[WaffleMonster]

No can do. Only two companies sell the CPU, Intel and AMD that runs your windows, linux, osx apps. Don't like their terms? Don't buy their products.

No big deal. The way things are going we're all going to be running ARM on desktop before too long anyway. Intel and AMD should do everyone a favor and go back to sleep.

You have no choice but to adopt whatever they sell, or go back to the stone age and use pen and paper or some old CPU.

The customer has all the power in the world.

Re:Beyond scary

The implications are worse; the many vectors (including this one) could mean that increasingly, software toolchains and hardware implementations will themselves become compromised with obfuscated attack code. This will be nearly impossible for society to root out over time. :-(

Re:Beyond scary

[Bert64]

With physical access there are many ways...
Open the case, extract the disk, load some malware onto it, put it back in?

Re:Beyond scary

[omnichad]

Scan for RF interference from the keyboard to get the password.

Beyond perspective.

Funny how you find that scary, and not the fact that someone has physical access to your computers.

Re: Beyond perspective.

You mean someone had physical access to the computer you now own. Like the guy at the shop who sold it to you.

Re:Beyond perspective.

[markdavis]

>"Funny how you find that scary, and not the fact that someone has physical access to your computers."

Today it is a compromise with physical means. Tomorrow it could be remote.... remember, the ME has access to the network and the host OS, so attack vectors could come from various places.

Re:Beyond perspective.

I remember. I also remember that the majority that use ME (use, not talk about it on talk shows) have the skills and knowledge to control their work environment so that unknown things aren't phoning home to every Tom, Dick, and Harry on the planet. That's what happens when the common man is exposed to a powerful work tool. They fear what they don't understand. ME is a powerful tool for those with the skills to wield it. That's who it was made for.

Re: Beyond perspective.

Not so sure about that. Does your firewall have the ability to recognize a steganographic packet being injected with regular TCP traffic? The ME has the ability to rewrite everything leaving the computer.

Re:Beyond perspective.

Funny how you find that scary, and not the fact that someone has physical access to your computers.

You mean like someone perhaps plugging in a random USB key that they found in a parking lot?

* https://en.wikipedia.org/wiki/Agent.BTZ
* https://en.wikipedia.org/wiki/2008_cyberattack_on_United_States

See also Stuxnet. You don't think various agencies try to plant moles in various companies?

Could make DRM core accessible

[Gravis+Zero]

This could potentially give people full access to the Intel Insider core which is what all the 4K DRM relies on.

I hope after IME is fully pwn3d that people will start taking a crack at AMD's PSP because I would like to have a fully open system but I refuse to financially support Intel due to their highly unethical and anti-competitive behavior.

epoxy is not the panacea

Even if the USB ports are epoxied, one can open up the box and still access the USB bus quite easily.

Re: epoxy is not the panacea

[gaussey]

Well you could epoxy the headers on the motherboard too.

yawn

how many times are you going to run this story? i think i've counted 5 so far.

Nonsense if you are SGX.

And now you know what SGX is about.

https://en.wikipedia.org/wiki/Software_Guard_Extensions

Re:Nonsense if you are SGX.

Maybe you should read Section 6.6.5 of this document, which makes it likely - though hard to tell certainty, because Intel improperly documents the ME - that SGX can be compromised from a compromised ME, instead of quoting wikipedia?

Re:God mode: Remote...for dummies.

You're still forgetting the "remote" part. There's nothing remote about saying physical access means root. And if someone has physical access there's a whole bunch of ways that don't require an ME to execute.

Not news...

...because any admin worth their salt knows that if someone has physical access to the device, it's as good as compromised, period.

Re:Not news...

[Z80a]

I think it is news, but due the other way around.
As you can access the thing via USB, now you can in theory create an USB device that knocks the unneeded ME modules off

Looks like we're all about to be bitcion miners

[doug141]

... for a botnet.

Designing hidden access is bad for Intel.

[Futurepower(R)]

Maybe they should make a movie, "Why Intel went bankrupt."

How can you deliver Intel (and AMD) computers to customers knowing that there is secret control by unknown agencies? Do you tell the customers? If you don't tell the customers, can you be taken to court and sued for damages?

Does anyone think that secret government agencies are well-managed? No one at a secret agency would ever steal?

Could the problem be solved by isolating Intel computers from the Internet, providing internet access from other computers, and providing some secure method of data transfer?

This Ask Slashdot story didn't get sufficient attention, in my opinion: Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?

The problem of hidden access is not just with Intel and AMD. Microsoft does it: Windows 10 is possibly the worst spyware ever made Quote: "Buried in the service agreement is permission to poke through everything on your PC.

Re:Designing hidden access is bad for Intel.

[infolation]

Ironically, Google might be the answer to this.

Google's engineer's work to remove unwanted firmware from Intel's chips is only one of their directions in this area.

Hopefully Google's interest in the fully open IBM Power architecture will move OpenPower out of the niche market. Google's specifically said that concerns about Intel ME and other related tech is part of their interest in the Power platform.

Re:Designing hidden access is bad for Intel.

[Agripa]

How can you deliver Intel (and AMD) computers to customers knowing that there is secret control by unknown agencies?

Maybe the NSA was the customer and paid for it like they paid RSA.

If you don't tell the customers, can you be taken to court and sued for damages?

Do you mean like all of those people who took the telecommunication companies to court when it was revealed that they were cooperating with the US Government to conduct warrantless surveillance?

https://en.wikipedia.org/wiki/...

Epoxy is easily removed.

[Futurepower(R)]

Epoxy is easily removed using a Dremel tool.

Re:Epoxy is easily removed.

[BoRegardless]

That is the problem, the hardware "fixes" are just impediments to bad guys.

Intel ME as a back door is even scarier. That is why a friend I know who does missle targeting programing does it in an isolation room with no external connections of any type and no electronic devices allowed to be brought in or you might have a very serious accident.

I don't think there is a perfect answer to security. Probably the only thing I can imagine is you carry your own OS/data in your external device and it just boots whatever computer you need, which has no CPU itself. But that still won't stop it from getting corrupted.

Re:Epoxy is easily removed.

Probably the only thing I can imagine is you carry your own OS/data in your external device and it just boots whatever computer you need, which has no CPU itself.

If you carry your OS and data on your external device and then boot a machine that uses Intel CPU, you are still screwed by IME. Your suggestion is not an improvement.

Re:Epoxy is easily removed.

Weld them together then. You can't exactly hack USB ports if they are welded on to the motherboard. Also solder all PCI-e devices down.

It's happened before.

Mod parent up!

Questions

[NicknameUnavailable]

• How practical is it to execute code on ME?
• How powerful is the ME processor compared to the real one? 100% the power? 10%? etc?
• Is it possible to take advantage of this to not only stop the ME from spying, but to increase performance?

Re:Questions

[Gravis+Zero]

How practical is it to execute code on ME?

For general applications, it's absolutely worthless. It doesn't even use the x86 architecture.

Is it possible to take advantage of this to not only stop the ME from spying, but to increase performance?

Realistically, no.

Re:Questions

The latest MEs have an x86 processor, 486 like but with a much higher clock.

Re:Questions

Not very powerful but it doesn't need to be. Since the IME has full access to everything you can simply use the IME to patch the operating system's or hypervisor's kernel once it is loaded into memory and do whatever you want from there. A perfect and undetectable bootkit that even if somehow detected can't be removed.

This isn't a bug

This is not an exploitable bug, it is an NSA feature.

I'm safe!

[DontBeAMoran]

I knew there was a good reason to keep this VIA C3 Mini-ITX motherboard around!

Good. Step 1: dump plaintext Minix OS?

First task should be to get the fully unencryped Minix ME OS so we can figure out how to neuter and replace it with something safe, that users can control or just turn off permanently.

Hell, wouldn't it be juicy if private keys or something were extracted, so the ME system could just be broken permanently for all machines, so the current range of chipsets could be easily made user-trusted with a simple app run once per PC?

You are the customer?

Wait, so when I buy an Intel processor, *I* am the customer now? The processor does stuff against my wishes for others benefit???

WTF. Intel really dropped the ball. You can see why they're selling only 15% of the processors now, with ARM taking most of the market from them right under their nose.

A very important front for software freedom

[jbn-o]

WE ALL NEED THE ABILITY TO ABSOLUTELY DISABLE ME AT THE BIOS AND/OR HARDWARE LEVEL. And we need it NOW!

What you're describing is software freedom. And you deserve software freedom for all of the computers you own. You should be allowed to run, inspect, share, and modify the BIOS, "Management Engine" (or workalike), and all of the other software on the computer including any encryption keys used. Fortunately for all of us people are working on different architectures and on freeing common architectures, so I hope you'll help them.

Re:A very important front for software freedom

[thejynxed]

Except the software is the smallest part of the ME.The ME comprises a series of CPUs (some ARM-based), low-level hardware access, and in some cases found so far, it's own power supplies and cellular data connection.

The software side of it is only a small start to things that need remedied in this situation, especially a situation in which we find a system-within-a-system such as this that can entirely override the command functions of the UEFI/BIOS firmware, the OS, and last but not least, the end-users/system admins themselves, remotely, even if you pull the plug.

Emty rhetoric

It is unlikely that Americans fully understand what an internet without censorship and mass surveillance is really like, to the point that I much of what Americans have to say on the subject is empty rhetoric.

Abort! Abort!

[mentil]

Nerd: *tapa tapa tapa* Oh my god! The Intel Managament Engine... it's gone rogue! It's out of control!
Man With Shades And Many Chevrons: Shut it down!
Nerd: *tapa tapa tapa* I'm trying! But it's not responding to the shutdown code!
Man With Shades And Many Chevrons: Just pull the plug or something!
Nerd: It already has control over our systems! We'll need to do a manual override!
Man With Shades And Many Chevrons: Dammit! Where's Bruce Willis when you need him?!

Don't worry guys

Electronic voting is still better than paper.
After all, someone could bring in a million boxes of ballots.
These attacks on evoting machines have never been proven in the real world.

Thank God Minix 3 is under a BSD-style License

[rodia]

It helps to protect Intel's valuable intellectual property called ME from people like us. Don't listen to this barefoot Hippie Stallman from the FSF, he just wants the unwashed masses to have actual control over the machines they payed for.

Something useful?

[aglider]

I have no idea how powerful that engine is.

I hope someone will come out with some neat idea to usefully exploit that ME in favour of the users.
Maybe some femto-kernel or the likes...

Re:Something useful?

I have no idea how powerful that engine is.

In raw number crunching "power"? Not very powerful.

In complete access to your system "power"? Quite powerful.

Bert64 the great bullshitter shotdown... apk

See subject: It was a pleasure shooting down your obvious self-upmodded by sockpuppet post pure bs here https://linux.slashdot.org/comments.pl?sid=11338175&cid=55527999/

* We don't know what ports Intel ME/AMT uses? Bullshit - it's easy to trigger yourself (& has blank logon - what everyone's worried about regarding it) to see EXACTLY what ports it uses yourself, easily.

(Clue - don't EVER "take potshots" @ ME, ever again...)

APK

P.S.=> I see you're "@ it again" spouting 'put them in doubt bs' (which ANY FOOL, especially like yourself doing it YET AGAIN, lol, can do) with "miraculous circumstances" pretty much - well, the DAY YOU DO A BETTER SOLUTION vs. ANYTHING than I have in the link above? Is the day YOU actually accomplished something of worth you bogus bullshit artist do-nothing... apk

Bert64 the great bullshitter shotdown... apk

See subject: It was a pleasure shooting down your obvious self-upmodded by sockpuppet post pure bs here https://linux.slashdot.org/comments.pl?sid=11338175&cid=55527999/

* We don't know what ports Intel ME/AMT uses? Bullshit - it's easy to trigger yourself (& has blank logon - what everyone's worried about regarding it) to see EXACTLY what ports it uses yourself, easily.

(Clue - don't EVER "take potshots" @ ME, ever again...)

LASTLY: DAYS LATER I SEE YOU DOWNMOD "HID" (or tried to, I won't ALLOW it fool) LAST TIME I POSTED THIS TOO https://slashdot.org/comments.pl?sid=11345669&cid=55535545/ - you are a sockpuppeting loser, no questions asked now!

APK

P.S.=> I see you're "@ it again" spouting 'put them in doubt bs' (which ANY FOOL, especially like yourself doing it YET AGAIN, lol, can do) with "miraculous circumstances" pretty much - well, the DAY YOU DO A BETTER SOLUTION vs. ANYTHING than I have in the link above? Is the day YOU actually accomplished something of worth you bogus bullshit artist do-nothing... apk