Can Intel's 'Management Engine' Be Repurposed?
Long-time Slashdot reader iamacat writes:
Not a day goes by without a story about another Intel Management Engine vulnerability. What I get is that a lot of consumer PCs can access the network and run x86 code on top of a UNIX-like OS such as Minix even when powered off.
This sounds pretty useful for tasks such as running an occasional-use Plex server. Like I can have a box that draws very little power when idle. But when an incoming connection is detected, it can power itself and the media drive on and serve the requested content.
The original submission ends with an interesting question: "If Intel ME is so insecure, how do I exploit it for practically useful purposes?"
Repurposed... to mine bitcoins!
The submission is confusing because the author proposes "repurposing" the ME, but the example is something that is what it is intended for in the first place. Back when it was first introduced, I worked for a company that created a program that would wake a remote computer on demand and run a few sundry tasks: a defrag and a backup. Intel partnered with various software vendors to create demos of what ME could do. And heck, even without ME, most network cards have a wake-on-LAN feature anyway.
Intel clearly didn't do a good job marketing the feature if nobody thought of how to use it until a vulnerability was found in it.
Many many years ago there was an exploit called "Back Orifice" which was more properly named "Cult of the Dead Cow". It was quite ingenious and had a very small surface area. I knew a few fellow admins that blocked the exploit at their firewall but then used it for remote management because it was memory/network efficient and supported all of their needs better than any third-party company could.
Risk vs. Reward is always prevalent. Good luck on your efforts.
Nope, the NSA have it completely secured to prevent anyone from stopping it mining Bitcoins.
since it loses code on poweroff
Yeah, but then when power is restored, the OS boots, and the application just re-registers itself with AMT again. There's a public API to do it. It doesn't have to be burned into the firmware to work. It just needs to wake the OS when a request is made.
The Intel ME (I think) was a combination Lights Out management engine and a VNC server, basically IPMI over IP with a remote console.
It wasn't that secret; as I recall, it started with something like the P68 chipset on Intel motherboards and was ubiquitous. The weird path to obscurity was when they tried to monetize and license it.
The best thing Intel could do today would be to fully document and open it up. People would probably choose to either disable it, or more probably add on a separate ethernet card for secure traffic, and reserve the built-in NIC for management activities like on HP servers with its iLO interface... they also had a "shared" mode stealing interstitial ethernet CDMA intervals to virtualize two separate Ethernet MAC addresses on the same physical hardware... duty cycle something like 80/20 but they had the lesson learned to also make it disabled and use (only) a separate add-on interface connected to different pins on the motherboard, for 100/100 across two different NIC interfaces for practical reasons. Ironically it all started with the Gas and Oil industry, Exxon back in the days when they wanted remote management on their servers... in pre-HP Compaq days... Intel saw that and wanted some of that business... so it crept into the base designs later... without a lot of thought... which has come home to roost.
Yes and no. WOL can wake a sleeping computer, but not reboot it if it hangs, nor provide any other sort of remote administration beyond what the OS gives you once it comes up. And if it doesn't come up, WOL just left you in the lurch. You need remote-hands to recover.
I've gone so far as to repurpose a WOL-capable network card as a reset-on-lan device, because my always-on machine doesn't need waking, but inevitably if I'm on the other side of the country, it somehow manages to need rebooting.
IME sounds like it could serve this purpose and more, perhaps providing a useful subset of iLO/DRAC functionality, but not just for server boards.
For years now, servers have had a Baseboard Management Computer (BMC) that was always on and could control power, press reset, and provide serial console over LAN. Newer ones provide virtual media and built-in KVM capabilities. At first it was an add-on card that cost an extra $50-$100, then it got so cheap it was simply built in. They spoke IPMI and in some cases also provided http and ssh interfaces. Often they have the option of a physically separate LAN interface so you can put them on a private LAN. Those are really great for remote management.
Since they had no access to the flash, main memory, or PCI bus, they had little of the nefarious capability of the ME. They couldn't read data off the drive or snoop the keyboard, for example.
The ME, on the other hand, is loaded with nefarious potential, so much so that exploiting the ME means game over for the main computer. It already has all of the capabilities TFA suggests, it's just that the chintzy bastards are holding out for more money to turn it on. You can have all the bad parts for free though.
I won't get into an argument over whether you're right about that or not, but I will say we can work to make that point entirely irrelevant. If we work to give AMD and Intel roughly equal market share, then start propping VIA up until we have 3 equal players (VIA could catch up in performance and power efficiency with some funding; they've got the engineering capabilities, they simply lack funding). As each of the smaller players gets bigger, the bigger player gets smaller; we begin opening the door for a fourth serious player, then a fifth, and so on.
If AMD and Intel are both compromised in the market, and let's go ahead and assume they are for the purpose of this discussion, the correct response is to redistribute market share in a way that shrinks the biggest players and makes room for new players who may not be compromised.
Since VIA is not an option for the typical desktop or workstation user, and there are no other players, that means growing AMD even if they're also compromised, simply to shrink Intel. Then, we start growing VIA for lower-power needs, until they're able to catch up in performance-per-watt; then we grow them to be Intel and AMD's equals. We show other foundries that there is room to grow in the x86 market, they step up, we grow them, then we win.
APK quotes people (including myself) without context and should not be trusted. Just thought you should know.
NO, it can never be a good idea. It can only go from a terrible idea to a terrible idea with some upside. Having a BMC with limited access to the main system was a good idea, but we've had those for over a decade now.
documentation explaining what key update/replacement mechanism was built into the southbridges in case the key DID leak
There is no documentation on update/replacement because it's not possible. If they leaked, chips using those keys would be compromised.
From the only authoritative book on the subject; 'Platform Embedded Security Technology Revealed' by Xiaoyu Ruan:
The Boot Guard configurations set by the OEM slightly vary among different products. In general and at a minimum, the OEM is responsible for configuring its public key hash for a verified boot, and the boot policies via the security and management engine.
The security of a verified boot is rooted to the OEM's asymmetric keypair. The OEM generates a 2048-bit RSA keypair as its root key for signing manifests for the initial boot blocks. The private portion of the root keypair must be kept securely, and signing manifests for initial boot blocks shall be its sole usage. On the other hand, the SHA-256 hash of the public key is programmed to the field programmable fuses during the manufacturing process. The public key hash consumes 256 fuses that belong to the multiple-bit one-time programming category, which cannot be updated once written. Because of the one-time programming limitation, the OEM will not be able to renew the root key or update the hash, even if the private key is compromised. Therefore, the OEM must protect its root private key in a signing server with strong protection from attacks or leakage.
Xiaoyu Ruan is responsible for designing cryptography infrastructure and security applications for Intel's security and management engine.
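A simplified model of the fuse behaviour the quoted passage describes, added here as an illustration and not part of the comment or of Intel's or any OEM's code: the SHA-256 hash of the OEM public key fills a 256-bit write-once field, so a leaked key stays trusted and a replacement key can never be enrolled. The class, function names and key bytes are constructed, and RSA signature verification of the manifest itself is left out.

```python
import hashlib
import hmac


class OtpFuseBank:
    """Constructed model of a 256-bit one-time-programmable fuse field."""

    def __init__(self, bits=256):
        self.nbytes = bits // 8
        self.value = bytes(self.nbytes)  # unprogrammed field reads as zeros
        self.programmed = False

    def program(self, data):
        if len(data) != self.nbytes:
            raise ValueError("hash must fill the whole fuse field")
        if self.programmed:
            raise PermissionError("fuse field already written; cannot update")
        self.value = data
        self.programmed = True


def key_hash(public_key):
    # The quoted text says the SHA-256 hash of the public key is what gets fused.
    return hashlib.sha256(public_key).digest()


def manifest_key_trusted(fuses, manifest_public_key):
    """Verified-boot precondition: the manifest's key must hash to the fused value."""
    return fuses.programmed and hmac.compare_digest(
        key_hash(manifest_public_key), fuses.value)


def try_rotate(fuses, new_public_key):
    """What an OEM would want after a leak; the write-once field refuses it."""
    try:
        fuses.program(key_hash(new_public_key))
        return True
    except PermissionError:
        return False


# Constructed placeholders standing in for encoded 2048-bit RSA public keys.
OEM_KEY = b"constructed-oem-root-public-key"
REPLACEMENT_KEY = b"constructed-replacement-public-key"


def demo():
    fuses = OtpFuseBank()
    fuses.program(key_hash(OEM_KEY))  # done once, at manufacturing
    return {
        "original_trusted": manifest_key_trusted(fuses, OEM_KEY),
        "rotation_accepted": try_rotate(fuses, REPLACEMENT_KEY),
        "replacement_trusted": manifest_key_trusted(fuses, REPLACEMENT_KEY),
        "original_still_trusted": manifest_key_trusted(fuses, OEM_KEY),
    }
```

`demo()` shows the consequence in the quote: after a failed rotation the original (possibly leaked) key is still the only one the platform accepts.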
BMC = baseboard management computer. A small embedded system built in to the main system. The difference is that it does not share memory access or the PCI bus. Instead, it is connected to one of the serial ports, the power and reset lines, and often the USB controller. The latter allows it to emulate a DVD drive to support virtual boot media. The serial connection allows for console over LAN (if the OS has a serial console configured). Newer ones also can snoop the video chip to support a built in KVM (for OSes that can't be used over a serial console).
The BMC often has its own private LAN connection so management can be over a physically separate network. They may also have a mini-bridge so they share a physical connection w/ the main system, but can be configured to use a private VLAN.
Since the BMC is not required to bring up the chipset, it can be truly disabled if desired. It is just a remote management system.
In general, the BMC supports IPMI. It may also allow ssh access (with a very limited shell) and/or http(s).
There are still significant security implications if someone does manage to exploit the BMC, but nowhere near as bad as if they exploit the ME.
And this is what a lot of us wanted when working on the ME, but there were other forces at play.
Part is that there is/was a grand plan that streaming services could use the ME to lock content to a given machine, allowing download and play offline capability, but IDK if that ever came to fruition, I think Netflix went another way with that.
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
That book is available for FREE DOWNLOAD: Platform Embedded Security Technology Revealed -- Safeguarding the Future of Computing with Intel Embedded Security and Management Engine (PDF file)
Chapters:
Front Matter
Cyber Security in the Mobile Age
Intel's Embedded Solutions: from Management to Security
Building Blocks of the Security and Management Engine
The Engine: Safeguarding Itself before Safeguarding Others
Privacy at the Next Level: Intel's Enhanced Privacy Identification (EPID) Technology
Boot with Integrity, or Don't Boot
Trust Computing, Backed by the Intel Platform Trust Technology
Unleashing Premium Entertainment with Hardware-Based Content Protection Technology
Breaking the Boundaries with Dynamically Loaded Applications
Looking Ahead: Tomorrow's Innovations Built on Today's Foundation
Back Matter
Quote from page 2:
In August 2010, Intel announced the acquisition of security giant McAfee. Paul S. Otellini, Intel's president and CEO at the time, emphasized that "security has become the third pillar of computing" when commenting on the investment. (Page 2, PDF page 8)
To me, that is typical nonsense indicating the lack of social and technical ability I see in Intel's top management. Intel now owns 49% of McAfee because it sold 51%. McAfee was never a good purchase for Intel, and was never a good company from which to purchase security software; that is my understanding.
A Slashdot comment of mine from 11 1/2 years ago: More Intel employees should say in public what they have told me in private: Intel CEO Paul Otellini is not a competent leader. He lacks social ability. (June 09, 2006)
There is a lot of valuable information in the book for readers who want to understand how Intel arrived at the present situation. However, to me, the book is also full of useless nonsense. The author, Xiaoyu Ruan, tries to convince people he has understanding by providing a lot of what is known as "corporate-speak", fake communication also known as "workplace jargon". There is little depth of understanding.
Intel's inclusion in its products of secret hardware and software controlled by hidden organizations will eventually mean either a major re-organization of Intel, or the end of Intel, in my opinion. Can you supply hardware to your customers that is known to be insecure, and to have methods of access that are not clearly explained?