Slashdot Mirror
Can Intel's 'Management Engine' Be Repurposed?
Long-time Slashdot reader iamacat writes:
Not a day goes by without a story about another Intel Management Engine vulnerability. What I get is that a lot of consumer PCs can access network and run x86 code on top of UNIX-like OS such as Minix even when powered off.
This sounds pretty useful for tasks such as running an occasional use Plex server. Like I can have a box that draws very little power when idle. But when an incoming connection is detected, it can power itself and the media drive on and serve the requested content.
The original submission ends with an interesting question. "if Intel ME is so insecure, how do I exploit it for practically useful purposes?"
This sounds pretty useful for tasks such as running an occasional use Plex server. Like I can have a box that draws very little power when idle. But when an incoming connection is detected, it can power itself and the media drive on and serve the requested content.
The original submission ends with an interesting question. "if Intel ME is so insecure, how do I exploit it for practically useful purposes?"
Oh fuck you already fake apk.
Repurposed... to mine bitcoins!
It seems that Linux is better designed than Minix after all.
The submission is confusing because the author proposes "repurposing" the ME, but the example is something that it what it is intended for in the first place. Back when it was first introduced, I worked for a company that created a program that would wake a remote computer on demand and run a few sundry tasks: a defrag and a backup. Intel partnered with various software vendors to create demos of what ME could do. And heck, even without ME, most network cards have a wake-on-LAN feature anyway.
Intel clearly didn't do a good job marketing the feature if nobody thought of how to use it until a vulnerability was found in it.
Many many years ago there was an exploit called "Back Orifice" which was more properly named "Cult of the Dead Cow". It was quite ingenious and had a very small surface area. I knew a few fellow admins that blocked the exploit at their firewall but then used it for remote management because it was memory/network efficient and supported all of their needs better than any third-party company could.
Risk v.s. Reward is always prevalent. Good luck on your efforts.
..
That's exactly what WOL is for, as I run mine on a pre-IME processor...as my Plex box doesn't require that much horsepower to do what it does.
Much like Xbox mods and others, it is of limited to no use, since it loses code on poweroff and due to signing, any attempt at exploits which carry over across power cycles will either cause the system to crash or simply not work.
What is needed is some corporate espionage to find/leak these signing keys, or documentation explaining what key update/replacemet mechanism was build into the southbridges in case the key DID leak, then either assigning a new key there, or fusing it open so the signing check is always true/ignored.
Nope, the NSA have it completely secured to prevent anyone from stopping it mining Bitcoins.
"Intel clearly didn't do a good job marketing the feature..."
I agree. It seems to me that Intel ME could be a good idea. What is extremely self-destructive to Intel is that customers have insufficient understanding and insufficient control.
Intel news stories (April 17, 2017 )
Articles about spyware in CPUs (June 18, 2017)
"ME is turning into a colossal dumpster fire." (December 10, 2017 )
So said Linus as seen in the first slackware distro.
That would be some interesting networking globally to watch for?
Unexpected gov/law enforcement/mil staging servers reaching around for the port?
If only a big pool of users globally had some software installed that could be updated to keep watch for strange port and hardware request activity?
Domestic spying is now "Benign Information Gathering"
The Intel ME (I think) was a combination Light Out mangement management engine and a VNC server, basically IPMI over IP with a remote console.
It wasn't that secret as I recall it started with something like the P68 chipset on Intel motherboards and was ubiquitous, the weird path to obscurity was when they tried to monetize and license it..
The best thing Intel could do today would be to fully document and open it up. People would probably choose to either disable it, or more probably add-on a seperate ethernet card for secure traffic, and reserve the built-in NIC for management activities like on HP servers with its iLO interface.. they also had a "shared" mode stealing interstitial ethernet CDMA intervals to virtualize two seperate Ethernet MAC addresses on the same physical hardware.. duty cycle something like 80/20 but they had the lesson learned to also make it disabled and use (only) a seperate add-on interface connected to different pins on the motherboard, for 100/100 across two different NIC interfaces for practical reasons. Ironically it all started with the Gas and Oil industry, Exxon back in the days when they wanted remote mangement on their servers.. in pre-HP Compaq days.. Intel saw that and wanted some of that business.. so it crept into the base designs later.. without a lot of thought.. which has come home to roost
You can bet every intelligence organization on the planet is after Intel's ME keys. Sooner or later someone will get them.
iamacat writes:
Not a day goes by without a story about another Intel Management Engine vulnerability.
I've missed at least the last 60 of these. Being generous.
Submission is real confused.
While it's possible to bend the IME to your own will, it's far more trouble than it's worth. For one, you can get an entire dedicated NAS that uses less power and space for less money than any comparable Intel setup. This approach requires magnitudes less time, effort and expertise. The design of the IME is such that it is suited to be an invisible backdoor that cannot be removed. It is for this reason that the most reasonable course of action is to disable and shutdown the IME after it has finished the system initialization.
Anons need not reply. Questions end with a question mark.
For years now, servers have had a Baseboard Management Computer (BMC) that was always on and could control power, press reset, and provide serial console over LAN. Newer ones provide virtual media and built-in KVM capabilities. At first it was an add-on card that cost an extra $50-$100, then it got so cheap it was simply built in. They spoke IPMI and in some cases also provided http and ssh interfaces. Often they have the option of a physically seperate LAN interface so you can put them on a private LAN. Those are really great for remote management.
Since they had no access to the flash, main memory, or PCI bus, they had little of the nefarious capability of the ME. They couldn't read data off the drive or snoop the keyboard, for example.
The ME, on the other hand, is loaded with nefarious potential, so much so that exploiting the ME means game over for the main computer. It already has all of the capabilities TFA suggests, it's just that the chintzy bastards are holding out for more money to turn it on. You can have all the bad parts for free though.
...spy on DRM and crack it open...
Mmhmm. AMD would be just as bad if they were in Intelâ(TM)s position
The Q35/Q45 chipsets each had bugs that allowed them to be exploited (Q35) and disabled (Q45).
The X58, I forget if due to bugs or some other needs, didn't have an Intel ME available in it, utilizing a regular southbridge plus a limited chipset hub.
Sandy Bridge was the first to have it, and as a result of buggy XAPIC2 support on the Nehalem/Westmere boards was the first to have reliable IOMMU/VTd support, but also had mandatory intel me firmware (until me_cleaner figured out how it operated and that it could mostly be disabled.)
All later versions up until Gen 10 of Intel ME were variations of the same ARC processors used from Q35 era up, and ran ThreadX with some proprietary software on top for the management functions. Furthermore, I don't have a citation for this, the ARC processors had been used prior to the Intel ME as the memory controller, utilizing ROM code to set the memory straps, decode the column/row array addressing, etc. After Gen10 is the Intel (whatever) P54C or 486, or whatever multicore ME running Minix3.
Would take care of that. Given your own code in the ME and assurances that no one can remotely unlock/reprogram the SPI flash, the ME would actually make an excellent secondary processor for a number of purposes, including working with an modified keyboard with encryption over the line to decode keystrokes intended to be sent to the OS, while providing local services unavailable to the OS when needed for unlocking/decoding/passing through keys from secure key storage.
The possibilities for a user controlled management procesor like the Intel ME are limitless, and many of them could improve the security of the system by keeping input devices from being snoopable at the operating system level. With some work it would even be possible to have apps communicate with the ME directly, allowing a secure I/O space the operating system and keyloggers/sniffers programmed to look at the keyboard device would be unable to access.
The main use I can think of would be to properly own your own hardware: If, for some reason, you're in the habit of using software that comes with an inconvenient DRM scheme or anti-cheating mechanisms, the ability to debug & manipulate software that doesn't want to be debugged or manipulated can be quite helpful in overcoming some of the more sophisticated obstacles the developers of such software like to set in your way.
I won't get into an argument over whether you're right about that or not, but I will say we can work to make that point entirely irrelevant. If we work to give AMD and Intel roughly equal market share, then start propping VIA up until we have 3 equal players (VIA could catch up in performance and power efficiency with some funding; they've got the engineering capabilities, they simply lack funding). As each of the smaller players gets bigger, the bigger player gets smaller; we begin opening the door for a fourth serious player, then a fifth, and so on.
If AMD and Intel are both compromised in the market, and let's go ahead and assume they are for the purpose of this discussion, the correct response is to redistribute market share in a way that shrinks the biggest players and makes room for new players who may not be compromised.
Since VIA is not an option for the typical desktop or workstation user, and there are no other players, that means growing AMD even if they're also compromised, simply to shrink Intel. Then, we start growing VIA for lower-power needs, until they're able to catch up in performance-per-watt; then we grow them to be Intel and AMD's equals. We show other foundries that there is room to grow in the x86 market, they step up, we grow them, then we win.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
At the expense of the billions who will be hacked.
Great.
And heck, even without ME, most network cards have a wake-on-LAN feature anyway.
It's all about YOU, isn't it? (LOL)
Our reign has gone on long enough. Indeed. Summon the meteors.
This is kind of like saying a bandsaw is a useful tool to shred cheese. You realize that any single vulnerability immediately will run at ring -3 and can over-write anything, I mean any part of your system. I also really doubt you would get any type of speed up over just normal OS.
Someone is off their meds today it seems...
Erm, AMD has PSP. It is not that much different from IME.
Seeing as ``ME'' is in a position to debug e.g. running kernels over Ethernet, isn't it about time we had that function? No need for Intel to keep it schtum anymore with the recent revelations, is there.
If there is off the shelf software that does what I want (on demand services on a box that uses very little power when not in use), I would be happy to purchase it for reasonable price. If not, I can only gain the functionality by hacking and repurposing it.
You cannot repurpose IME, because you would be in violation of DMCA. If you think that it could cause a security risk, then your only choice is to stop using the hardware or accept the risk.
Slackware was far from the first linux distro, if that was what you were (trying to) get at. Slackware was based on SLS.
If you're using it to wake up your computer on LAN activity - that is what it was designed to do, it is an option that can be configured in the BIOS of the "nettop" that I have with an Atom processor. If the computer originally came with Win 8 or later (the UEFI-based boot system never show a BIOS screen) then I'm not sure how you'd set this option - but that is exactly what the IME was intended for.
The IPMI chip that is shipped on most hosts doesn't have a lock down key.
The package itself is open source and you can build your open FRU image. Most people don't like or can't understand how to work in embedded systems. It brings a lot of tears to me.
If you want to play around with something embedded go pick up a DD-WRT or Open-WRT supported router and get cracking. If you have some experience with C then start cranking out some improvements to U-Boot. I have a list of shit I want to do and release to the community. My free time is dedicated to other more wordly tasks these days.
Thankfully, my company actually has some sane open source policies and I can contribute back my knowledge gains. Someday, I'll fix the terminal chain code to my liking.
The problem is ME is like a colander designed to be a boat for large companies. In the end, large companies were already planning to line the bottom of their boat with a hard seal, so no real problem for them. The rest of us, though, aren't willing to seal off the boat because that fundamentally defeats the purpose. So, I'd argue that in effect Intel's purpose wasn't what the author desires precisely because they never designed it for the environment it's to be used in and hence it can't reasonably work.
Which fundamental are a no go because they're too vulnerable to attack.
No, I'd argue Intel did a great job marketing the feature to the intended audience. It's that in their design focus to minimize design costs, they decided to push the ME into desktop systems where it was never intended. If Intel ME had actually been developed with the internet in mind, we'd have seen (1) more common management tools and clear desktop user documentation and (2) an actually hardened system that relies upon public keys for verification. We'd also likely have seen a lot more documentation along with at least some of the source code to make it easier for more permanent modifications (likely by OEMs).
Honestly, it's really hard to argue that it's just a PR mess. There's so much potential in what Intel ME could be, but it's wasted because it was designed for enterprises to complete control systems. Given to users, though, and it undermines DRM and just about everything else in the desktop space. Without a radical hardware redesign of what Intel ME is or simply dropping it for desktops, I don't really see what Intel can do. Of course, that helps nothing for all the Intel ME designs in the wild. The real fun comes now in just how far hackers figure out how to push the Intel ME to totally subvert whatever protect Ring -1 and -2 were meant to provide. Makes me wonder if TPMs are safe.
The real power of IME has always been reserved to the Q-series motherboards at the consumer level. No one bought those, only if you specifically wanted it.
Yggdrasil for the win!
Since security problems have been found in the Intel ME, it is probably better to replace the whole operating system. Consider installing Windows. Not having a video adapter connected to the ME engine will fix some annoyances like those BSOD that once in a while appear when running Windows in the user space.
With no added systemd
Sent from my ASR33 using ASCII
The NSA beat you to it.
The OEM's that are simply disabling the system is probably the best move. It's one of those things that once the hackers begin to focus on it, the attacks will continue. Most users have never bothered to even understand what it does in the first place. Most will never miss it if its disabled.
Exactly what I was thinking. Could be used for an Open Source hypervisor at the base of the very system. Maybe it could even make Qemu/KVM details more efficient, ... Could be a auxiliary, deep sleep co-processor for your Un*x OS, ... ;_)
Since it renders ANY computer vulnerable to being hijacked, even if shut off, the ME can now be used as a shield against any claims of copyright infringement.
Stop it's ability to send info. outward via router port filtering ports 16992-16995 + 623-625 Intel AMT/ME uses in a modem/router external to OS/PC.
Intel ME/AMT operates from your motherboard but has NO CONTROL OF YOUR MODEM/ROUTER!
(This stops it cold talking in/out permanently OR being able to remotely 'patch' it to use other ports by Intel OR malicious actors/malware makers etc.!)
Additionally, once you disable the AMT engine's software interface (ez via software like the unistaller for it & DisableAMT.exe + the test in usermode via Intel-SA-00075-GUI.exe to TRIPLE CHECK)? A malware to 'repatch' this = impossible (bios updaters require it in usermode ware, e.g. ASUS).
(I only allow 80, 8080 & 443 in/out here on a SINGLE stand-alone system (no home LAN but TCP/IP connected online in BOTH my modem or router port filters or software firewalls))
HOWEVER - Be CERTAIN your modem/router's internal ware is "solid" too (turn off things like UPnP etc. & CHECK router/modem HAS NO KNOWN BACKDOOR EXPLOITS (tons do unfortunately)) - get it patched ASAP if it's KNOWN exploited & TONS of routers, ARE https://it.slashdot.org/comments.pl?sid=9995967&cid=53488785/
* GOOD ROUTERS/MODEMS HAVE PORT FILTERING OPTIONS (crappy ones don't)!
Especially after this finding: Intel Management Engine pwned by buffer overflow vendor patches for the vulnerability may not be enough http://www.theregister.co.uk/2017/12/06/intel_management_engine_pwned_by_buffer_overflow/ & Marcus Hutchin's "magic bit" patch doesn't help vs. this either.
APK
P.S.=> Good luck - it's the BEST EASIEST & CHEAPEST DEFENSE using what you already have (hopefully, again as not ALL modems have port filtering but most do & certainly GOOD ONES DO) vs. this threat by stopping it being able to communicate in/out period, from OUTSIDE of the INTEL chipset external to it via a router/firewall hardware... apk
Indeed. I feel like i'm the only person who's ever effectively utilized it in enterprise IT. And password protected it.
How would you go about making this happen, wave a magic wand?
If someone knew about this setup and was on your LAN they could wreak havoc with your server.
A well designed server farm would use a separate, segregated network for administration.
(That's actually part of the criticism against Intel ME/AMT : it listens on the same physical network connection, meaning potential exploits from an internet facing port)
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
See subject: To whom it may concern - the freak I'm replying to has some dumb scheme in impersonating me folks - ignore him.
APK
P.S.=> You're a whackjob freak - no questions asked - this has to be the 10th time you've impersonated me this week alone - apk
Hey, it ain't like you have to tell us to ignore a post signed with APK...
Seems like a problem of your own making, you could just post non-anonymously. (I know, the irony of me saying that as an AC...)
Your loss! /.ers using his work like it and are faster and safer online praising it https://yro.slashdot.org/comments.pl?sid=11467101&cid=55720319/
The name of the game these days is to dress up a vuln/backdoor to make it appear as, "Oh, but it does xyz useful thing!" IMHO it's kind of dangerous to portray something pretty fucking insecure appear to be useful in any way. ME just needs to go away (or open sourced, which it appears legally it should be) so it can be fixed properly.
It is pitch black. You are likely to be eaten by a grue.
I pretty much explain it in the last paragraph. I didn't think I had to spell it out step by step here on Slashdot, but I was apparently wrong. A company's market share grows when more people buy their products relative to the growth of their competitors; to grow a company, the market must begin to favor them over competitors.
It's economics 101 and completely obvious to any 5 year old with a long enough attention span to have learned how to read and type. I really can't believe I had to explain it.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
I think this ignores the secrecy behind the ME in the first place. Wake-on-LAN has been a common function for, seemingly, ever, and is well-known, whereas the capabilities, even the existence, of the ME has just come out recently. If it was meant for powering up for such sundry tasks as you mention, why has it gone undocumented and unrealized for so long? You can't blame that on shoddy marketing.
Rather, the ME has been *purposefully* kept secret, which forces one to ask why? The obviousness is that it's a hardware backdoor for intelligence/LEO purposes, which is precisely who has used it the most.
"BMC"?
Suppose the same functions were implemented in a separate chip?
Could you explain why "... it can never be a good idea." I'm guessing I know less than you about the situation. Also, I don't know the meaning of "BMC".
The main question is, it seems to me: How can Intel arrange its hardware in a way that assures customers that there are no back doors? At present that seems FAR from an easy goal.
If they had just included a simple off button, Intel ME could actually have turned out to be a useful management tool instead of the latest in draconian big brother software.
If the Intel ME bothers you, turn off the power switch on the back of your power supply after shutting down your computer for the day, or if it doesn't have one, disconnect the power cord. Can't be accessed remotely if there's no power connected to the box. :-) If you've got a laptop, take the battery out. If you've got a tablet with an Intel processor in it, I guess you're screwed. Get or make small Faraday cage to store it in when you're not using it, or turn off your WAP.
lulz, no.
It's been publicized and pushed in every 'Q' sku chipset.
It is effectively a RILO card embedded into every workstation, on steroids.
The sales pitch to enterprise was:
Your IT dept can remote wake, apply patch, and shut back down overnight, thus not bothering your staff, or consuming work hours to accomplish patching network wide.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
That book is available for FREE DOWNLOAD: Platform Embedded Security Technology Revealed -- Safeguarding the Future of Computing with Intel Embedded Security and Management Engine (PDF file)
Chapters:
Front Matter
Cyber Security in the Mobile Age
Intel's Embedded Solutions: from Management to Security
Building Blocks of the Security and Management Engine
The Engine: Safeguarding Itself before Safeguarding Others
Privacy at the Next Level: Intel's Enhanced Privacy Identification (EPID) Technology
Boot with Integrity, or Don't Boot
Trust Computing, Backed by the Intel Platform Trust Technology
Unleashing Premium Entertainment with Hardware-Based Content Protection Technology
Breaking the Boundaries with Dynamically Loaded Applications
Looking Ahead: Tomorrow's Innovations Built on Today's Foundation
Back Matter
Quote from page 2:
In August 2010, Intel announced the acquisition of security giant McAfee. Paul S. Otellini, Intel's president and CEO at the time, emphasized that "security has become the third pillar of computing" when commenting on the investment. (Page 2, PDF page 8)
To me, that is typical nonsense indicating the lack of social and technical ability I see in Intel's top management. Intel now owns 49% of McAfee because it sold 51%. McAfee was never a good purchase for Intel, and was never a good company from which to purchase security software; that is my understanding.
A Slashdot comment of mine from 11 1/2 years ago: More Intel employees should say in public what they have told me in private: Intel CEO Paul Otellini is not a competent leader. He lacks social ability. (June 09, 2006)
There is a lot of valuable information in the book for readers who want to understand how intel arrived at the present situation. However, to me, the book is also full of useless nonsense. The author, Xiaoyu Ruan, tries to convince people he has understanding by providing a lot of what is known as "corporate-speak", fake communication also known as "workplace jargon". There is little depth of understanding.
Intel's inclusion in its products of secret hardware and software controlled by hidden organizations will eventually mean either a major re-organization of Intel, or the end of Intel, in my opinion. Can you supply hardware to your customers that is known to be insecure, and to have methods of access that are not clearly explained?
There is an easy fix for the potential ( and perhaps already existing ) security breaches that the ME enables. Just start or propogate the rumor that the Chinese have already cracked the ME and are planning to influence the next round of elections. Given how easily politians can get worked up about their job security by nonsensical rumors of Russian interference, they would be sure to force the NSA to allow Intel ( and AMD ) to disable, or verifyably make optional, such customer un-friendly nonsence.
You live and learn, or you don't learn much.
Thanks VERY much for your reply.
BMC sounds excellent. I like this: "The BMC often has it's own private LAN connection so management can be over a physically separate network."
In more than 11 years, I haven't seen anything like full awareness by other people of the fact that Intel is badly managed. To me, the fact that Intel has provided forced secret access to its hardware, later found to have vulnerabilities, is a tragedy for Intel, the United States, and the world.
I mentioned that in another comment to this Slashdot story: FREE BOOK about the Intel Management Engine. Part of what I said: "A Slashdot comment of mine from 11 1/2 years ago: More Intel employees should say in public what they have told me in private: Intel CEO Paul Otellini is not a competent leader. He lacks social ability. (June 09, 2006)"
Otellini is no longer the CEO of Intel. The present management does not seem much better. For example, Intel advertising is wacky, in my opinion. I got an email message from Intel 2 days ago that says: "Final call for awesome prizes -- train now or miss out". I don't need "awesome prizes". I need excellent technology and excellent, reliable explanation of Intel's technology.
Just incredible.
Here's the timeline of truth:
NSA pay intel $$$$$$$$$$$$ to create a backdoor into any OS
intel call it a "management feature", yeah that sounds right. they even make some half-assed attempts to make it look like it was a commercial thing
they keep taking your money
you keep buying it
someone finds an """""exploit"""" (not an exploit, an API)
YOU then post, rather proud of yourself I might say, that this was the INTENT of the management engine, oh gee wow
you get 5 interesting
and nobody was ever in any danger of having to think
Can I mine Bitcoin in ME?
That clearly wasn't stated. First Slackware, as in, not in the second Slackware release. Not Linux*.
the capabilities, even the existence, of the ME has just come out recently... why has it gone undocumented and unrealized for so long?
No, they released an SDK for it in 2008. Companies like Lenovo and Dell use it for anti-theft software. Corporate IT departments use it to deploy scripts to monitor antivirus and firewall settings. I wrote code for it in 2008 for a product called "Spare Backup." It used AMT to wake at either a specific time, or in response to a specific packet, to initiate a backup.
Yggdrasil tried to call their first release 'LGX' which I assume is something they had copyrighted. The release with the manual on white paper with just green and white printing on the cover.
'green and black', obviously.