Slashdot Mirror


Can Intel's 'Management Engine' Be Repurposed?

Long-time Slashdot reader iamacat writes: Not a day goes by without a story about another Intel Management Engine vulnerability. What I get is that a lot of consumer PCs can access the network and run x86 code on top of a UNIX-like OS such as Minix even when powered off.

This sounds pretty useful for tasks such as running an occasional-use Plex server. Like I can have a box that draws very little power when idle. But when an incoming connection is detected, it can power itself and the media drive on and serve the requested content.

The original submission ends with an interesting question: "If Intel ME is so insecure, how do I exploit it for practically useful purposes?"

9 of 139 comments

  1. Repurposed... by Type44Q · Score: 3, Interesting

    Repurposed... to mine bitcoins!

    1. Re:Repurposed... by Anonymous Coward · Score: 5, Funny

      Better yet, repurposed to send the following email to Intel's CEO every 10 minutes.

      "Hi, this is an automated message sent from a hijacked Intel Management Engine to remind you of what you enabled by adding me to the design of your chips. The owner of the computer is unable to stop this, and in fact is completely unaware that it's happening! Currently the computer is turned [on/off]. I strongly recommend you rethink adding this to the next line of cpu chips as a botnet is currently being formed to send these reminders to you!"

      I think I'm mostly joking.

  2. Repurposed? That's exactly what it is intended for by MobyDisk · Score: 5, Interesting

    The submission is confusing because the author proposes "repurposing" the ME, but the example is something that is what it is intended for in the first place. Back when it was first introduced, I worked for a company that created a program that would wake a remote computer on demand and run a few sundry tasks: a defrag and a backup. Intel partnered with various software vendors to create demos of what ME could do. And heck, even without ME, most network cards have a wake-on-LAN feature anyway.

    Intel clearly didn't do a good job marketing the feature if nobody thought of how to use it until a vulnerability was found in it.

  3. It depends on your risk-management philosophy by Anonymous Coward · Score: 3, Informative

    Many many years ago there was an exploit called "Back Orifice" which was more properly named "Cult of the Dead Cow". It was quite ingenious and had a very small surface area. I knew a few fellow admins that blocked the exploit at their firewall but then used it for remote management because it was memory/network efficient and supported all of their needs better than any third-party company could.

    Risk vs. Reward is always prevalent. Good luck on your efforts.

    1. Re: It depends on your risk-management philosophy by c6gunner · Score: 4, Informative

      Many many years ago there was an exploit called "Back Orifice" which was more properly named "Cult of the Dead Cow".

      Just for the record, Cult of the Dead Cow was the name of the group which created it; Back Orifice was the name of a program which they released.

      And yes, it was tiny enough to be easily attached to even something as small as a keygen, turning it into an easy trojan, while also being a great remote administration tool for more legitimate use.

  4. Re:Unless someone discloses the signing key... by MobyDisk · Score: 3, Interesting

    since it loses code on poweroff

    Yeah, but then when power is restored, the OS boots, and the application just re-registers itself with AMT again. There's a public API to do it. It doesn't have to be burned into the firmware to work. It just needs to wake the OS when a request is made.

  5. Lights Out Management Engine by Anonymous Coward · Score: 5, Interesting

    The Intel ME (I think) was a combination Lights Out management engine and a VNC server, basically IPMI over IP with a remote console.

    It wasn't that secret as I recall it started with something like the P68 chipset on Intel motherboards and was ubiquitous, the weird path to obscurity was when they tried to monetize and license it..

    The best thing Intel could do today would be to fully document and open it up. People would probably choose to either disable it, or more probably add-on a separate ethernet card for secure traffic, and reserve the built-in NIC for management activities like on HP servers with its iLO interface.. they also had a "shared" mode stealing interstitial ethernet CDMA intervals to virtualize two separate Ethernet MAC addresses on the same physical hardware.. duty cycle something like 80/20 but they had the lesson learned to also make it disabled and use (only) a separate add-on interface connected to different pins on the motherboard, for 100/100 across two different NIC interfaces for practical reasons. Ironically it all started with the Gas and Oil industry, Exxon back in the days when they wanted remote management on their servers.. in pre-HP Compaq days.. Intel saw that and wanted some of that business.. so it crept into the base designs later.. without a lot of thought.. which has come home to roost.

  6. Re:What's what WOL is for by Myself · Score: 5, Insightful

    Yes and no. WOL can wake a sleeping computer, but not reboot it if it hangs, nor provide any other sort of remote administration beyond what the OS gives you once it comes up. And if it doesn't come up, WOL just left you in the lurch. You need remote-hands to recover.

    I've gone so far as to repurpose a WOL-capable network card as a reset-on-lan device, because my always-on machine doesn't need waking, but inevitably if I'm on the other side of the country, it somehow manages to need rebooting.

    IME sounds like it could serve this purpose and more, perhaps providing a useful subset of iLO/DRAC functionality, but not just for server boards.
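
For reference alongside the WOL discussion above, an added example that is not part of any comment in the thread: the Wake-on-LAN magic packet is six 0xFF bytes followed by the target MAC repeated 16 times, sent one way with no authentication and no reply, which is why WOL can wake a machine but not manage or recover it. The function names and the sample MAC used with them are constructed for illustration.

```python
import re
import socket

SYNC = b"\xff" * 6  # synchronization stream that opens every magic packet
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}([:-]?[0-9a-fA-F]{2}){5}$")


def mac_to_bytes(mac: str) -> bytes:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-cc-dd-ee-ff or bare hex; return 6 raw bytes."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def build_magic_packet(mac: str) -> bytes:
    """Sync stream followed by the target MAC repeated 16 times (102 bytes)."""
    return SYNC + mac_to_bytes(mac) * 16


def find_magic_packet(payload: bytes):
    """Return the target MAC if payload contains a magic packet, else None.

    The pattern may sit at any offset in a frame, so scan for it. Useful when
    auditing captured traffic for unexpected wake requests.
    """
    start = payload.find(SYNC)
    while start != -1:
        body = payload[start + 6:start + 6 + 96]
        if len(body) == 96 and body == body[:6] * 16:
            return body[:6].hex(":")
        # Step by one byte: stray 0xFF bytes may precede the real sync stream.
        start = payload.find(SYNC, start + 1)
    return None


def send_wol(mac: str, broadcast: str = "255.255.255.255", port: int = 9) -> None:
    """Broadcast the packet over UDP. Nothing comes back: WOL has no reply path."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(build_magic_packet(mac), (broadcast, port))
```
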

  7. Not safely by sjames · Score: 3, Interesting

    For years now, servers have had a Baseboard Management Computer (BMC) that was always on and could control power, press reset, and provide serial console over LAN. Newer ones provide virtual media and built-in KVM capabilities. At first it was an add-on card that cost an extra $50-$100, then it got so cheap it was simply built in. They spoke IPMI and in some cases also provided http and ssh interfaces. Often they have the option of a physically separate LAN interface so you can put them on a private LAN. Those are really great for remote management.

    Since they had no access to the flash, main memory, or PCI bus, they had little of the nefarious capability of the ME. They couldn't read data off the drive or snoop the keyboard, for example.

    The ME, on the other hand, is loaded with nefarious potential, so much so that exploiting the ME means game over for the main computer. It already has all of the capabilities TFA suggests, it's just that the chintzy bastards are holding out for more money to turn it on. You can have all the bad parts for free though.