The Trouble With Intel's Management Engine (hackaday.com)
szczys writes: You've used many devices that have Intel's Management Engine built into them, even if you haven't heard of it before. This is the lowest level of security, built directly into the chips. But obscurity is part of its security and part of its weakness. Nobody knows exactly how ME works, yet it includes a wide range of features that would be frightening if exploited. The ME is always listening, able to receive packets even when the device is asleep. And it has the lowest level of access to every part of the computer system.
Stopped reading after... (Score:5, Insightful)
Stopped reading the conspiracy rant after this delicious gem:
Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure. With the implication that BIOS was somehow secure. Yeah, bullshit.
I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.
Re:Stopped reading after... (Score:4, Interesting)
IME has always been a buggy piece of shit with absolutely no visibility by anyone outside of Intel or without strict NDAs, that is a fair statement. I have no experience with AMD's equivalent to speak of. But IME was always a black box of vague claims, poor implementations, bugs and secret sauce. That devices have embedded FW is unavoidable in this day and age, it's a fact of life and people need to get over it (I'm looking at systems companies who are allergic to software). But normally that embedded FW has a fixed function, is scope limited such that it can be reasonably tested and verified by the design teams and "must work". It's not like a more typical software development model (even for BIOS or UEFI) where if they have to release a patch they will do it. Updating IME can be sketchy given where its fingers may lie in a design. IME seems to confuse all those boundaries and I haven't worked with anyone who has liked it.
Confusing BIOS and UEFI into this discussion is distracting, they are generally unrelated (but again, given the sketchy scope of IME, there are tie-ins).
Re:Stopped reading after... (Score:5, Funny)
...with absolutely no visibility by anyone outside of Intel or without strict NDAs...
Not true. As one who is under strict NDA, I'm pretty sure that Intel doesn't even know how it works or what it does.
Re: (Score:2)
Yes, I have witnessed a lot of 'ok, the IME thinks SOMETHING is wrong, but damned if we know what'
Re: (Score:3)
IME has always been a buggy piece of shit with absolutely no visibility by anyone outside of Intel or without strict NDAs, that is a fair statement. I have no experience with AMD's equivalent to speak of. But IME was always a black box of vague claims, poor implementations, bugs and secret sauce. That devices have embedded FW is unavoidable in this day and age, it's a fact of life and people need to get over it (I'm looking at systems companies who are allergic to software). But normally that embedded FW has a fixed function, is scope limited such that it can be reasonably tested and verified by the design teams and "must work". It's not like a more typical software development model (even for BIOS or UEFI) where if they have to release a patch they will do it. Updating IME can be sketchy given where its fingers may lie in a design. IME seems to confuse all those boundaries and I haven't worked with anyone who has liked it.
Confusing BIOS and UEFI into this discussion is distracting, they are generally unrelated (but again, given the sketchy scope of IME, there are tie-ins).
Agreed. GP is kneejerk Intel fanboy blather and automatically runs to attack AMD as if TFA intended to play favorites. Intel dominates the market and sets the trends, so stop being a baby about criticism when an article focuses on them.
IME remains a black box, that can talk with the network and is therefore open to attack. It's not a part of the trusted computing base, but has control over it.
Re:Stopped reading after... (Score:4, Informative)
It does a bit more than this. Heck, when the system is turned off (S5), it can still publish a webpage interface to the network. This is more than wake on lan or power saving mode.
Re: (Score:2, Informative)
Yeah, that's a big difference between "turn on power" and "here's a HTTP SERVER running while in sleep"
Previous parent is intentionally deceptive trying to blur the line. Shitty.
Re: (Score:3)
It does more than wake on lan. Any time you have buggy code paying attention to the contents of packets in any way, you have a real attack vector. The ability to execute arbitrary code in a layer this low is something to worry about. Could an attacker use this layer to do an update to the BIOS (whatever it's called)? I don't know, but I'd like to know.
Re: (Score:2)
One of the old tricks of testing network software was to send randomly sized packets to the target system. Eventually something would crack. Sometimes they used function look-up tables to handle different packet types.
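The two posts above make the same point from both sides: code that inspects packet contents is an attack surface, and feeding it randomly sized packets is the classic way to find out whether it holds up. As an added illustration (not code from the page, from Intel, or from any real ME/AMT wire format), here is a constructed toy packet format with a function lookup table for packet types, a naive dispatcher that trusts the header, a checked dispatcher that validates it, and a small random-size fuzz loop run over both. Packet layout, handler names and the fuzz parameters are all assumptions made for the example.

```python
import random
import struct

# Constructed toy "management" packet format (assumption, not a real format):
#   1 byte  type
#   2 bytes big-endian payload length
#   N bytes payload
HEADER = struct.Struct("!BH")


def handle_ping(payload: bytes) -> bytes:
    return b"pong"


def handle_echo(payload: bytes) -> bytes:
    return payload


def handle_status(payload: bytes) -> bytes:
    return b"ok"


# Function lookup table indexed by packet type, as the post describes.
HANDLERS = [handle_ping, handle_echo, handle_status]


def dispatch_naive(packet: bytes):
    """Trusts the header: no type-range check, no length check.

    A short packet blows up inside unpack(); an out-of-range type indexes
    past the table. In Python these surface as exceptions; in C the same
    code would be an out-of-bounds read or a call through a garbage pointer.
    """
    ptype, plen = HEADER.unpack(packet[:HEADER.size])
    payload = packet[HEADER.size:HEADER.size + plen]  # silently truncates here, over-reads in C
    return HANDLERS[ptype](payload)


def dispatch_checked(packet: bytes):
    """Validates every header field before touching the table or payload."""
    if len(packet) < HEADER.size:
        return None  # reject: truncated header
    ptype, plen = HEADER.unpack_from(packet)
    if ptype >= len(HANDLERS):
        return None  # reject: unknown packet type, never index the table
    if len(packet) - HEADER.size != plen:
        return None  # reject: declared length disagrees with actual length
    return HANDLERS[ptype](packet[HEADER.size:])


def fuzz(dispatch, iterations: int = 2000, seed: int = 1) -> int:
    """Feed random-size, random-content packets to a dispatcher; count crashes."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    crashes = 0
    for _ in range(iterations):
        size = rng.randint(0, 40)
        packet = bytes(rng.getrandbits(8) for _ in range(size))
        try:
            dispatch(packet)
        except Exception:
            crashes += 1
    return crashes


if __name__ == "__main__":
    print("naive dispatcher crashes:  ", fuzz(dispatch_naive))
    print("checked dispatcher crashes:", fuzz(dispatch_checked))
```

The checked version never lets a header field drive an index or a slice until it has been compared against what the packet actually contains; that is the whole of the fix, and it is exactly the kind of check a black-box firmware component cannot be audited for from the outside.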
Re: (Score:2)
Intel AMT is available even if the machine is powered off. https://en.wikipedia.org/wiki/... [wikipedia.org]
Re: (Score:1)
Intel AMT is available even if the machine is powered off.
Yep, sure, uses vacuum zero point energy or something. I bet it is can also listen on the ethernet even if the cable is unplugged and on wi-fi even if the AP/router is off, in fact it probably has knowledge of wi-fi auth backdoors built in so it can connect to any of your neighbours' wi-fi, and if that fails it'll go directly to satellite. It also has a full AI core and will actively attack you if you try to open up the machine and mess with it, and if you so much as think of unplugging everything and put
Re: (Score:2)
If the power isn't disconnected by a physical switch (or pulled out) then it isn't powered off. Period.
Not understanding that distinction may be just about ok when messing around inside a PC, but then that person goes and messes around inside a light fitting believing that it is turned off at the light switch. Live is live.
Re: (Score:1)
Stopped reading the conspiracy rant after this delicious gem:
Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure.
It is not the abandonment of BIOS which makes computers insecure, it is the choice of UEFI.
The current release of the UEFI specification has over 2,000 pages. This is a horribly complex mess which is almost impossible to implement completely and correctly. And you can bet that firmware vendors will opt for completeness over correctness any day.
Re: (Score:2)
Stopped reading the conspiracy rant after this delicious gem:
Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure.
It is not the abandonment of BIOS which makes computers insecure, it is the choice of UEFI.
The current release of the UEFI specification has over 2,000 pages. This is a horribly complex mess which is almost impossible to implement completely and correctly. And you can bet that firmware vendors will opt for completeness over correctness any day.
As opposed to 30 years of hacks from 1981 and layers upon layers which only a select few knew the secrets with the bios?
EFI was supported here before Windows 8. Now slashdot has become a fear of change site for IT folks which is hypocrisy. Not saying UEFI is perfect but I am glad the bios is about dead. Like DOS with expanded vs extended ram tricks needed for games I welcomed Windows NT/95 greatly to say goodbye. Same is true with BIOS and all the limitations like 2 TB disks which that hack was implemen
Re:Stopped reading after... (Score:4, Informative)
As opposed to 30 years of hacks from 1981 and layers upon layers which only a select few knew the secrets with the bios?
EFI was supported here before Windows 8. Now slashdot has become a fear of change site for IT folks which is hypocrisy. Not saying UEFI is perfect but I am glad the bios is about dead.
BIOS could have been replaced with a modern EFI that merely fixed the issues with BIOS, and there would have been no issues. The problem is it was replaced with UEFI, which is much like replacing initd with systemd, and I apologize for the insult to UEFI in advance.
Like DOS with expanded vs extended ram tricks needed for games I welcomed Windows NT/95 greatly to say goodbye. Same is true with BIOS and all the limitations like 2 TB disks which that hack was implemented because the bios is hardset at 40 meg disks and a virtual 2 TB wrap around was put in.
BIOS had issues with small pointers it used (16 bit IIRC, of which several were "reserved") So you had 1024 cylinders as a max, and 512bit sectors, so the first cut was to create a cluster in between those two, which allowed for more space by aggregating sectors into clusters which could be addressed in a single cylinder. (This is all so long ago, I'm sure I have something wrong) All of this was based on the early early storage mediums where those terms really related to their physical counterparts.
Personally, I said goodbye to DOS with OS/2 - flat memory addressing and true pre-emption over time-slicing. I've run several other OSes since then. I am looking forward to the security disaster that is Windows NT/2K/XP/VISTA/8/10 to go away and be replaced by something sane.
Re: (Score:2)
Nobody knows exactly how ME works
Re: (Score:2)
I'm sure the authors of the article don't know how the management engine works.
But given their level of "competence" I'm sure they don't know how a lot of things work. So what, a piece of technology isn't governed by the level of ignorance of some blogger.
Re: (Score:1)
But given their level of "competence" I'm sure they don't know how a lot of things work.
You don't need to be competent in something to necessarily know it is broken or smells fishy. It certainly can help, but in this case, they are spot on. ME smells fishy for sure.
Re: (Score:2)
I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.
I don't understand these types of comments which are made quite often here and elsewhere. Someone says something about Google and there is always a response about Apple or Microsoft doing x, y and z too.
Why can't someone focus on something a specific vendor is or is not doing even if you disagree with their process or conclusions without being obligated to enumerate all other vendors who may or may not be doing the same thing?
Why is there always that implicit assumption failure to talk about what everyone
Re:Stopped reading after... (Score:4, Informative)
Maybe you should actually learn about AMD's product lineup: http://www.anandtech.com/show/... [anandtech.com]
Yes, in the year 2012 it was a futuristic feature. Then 2013 happened. Where have you been?
Re: Stopped reading after... (Score:2)
Two other problems are that boot signing is an optional module in UEFI, in addition to the fact that ME is off in the factory configuration, and in order for it to do anything you have to explicitly enable it and configure a password.
It's actually a wonderful feature to have, by the way. It still works even if the CPU is dead and you have no RAM. You can tell exactly what's wrong with a seemingly dead system through the fault logs on the web interface.
Re: (Score:2)
Actually no, the ME is off as far as user facing features are concerned, but if it is fully off, good luck booting your PC. The MS is always on, and contrary to Intel's public stance, when you buy a SKU with it disabled/no BIOS for it loaded/fused off (depending on whom you talk to, I have gotten all three many times), it is still there, still functional, and still not under your control.
In short 'off' means the user facing and user accessible parts are no longer user accessible, not what most people still
Re: (Score:2)
But MS supports it and change is scary and bad so shhh. The bios is the best ever right there with running XP on a modern i7
Re: (Score:2)
I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me.
I know, right?! Just last month someone tried to convince me that Juniper routers had a backdoor. [slashdot.org] Can you believe the crazy shit people are willing to believe? What crazy conspiracy-theory drivel will people post next, all our phones are tapped? A secret NSA building where internet traffic is recorded? I mean, that would have to be a huge building.
conspiracy-theory drivel indeed!
Re: (Score:2)
Stopped reading the conspiracy rant after this delicious gem:
Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure. With the implication that BIOS was somehow secure. Yeah, bullshit.
I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.
Almost every computer microchip has microcode that is revisable via a module stored within the bios. Much of the chips instruction set is programmable. Intel, AMD and other vendors do have microcode updates that are presented at boot time. Linux has them. Windows has them, etc.
And if you think that the AES instructions within the chip are safe to use, think again. I am willing to bet that the NSA has front doors into the cpu chip, such that it has the possibility to report encryption or decryption activit
IME is powerful, but a nightmare to mess with (Score:3, Informative)
Between lack of a useful setup routine, centralized management, etc.. it's a royal PITA to actually work with on an Enterprise level.. It's nice though.. I'll give them that.. onboard VNC for BIOS level control like a DRAC/BMC/ORA/iLO, etc and ability to send WOL to PC level hardware is nice for those pesky users that have totally messed things up.. It's also useful for remote rebuilding of machines since you can remote redirect ISOs and such..
But.. again.. royal PITA to setup and the documentation is scattered and horrible to read through.
Re: (Score:2)
And the specifications are locked up and restricted, preventing quality third party tools from stepping in for Intel's lackluster implementation.
Re: (Score:1)
Without sitting in on an Intel meeting on the subject, I can assume that is because they are still determining where the line is between useful feature and security exploit waiting to happen. Until that line is determined, their best course of action is to not release any detailed documentation about the potential of the system and provide only their (by devs for themselves) preliminary software.
Yes, this course of action may result in a general market rejection of the system, but that's better than making
Re: (Score:2)
I would put more money on it being a matter of them considering it a valuable differentiator for business customers, and keeping it secret mitigates risk of competing vendors popping up to compete on a level playing field.
They aren't still determining the line, they have had this for years and years and know very well their intent and risks.
Re: (Score:2)
IntelME is really for its SOC components so they can integrate with cpu states for mobile devices and desktops. It shouldn't be open or maybe open for opensource developers who write drivers for the integrated components.
It is a driver suite but with more cpu integration no different than geforce or ATI catalyst driver suites.
Re: (Score:2)
Between lack of a useful setup routine, centralized management, etc.. it's a royal PITA to actually work with on an Enterprise level.. It's nice though.. I'll give them that.. onboard VNC for BIOS level control like a DRAC/BMC/ORA/iLO, etc and ability to send WOL to PC level hardware is nice for those pesky users that have totally messed things up.. It's also useful for remote rebuilding of machines since you can remote redirect ISOs and such..
But.. again.. royal PITA to setup and the documentation is scattered and horrible to read through.
Very painful to work with. Two apparently identical laptops had ME that worked quite differently.
Re: (Score:2)
But.. again.. royal PITA to setup and the documentation is scattered and horrible to read through.
Why oh why couldn't Snowden dump some of the more useful documents the NSA has? ;cP
Re: (Score:2)
I guess you use AMD.
It has been exploited. (Score:2, Informative)
What do you mean "if"?
https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Known_vulnerabilities_and_exploits
The copy writes itself (Score:1)
(some verification may be required)
Re:The copy writes itself (Score:5, Informative)
One of the side effects is that open source BIOS projects [libreboot.org] are effectively dead for desktops.
Re: (Score:3, Informative)
The PSP is nothing like IME. IME is a dedicated chip for remote management, which you can't touch.
PSP is simply a separate ARM core that you can control, including running a separate OS. The PSP ARM core, in turn, has a common ARM feature called TrustZone, which provides very strong security guarantees for the software running inside the TrustZone. Again, you control how this is configured and what software runs in the TrustZone.
I don't know about the PSP specifically, but most ARM chips with TrustZone also
Re: (Score:2)
If you're enabling IME with default password, you're doing it wrong. If you enable IME you should be installing your own certificates and using certificate-based authentication. If you aren't, you're stupid. I've never encountered hardware where IME is enabled by default (in fact my Dell Precision T3610 is buggy in such a way that it's impossible to enable, and there's no way to enable it on 13th-generation PowerEdge by design). There's a lot of FUD about IME, but it won't hurt you if you don't turn it
Why is this such a mystery? (Score:2)
So the IME is in place in millions of desktops. Is anyone currently using any of the features? How does the software communicate with it?
Re: (Score:1)
- Implementation and Reference Guide [intel.com]
Re: (Score:1)
You're confusing AMT (Active Management Technology) with IME (Intel Management Engine). AMT runs on top of ME. Even if you disable AMT, ME is still running.
Re: (Score:2)
An Anonymous Coward and Junta earlier up gave the answer. Basically it's a neat feature which "should" let Enterprise admins manage and fix a box even if the user has trashed the OS. It's all done by intercepting network packets before the OS even sees them. The problem is the tools Intel provides are apparently pretty horrid. Like cross SNMP and Netboot, but several times worse horrid. The other thing is the spec isn't open, so no one else can write tools or extend tools to use them. For example, the
Re: (Score:3)
Their closed approach probably stems from them getting a bit burned on IPMI. Intel was chiefly responsible for the spec, but the first real mass market servers that had it were AMD (mainly because of Intel's preoccupation with Itanium at the time). In the server business, Intel has nearly 0% share for service processors (third parties rule that roost, excepting the fact they all must interact with IME too). As they have evolved IME, they've kept it a tight restrictive secret. This means that the function
Beyond my understanding. (Score:1)
Oh noes! (Score:3)
always listening, able to receive packets even when the device is asleep
When was the last time you saw a computer that didn't have "wake on lan", "wake on keyboard", and "wake on network"? It's not done by magic and pixie dust.
Re: (Score:2)
It's not done by magic and pixie dust.
It wasn't done by a magical and highly obscure and secretive OS embedded in the CPU either.
Actually for the most part these were done by management functions of the individual cards responsible for the devices and triggered a computer startup with a standard call to the bios without CPU involvement.
As other people have pointed out, waking on LAN is quite different from being able to serve up a full webpage while powered off which is a part of what IME is apparently capable of.
my experience (Score:2)
ME details (or what I know of them) (Score:1)
Re: (Score:2)
It's a completely separate processor embedded in the PCH itself. It's leveraged for a wide range of functions, including things like out-of-band control of the machine itself, even when it's off, and even when it's non-bootable for some reason. It's also used for content protection and encryption of protected video and audio, and as such the ME software is integrated with the graphics and (I think) audio drivers. That's about all I know about it, if there are other functions the ME is leveraged for, I don't know about them. I do know it's not necessary for the ME to be running for the rest of the computer to be bootable, but if it's not then some functions may be disabled (like the playing of protected content).
Not necessarily.
Intel ME only communicates and integrates other intel components inside the cpu. The audio and video you mentioned only applies to intel graphics. Since ME is a lower level integration tool the part you see is just the audio and video by the integrated. If you own a realtek audio and an Nvidia card it won't be applicable for example.
Unless I could be wrong that is what I read up
CoreBoot (Score:3)
If you don't like this sort of thing, buy devices that support Coreboot [wikipedia.org].
Re: (Score:2)
So like, four old laptops that are refurbished, and nothing more recent than that on x86?
I mean, I see your point in principle, but in practice this isn't the type of sacrifice most people can make.
Re: (Score:2)
I would but I want to *upgrade* my PC, not switch to something 5+ years old.
Three step process to owning ME equipped machines (Score:2)
Step 1. Purchase a legitimate certificate from CA trusted by ME
Step 2. Broadcast DHCP announcement with domain name matching your trusted certificate
Step 3. Root dance
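The post above hinges on the management engine trusting a domain name handed out over DHCP. From the defender's side, the corresponding control is to watch the DHCP offers on the broadcast domain and alert when the domain-name option (option 15) is not the one your own server is supposed to send. As an added example (not code from the page, from Intel, or from any existing tool), here is a small DHCP option parser plus a check that flags offers carrying an unexpected domain. The sample offers are constructed in-line by build_offer(); the expected domain "corp.example" and the server address are placeholders, and a real deployment would feed the check from captured packets rather than from these samples.

```python
import struct

# Constants from the DHCP protocol (RFC 2131 / RFC 2132).
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD, OPT_DOMAIN_NAME, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 15, 53, 54, 255
DHCP_OFFER = 2
FIXED_HEADER_LEN = 236  # op..file fields; the magic cookie follows at offset 236


def build_offer(domain: str, server_ip: bytes = b"\x0a\x00\x00\x01") -> bytes:
    """Construct a sample DHCPOFFER (test data, not a captured packet)."""
    # op=2 (reply), htype=1 (ethernet), hlen=6, hops=0, xid, secs, flags,
    # ciaddr, yiaddr, siaddr, giaddr, chaddr, sname, file
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, 0x3903F326, 0, 0x8000,
        b"\x00" * 4, b"\x0a\x00\x00\x64", server_ip, b"\x00" * 4,
        b"\x00" * 16, b"", b"",
    )
    dom = domain.encode("ascii")
    options = (
        bytes([OPT_MSG_TYPE, 1, DHCP_OFFER])
        + bytes([OPT_SERVER_ID, 4]) + server_ip
        + bytes([OPT_DOMAIN_NAME, len(dom)]) + dom
        + bytes([OPT_END])
    )
    return fixed + MAGIC_COOKIE + options


def parse_options(packet: bytes):
    """Return {option_code: value} for a DHCP packet, or None if malformed."""
    if len(packet) < FIXED_HEADER_LEN + 4:
        return None
    if packet[FIXED_HEADER_LEN:FIXED_HEADER_LEN + 4] != MAGIC_COOKIE:
        return None
    opts = {}
    i = FIXED_HEADER_LEN + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            return None  # length byte missing
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            return None  # option body runs past the end of the packet
        opts[code] = value
        i += 2 + length
    return opts


def check_offer(packet: bytes, expected_domain: str) -> str:
    """Classify one DHCP packet: 'ok', 'not-an-offer', 'malformed' or an alert string."""
    opts = parse_options(packet)
    if opts is None:
        return "malformed"
    if opts.get(OPT_MSG_TYPE) != bytes([DHCP_OFFER]):
        return "not-an-offer"
    domain = opts.get(OPT_DOMAIN_NAME, b"").decode("ascii", "replace").rstrip("\x00")
    if domain != expected_domain:
        return f"alert: offer advertises domain {domain!r}, expected {expected_domain!r}"
    return "ok"


if __name__ == "__main__":
    for pkt in (build_offer("corp.example"), build_offer("other.example")):
        print(check_offer(pkt, "corp.example"))
```

Parsing the option list with explicit length checks matters as much as the domain comparison: a monitor that crashes on a malformed offer is one that an unexpected packet can silence.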
Re: (Score:2)
You would still need Intel RST to pretend to be a browser and open the website though.
Even going to the website with evil javascript trusted would still require admin access and need another OS level exploit to execute and then another one through ME to execute the code
Re: (Score:2)
All of those exploits exist and are in the wild. Luckily they have not been cobbled together into an attack script that I am aware of, but I haven't looked for a usable version of the hacks. I mainly care that they exist, and they do. :(
Re: (Score:2)
You would still need Intel RST to pretend to be a browser and open the website though.
No websites required. Computer does not even need to be turned on.
Even going to the website with evil javascript trusted would still require admin access and need another OS level exploit to execute and then another one through ME to execute the code
All you need is access to broadcast domain of wired or wireless network on which your victim is attached. As my attack strictly uses remote access facilities as intended to be used no exploits are required.
Re: (Score:2)
Glad I bought a h170 chipset motherboard and therefore don't have this crap.
It's very powerful and very broken (Score:2, Insightful)
I'll give you an example of how ME is used on very common business-oriented cheap desktops like Dell OptiPlex or old HP dc series.
It all began around the era of Core2Duo when manufacturers started to implement ME/AMT management solutions on their cheap office PCs. In the *default configuration* the access to ME's setup is unrestricted and protected by default credentials of admin/admin. Even if you have set a password on the BIOS itself you can still enter ME setup by just pressing a hotkey during boot.
Sinc
In depth analysis of intel ME (Score:1)
article is wrong about Rutkowska's recommendation. (Score:2)