Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Intel Security Hardware

The Trouble With Intel's Management Engine (hackaday.com) 106

szczys writes: You've used many devices that have Intel's Management Engine built into them, even if you haven't heard of it before. This is the lowest level of security, built directly into the chips. But obscurity is part of its security and part of its weakness. Nobody knows exactly how ME works, yet it includes a wide range of features that would be frightening if exploited. The ME is always listening, able to receive packets even when the device is asleep. And it has the lowest level of access to every part of the computer system.
This discussion has been archived. No new comments can be posted.

The Trouble With Intel's Management Engine

Comments Filter:
  • by CajunArson ( 465943 ) on Friday January 22, 2016 @01:59PM (#51352345) Journal

    Stopped reading the conspiracy rant after this delicious gem:

    Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device.

    Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure. With the implication that BIOS was somehow secure. Yeah, bullshit.

    I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.

    • by Anonymous Coward on Friday January 22, 2016 @02:15PM (#51352449)

      IME has always been a buggy piece of shit with absolutely no visibility by anyone outside of Intel or without strict NDAs, that is a fair statement. I have no experience with AMDs equivalent to speak of. But IME was always a black box of vague claims, poor implementations, bugs and secret sauce. That devices have embedded FW is unavoidable in this day and age, it's a fact of life and people need to get over it (I'm looking at systems companies who are allergic to software). But normally that embedded FW has a fixed function, is scope limited such that it can be reasonably tested and verified by the design teams and "must work". It's not like a more typical software development model (even for BIOS or UEFI) where if they have to release a patch they will do it. Updating IME can be sketchy given where it's fingers may lie in a design. IME seems to confuse all those boundaries and I haven't worked with anyone who has liked it.

      Confusing BIOS and UEFI into this discussion is distracting, they are generally unrelated (but again, given the sketchy scope of IME, there are tie-ins).

      • by Anonymous Coward on Friday January 22, 2016 @02:25PM (#51352537)

        ...with absolutely no visibility by anyone outside of Intel or without strict NDAs...

        Not true. As one who is under strict NDA, I'm pretty sure that Intel doesn't even know how it works or what it does.

        • by Junta ( 36770 )

          Yes, I have witnessed a lot of 'ok, the IME thinks SOMETHING is wrong, but damned if we know what'

      • by Burz ( 138833 )

        IME has always been a buggy piece of shit with absolutely no visibility by anyone outside of Intel or without strict NDAs, that is a fair statement. I have no experience with AMDs equivalent to speak of. But IME was always a black box of vague claims, poor implementations, bugs and secret sauce. That devices have embedded FW is unavoidable in this day and age, it's a fact of life and people need to get over it (I'm looking at systems companies who are allergic to software). But normally that embedded FW has a fixed function, is scope limited such that it can be reasonably tested and verified by the design teams and "must work". It's not like a more typical software development model (even for BIOS or UEFI) where if they have to release a patch they will do it. Updating IME can be sketchy given where it's fingers may lie in a design. IME seems to confuse all those boundaries and I haven't worked with anyone who has liked it.

        Confusing BIOS and UEFI into this discussion is distracting, they are generally unrelated (but again, given the sketchy scope of IME, there are tie-ins).

        Agreed. GP is kneejerk Intel fanboy blather and automatically runs to attack AMD as if TFA intended to play favorites. Intel dominates the market and sets the trends, so stop being a baby about criticism when an article focuses on them.

        IME remains a black box, that can talk with the network and is therefore open to attack. Its not a part of the trusted computing base, but has control over it.

        • by Gr8Apes ( 679165 )
          It seems like a really good way to deal with this is to use a non-Intel firewall between you and the internet, and only whitelist inbound ports and DPI those ports. Not terribly difficult, but likely beyond any Joe/Jane Sixpack.
    • Re: (Score:2, Interesting)

      I didn't even go past the part of the article that the submitter mangled for "The ME is always listening, able to receive packets even when the device is asleep." No, not exactly. The subsystem is able to recieve information from the network interface when the machine is hibernating or sleeping. So? Are we calling wake on lan or power saving mode an attack now? That's a basic feature of most modern devices with a network interface. Hell, my NAS box does this, it's network ready but in a powered down s
      • by Anonymous Coward on Friday January 22, 2016 @02:27PM (#51352557)

        It does a bit more than this. Heck, when the system is turned off (S5), it can still publish a webpage interface to the network. This is more than wake on lan or power saving mode.

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Yeah, that's a big difference between "turn on power" and "here's a HTTP SERVER running while in sleep"

          Previous parent is intentionally deceptive trying to blur the line. Shitty.

      • by lgw ( 121541 )

        It does more then wake on lan. Any time you have buggy code paying attention to the contents of packets in any way, you have a real attack vector. The ability to execute arbitrary code in a layer this low is something to worry about. Could an attacker use this layer to do an update to the BIOS (whatever it's called)? I don't know, but I'd like to know.

        • by mikael ( 484 )

          One of the old tricks of testing network software was to send randomly sized packets to the target system. Eventually something would crack. Sometimes they used function look-up tables to handle different packet types.

      • by klui ( 457783 )

        Intel AMT is available even if the machine is powered off. https://en.wikipedia.org/wiki/... [wikipedia.org]

        • Intel AMT is available even if the machine is powered off.

          Yep, sure, uses vacuum zero point energy or something. I bet it is can also listen on the ethernet even if the cable is unplugged and on wi-fi even if the AP/router is off, in fact it probably has knowledge of wi-fi auth backdoors built in so it can connect to any of your neighbours' wi-fi, and if that fails it'll go directly to satellite. It also has a full AI core and will actively attack you if you try to open up the machine and mess with it, and if you so much as think of unplugging everything and put

    • by st3v ( 805783 )
      I agree, the fact they wrote that immediately discredits the author as technically inept. This makes the whole article a waste of time.
      • by Gr8Apes ( 679165 )
        Perhaps that you agree and think the author is technically inept discredits you as technically inept. UEFI has a whole new set of potential attack vectors by virtue of it being remotely accessible. UEFI has some good features, but I think I'd prefer the entire "remote accessibility" piece to be a separate optional chip. There are a few other parts that would be nice to have the same optional pluggable feature, but given that making a single chip that does it all is n factors cheaper than building n chips, t
    • by Anonymous Coward

      Stopped reading the conspiracy rant after this delicious gem:

      Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device.

      Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure.

      It is not the abandonment of BIOS which makes computers insecure, it is the choice of UEFI.

      The current release of the UEFI specification has over 2,000 pages. This is a horribly complex mess which is almost impossible to implement completely and correctly. And you can bet that firmware vendors will opt for completeness over correctness any day.

      • Stopped reading the conspiracy rant after this delicious gem:

        Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device.

        Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure.

        It is not the abandonment of BIOS which makes computers insecure, it is the choice of UEFI.

        The current release of the UEFI specification has over 2,000 pages. This is a horribly complex mess which is almost impossible to implement completely and correctly. And you can bet that firmware vendors will opt for completeness over correctness any day.

        As opposed to 30 years of hacks from 1981 and layers and upon layers which only a select few knew the secrets with the bios?

        EFI was supported here before Windows 8. Now slashdot has become a fear of change site for IT folks which is hypocracy. Not saying UEFI is perfect but I am glad the bios is about dead. Like DOS with expanded vs extended ram tricks needed for games I welcomed Windows NT/95 greatly to say goodbye. Same is true with BIOS and all the limitations like 2 TB disks which that hack was implemen

        • by Gr8Apes ( 679165 ) on Friday January 22, 2016 @06:20PM (#51354279)

          As opposed to 30 years of hacks from 1981 and layers and upon layers which only a select few knew the secrets with the bios?

          EFI was supported here before Windows 8. Now slashdot has become a fear of change site for IT folks which is hypocracy. Not saying UEFI is perfect but I am glad the bios is about dead.

          BIOS could have been replaced with a modern EFI that merely fixed the issues with BIOS, and there would have been no issues. The problem is it was replaced with UEFI, which is much like replacing initd with systemd, and I apologize for the insult to UEFI in advance.

          Like DOS with expanded vs extended ram tricks needed for games I welcomed Windows NT/95 greatly to say goodbye. Same is true with BIOS and all the limitations like 2 TB disks which that hack was implemented because the bios is hardset at 40 meg disks and a virtual 2 TB wrap around was put in.

          BIOS had issues with small pointers it used (16 bit IIRC, of which several were "reserved") So you had 1024 cylinders as a max, and 512bit sectors, so the first cut was to create a cluster in between those two, which allowed for more space by aggregating sectors into clusters which could be addressed in a single cylinder. (This is all so long ago, I'm sure I have something wrong) All of this was based on the early early storage mediums where those terms really related to their physical counterparts.

          Personally, I said goodbye to DOS with OS/2 - flat memory addressing and true pre-emption over time-slicing. I've run several other OSes since then. I am looking forward to the security disaster that is Windows NT/2K/XP/VISTA/8/10 to go away and be replaced by something sane.

    • by Thud457 ( 234763 )
      What, this little gem didn't faze you?

      Nobody knows exactly how ME works

      • I'm sure the authors of the article don't know how the management engine works.

        But given their level of "competence" I'm sure they don't know how a lot of things work. So what, a piece of technology isn't governed by the level of ignorance of some blogger.

        • by Gr8Apes ( 679165 )

          But given their level of "competence" I'm sure they don't know how a lot of things work.

          You don't need to be competent in something to necessarily know it is broken or smells fishy. It certainly can help, but in this case, they are spot on. ME smells fishy for sure.

    • I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.

      I don't understand these types of comments which are made quite often here and elsewhere. Someone says something about Google and there is always a response about Apple or Microsoft doing x, y and z too.

      Why can't someone focus on something a specific vendor is or is not doing even if you disagree with their process or conclusions without being obligated to enumerate all other vendors who may or may not be doing the same thing?

      Why is there always that implicit assumption failure to talk about what everyone

    • Comment removed based on user account deletion
    • Two other problems are that boot signing is an optional module in UEFI, in addition to the fact that ME is off in the factory configuration, and in order for it to do anything you have to explicitly enable it and configure a password.

      It's actually a wonderful feature to have, by the way. It still works even if the CPU is dead and you have no RAM. You can tell exactly what's wrong with a seemingly dead system through the fault logs on the web interface.

      • Actually no, the ME is off as far as user facing features are concerned, but if it is fully off, good luck booting your PC. The MS is always on, and contrary to Intel's public stance, when you buy a SKU with it disabled/no BIOS for it loaded/fused off (depending on whom you talk to, I have gotten all three many times), it is still there, still functional, and still not under your control.

        In short 'off' means the user facing and user accessible parts are no longer user accessible, not what most people still

      • But MS supports it and change is scary and bad so shhh. The bios is the best ever right there with running XP on a modern i7

    • I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me.

      I know, right?! Just last month someone tried to convince me that Juniper routers had a backdoor. [slashdot.org] Can you believe the crazy shit people are willing to believe? What crazy conspiracy-theory drivel will people post next, all our phones are tapped? A secret NSA building where internet traffic is recorded? I mean, that would have be a huge building.

      conspiracy-theory drivel indeed!

    • Stopped reading the conspiracy rant after this delicious gem:

      Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device.

      Yeah, so because they finally abandoned BIOS, modern computers are suddenly insecure. With the implication that BIOS was somehow secure. Yeah, bullshit.

      I'm not even saying that the IME is necessarily perfect, but conspiracy-theory drivel doesn't do much for me. That goes double for when it seems to be directed at one vendor and one vendor only while pretending that everybody else out there (AMD [which flat-out embeds an ARM processor in its parts to copy the functionality of IME], anything running ARM, etc.) is all magically secure.

      Almost every computer microchip has microcode that is revisable via a module stored within the bios. Much of the chips instruction set is programmable. Intel, AMD and other vendors do have microcode updates that are presented at boot time. Linux has them. Windows has them, etc.

      And if you think that the AES instructions within the chip are safe to use, think again. I am willing to bet that the NSA has front doors into the cpu chip, such that it has the possibility to report encryption or decryption activit

  • by Anonymous Coward on Friday January 22, 2016 @01:59PM (#51352347)

    Between lack of a useful setup routine, centralized management, etc.. it's a royal PITA to actually work with on an Enterprise level.. It's nice though.. I'll give them that.. onboard VNC for BIOS level control like a DRAC/BMC/ORA/iLO, etc and ability to send WOL to PC level hardware is nice for those pesky users that have totally messed things up.. It's also useful for remote rebuilding of machines since you can remote redirect ISOs and such..

    But.. again.. royal PITA to setup and the documentation is scattered and horrible to read through.

    • by Junta ( 36770 )

      And the specifications are locked up and restricted, preventing quality third party tools to step in for Intel's lackluster implementation.

      • by Anonymous Coward

        Without sitting in on an Intel meeting on the subject, I can assume that is because they are still determining where the line is between useful feature and security exploit waiting to happen. Until that line is determined, their best course of action is to not release any detailed documentation about the potential of the system and provide only their (by devs for themselves) preliminary software.

        Yes, this course of action may result in a general market rejection of the system, but that's better than making

        • by Junta ( 36770 )

          I would put more money on it being a matter of them considering it a valuable differentiator for business customers, and keeping it secret mitigates risk of competing vendors popping up to compete on a level playing field.

          They aren't still determining the line, they have had this for years and years and know very well their intent and risks.

          • IntelME is really for it's SOC components so they can integrate with cpu states for mobile devices and desktops. It shouldn't be open or maybe open for opensource developers who write drivers for the integrated components.

            It is a driver suite but with more cpu integration no different than geforce or ATI catalyst driver suites.

    • Between lack of a useful setup routine, centralized management, etc.. it's a royal PITA to actually work with on an Enterprise level.. It's nice though.. I'll give them that.. onboard VNC for BIOS level control like a DRAC/BMC/ORA/iLO, etc and ability to send WOL to PC level hardware is nice for those pesky users that have totally messed things up.. It's also useful for remote rebuilding of machines since you can remote redirect ISOs and such..

      But.. again.. royal PITA to setup and the documentation is scattered and horrible to read through.

      Very painful to work with. Two apparently identical laptops had ME that worked quite differently.

    • But.. again.. royal PITA to setup and the documentation is scattered and horrible to read through.

      Why oh why couldn't Snowden dump some of the more useful documents the NSA has? ;cP

  • by Anonymous Coward

    What do you mean "if"?

      https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Known_vulnerabilities_and_exploits

  • AMD. No backdoors.


    (some verification may be required)
    • by jandrese ( 485 ) <kensama@vt.edu> on Friday January 22, 2016 @02:49PM (#51352695) Homepage Journal
      AMD calls their version of the IME the "Platform Security Processor (PSP)".

      One of the side effects is that open source BIOS projects [libreboot.org] are effectively dead for desktops.
      • Re: (Score:3, Informative)

        by Anonymous Coward

        The PSP is nothing like IME. IME is a dedicated chip for remote management, which you can't touch.

        PSP is simply a separate ARM core that you can control, including running a separate OS. The PSP ARM core, in turn, has a common ARM feature called TrustZone, which provides very strong security guarantees for the software running inside the TrustZone. Again, you control how this is configured and what software runs in the TrustZone.

        I don't know about the PSP specifically, but most ARM chips with TrustZone also

        • by _merlin ( 160982 )

          If you're enabling IME with default password, you're doing it wrong. If you enable IME you should be installing your own certificates and using certificate-based authentication. If you aren't, you're stupid. I've never encountered hardware where IME is enabled by default (in fact my Dell Precision T3610 is buggy in such a way that it's impossible to enable, and there's no way to enable it on 13th-generation PowerEdge by design). There's a lot of FUD about IME, but it won't hurt you if you don't turn it

  • So the IME is in place in millions of desktops. Is anyone currently using any of the features? How does the software communicate with it?

    • by Anonymous Coward
      It's not a mystery. These are normal management features used by enterprises.
    • An Anonymous Coward and Junta earlier up gave the answer. Basically it's a neat feature which "should" let Enterprise admins manage and fix a box even if the user has trashed the OS. It's all done by intercepting network packets before the OS even sees them. The problem is the tools Intel provides are apparently pretty horrid. Like cross SNMP and Netboot, but several times worse horrid. The other thing is the spec isn't open, so no one else can write tools or extend tools to use them. For example, the

      • by Junta ( 36770 )

        Their closed approach probably stems from them getting a bit burned on IPMI. Intel was chiefly responsible for the spec, but the first real mass market servers that had it were AMD (mainly because of Intel's preoccupation with Itanium at the time). In the server business, Intel has nearl 0% share for service processors (third parties rule that roost, excepting the fact they all must interact with IME too). As they have evolved IME, they've kept it a tight restrictive secret. This means that the function

  • This kind of stuff really gets the wheels turning in my head, but unfortunately the hamsters in those wheels are on the verge of death.
  • by BarbaraHudson ( 3785311 ) <barbara,jane,hudson&icloud,com> on Friday January 22, 2016 @02:37PM (#51352601) Journal

    always listening, able to receive packets even when the device is asleep

    When was the last time you saw a computer that didn't have "wake on lan", "wake on keyboard", and "wake on network"? It's not done by magic and pixie dust/

    • It's not done by magic and pixie dust/

      It wasn't done by a magical and highly obscure and secretive OS embedded in the CPU either.

      Actually for the most part these were done by management functions of the individual cards responsible for the devices and triggered a computer startup with a standard call to the bios without CPU involvement.

      As other people have pointed out, waking on LAN is quite different from being able to serve up a full webpage while powered off which is a part of what IME is apparently capable of.

  • In my experience, on late model DDR3 and DDR4-based chipsets, the ME driver is unstable, does absolutely nothing, is now included in Windows Update so you can't ignore it unless you disable it. Some early model computers around 2009-ish will not boot if ME is turned off in the BIOS so why is there even an option in the BIOS to turn it off? NOBODY actually uses it for anything, even in most corporate IT environments. I also heard some computers can use it to turn on from a dead power off, allegedly. It's
  • by Anonymous Coward
    It's a completely separate processor embedded in the PCH itself. It's leveraged for a wide range of functions, including things like out-of-band control of the machine itself, even when it's off, and even when it's non-bootable for some reason. It's also used for content protection and encryption of protected video and audio, and as such the ME software is integrated with the graphics and (I think) audio drivers. That's about all I know about it, if there are other functions the ME is leveraged for, I don't
    • It's a completely separate processor embedded in the PCH itself. It's leveraged for a wide range of functions, including things like out-of-band control of the machine itself, even when it's off, and even when it's non-bootable for some reason. It's also used for content protection and encryption of protected video and audio, and as such the ME software is integrated with the graphics and (I think) audio drivers. That's about all I know about it, if there are other functions the ME is leveraged for, I don't know about them. I do know it's not necessary for the ME to be running for the rest of the computer to be bootable, but if it's not then some functions may be disabled (like the playing of protected content).

      Not necessarily.

      Intel ME only communicates and integrates other intel components inside the cpu. The audio and video you mentioned only applies to intel graphics. Since ME is a lower level integration tool the part you see is just the audio and video by the integrated. If you own a realtek audio and an Nvidia card it won't be applicable for example.

      Unless I could be wrong that is what I read up

  • by mrchaotica ( 681592 ) * on Friday January 22, 2016 @02:51PM (#51352717)

    If you don't like this sort of thing, buy devices that support Coreboot [wikipedia.org].

  • Step 1. Purchase a legitimate certificate from CA trusted by ME

    Step 2. Broadcast DHCP announcement with domain name matching your trusted certificate

    Step 3. Root dance

    • You would still need Intel RST to pretend to be a browser and open the website though.

      Even going to the website with evil javascript trusted would still require admin access and need another OS level exploit to execute and then another one through ME to execute the code

      • All of those exploits exist and are in the wild. Luckily they have not been cobbled together into an attack script that I am aware of, but I haven't looked for a usable version of the hacks. I mainly care that they exist, and they do. :(

      • You would still need Intel RST to pretend to be a browser and open the website though.

        No websites required. Computer does not even need to be turned on.

        Even going to the website with evil javascript trusted would still require admin access and need another OS level exploit to execute and then another one through ME to execute the code

        All you need is access to broadcast domain of wired or wireless network on which your victim is attached. As my attack strictly uses remote access facilities as intended to be used no exploits are required.

  • by Anonymous Coward

    I'll give you an example of how ME is used on very common business-oriented cheap desktops like Dell OptiPlex or old HP dc series.

    It all begun around the era of Core2Duo when manufacturers started to implement ME/AMT management solutions on their cheap office PCs. In the *default configuration* the access to ME's setup is unrestricted and protected by default credentials of admin/admin. Even if you have set a password on the BIOS itself you can still enter ME setup by just pressing a hotkey during boot.
    Sinc

  • Having already listened to Joanna Rutkowska's talk a few weeks ago, the writer got it wrong... he/she read or heard 'stick' and inferred 'USB'... no. USB is terminally insecure because the controllers necessary to operate it can be infected also (https://srlabs.de/badusb/) That's why there is a line that says SPI in it. She is talking about something like an SDcard, which has less firmware in it to corrupt. Complexity is the enemy of trust. The issue is that the new stuff is harder for white hats to ac

Five is a sufficiently close approximation to infinity. -- Robert Firth "One, two, five." -- Monty Python and the Holy Grail

Working...