Intel Privacy Security Hardware

Intel x86s Hide Another CPU That Can Take Over Your Machine -- You Can't Audit it (boingboing.net) 368

A report on BoingBoing, authored by Damien Zammit, claims that recent Intel x86 processors have a secret and powerful control mechanism implemented into them that runs on a separate chip that nobody is allowed to audit or examine. From the report: When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks.

Further explaining the matter, the author claims that a system with a mainboard and Intel x86 CPU comes with Intel Management Engine (ME), a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an "extra general purpose computer." The problem resides in the way this "extra-computer" works. It runs completely out-of-band with the main x86 CPU "meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend)."

On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU. From the report: The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system.

Update: 06/15 18:54 GMT by M: A reader points out that this "extra computer" could be there to enable low-power functionalities such as quick boot and quality testing.

Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.

  • Just as well (Score:4, Interesting)

    by rossdee ( 243626 ) on Wednesday June 15, 2016 @02:47PM (#52323769)

    That my PC has an AMD CPU

    • by Anonymous Coward on Wednesday June 15, 2016 @02:51PM (#52323803)
      Breaking: A user with AMD-powered computer found happy. More at 11PM.
      • Re:Just as well (Score:5, Interesting)

        by hairyfeet ( 841228 ) <bassbeast1968@@@gmail...com> on Wednesday June 15, 2016 @05:04PM (#52324923) Journal

        There is actually quite a lot of us because if you were to do a blind A/B test with an FX-8 versus an i5? You wouldn't be able to tell which is which....but your wallet would know the difference.

        My FX-8320E when paired with an R9 280 and 16GB of RAM plays all my games with so much bling that I have gotten killed on several occasions because I was too busy gawking at the pretty to notice the enemy coming up behind me, runs very very cool (on air the highest I have ever hit is 122F with all 8 cores slammed doing A/V work) and the whole system, with an SSD and 3TB HDD? Less than $550 after MIR.

        When you add to this the fact that AMD has been opening their docs, just as the FOSS community asked them to do, giving massive amounts of code to the community with Vulkan being just one of many, no DRM chips like TPM, oh and you can get their chips for often less than a third an equivalent Intel chip? It's really not a hard choice to make.

        • One would hear the difference. I used to be an AMD only guy for more than a decade, but then Core2Duo came out and suddenly I was able to have a fast CPU without a fan. And even now I have a passive cooled i5 - same cooler BTW as the Core2Duo from years ago.

    • Love and use AMT (Score:4, Interesting)

      by meadow ( 1495769 ) on Wednesday June 15, 2016 @03:01PM (#52323915)

      I love AMT. AMT is definitely one feature of the Dell Optiplex small form-factor systems that I like to use for my headless home servers. It's like having a built-in Cyclades serial console server. For running headless systems it's almost essential.

      The only thing I don't like about it is that you need to have Windows installed to be able to update it as part of the updates released by Dell.

      • TROLOLOLOLO!!!! (Score:2, Informative)

        by Thud457 ( 234763 )
        This is the same FUD from Hack-a-day from last Janumanary [slashdot.org]

        DUPE ALL THE THINGS!
        Anononymous poster, check!
        Be sure to mine the +5 comments from old stories for cheap karma!
      • Re: Love and use AMT (Score:5, Informative)

        by ArmoredDragon ( 3450605 ) on Wednesday June 15, 2016 @03:24PM (#52324099)

        I use AMT a lot as well, and have for years. My main question here is: How the fuck is this even remotely news material? Furthermore, why is it presented as some sort of conspiracy? Intel advertises this as a feature and never made any attempt to hide it. AMT is also off by default, by the way.

        The only Intel feature I'm at all concerned about is SGX, which by design can't be audited, and has nothing to do with anything mentioned in TFS.

        • by meadow ( 1495769 )

          Maybe the next /. story will be how all mobile devices have a secret, hidden OS called the bootloader that can be compromised by three-letter agencies...

          • by dfsmith ( 960400 )

            Did you know that some doors—maybe even your door—can be opened by using a MASTER KEY! This, and other secret conspiracies, at 11...

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Except AMD chips appear just as problematic.

      https://libreboot.org/faq/#amd

    • Re:Just as well (Score:5, Informative)

      by marcansoft ( 727665 ) <.hector. .at. .marcansoft.com.> on Wednesday June 15, 2016 @03:18PM (#52324049) Homepage

      ... and guess what, AMD CPUs have an extra ARM core in them, as well as multiple little cores of various architectures attached to the GPU. All running proprietary firmware.

      Throwing random little CPUs at problems is nothing new. What makes you think the firmware in your PCIe WiFi card also can't access all main memory and be turned into a rootkit? What about the Embedded Controller on laptops, that runs even when it's off?

      Yes, the state of firmware auditability of modern PCs is dismal. It's been like this for at least a decade. Yes, Intel does it one way, AMD does it another way, and just about every other peripheral on your board is also an attack surface. GPU? Dozens of little auxiliary cores (unrelated to the GPU unified shaders); Nvidia or AMD, doesn't matter. That USB 3.0 host controller? Probably runs firmware too. Ethernet? Yup, often has firmware these days. That LSI SAS controller? Full PowerPC core with enough oomph to run Linux itself. Your hard drive? 3 ARM cores, you can make them run Linux too. And all of those things can scribble all over your main memory unless you enable the IOMMU (except the HDD, that one can scribble all over your storage instead).

      Sleep tight.

      • shit, secondary processors have been inside PCs since the 80s.

        Remember things like "A20 gate" in old pcs? It was a hack on the AT keyboard controller. It was introduced to solve an addressing issue with ram above 1mb in real mode.

        Using secondary chips to do things in memory is an ancient idea. The amiga relied on it quite heavily in fact.

        Own a Wii? There's a secondary ARM core nicknamed "scarlet" in there, running beside the PPC core.

        While having this system compromised by malware is a worrisome prospect,

        • by yusing ( 216625 )

          Hell, Commodore 1541 floppy drives contained their own 6502 for an on-board DOS. Programming the drive was a hot topic for years.

      • by SumDog ( 466607 )

        SD cards have a 32-bit micro-controller on them. They're used to mark bad sectors and keep writes from being on adjacent memory locations (disturbing memory locations a lot on SD cards can corrupt data). There's a talk out there somewhere, where a researcher reprograms the SD card's on-board processor, while keeping it functioning as an SD card. In theory, you could take a 25GB card, have it report it's 15GB and write a small program to make a copy of all writes to a hidden part of the card for retrial late

      • What makes you think the firmware in your PCIe WiFi card also can't access all main memory

        Something which is called an IOMMU.

        https://en.wikipedia.org/wiki/... [wikipedia.org]
        Memory is protected from malicious devices that are attempting DMA attacks and faulty devices that are attempting errant memory transfers because a device cannot read or write to memory that has not been explicitly allocated (mapped) for it. The memory protection is based on the fact that OS running on the CPU (see figure) exclusively controls
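The IOMMU point in the two comments above can be checked on a Linux host. The following is an added example, not code from the thread: it walks the sysfs layout to list DMA-capable PCI functions and whether each sits in an IOMMU group. The device list is constructed for illustration, and the function names are hypothetical.

```python
import os
import sys
import tempfile

# PCI base class (top byte of the 24-bit class code) for functions that
# normally act as DMA initiators.
DMA_CLASSES = {
    0x01: "storage controller",
    0x02: "network controller",
    0x03: "display controller",
    0x07: "communication controller (Intel MEI/HECI enumerates here)",
    0x0C: "serial bus controller (USB, FireWire)",
}


def iommu_active(sysfs_root):
    """True if the kernel has created at least one IOMMU group."""
    groups = os.path.join(sysfs_root, "kernel", "iommu_groups")
    return os.path.isdir(groups) and len(os.listdir(groups)) > 0


def audit_pci(sysfs_root):
    """List DMA-capable PCI functions and the IOMMU group of each (or None)."""
    base = os.path.join(sysfs_root, "bus", "pci", "devices")
    findings = []
    for bdf in sorted(os.listdir(base)):
        dev = os.path.join(base, bdf)
        with open(os.path.join(dev, "class")) as fh:
            class_code = int(fh.read().strip(), 16)  # e.g. 0x020000
        kind = DMA_CLASSES.get(class_code >> 16)
        if kind is None:
            continue  # bridges and similar: not audited here
        # With an active IOMMU, each device directory has an iommu_group symlink.
        link = os.path.join(dev, "iommu_group")
        group = os.path.basename(os.readlink(link)) if os.path.islink(link) else None
        findings.append({"bdf": bdf, "kind": kind, "group": group})
    return findings


def unprotected(findings):
    """PCI addresses of DMA-capable functions with no IOMMU group."""
    return [f["bdf"] for f in findings if f["group"] is None]


def build_sample_tree(with_iommu):
    """Build a constructed sysfs-like tree (not captured from a real machine)."""
    root = tempfile.mkdtemp(prefix="sysfs-sample-")
    devices = os.path.join(root, "bus", "pci", "devices")
    groups = os.path.join(root, "kernel", "iommu_groups")
    os.makedirs(devices)
    os.makedirs(groups)
    sample = [
        ("0000:00:00.0", "0x060000"),  # host bridge (skipped by the audit)
        ("0000:00:02.0", "0x030000"),  # GPU
        ("0000:00:14.0", "0x0c0330"),  # USB 3.0 host controller
        ("0000:00:16.0", "0x078000"),  # host-side MEI interface
        ("0000:02:00.0", "0x028000"),  # WiFi card
    ]
    for n, (bdf, class_code) in enumerate(sample):
        dev = os.path.join(devices, bdf)
        os.makedirs(dev)
        with open(os.path.join(dev, "class"), "w") as fh:
            fh.write(class_code + "\n")
        if with_iommu:
            os.makedirs(os.path.join(groups, str(n), "devices"))
            os.symlink(os.path.join(groups, str(n)),
                       os.path.join(dev, "iommu_group"))
    return root


if __name__ == "__main__":
    # Pass /sys to audit the running host; with no argument use the sample.
    root = sys.argv[1] if len(sys.argv) > 1 else build_sample_tree(True)
    print("IOMMU groups present:", iommu_active(root))
    for f in audit_pci(root):
        state = "group " + f["group"] if f["group"] else "NO IOMMU GROUP"
        print(f["bdf"], f["kind"], "->", state)
```

A device having a group only shows that the IOMMU is translating for it; if the kernel runs the IOMMU in passthrough (identity-mapped) mode, DMA is still not restricted. The MEI entry is the host-side interface to the ME, so this audit says nothing about what the ME does internally.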

    • by zdzichu ( 100333 )

      You are fscked up the same way by AMD: https://libreboot.org/faq/#amd [libreboot.org]

    • Re:Just as well (Score:5, Informative)

      by MachineShedFred ( 621896 ) on Wednesday June 15, 2016 @05:00PM (#52324893) Journal

      This is such overblown pap - the only way to provision Intel AMT / vPro is to either have physical access to the keyboard during reboot, or to have a certificate signed by a trusted provider specifically for provisioning AMT / vPro if you would like to do it over the network. And no, you can't add in your own self-signed nonsense because the CAs that can do this are in the AMT firmware. If you don't get a cert from Verisign / Comodo / etc., the firmware tells you to stick it up your ass and refuses to provision.

      Having done manual provisioning, scripted provisioning, and network provisioning in a technology trial for using vPro on a network with ~55,000 PCs spread across the continent, I can say that Intel thought about this "back door" and made it so that you have to go through some extraordinary work in order to use it. And, even then, unless you paid for full-blown vPro on each and every PC, you get access to basically what you could have done with Wake-on-LAN back in the day, with a few extras. With vPro you can do remote control and remote virtual disk mounts, but doing so causes big flashing red and yellow bars on the border of the screen letting a local user know someone's doing it.

      Moreover, Intel has been actively marketing this functionality for over 5 years to big business as a way to cut software costs for costly (and shitty) remote control solutions that don't work when the OS is fucked. To think that this is some super secret clandestine operation is complete horseshit.

      What an overblown piece of trash this 'article' is.

      • Maybe the NSA has already done that "extraordinary work" you speak of.
  • by Anonymous Coward on Wednesday June 15, 2016 @02:49PM (#52323787)

    This is key to enabling low-power functionality in Intel CPUs - think quick boot and quality testing. It doesn't have any surveillance or other purposes.

    • Re: (Score:2, Insightful)

      Sure, and there's no way it could be used by three letter agencies, ever.

      • Why do that when you can just get the OS vendors to give you backdoors and control? That way you can access everyone, not just the few that have this extra hardware feature...
        • You probably made a typo -- the keys for "just the few" and "all of them" are close-by on the keyboard, after all.
        • On one hand, I think this whole thing is overblown. On the other hand, playing devil's advocate, the TLAs can't access a machine that is powered down; this potentially allows them to turn it on remotely.
          • Re: (Score:3, Funny)

            by slew ( 2918 )

            On one hand, I think this whole thing is overblown. On the other hand, playing devil's advocate, the TLAs can't access a machine that is powered down; this potentially allows them to turn it on remotely.

            There are many levels of "powered-down". Many enterprise PCs have had wake-on-lan and pxe-boot for a while. Often these are simply controlled via bios settings (which we know are completely secure against TLAs)...

            Quick shut the barn doors, the horses have escaped!

      • by Yvan256 ( 722131 )

        You really think AMD will mess around with Intel's CPU?

      • by skids ( 119237 ) on Wednesday June 15, 2016 @03:54PM (#52324367) Homepage

        I'm sure it can be used, just like the rest of the hardware "can be used."

        But these things in one form or another have been around for over two decades and everyone who has ever set up real server hardware from scratch knows they're there and their existence has never been a secret. (The closed-source code they run, on the other hand...) It's not even "news" that chipset manufacturers have started to integrate these systems directly into CPUs.

        The earliest one of these I remember was called iLOM on a Sun Systems but I'm sure they predate that. Just LOM and ILO are other names I've seen.

        Once desktops started to need active runtime heat management, many of them got a "systems management" co-processor that helped with thermal/power control.

        Personally I'd be just as worried about whatever firmware is running on the ethernet card these days... which is to say, not very, because there's not much to be done about it, unless you have the reason and time to invest in completely open hardware from top to bottom and the willingness to live within the limitations that might entail. So while I would normally suggest the mildly paranoid just not use the onboard ethernet ports, I can't say I really trust ethernet cards, either.

        Also since there are so many gaping holes just staring me in the face in commercial OSes when it comes to (software) VPN and WPA drivers, I figure it'll be a long, long time before I can get around to finessing things down to the metal, if ever.

        • by bws111 ( 1216812 )

          They have been around a lot longer than that. Mainframes have had 'service elements' and 'support processors' for at least 40 years. And those things can do a heck of a lot more than the Intel AMT stuff. Like alter/display ANY register or ANY storage.

      • by guruevi ( 827432 )

        There are already many platforms (even some workstation/desktop class) that have IPMI or similar remote support. There are similar constructs in the "standard" ACPI (after all, Microsoft made it). If you could hack those chips, yes, you could run whatever you wanted on them and it's a real threat. This is not a feature that Intel is 'hiding', it's actually advertising the feature.

      • Just wait for Facebook or Google to take advantage of it.
    • I think the critical part is that intel doesn't let anyone write code for that chip, basically making it a black box.

      BUT I think it's better to have it in the hands of Intel than, say, Microsoft.

    • This is key to enabling low-power functionality in Intel CPUs - think quick boot and quality testing. It doesn't have any surveillance or other purposes.

      None that you know of. The point of the article is that there has been no way to be sure about what's really in there and what isn't. The code appears to have been deliberately obfuscated by Intel at a hardware level. It's true that this subsystem is not new and has been known about for years, but I gather the point of the article is not to announce its existence, rather he wants to say that he has figured out some (but not all) of the subsystem's functionality that was previously hidden, and he wants to ev

    • by l2718 ( 514756 ) on Wednesday June 15, 2016 @03:38PM (#52324229)

      If the only goal was simply to provide low-power functionality, the coprocessor would be fully controlled by the operating system (ultimately, by the owner of the machine).

      In fact, the main goal is to provide remote administration capabilities (what they call Intel Active Management Technology [wikipedia.org]). In other words, the idea is to allow a remote administrator to take over the machine in a way that is independent of and invisible to the main operating system and processor. This serves a legitimate purpose in an "enterprise" environment (one person administers a large number of diverse machines) -- for example it allows taking back control of a cracked machine, or recovering critical data from memory after OS crashes. However, this feature is not useful for a privately administered single-user machine.

      Finally, by definition a remote administration feature is a back door. This one is incredibly dangerous: a rootkit running on the coprocessor is entirely invisible to the operating system, has its own independent network access, and can monitor the disk, the memory and all other peripherals. In principle the remote management features must be activated via the System BIOS and you can set a password there, but really your only measure of safety against this back door is your trust that there are no bugs in Intel's code.

      Why isn't Intel allowing you to replace the firmware? Because it's hard to ensure that the owner of the machine is the one initiating the firmware replacement. The real troubling point is that Intel isn't allowing you to disable this feature with a hardware switch. Hardware switches (jumpers on the motherboard) are a way of controlling the system available only to the physical owner of the machine. Having a hardware switch would satisfy both the enterprise and security-conscious customers.

      • by sjames ( 1099 )

        Older schemes where the BMC couldn't access the system memory were safer. One safety feature would be to replace memory access with specific interfaces (serial and a general access port used by SMM) and their own independent network interface (allowing effective vlan isolation with no need for the honor system). To complete the picture, the BMC could emulate a USB device connected on the MB to an actual USB chip. At least that way they would need to compromise 2 firmware images to get anywhere.

  • ...I voted AMD.
  • by ranton ( 36917 ) on Wednesday June 15, 2016 @02:54PM (#52323825)

    Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.

    Everyone is used to getting their news from social media anyway, so why bother verifying the claims before posting it as news?

    • by ceoyoyo ( 59147 )

      This is a discussion site not the New York Times. It's perfectly acceptable to post a rumor or unverified claim. It's good that they identified it as such... usually the Slashdot editor just clicks publish on whatever swill caught his eye in the submissions.

    • by thegarbz ( 1787294 ) on Wednesday June 15, 2016 @05:24PM (#52325051)

      Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.

      Everyone is used to getting their news from social media anyway, so why bother verifying the claims before posting it as news?

      I'd like to go the other way, why are we adding an "unverified" disclaimer to something that has been known about for many years? Intel aren't hiding anything. The existence of this miraculous CPU is documented on their website and its function is accessible using their provided tools. Heck AMD do it too they just happen to call it PSP instead of IME. The only thing they are hiding is what's in their firmware which everyone has done for a long long time.

  • Old news (Score:5, Informative)

    by psergiu ( 67614 ) on Wednesday June 15, 2016 @02:55PM (#52323831)

    https://libreboot.org/faq/#int... [libreboot.org]

    https://libreboot.org/faq/#amd [libreboot.org]

    Both Intel and AMD had this for years - read above links ...

    • Somebody needs to hack Intel and AMD and release their private keys and source code.

  • What the fuck? (Score:3, Insightful)

    by 110010001000 ( 697113 ) on Wednesday June 15, 2016 @02:56PM (#52323847) Homepage Journal
    This has been known for years and is present on Intel and AMD. What year is this?
    • by Yvan256 ( 722131 )

      And we're safe anyway. It's really easy to know what's dangerous or not on the Internet since the creation of the evil bit.

  • "Trusted" (Score:5, Insightful)

    by Fwipp ( 1473271 ) on Wednesday June 15, 2016 @02:56PM (#52323851)

    From the article:

    We have no physical separation between the components that we can trust and the untrusted ME components, so we can't even cut them off the mainboard anymore.

    Why do you trust the main CPU, if you don't trust the ME chip?

  • This is for out of band management so devices can be monitored and restarted remotely (think: enterprise environments). Nothing to get wrinkles in your tin hat over. :)

  • If it's really there and Intel has hidden it, I wonder if they could be successfully prosecuted for conspiracy to commit unauthorized computer access.

    • Only if you can prove they are using it without your authorisation. It simply existing is not enough.

      • Only if you can prove they are using it without your authorisation. It simply existing is not enough.

        IANAL, but I wonder if "Conspiracy with intent to ..." would be a crime in this case.

        • Prove the conspiracy, and prove the intent - Intel has a huge amount of resources setup around this for enterprise systems management, so you have a massive uphill (almost a vertical cliff one might say) battle to climb in order to prove any malicious intent here.

          Just because you don't like it, doesn't mean anything illegal is being done.

  • Here's the thing (Score:4, Insightful)

    by H3lldr0p ( 40304 ) on Wednesday June 15, 2016 @03:01PM (#52323911) Homepage

    I don't like the idea of a computer inside my computer I don't have any control over.

    I find the article a little on the high side of paranoia, however. Yes, it is possible to have unnamed people from unnamed places get in and get data from your system. The article does go out of its way to point out that this isn't very likely. The firmware running the second CPU is heavily encrypted and hash-checked at runtime. Making it unlikely to be broken until the heat-death of the universe or we finally figure out the P=NP thing.

    Conversely, I'd like to know what's going on under the cover Intel. If this is in the stuff I bought, I figure I have a legal right to be able to access it and run an audit on it. Without having to go through you. Conflict of interest and right of first sale and a few more things spring to mind as to why that's not a something I'd want to do.

    • Re:Here's the thing (Score:4, Interesting)

      by Obfuscant ( 592200 ) on Wednesday June 15, 2016 @03:23PM (#52324093)

      I don't like the idea of a computer inside my computer I don't have any control over.

      Then you are destined for a life of unhappiness. Most of the I/O processing in your "computer" is done by dedicated computers that you have no control over. The video card, the network card, the IEEE1394 or USB. The disk drives. Even the audio. Things that have DMA so they can access memory without the CPU knowing about it...

      You may look at the device and see a part number that you can look up, but dollars to donuts that the part is programmable in some way that makes it be what it is. FPGA, perhaps. Or just a microprocessor with firmware in EEPROM.

      I figure I have a legal right to be able to access it and run an audit on it.

      If they make it so you can "audit" it (whatever that means) then they've made it accessible to bad guys, too.

      Conflict of interest and right of first sale and a few more things spring to mind as to why that's not a something I'd want to do.

      How do you imagine that this "unauditable" CPU is hindering you from reselling the computer? I'm really fascinated to hear the reasoning behind that.

  • true (Score:5, Informative)

    by dissy ( 172727 ) on Wednesday June 15, 2016 @03:05PM (#52323951)

    Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.

    Uh, the claims are quite true. I've been using these features at work for about a decade to perform remote OS installs and HD re-imaging at remote locations, where the on-site staff only pop in a new blank HD.

    All Core i7 CPUs have this in them standard, and many i5's too especially at the higher end.

    [PDF] Datasheet on the MEBX management engine:
    http://download.intel.com/supp... [intel.com]

    [PDF] How to enable and use the AMT active management engine:
    http://www.intel.com/content/d... [intel.com]

    And here is the SCS software used on another computer to control an AMT enabled computer:
    http://www.intel.com/content/w... [intel.com]

    RealVNC works with an AMT enabled computer out of the box too and with all the normal features you would expect like remote keyboard/video/mouse control, redirected drives, etc. But isn't a free program.

    Other VNC clients seem to be hit or miss but even when they work you only get remote KVM, you'd have to use the built-in AMT web server to configure drive redirection and issue power on/off/reboot commands.
    There is a similarly limited VNC client included in the SCS software link above, and a second web browser window will let you do the rest, even if slightly clunky, but still for free.

    • by sinij ( 911942 )
      If AMT is enabled by default, why don't we see widespread compromises?
      • Re:true (Score:5, Informative)

        by dissy ( 172727 ) on Wednesday June 15, 2016 @03:55PM (#52324375)

        Because it is not enabled by default.

        You need to know how to get to the configuration menu, then enable the engine, then assign it a method to access the network (either static IP on a unique MAC, or to piggyback on the host OS's MAC), and set a password.

        Only then are the ports opened for the HTTPS interface on port 16993 to continue the rest of the setup or use AMT.

        On boot (where you normally can hit Delete or a function key to enter bios setup), hold down control-p to get to the ME setup menu.
        Assuming you aren't at work or something and using your own computer, you'll see it is disabled.
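An added example (not part of the comment above) for checking machines you administer: it probes the AMT ports from a second machine on the network, since the summary notes that this traffic is handled below the host OS, so a local `netstat` on the target will not show it. Port 16993 is the one named in the comment; 16992, 16994 and 16995 are the other IANA-registered AMT ports, and the function names are hypothetical.

```python
import socket
import sys

# IANA-registered Intel AMT ports. 16993 is the HTTPS port from the comment.
AMT_PORTS = {
    16992: "AMT web UI / WS-Management over HTTP",
    16993: "AMT web UI / WS-Management over TLS",
    16994: "AMT redirection (Serial-over-LAN, IDE redirection)",
    16995: "AMT redirection over TLS",
}


def probe(host, port, timeout=2.0, connect=socket.create_connection):
    """Classify one TCP port as open, closed, filtered or unreachable.

    `connect` is injectable so the logic can be exercised without a network.
    """
    try:
        conn = connect((host, port), timeout)
    except ConnectionRefusedError:
        return "closed"        # host answered with RST: nothing listening
    except (socket.timeout, TimeoutError):
        return "filtered"      # no answer: dropped by a firewall, or host down
    except OSError:
        return "unreachable"   # routing or name-resolution failure
    conn.close()
    return "open"


def audit(hosts, timeout=2.0, connect=socket.create_connection):
    """Probe every AMT port on every host; returns {host: {port: state}}."""
    return {
        host: {port: probe(host, port, timeout, connect) for port in AMT_PORTS}
        for host in hosts
    }


def exposed(report):
    """(host, port) pairs where an AMT port accepted a connection."""
    return sorted(
        (host, port)
        for host, ports in report.items()
        for port, state in ports.items()
        if state == "open"
    )


def verdict(port_states):
    """One-line reading of a single host's results."""
    states = set(port_states.values())
    if "open" in states:
        return "AMT network interface reachable: provisioned and enabled"
    if states == {"closed"}:
        return "no AMT listener: consistent with AMT not provisioned"
    return "inconclusive: ports filtered or host unreachable from here"


if __name__ == "__main__":
    # Usage: python amt_audit.py host1 host2 ...   (run from another machine)
    report = audit(sys.argv[1:])
    for host, ports in report.items():
        print(host, "->", verdict(ports))
        for port, state in sorted(ports.items()):
            print("   ", port, state, "-", AMT_PORTS[port])
```

A "filtered" result only says the probing machine cannot reach the port; it does not show whether AMT is enabled behind the filter.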

        • Re:true (Score:4, Informative)

          by kheldan ( 1460303 ) on Wednesday June 15, 2016 @04:49PM (#52324829) Journal
          This is all true. You can disable the ME coprocessor in BIOS settings. You also aren't required to install the ME driver in your (Windows) OS in order for Windows to function.

          Could the ME coprocessor/firmware be compromised by an attacker? Maybe. But it can all be disabled. Its firmware could also be hacked out of the BIOS entirely without compromising the operation of the rest of the system.

          The ME is mainly for remote administration/management of corporate systems. It allows access to the machine remotely even in the event of a hardware failure, like the HDD failing completely. It can bring the system out of a completely powered-off state, so long as the box is still connected to the mains and the switch in the back is still 'on'. But so far as I know it's not necessary for the rest of the computer to operate.
  • by jellomizer ( 103300 ) on Wednesday June 15, 2016 @03:05PM (#52323953)

    Place the PC in a faraday cage. Record any radio transmission that is large enough to cross distance.
    Have a PC (let's go with Non-Intel) hooked up and set up to be a point to point network connection. Monitor all traffic being sent from the PC.
    Put barebones (say really old version of Linux on it)

    If something is unexpected then we have a theory to work on. Otherwise it is just some nut trying to get us to use AMD or something.

  • Yawn, (Score:4, Informative)

    by Obfuscant ( 592200 ) on Wednesday June 15, 2016 @03:06PM (#52323965)
    I've used this kind of thing on Dell servers for, umm, a decade or so? It means I can have headless high-density boxes (four independent systems in a 2U rackmount, e.g.) in my computing center and when a user wedges one of them I can reboot it remotely. I can look at system status, see failed components, and do all kinds of things that I couldn't otherwise do at all. "The system is wedged" is very unsatisfying as a diagnosis. Being able to run a remote console that shows that the swap has gone to 0 and the system is busy killing things tells me right away that someone is using all the memory is great. And then telling the iDrac to "reset the system" ... priceless.

    It may use the same physical interface, but it has its own address, and it can be disabled if someone is ultra-paranoid about it.

    • by mlts ( 1038732 )

      It makes life easy for monitoring as well. Some box loses its network connection, getting a console just means going to the iDRAC/iLO web port, logging on, seeing what is going on, and getting the NIC unstuck. It also is nice to load an ISO and install the machine from scratch if the box is a one-off and not worth making a PXE boot mechanism for what it is doing. Or, just boot the ISO stashed as a virtual CD, point it to a kickstarter file, and call it done.

  • Poorly written FUD (Score:3, Informative)

    by Anonymous Coward on Wednesday June 15, 2016 @03:12PM (#52324005)

    The author's claims that the ME lacks the ability to be audited and that backdoors cannot be removed are patently false.

    - The ME is as many have pointed out an ARC processor. There are known disassemblers for ARC and there are few custom instructions (read: beyond standard ISA) - two that I'm aware of.
    - The bootrom verifies the flashrom and provides some minimal cryptography and verification related routines. This is a mask ROM, not updatable. The flashrom is overwritten when you flash the bios, hence the main OS and binaries (threadx btw) are overwritten. This would remove any backdoor.
    - The ME region of the BIOS is a FAT16 filesystem.
    - The ME binaries are unencrypted, PE executables and contain signature verification sections to prevent unauthorized code from loading.
    - The only encrypted contents of the filesystem are data files that the binaries use.

    Now all this being said, there is a way to load additional modules from the main CPU's operating system through HECI (north bridge interface), however this again requires cryptographic signing.

    Source: Former Intel engineer. Additionally none of these are details that cannot be pieced together from Intel published documents and 5 minutes with a hex editor/disassembler.

  • And how to ensure it stays disabled?
  • This is not new & lots of others sell similar functionality Dell DRAC, HP ILO... Those usually have dedicated Ethernet ports, but generally function the same way. I've been helping our workstation guys roll out Intel vPro for remote administration of laptops & workstations. It operates in a powered down state & can do 802.1x authentication to the network while the OS is powered down. So ya, there is definitely an out of band processor there that can wake the system up & do remote control type stuff. It's a feature Intel is selling & marketing.

    Can't comment on the ability of it to do arbitrary memory reads & what not, but that isn't surprising in theory. It's much less scary than the article is making it out to be, although it is another attack surface to be concerned with just like RDP or SSH.

  • IME and AMT have been well documented for years. The Wikipedia article [wikipedia.org] has been around since at least 2007 and was flagged by an editor as reading like an Intel ad. It fully describes the basic design and functionality of the system and only varies from the article in that AMT has now been incorporated into the chipset and is no longer a separate chip.

    Even that its network connection is independent of the CPU and any filtering is described.

    I have been aware of AMT since it was discussed as a way to do an ps

  • by cfalcon ( 779563 ) on Wednesday June 15, 2016 @03:58PM (#52324395)

    I'm of the opinion that management features need to get data from the motherboard, and each mobo manufacturer would have to be complicit for this potential attack to affect everything (assuming a bug or backdoor exists). *IF* there's a backdoor in the ME, and *IF* all (or at least YOUR) motherboard manufacturers are complicit, even *THEN* a good external firewall would stop most conceivable attacks.

    It really is unfortunate that it is so clouded with mystery and seemingly waiting for a clever enough exploit.

    If you are concerned a little, ensure that AMT is disabled.
    If you are concerned a little more, consider grabbing an AMD next time. While AMD has similar things, Intel seems like it is both more featured and a larger attack surface, so an AMD exploit might be absent or would take longer to surface.
    If you are concerned moderately, ensure that external sources can never successfully send a packet to your PC, by use of an external firewall that is trusted.
    If you are concerned a lot, exclusively use open source products from before the mandatory inclusion of the ME. Have one to act as your firewall / router (maybe running OpenBSD or Trisquel), and another to do productivity on. You'll be limited on the power of the chip, of course.

    Frankly, I think it is wise to distrust the ME a little bit. Especially because, as part of Intel chips, it is going to be in so many places- it is a lot of faith to put in untested code. But for the ME to be able to hurt or help you, the motherboard has to support its features, and there are a lot of motherboards, a lot of BIOSes- it is still a pretty diverse setup, and many don't support AMT at all.

  • So, how do I turn the damn thing off? (I suspect the answer to be "can not", but anyone that knows otherwise - let me know)
    I do, however, notice that there are no open listening ports on my current Intel computer, when scanned externally. Is this thing always on? What conditions enable it (so that I'd know to avoid those)?

  • ...why didn't our ancient alien overlords stop the NSA from doing this?
  • The Coreboot people have been trying to work out how to deal with this stuff for a long time. See https://www.coreboot.org/Intel... [coreboot.org]. They're trying to work out how to disable it, but progress is not that good.
