Slashdot Mirror


Researchers Run Unsigned Code on Intel ME By Exploiting USB Ports (thenextweb.com)

Slashdot user bongey writes: A pair of security researchers in Russia are claiming to have compromised the Intel Management Engine just using one of the computer's USB ports. The researchers gained access to a fully functional JTAG connection to Intel CSME via USB DCI. The claim is different from previous USB DCI JTAG examples from earlier this year. Full JTAG access to the ME would allow making permanent hidden changes to the machine.
"Getting into and hijacking the Management Engine means you can take full control of a box," reports the Register, "underneath and out of sight of whatever OS, hypervisor or antivirus is installed."

They add that "This powerful God-mode technology is barely documented," while The Next Web points out that USB ports are "a common attack vector."

27 of 171 comments

  1. Re: MODERATION IS CENSORSHIP by 140Mandak262Jamuna · · Score: 4, Insightful

    You have the right to speak. We have the right to ignore you. It is our freedom of speech to call you a crackpot.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  2. Re: MODERATION IS CENSORSHIP by 140Mandak262Jamuna · · Score: 2

    Probably a bot. Watching new topics and posting first.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  3. Re: MODERATION IS CENSORSHIP by Narcocide · · Score: 2

    When you post off topic drivel in an attempt to derail a conversation you're suppressing the free speech of others. Get fucked.

  4. Will Intel ME run Windows ME? by jfdavis668 · · Score: 3, Funny

    I hear it runs a version of MINIX 3. Can we hack in and install the more nomenclaturely correct Windows ME?

  5. Re:Please explain by Anonymous Coward · · Score: 5, Insightful

    even an AC on this site should be smart enough to know the difference. if you can't, perhaps you should go run along to reddit or some other site where the users and their submissions are down at your own comprehension level.

    vulnerabilities in linux kernel drivers for usb are relatively easy-to-fix *SOFTWARE* issues.

    the code is worked-on and reviewed by multiple, independent parties; and can also be examined and compiled by end users.

    vulnerabilities in intel management engine are not. they are flaws in the *HARDWARE*

    the feature is embedded in the silicon of every fucking processor they manufacture. a similar feature is also found inside the more recent amd processors as well. problems here would require swapping hardware (processors, processors and/or bios). these features and the firmware that controls them are closed-source, proprietary, and not documented for the public. you have to give blind faith and trust to hardware vendors (intel, amd, bios producers, motherboard manufacturers, etc) to actually fix the vulnerabilities and/or allow the total and irreversible disabling of the features.

  6. Intel ME is awesome by Anonymous Coward · · Score: 5, Insightful

    What I hate about all these stories? We have security researchers who decry the evil of Intel ME. How it can be used to fully control a system. How it allows remote access. You know, those are GOOD things. The only bad parts are (1) it's closed source, (2) it has security vulnerabilities, and (3) the owner (whether it's a corporation or a single person) doesn't have control over it. What I want to see is not the Intel ME disabled. I want to see it turned into a bare bones OS precisely for the average user to remotely log in, flash a new BIOS (or recover from a brick), and to maximize control over things like power settings, usb access, etc.

    There's nothing wrong with a God mode. The key is making sure the right person is God.

    1. Re:Intel ME is awesome by duke_cheetah2003 · · Score: 3, Interesting

      What I hate about all these stories? We have security researchers who decry the evil of Intel ME. How it can be used to fully control a system. How it allows remote access. You know, those are GOOD things. The only bad parts are (1) it's closed source, (2) it has security vulnerabilities, and (3) the owner (whether it's a corporation or a single person) doesn't have control over it. What I want to see is not the Intel ME disabled. I want to see it turned into a bare bones OS precisely for the average user to remotely log in, flash a new BIOS (or recover from a brick), and to maximize control over things like power settings, usb access, etc.

      There's nothing wrong with a God mode. The key is making sure the right person is God.

      The problem here is as the TFA points out, the Intel ME stuff is really poorly documented and it's very complicated what tools and documents I've come across. Certainly way more than an end user could wrap their head around if a refurbisher like me is still trying to understand ME and how it works, when it works, etc.

      The closed-source nature of it is a huge problem too, as obvious from this article. So yeah, sure, God-mode might be pretty cool, but it's a bit dangerous if others can exploit it just as easily as I can. This is a pretty viable attack vector too, since you know, a payload could deliver the ME sploit, infect any usb storage devices, and hope for the next fool who boots accidentally or intentionally from those devices. I imagine if an attacker took control of the ME subsystem, it'd be a real bitch to eject their crap, considering how poorly ME is documented and how arcane the tools are.

      In my experience as a refurbisher, it's a very rare sight to see any laptop or desktop computer that even mentions ME, or has an option to turn it off in the BIOS. Most of the ME implementations are completely transparent to the host computer, never mentioned in the BIOS, no way to turn it off, no indication it's even there.

    2. Re:Intel ME is awesome by MrKaos · · Score: 3, Insightful

      There's nothing wrong with a God mode. The key is making sure the right person is God.

      Yeah, I'm kinda thinking that if the management engine is on the machine and it is MINIX, I'd like to use it myself to, you know, manage the machine. I'm pretty sure I paid for it.

      --
      My ism, it's full of beliefs.
    3. Re:Intel ME is awesome by Anonymous Coward · · Score: 3, Interesting

      The problem here is as the TFA points out, the Intel ME stuff is really poorly documented and it's very complicated what tools and documents I've come across. Certainly way more than an end user could wrap their head around if a refurbisher like me is still trying to understand ME and how it works, when it works, etc.

      What you describe covers a lot of electronics that have been co-opted by hackers and turned into Linux running systems. I'm not saying it's a trivial task, and I don't think I'm personally up to the challenge. But these security researchers who know how to exploit the Intel ME are the forefront of being able to document how it works and working out how to inject a whole new OS.

      The closed-source nature of it is a huge problem too, as obvious from this article. So yeah, sure, God-mode might be pretty cool, but it's a bit dangerous if others can exploit it just as easily as I can.

      Compared to what? Exploiting the kernel? Exploiting the BIOS? We're talking about another level underneath that's fundamentally the same thing. Is getting rid of it any sort of answer? About as much as getting rid of the kernel or the BIOS. Obviously, the focus should be about documenting it and pushing for as many people as possible to replace it.

      This is a pretty viable attack vector too, since you know, a payload could deliver the ME sploit, infect any usb storage devices, and hope for the next fool who boots accidentally or intentionally from those devices. I imagine if an attacker took control of the ME subsystem, it'd be a real bitch to eject their crap, considering how poorly ME is documented and how arcane the tools are.

      Which, again, is how far away from kernel and extant BIOS exploits? It wasn't but a few days ago that it was pointed out how much of a mess the Linux USB subsystem is. I can't believe that Windows' closed source drivers are any better, even if the exact attack vector is different. The answer is, again, to document and replace. However you look at it, throwing around a lot of fear at this stage is only useful if we're hearing ways to mitigate (which is true to at least the extent of mentioning USB ports as an attack vector but really too broad a point unless that was actually the message being delivered). It doesn't sound like that's being pushed at all, though, which is actually the greatest disservice.

      In my experience as a refurbisher, it's a very rare sight to see any laptop or desktop computer that even mentions ME, or has an option to turn it off in the BIOS. Most of the ME implementations are completely transparent to the host computer, never mentioned in the BIOS, no way to turn it off, no indication it's even there.

      Which only highlights the point about educating users. If the setting does exist, disable it. If you're not sure and you're Intel, presume the worst and protect your USB ports. That's good advice, period, given the repeated stories of social engineering with dropped usb drives. Don't think you're safe with AMD because they have the PSP which may be just as bad.

      I guess my overall point is, the sky isn't falling. We're just finding new ground. We should be the ones to exploit it before bad hackers do.

    4. Re:Intel ME is awesome by daniel23 · · Score: 2

      That's easy, Intel and no one else.
      However, during development a guy in a dark suit comes along, representing $TLA.
      "Thou shalt not..." he says, so now there are 2 Gods.

      Said agency looks at the matter and insists on a kill switch for their own boxes - which is a wise move and everyone should have that. But then again, where is the fun in being God if everyone can lock you out?

      So it is kept top secret how to access the ME and only $ThirdParty with the appropriate clearing learn about it. Amongst them $Contractor sees the value and sells the details to $Spy in exchange for $$$.
      Spies spy on spies, trust turns trusted and not long there is a small crowd of gods and semi gods competing to reap and exploit.

      Enter $researcher who, by diligence and ingenuity, finds a way in no one else thought about before.

      --
      605413? Yes, it's a prime.
    5. Re:Intel ME is awesome by Gravis Zero · · Score: 3, Interesting

      We have security researchers who decry the evil of Intel ME.

      The part they decry more than anything else is that it cannot be disabled. Seriously, this is the biggest issue about IME is that it is designed to always run no matter what and if it's not running, the rest of the system is prevented from running.

      You may think it's cool but doing so is as stupid as thinking, "that's an awesome gun" when someone has one pointed at your head.

      --
      Anons need not reply. Questions end with a question mark.
    6. Re:Intel ME is awesome by sjames · · Score: 2

      It's a dangerous as hell way to "solve" an already solved problem. The servers I work with have IPMI and a BMC on them rather than the ME. The BMC can emulate a USB DVD drive so I can do a fresh OS install. It also connects to an internal serial port so I can do serial console over LAN. It can simulate a press on the power and reset buttons. The newer ones can also act as a KVM for dealing with OSes that insist on GUI interaction. Using that, I can fully manage a server I have never actually seen that lives across the country from me.

      The big difference is that it can't silently scan or modify memory while the OS isn't looking. It can't snoop the contents of the HDs. It can't log the physical keyboard. It's not just that it pinky swears not to, the hardware simply can't do it.

      It's not like that capability is expensive these days. It long ago went from being an add-on to being built-in. It was already starting to appear on desktop machines as well as servers. There simply wasn't a legitimate gain from giving the ME god level access.

  7. Beyond scary by markdavis · · Score: 5, Interesting

    This Management Engine stuff just gets scarier and scarier. Just like intentional backdoors in encryption WILL be found and exploited, these undocumented "systems" within our systems will be cracked and the result can and will be DEVASTATING. It is hard enough to keep operating systems updated and secure. Firmware-level security is not something that can be easily maintained on running machines, even if Intel and friends can put out patches fast enough. I want my machine to be MINE.

    These "infected" machines are making their way into our entire infrastructure- controlling everything from power generation, traffic, government operations, military, healthcare, just about everything. Imagine black-hatters, rogue nations, criminals, or terrorists simply bypassing all normal security and just taking control of the hardware and doing whatever they want.

    WE ALL NEED THE ABILITY TO ABSOLUTELY DISABLE ME AT THE BIOS AND/OR HARDWARE LEVEL. And we need it NOW!

    Oh, and AMD is doing the same thing as Intel, so don't look to them as some alternative.

  8. Re:MODERATION IS CENSORSHIP by MrL0G1C · · Score: 2, Insightful

    Posting as AC is self-censorship.

    --
    Waterfox - a Firefox fork with legacy extension support, security updates and better privacy by default.
  9. Could make DRM core accessible by Gravis Zero · · Score: 5, Interesting

    This could potentially give people full access to the Intel Insider core which is what all the 4K DRM relies on.

    I hope after IME is fully pwn3d that people will start taking a crack at AMD's PSP because I would like to have a fully open system but I refuse to financially support Intel due to their highly unethical and anti-competitive behavior.

    --
    Anons need not reply. Questions end with a question mark.
  10. Re:Please explain by rudy_wayne · · Score: 2

    vulnerabilities in intel management engine are not. they are flaws in the *HARDWARE*

    But you still need physical access to the machine.

    And I think it's mostly firmware, not hardware, so it's probably patchable.

  11. Re:Beyond perspective. by markdavis · · Score: 2

    >"Funny how you find that scary, and not the fact that someone has physical access to your computers."

    Today it is a compromise with physical means. Tomorrow it could be remote.... remember, the ME has access to the network and the host OS, so attack vectors could come from various places.

  12. Re:God mode. by duke_cheetah2003 · · Score: 3, Interesting

    So all this is really saying is physical access is god mode. You don't need an ME for that to be true.

    Sadly, you're incorrect. This is a fairly viable remote attack vector. All you need to have is something to deliver the sploit to the host, infect any usb storage devices with your ME sploit and wait for some fool to boot one of those devices accidentally or intentionally. In the meantime, your malware continues to infect every USB device ever attached to the machine. You'll definitely hook a good number of targets, with that number always climbing as more machines get infected and infect more USB storage devices.

  13. Designing hidden access is bad for Intel. by Futurepower(R) · · Score: 2, Informative

    Maybe they should make a movie, "Why Intel went bankrupt."

    How can you deliver Intel (and AMD) computers to customers knowing that there is secret control by unknown agencies? Do you tell the customers? If you don't tell the customers, can you be taken to court and sued for damages?

    Does anyone think that secret government agencies are well-managed? No one at a secret agency would ever steal?

    Could the problem be solved by isolating Intel computers from the Internet, providing internet access from other computers, and providing some secure method of data transfer?

    This Ask Slashdot story didn't get sufficient attention, in my opinion: Ask Slashdot: Best Way To Isolate a Network And Allow Data Transfer?

    The problem of hidden access is not just with Intel and AMD. Microsoft does it: Windows 10 is possibly the worst spyware ever made. Quote: "Buried in the service agreement is permission to poke through everything on your PC."

    1. Re:Designing hidden access is bad for Intel. by Agripa · · Score: 2

      How can you deliver Intel (and AMD) computers to customers knowing that there is secret control by unknown agencies?

      Maybe the NSA was the customer and paid for it like they paid RSA.

      If you don't tell the customers, can you be taken to court and sued for damages?

      Do you mean like all of those people who took the telecommunication companies to court when it was revealed that they were cooperating with the US Government to conduct warrantless surveillance?

      https://en.wikipedia.org/wiki/...

  14. This isn't a bug by Anonymous Coward · · Score: 2, Insightful

    This is not an exploitable bug, it is an NSA feature.

  15. Re:Please explain by DontBeAMoran · · Score: 3, Funny

    Why does everybody keeps saying that AMD made the PSP? It's made by SONY you morans!

    --
    #DeleteFacebook
  16. Re: Please explain by BLToday · · Score: 2

    You know this is Intel right? They didn’t even bother fixing scaling issue on some of their integrated graphics (over scanning or under scanning). Their solution was to load custom resolution which doesn’t work on some affected systems because the drivers didn’t allow you to load custom resolutions. And you can’t add a graphics board because the system is a micro PC. Do you really think Intel will go back and fix ME for systems that are more than 3 years old?

  17. A very important front for software freedom by jbn-o · · Score: 5, Insightful

    WE ALL NEED THE ABILITY TO ABSOLUTELY DISABLE ME AT THE BIOS AND/OR HARDWARE LEVEL. And we need it NOW!

    What you're describing is software freedom. And you deserve software freedom for all of the computers you own. You should be allowed to run, inspect, share, and modify the BIOS, "Management Engine" (or workalike), and all of the other software on the computer including any encryption keys used. Fortunately for all of us people are working on different architectures and on freeing common architectures, so I hope you'll help them.

  18. Re:Please explain by thegarbz · · Score: 2

    you morans

    It's spelled mor... oh for Pete's sake.

  19. Re:Please explain by DontBeAMoran · · Score: 2
    --
    #DeleteFacebook
  20. Re: MODERATION IS CENSORSHIP by uncqual · · Score: 2

    Which Supreme Court? Are you thinking of the Pruneyard Shopping Center v. Robins (1980) case? This was initially decided by the California Supreme Court based on the California Constitution. The Supreme Court of the United States upheld the California Supreme Court decision by ruling that State Constitutions are not in violation of the United States Constitution if they grant broader rights within the state than the United States Constitution does - they didn't find that the United States Constitution protects a "free speech" right under the First Amendment in the common areas of a shopping mall.

    Perhaps you're thinking of another case, but I don't recall such a case right off the top of my head. Do you have a cite?

    --
    Why is there an "insightful" mod and why isn't it "-1"? If I wanted insight, I wouldn't be reading /.