Intel x86s Hide Another CPU That Can Take Over Your Machine -- You Can't Audit it (boingboing.net) 368
A report on BoingBoing, authored by Damien Zammit, claims that recent Intel x86 processors have a secret and power control mechanism implemented into them that runs on a separate chip that nobody is allowed to audit or examine. From the report: When these are eventually compromised, they'll expose all affected systems to nearly unkillable, undetectable rootkit attacks. Further explaining the matter, the author claims that a system with a mainboard and Intel x86 CPU comes with Intel Management Engine (ME), a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an "extra general purpose computer." The problem resides in the way this "extra-computer" works. It runs completely out-of-band with the main x86 CPU "meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend)." On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU. From the report: The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system. Update: 06/15 18:54 GMT by M :A reader points out that this "extra computer" could be there to enable low-power functionalities such as quick boot and quality testing.
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Just as well (Score:4, Interesting)
That my PC has an AMD CPU
Re:Just as well (Score:5, Funny)
Comment removed (Score:5, Interesting)
Re: (Score:3)
One would hear the difference. I used to be an AMD only guy for more than a decade, but then Core2Duo came out and suddenly I was able to have a fast CPU without a fan. And even now I have a passive cooled i5 - same cooler BTW as the Core2Duo from years ago.
Re:Just as well (Score:5, Informative)
AMD market cap: $3.54 Billion
That is a lot of kiddie gamers........
The plain truth is that Intel spends 4 times as much on R&D as AMD generates in revenue. AMD is a sad joke compared to Intel. They are not peers, hell they arent even really competitors. If they were sodas AMD would be RC Cola, to Intel's Coca-Cola, not Pepsi.
Re: (Score:3)
One of the best turkey sandwich's in town comes from a place that serves Royal Crown products.
And this business has been successful and expanding for 30 years.
Re: (Score:2, Insightful)
Ironically, RC scores better in blind taste tests than Coca-Cola and Pepsi.
Re: (Score:2, Insightful)
I use AMD's 8 core CPUs extensively for video editing/encoding and other tasks that benefit from a fast multicore CPU. Intel makes CPUs that offer comparable, or better, performance, but they are significantly more expensive.
Intel's dominance has been largely the result of illegal tactics. They are the Microsoft of the CPU world. Every OEM has been told by Intel "If you buy from anyone other than us, then, in the future, you may find that we are unable to supply you with the parts you need"
Re: (Score:3)
Re: (Score:3)
Re:Just as well (Score:4, Insightful)
The plain truth is that Intel spends 4 times as much on R&D as AMD generates in revenue.
The plain truth is that there is no necessary correlation between spending on R&D and useful results. It is an unfortunate modern delusion that spending vast amounts of money is somehow meritorious in itself. You see government officials doing it all the time. "We have spent $50 billion of [your] money on this, so congratulate us on a job well done!"
Re:Just as well (Score:4, Insightful)
While true, it's also true that without doing any R&D you tend to find yourself short on new products.
Give me $5bn on R&D and I promise I'll give you a more valuable new product opportunity than if you give me $5m
I don't promise I'll give you a positive ROI ;)
Re:Just as well (Score:5, Informative)
AMD is the one that came up with x86-64 which Intel subsequently copied. Has anyone ever used an Itanium?
Re: (Score:2)
AMD is the one that came up with x86-64 which Intel subsequently copied. Has anyone ever used an Itanium?
Someone at HP or Intel must have financed a pretty great bender for our operations team in the early 2000s, because we bought in huge to the HP-UX Superdome on Itanium architecture. All we wanted was a platform to host our Tomcat web farm. We ended up supporting our application on that steaming propriety cow pie for about 5 years before we moved to cheap Intel Linux servers.
Re:Just as well (Score:4, Informative)
I have always suspected that Itanium was merely a piece of FUD intended to discourage users from buying Alpha systems - which actually worked, and performed extremely well. (First time I tried out an Alpha running VMS, I ran a standard benchmark. Every time I ran the benchmark I just saw the command prompt come up immediately. Eventually I realised that the benchmark was running to completion faster than the terminal could move its carriage mechanism).
Re:Just as well (Score:4, Interesting)
Re:Just as well (Score:5, Informative)
AMD is a cheap knockoff whose entire design philosophy revolves around avoiding patent and copyright lawsuits from Intel. Its in house technology is extremely inferior. The only good thing they can possibly do for the market now is to completely open up all development resources.
And, let's bring back the alpha chip. It already is superior to Intel. Always has been.
And GODDAMMIT! Where's our 3D printers that can print homemade computers? We were supposed to have that shit 30 years ago.
Really...
Its not like they are the one that made the AMD_64 instruction set that was then in turn licensed to intel...
While its manufacturing technique is inferior that is because the brain-dead executives sold off their fab and they now have to contract with someone else to do it.
As for bringing back ALPHA it may have been superior then they stopped developing it in 2001. Intel/AMD have come a long way in 15 years.
Re: (Score:3)
AMD64 was a set of completely obvious extensions to the Intel X86 model. Expand the existing 32 bit registers to 64 bit and add 64 bit versions of the existing 32 bit instructions as necessary. Nothing earth shaking or even novel. Intel made the mistake of not releasing their 64 bit earlier, and they easily could have, so AMD gets the bragging rights. There are quite a few articles about the whole deal.
Now the lower level bits and pieces that make it all work down deep, AMD has not done a decent core de
Re:Just as well (Score:5, Interesting)
AMD64 was a set of completely obvious extensions to the Intel X86 model. Expand the existing 32 bit registers to 64 bit and add 64 bit versions of the existing 32 bit instructions as necessary. Nothing earth shaking or even novel.
Ideas are a dime a dozen. It's the actual implementation that makes a difference in the real world. If the idea were so obvious, you'd think that Intel would have been in a much better position to bet on the new idea, with all their resources.
It's interesting that after about 14 years of AMD64, we are still haunted by x86-32 in many places with closed binary-only software. For instance, Skype on Linux was only released as a 32-bit binary, so you had to maintain all these ugly compatibility libraries. I wonder how much of this is due to the AMD origins of the architecture, and the subsequent slowness of the Intel and Microsoft camp to adopt it.
Re: (Score:3)
I sometimes think that AMD's genius isn't what they added, but what they dropped by design. If it had been up to Intel, x86-64 would have a 64-bit "real mode", an even more complicated TSS, and yet another incompatible segmentation type.
This. AMD64 feels cleaner in some sense, though I'm not qualified to comment on the details of memory management. For example, consider the x32 initiative that was floated around the Linux community in the past few years: using the AMD64 ISA with only 32-bit pointers. The idea was that it would speed up a lot of software, and the 4 GB limit per process would not hurt most users. To me this seemed like a step backwards: just as we finally got a nice flat memory space, these guys want to go back to something
Re: Just as well (Score:4, Interesting)
What makes you think x86 is not already Alpha under the hood?
Re:Just as well (Score:4, Interesting)
Don't forget, AMD brought us x86_64. Otherwise, Intel would probably still be pushing 32 bit Xeon to the masses and ultra expensive Itanic for 64 bit.
AMD CPUs perform well as long as you don't use the Intel compiler. Unfortunately, most benchmarks are compiled with Icc complete with the built in sandbag code.
Re:Just as well (Score:4, Informative)
In practice, they do well with heavy parallel computation, especially when measured on a cost per performance basis. It helps that quad socket designs are cheaper for AMD as well.
Re:Just as well (Score:5, Insightful)
Exactly so. For years I used to wonder which was more important: hardware or software. It was after the Alpha debacle that I came to understand that neither is very important compared to marketing.
Re: (Score:3, Interesting)
I tried to like Alpha, I really did. But it was impossible to like. The DEC Alpha workstations were horribly unreliable - you often had a third of your workstations out of service at any given time due to power supply or mainboard failures. They used far too much power and ran too hot. And Sun UltraSPARC quickly leapfrogged them in performance. Add to that the annoying ISA and horrible weak memory model that made it really hard to do any concurrency, and no-one wanted to touch it. NetBurst was basical
Re:Just as well (Score:5, Interesting)
Working at DEC in 1992-3, I never saw anything like that. The Alpha computers I used were exactly like their VAX predecessors except that they ran a whole lot faster. No unreliability, no overheating. Perhaps your experience was running Ultrix, which was always an unhappy compromise - like all proprietary version of Unix.
My assessment, as a 20-year DEC employee, was that Alpha was perhaps the greatest hardware achievement the company ever brought off.
Re: (Score:3)
That's quite a bit earlier than my experience with them - I only dealt with Alpha workstations (not servers), running Ultrix (not VMS), and towards the end of their run. It's possible they'd gone downhill by then.
Re: (Score:3)
That's because the design considerations for a console are very different from a desktop PC.
Price is far more of a factor when you are selling the hardware at a loss, and it's undisputed that AMD products are inexpensive in comparison to Intel.
Re: (Score:2)
Not true, I have a pile of IBM servers running XEON processors. I also have the raft of AMD servers as well, but it's not like one has a significant market over the other.
And a lot of data centers I know of have Intel XEON servers. typically the high power ones that have 16-32 cores.
Re: Just as well (Score:5, Informative)
Umm no, they don't. Maybe back in 2000 to around 2008, after Intel went with that netburst shit, but not anymore. Every datacenter I've managed for the last 3 years has almost no AMD gear at all.
Love and use AMT (Score:4, Interesting)
I love AMT. AMT is definitely one feature of the Dell Optiplex small form-factor systems that I like to use for my headless home servers. Its like having a built-in Cyclades serial console server. For running headless systems its almost essential.
The only thing I don't like about it is that you need to have Windows installed to be able to update it as part of the updates released by Dell.
TROLOLOLOLO!!!! (Score:2, Informative)
DUPE ALL THE THINGS!
Anononymous poster, check!
Be sure to mine the +5 comments from old stories for cheap karma!
Re: Love and use AMT (Score:5, Informative)
I use AMT a lot as well, and have for years. My main question here is: How the fuck is this even remotely news material? Furthermore, why is it presented as some sort of conspiracy? Intel advertises this as a feature and never made any attempt to hide it. AMT is also off by default, by the way.
The only Intel feature I'm at all concerned about is SGX, which by design can't be audited, and has nothing to do with anything mentioned in TFS.
Re: (Score:2)
Maybe the next /. story will be how all mobile devices have a secret, hidden OS called the bootloader that can be compromised by three-letter agencies...
Re: (Score:3)
Did you know that some doors—maybe even your door—can be opened by using a MASTER KEY! This, and other secret conspiracies, at 11...
Re: (Score:2, Interesting)
Except AMD chips appear just as problematic.
https://libreboot.org/faq/#amd
Re:Just as well (Score:5, Informative)
... and guess what, AMD CPUs have an extra ARM core in them, as well as multiple little cores of various architectures attached to the GPU. All running proprietary firmware.
Throwing random little CPUs at problems is nothing new. What makes you think the firmware in your PCIe WiFi card also can't access all main memory and be turned into a rootkit? What about the Embedded Controller on laptops, that runs even when it's off?
Yes, the state of firmware auditability of modern PCs is dismal. It's been like this for at least a decade. Yes, Intel does it one way, AMD does it another way, and just about every other peripheral on your board is also an attack surface. GPU? Dozens of little auxiliary cores (unrelated to the GPU unified shaders); Nvidia or AMD, doesn't matter. That USB 3.0 host controller? Probably runs firmware too. Ethernet? Yup, often has firmware these days. That LSI SAS controller? Full PowerPC core with enough oomph to run Linux itself. Your hard drive? 3 ARM cores, you can make them run Linux too. And all of those things can scribble all over your main memory unless you enable the IOMMU (except the HDD, that one can scribble all over your storage instead).
Sleep tight.
Re: (Score:3)
shit, secondary processors have been inside PCs since the 80s.
Remember things like "A20 gate" in old pcs? It was a hack on the AT keyboard controller. It was introduced to solve an addressing issue with ram above 1mb in real mode.
Using secondary chips to do things in memory is an ancient idea. The amiga relied on it quite heavily in fact.
Own a Wii? There's a secondary ARM core nicknamed "scarlet" in there, running beside the PPC core.
While having this system compromised by malware is a worrisome prospect,
Re: (Score:3)
Hell, Commodore 1541 floppy drives contained their own 6502 for an on-board DOS. Programming the drive was a hot topic for years.
Re: (Score:3)
SD cards have a 32-bit micro-controller on them. They're used to mark bad sectors and keep writes from being on adjacent memory locations (disturbing memory locations a lot on SD cards can corrupt data). There's a talk out there somewhere, where a researcher reprograms the SD cards on-board processor, while keeping it functioning as an SD card. In theory, you could take a 25GB card, have it report it's 15GB and write a small program to make a copy of all writes to a hidden part of the card for retrial late
Re: (Score:3)
Something which is called an IOMMU.
https://en.wikipedia.org/wiki/... [wikipedia.org]
Memory is protected from malicious devices that are attempting DMA attacks and faulty devices that are attempting errant memory transfers because a device cannot read or write to memory that has not been explicitly allocated (mapped) for it. The memory protection is based on the fact that OS running on the CPU (see figure) exclusively controls
Re: (Score:3)
You are fscked up the same way by AMD: https://libreboot.org/faq/#amd [libreboot.org]
Re:Just as well (Score:5, Informative)
This is such overblown pap - the only way to provision Intel AMT / vPro is to either have physical access to the keyboard during reboot, or to have a certificate signed by a trusted provider specifically for provisioning AMT / vPro if you would like to do it over the network. And no, you can't add in your own self-signed nonsense because the CAs that can do this are in the AMT firmware. If you don't get a cert from Verisign / Comodo / etc., the firmware tells you to stick it up your ass and refuses to provision.
Having done manual provisioning, scripted provisioning, and network provisioning in a technology trial for using vPro on a network with ~55,000 PCs spread across the continent, I can say that Intel thought about this "back door" and made it so that you have to go through some extraordinary work in order to use it. And, even then, unless you paid for full-blown vPro on each and every PC, you get access to basically what you could have done with Wake-on-LAN back in the day, with a few extras. With vPro you can do remote control and remote virtual disk mounts, but doing so causes big flashing red and yellow bars on the border of the screen letting a local user know someone's doing it.
Moreover, Intel has been actively marketing this functionality for over 5 years to big business as a way to cut software costs for costly (and shitty) remote control solutions that don't work when the OS is fucked. To think that this is some super secret clandestine operation is complete horseshit.
What an overblown piece of trash this 'article' is.
Re: (Score:3)
Re: (Score:3)
You're absolutely right, we can't.
But do not be surprised that some people want to talk about it. And certainly do not be surprised when foreign nations decide not to buy US hardware and software. I'm not saying Chinese hardware is any more innocent, that's not the point I'm making, the decision that the NSA made (was anyone consulted?) to subvert the security of every PC on the planet will have repercussions. And this will have significant impact on the IT economy of the US.
As an individual wanting to use
Nefarious Headline for Practical Feature (Score:3, Funny)
This is key to enabling low-power functionality in Intel CPUs - think quick boot and quality testing. It doesn't have any surveillance or other purposes.
Re: (Score:2, Insightful)
Sure, and there's no way it could be used by three letter agencies, ever.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Re: (Score:3, Funny)
On one hand, I think this whole thing is overblown. On the other hand, playing devil's advocate, the TLAs can't access a machine that is powered down; this potentially allows them to turn it on remotely.
There are many levels of "powered-down". Many enterprise PC have had wake-on-lan and pxe-boot for a while. Often these are simply controlled via bios settings (which we know are completely secure against TLAs)...
Quick shut the barn doors, the horses have escaped!
Re: (Score:2)
You really think AMD will mess around with Intel's CPU?
Re:Nefarious Headline for Practical Feature (Score:5, Insightful)
I'm sure it can be used, just like the rest of the hardware "can be used."
But these things in one form or another have been around for over two decades and everyone who has ever set up real server hardware from scratch knows they're there and their existence has never been a secret. (The closed-source code they run, on the other hand...) It's not even "news" that chipset manufacturers have started to integrate these systems directly into CPUs.
The earliest one of these I remember was called iLOM on a Sun Systems but I'm sure they predate that. Just LOM and ILO are other names I've seen.
Once desktops started to need active runtime heat management, many of them got a "systems management" co-processor that helped with thermal/power control.
Personally I'd be just as worried about whatever firmware is running on the ethernet card these days... which is to say, not very, because there's not much to be done about it, unless you have the reason and time to invest in completely open hardware from top to bottom and the willingness to live within the limitations that might entail. So while I would normally suggest the mildly paranoid just not use the onboard ethernet ports, I can't say I really trust ethernet cards, either.
Also since there are so many gaping holes just staring me in the face in commercial OSes when it comes to (software) VPN and WPA drivers, I figure it'll be a long, long time before I can get around to finessing things down to the metal, if ever.
Re: (Score:2)
They have been around a lot longer than that. Mainframes have had 'service elements' and 'support processors' for at least 40 years. And those things can do a heck of a lot more than the Intel AMT stuff. Like alter/display ANY register or ANY storage.
Re: (Score:2)
There are already many platforms (even some workstation/desktop class) that have IPMI or similar remote support. There are similar constructs in the "standard" ACPI (after all, Microsoft made it). If you could hack those chips, yes, you could run whatever you wanted on them and it's a real threat. This is not a feature that Intel is 'hiding', it's actually advertising the feature.
Re: (Score:2)
Re: (Score:2)
I think the critical part is that intel doesn't let anyone write code for that chip, basically making it a black box.
BUT I think its better to have it in the hands of Intel than, say, Microsoft.
Re: (Score:2)
This is key to enabling low-power functionality in Intel CPUs - think quick boot and quality testing. It doesn't have any surveillance or other purposes.
None that you know of. The point of the article is that there has been no way to be sure about what's really in there and what isn't. The code appears to have been deliberately obfuscated by Intel at a hardware level. It's true that this subsystem is not new and has been known about for years, but I gather the point of the article is not to announce its existence, rather he wants to say that he has figured out some (but not all) of the subsystem's functionality that was previously hidden, and he wants to ev
"No surveillance or other purposes" -- really? (Score:5, Informative)
If the only goal was simply to provide low-power functionality, the coprocessor would be fully controlled by the operating system (ultimately, by the owner of the machine).
In fact, the main goal is to provide remote administration capabilities (what they call Intel Active Management Technology [wikipedia.org]). In other words, the idea is to allow a remote administrator to take over the machine in a way that is independent of and invisible to the main operating system and processor. This serves a legitimate purpose in an "enterprise" environment (one person administers a large number of diverse machines) -- for example it allows taking back control of a cracked machine, or recovering critical data from memory after OS crashes. However, this feature is not useful for a privately administered single-user machine.
Finally, by definition a remote administration feature is a back door. This one is incredibly dangerous: a rootkit running on the coprocessor is entirely invisible to the operating system, has its own independent network access, and can monitor the disk, the memory and all other peripherals. In principle the remote management features must be activated via the System BIOS and you can set a password there, but really your only measure of safety against this back door is your trust that there are no bugs in Intel's code.
Why isn't Intel allowing you to replace the firmware? Because it's hard to ensure that the owner of the machine is the one initiating the firmware replacement. The real troubling point is that Intel isn't allowing you to disable this feature with a hardware switch. Hardware switches (jumpers on the motherboard) are a way of controlling the system available only to the physical owner of the machine. Having a hardware switch would satisfy both the enterprise and security-concious customers.
Re: (Score:3)
Older schemes where the BMC couldn't access the system memory were safer. One safety feature would be to replace memory access with specific interfaces (serial and a general access port used by SMM) and their own independent network interface (allowing effective vlan isolation with no need for the honor system). To complete the picture, the BMC could emulate a USB device connected on the MB to an actual USB chip. At least that way they would need to compromise 2 firmware images to get anywhere.
Don't Blame Me (Score:2)
Re: (Score:2)
I voted VIA.
Re: (Score:2)
Also turn off Javascript.
And CSS.
No need to verify story (Score:5, Informative)
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Everyone is used to getting their news from social media anyway, so why bother verifying the claims before posting it as news?
Re: (Score:2)
This is a discussion site not the New York Times. It's perfectly acceptable to post a rumor or unverified claim. It's good that they identified it as such... usually the Slashdot editor just clicks publish on whatever swill caught his eye in the submissions.
Re:No need to verify story (Score:5, Informative)
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Everyone is used to getting their news from social media anyway, so why bother verifying the claims before posting it as news?
I'd like to go the other way, why are we adding an "unverified" disclaimer to something that has been known about for many years? Intel aren't hiding anything. The existence of this miraculous CPU is documented on their website and it's function is accessible using their provided tools. Heck AMD do it too they just happen to call it PSP instead of IME. The only thing they are hiding is what's in their firmware which everyone has done for a long long time.
Old news (Score:5, Informative)
https://libreboot.org/faq/#int... [libreboot.org]
https://libreboot.org/faq/#amd [libreboot.org]
Both Intel and AMD had this for years - read above links ...
Re: (Score:2)
Somebody needs to hack Intel and AMD and release their private keys and source code.
Re:Old news (Score:5, Informative)
The ME [Intel Management Engine] also has network access with its own MAC address through an Intel Gigabit Ethernet Controller.
How would I not notice this in my router or edge device logs?
Mainly only by not looking.
That may sound stupid at first glance, but the fact Intel AMT articles keep popping up a decade later written as some form of surprise that the feature exists seems to prove most people don't bother looking.
ME/AMT utilizes HTTPS by default on port 16993, can support HTTP by default on port 16992, and VNC protocol on I believe it's default port (I've never had to specify an alternate port in the VNC client to connect)
Also of note is that older ME versions don't let you upload your own SSL certificate for HTTPS, and although I may be wrong but I'm fairly sure VNC by default is not encrypted either.
This means someone in your posistion of control over the core and edge network would both see this traffic if looking, and potentially be able to setup a MITM to obtain the ME/AMT login credentials fairly easily depending on your desktop admins setup.
Normally LAN to LAN traffic over a proper switched network is relatively safe, seeing that an ARP storm to a switch for redirecting LAN traffic would ALSO be noticed by you the network admin, and ideally has been proactively prevented as well.
For desktop admins and/or network admins without this knowledge or skill however, if the LAN doesn't prevent or log/notify about such things, ideally the ME/AMT hasn't been enabled either.
Only those with a tiny amount of knowledge (just enough to be dangerous) are likely to shoot themselves in the foot with a horribly insecure setup.
Re: (Score:2)
Normally LAN to LAN traffic over a proper switched network is relatively safe, seeing that an ARP storm to a switch for redirecting LAN traffic would ALSO be noticed by you the network admin, and ideally has been proactively prevented as well.
Storms maybe, but just try to secure a server core where the systems guys want to just keep moving VMs from hypervisor to hypervisor from even just plain old arp spoofing, and I'll see you a year or so later crawling out of the dot1Qaw rabbit hole looking for a career change to something that involves staring calmly at growing plant life.
What the fuck? (Score:3, Insightful)
Re: (Score:2)
And we're safe anyway. It's really easy to know what's dangerous or not on the Internet since the creation of the evil bit.
"Trusted" (Score:5, Insightful)
From the article:
We have no physical separation between the components that we can trust and the untrusted ME components, so we can't even cut them off the mainboard anymore.
Why do you trust the main CPU, if you don't trust the ME chip?
Out of band management (Score:2)
This is for out of band management so devices can be monitored and restarted remotely (think: enterprise environments). Nothing to get wrinkles in your tin hat over. :)
Illegal? (Score:2)
If it's really there and Intel has hidden it, I wonder if they could be successfully prosecuted for conspiracy to commit unauthorized computer access.
Re: (Score:2)
Only if you can prove they are using it without your authorisation. It simply existing is not enough.
Re: (Score:2)
Only if you can prove they are using it without your authorisation. It simply existing is not enough.
IANAL, but I wonder if "Conspiracy with intent to ..." would be a crime in this case.
Re: (Score:2)
Prove the conspiracy, and prove the intent - Intel has a huge amount of resources setup around this for enterprise systems management, so you have a massive uphill (almost a vertical cliff one might say) battle to climb in order to prove any malicious intent here.
Just because you dont like it, doesnt mean anything illegal is being done.
Here's the thing (Score:4, Insightful)
I don't like the idea of a computer inside my computer I don't have any control over.
I find the article a little on the high side of paranoia, however. Yes, it is possible to have unnamed people from unnamed places get in and get data from your system. The article does go out of it's way to point out that this isn't very likely. The firmware running the second CPU is heavily encrypted and hash-checked at runtime. Making it unlikely to be broken until the heat-death of the universe or we finally figure out the P=NP thing.
Conversely, I'd like to know what's going on under the cover Intel. If this is in the stuff I bought, I figure I have a legal right to be able to access it and run an audit on it. Without having to go through you. Conflict of interest and right of first sale and a few more things spring to mind as to why that's not a something I'd want to do.
Re:Here's the thing (Score:4, Interesting)
I don't like the idea of a computer inside my computer I don't have any control over.
Then you are destined for a life of unhappiness. Most of the I/O processing in your "computer" is done by dedicated computers that you have no control over. The video card, the network card, the IEEE1394 or USB.b The disk drives. Even the audio. Things that have DMA so they an access memory without the CPU knowing about it...
You may look at the device and see a part number that you can look up, but dollars to donuts that the part is programmable in some way that makes it be what it is. FPGA, perhaps. Or just a microprocessor with firmware in EEPROM.
I figure I have a legal right to be able to access it and run an audit on it.
If they make it so you can "audit" it (whatever that means) then they've made it accessible to bad guys, too.
Conflict of interest and right of first sale and a few more things spring to mind as to why that's not a something I'd want to do.
How do you imagine that this "unauditable" CPU is hindering you from reselling the computer? I'm really fascinated to hear the reasoning behind that.
true (Score:5, Informative)
Editor's note: The summary is written with inputs from an anonymous reader, who also shared the story. We've been unable to verify the claims made by the author.
Uh, the claims are quite true. I've been using these features at work for about a decade to perform remote OS installs and HD re-imaging at remote locations, where the on-site staff only pop in a new blank HD.
All Core i7 CPUs have this in them standard, and many i5's too especially at the higher end.
[PDF] Datasheet on the MEBX management engine:
http://download.intel.com/supp... [intel.com]
[PDF] How to enable and use the AMT active management engine:
http://www.intel.com/content/d... [intel.com]
And here is the SCS software used on another computer to control an AMT enabled computer:
http://www.intel.com/content/w... [intel.com]
RealVNC works with an AMT enabled computer out of the box too and with all the normal features you would expect like remote keyboard/video/mouse control, redirected drives, etc. But isn't a free program.
Other VNC clients seem to be hit or miss but even when they work you only get remote KVM, you'd have to use the built-in AMT web server to configure drive redirection and issue power on/off/reboot commands.
There is a similarly limited VNC client included in the SCS software link above, and a second web browser window will let you do the rest, even if slightly clunky, but still for free.
Re: (Score:2)
Re:true (Score:5, Informative)
Because it is not enabled by default.
You need to know how to get to the configuration menu, then enable the engine, then assign it a method to access the network (either static IP on a unique MAC, or to piggyback on the host OS's MAC), and set a password.
Only then are the ports opened for the HTTPS interface on port 16993 to continue the rest of the setup or use AMT.
On boot (where you normally can hit Delete or a function key to enter bios setup), hold down control-p to get to the ME setup menu.
Assuming you aren't at work or something and using your own computer, you'll see it is disabled.
Re:true (Score:4, Informative)
Could the ME coprocessor/firmware be compromised by an attacker? Maybe. But it can all be disabled. It's firmware could also be hacked out of the BIOS entirely without compromising the operation of the rest of the system.
The ME is mainly for remote administration/management of corporate systems. It allows access to the machine remotely even in the event of a hardware failure, like the HDD failing completely. It can bring the system out of a completely powered-off state, so long as the box is still connected to the mains and the switch in the back is still 'on'. But so far as I know it's not necessary for the rest of the computer to operate.
Re:true (Score:5, Informative)
You forgot the part where you write Intel a big fat check to use the feature. Intel charges big bucks for vPro software and these features are part of vPro and you can't enable them without the vPro software. IIRC it's all tied to a digital signature that Intel controls and you can't even look at it without giving Intel money.
I didn't forget it, because that isn't true.
The control software is free. I didn't pay for my web browser, VNC client, or the intel SCS client (I even have you the download link)
The firmware is already included in any vPro CPU, you turn it on by holding control-p at boot.
I've even played with this feature at home on my own hardware before deploying it at work. Other than having purchased the computer/CPU, there is no further cost.
I'm not sure where you got your information from but it is certainly incorrect.
Re:true (Score:5, Informative)
With RealVNC - can I remote into a machine which is still at the bios / boot stage?
Yup, AMT can provide remote access when the system is in any of its sleep states from s0 (fully on) down to s5 (powered off), so long as the system is plugged in and has power available.
You will see the whole BIOS bootup sequence, including seeing and able to send the usual interrupt keys like del or F9 or whatever to get to BIOS setup.
I've had some older HP workstations be a little funky between the BIOS setup and the OS taking using the GPU. Generally I'll see a screen flash and get disconnected, after which VNC reconnects immediately and all is well again.
Newer HPs we have haven't done this that I recall, nor have the Dells or my home built franken-pc so guessing it's a fixed bug with older AMT versions?
In fact one of the main purposes of ME is to change the power state, meaning you can turn the main system on or off or reboot it just from there.
That's how I re-image a remote system after a hard drive failure.
I have someone on-site power off the system and replace the hard drive with a new one, then let me know.
I then connect to the remote system via ME/AMT and setup a dvd-rom redirect to an ISO image on my PC, start the AMT VNC server and connect to it from my PC, lock the remote systems keyboard so anyone local can't over-type me, and then instruct the remote system to power on.
Then during boot if the remote system gets stupid and tries to boot from the new blank HD and stops, I can issue a reboot command and use the F11 boot menu from the BIOS to point it to the DVD drive. Usually that part just works though (like I said, all related to the older HPs)
Once the linux image boots and runs clonezilla, it's just an [enter]-[yes]-[yes] away from writing the backup image back to the new HD.
You can of course point to an OS install media instead and do that manually, I just tend to try and avoid that for installers using a mouse, since over remote links that can suck pretty bad. Over LAN it seems nice and responsive however.
Once done I do a normal "shutdown -h now", disable the DVD drive redirect, and power the system back on. Once I see the windows loading screen I'll disconnect VNC and shut down the VNC server in the AMT, and logout of the https interface.
Since I let AMT piggyback on the host MAC and IP, it basically intercepts any tcp ports it is using instead of passing that info up the stack to the OS.
I don't leave VNC running in the AMT just in case the host OS needs to run a VNC server on the default port for any reason - plus nothing good can really come from leaving it running when not needed.
ME uses https over port 16993, which isn't likely to be used on the OS (or if so, too bad for that app I guess)
If you already have RealVNC and a Core i7 at home to play with, boot the i7 and hit control-p where you normally would hit delete or a function key, and you'll be in the ME setup menu.
You can enable both ME and AMT (they are separate sub-systems) and play around.
We have technology to validate such claims. (Score:3)
Place the PC in a faraday cage. Record any radio transmission that is large enough to cross distance.
Have a PC (lets go with Non-Intel) hooked up and set up to be a point to point network connection. Monitor all traffic being sent from the PC.
Put barebones (say really old version of Linux on it)
If something is unexpected then we have a theory to work on. Otherwise is is just some nut trying to get us to use AMD or something.
Yawn, (Score:4, Informative)
It may use the same physical interface, but it has its own address, and it can be disabled if someone is ultra-paranoid about it.
Re: (Score:3)
It makes life easy for monitoring as well. Some box loses its network connection, getting a console just means going to the iDRAC/iLO web port, logging on, seeing what is going on, and getting the NIC unstuck. It also is nice to load an ISO and install the machine from scratch if the box is a one-off and not worth making a PXE boot mechanism for what it is doing. Or, just boot the ISO stashed as a virtual CD, point it to a kickstarter file, and call it done.
Poorly written FUD (Score:3, Informative)
The author's claims that the ME lacks the ability to be audited and that backdoors cannot be removed are patently false.
- The ME is as many have pointed out an ARC processor. There are known disassemblers for ARC and there are few custom instructions (read: beyond standard ISA) - two that I'm aware of.
- The bootrom verifies the flashrom and provides some minimal cryptography and verification related routines. This is a mask ROM, not updatable. The flashrom is overwritten when you flash the bios, hence the main OS and binaries (threadx btw) are overwritten. This would remove any backdoor.
- The ME region of the BIOS is a FAT16 filesystem.
- The ME binaries are unencrypted, PE executables and contain signature verification sections to prevent unauthorized code from loading.
- The only encrypted contents of the filesystem are data files that the binaries use.
Now all this being said, there is a way to load additional modules from the main CPU's operating system through HECI (north bridge interface), however this again requires cryptographic signing.
Source: Former Intel engineer. Additionally none of these are details that cannot be pieced together from Intel published documents and 5 minutes with a hex editor/disassembler.
How to disable it? (Score:2)
It's not new, most servers had this years ago... (Score:3)
This is not new & lots of others sell similar functionality Dell DRAC, HP ILO... Those usually have dedicated Ethernet ports, but generally function the same way. I've been helping our workstation guys roll out Intell vPro for remote administration of laptops & workstations. It operates in a powered down state & can do 802.1x authention to the network while the OS is powered down. So ya, there is definately an out of band processor there that can wake the system up & do remote control type stuff. It's a feature Intel is selling & marketing.
Can't comment on the ability of it to do arbitrary memory reads & what not, but that isn't suprising in thoery. It's much less scary than the article is making it out to be, although it is another attack surface to concerned with just like RDP or SSH.
Wow! This is SUPER SECRET! (Not) (Score:2)
Even that its network connection is independent of the CPU and any filtering is described.
I have been aware of AMT since it was discussed as a way to do an ps
I think this is oversold as a risk (Score:4, Interesting)
I'm of the opinion that management features need to get data from the motherboard, and each mobo manufacturer would have to be complicit for this potential attack to affect everything (assuming a bug or backdoor exists). *IF* there's a backdoor in the ME, and *IF* all (or at least YOUR) motherboard manufacturers are complicit, even *THEN* a good external firewall would stop most conceivable attacks.
It really is unfortunate that it is so clouded with mystery and seemingly waiting for a clever enough exploit.
If you are concerned a little, ensure that AMT is disabled.
If you are concerned a little more, consider grabbing an AMD next time. While AMD has similar things, Intel seems like it is both more featured and a larger attack surface, so an AMD exploit might be absent or would take longer to surface.
If you are concerned moderately, ensure that external sources can never successfully send a packet to your PC, by use of an external firewall that is trusted.
If you are concerned a lot, exclusively use open source products from before the mandatory inclusion of the ME. Have one to act as your firewall / router (maybe running OpenBSD or Trisquel), and another to do productivity on. You'll be limited on the power of the chip, of course.
Frankly, I think it is wise to distrust the ME a little bit. Especially because, as part of Intel chips, it is going to be in so many places- it is a lot of faith to put in untested code. But for the ME to be able to hurt or help you, the motherboard has to support its features, and there are a lot of motherboards, a lot of BIOSes- it is still a pretty diverse setup, and many don't support AMT at all.
Disable? (Score:2)
So, how do I turn the damn thing off? (I suspect the answer to be "can not", but anyone that knows otherwise - let me know)
I do, however, notice that there are no open listening ports on my current Intel computer, when scanned externally. Is this thing always on? What conditions enable it (so that I'd know to avoid those)?
What I want to know is... (Score:2)
Coreboot has been trying to work around this stuff (Score:3)
The Coreboot people have been trying to work out how to deal with this stuff for a long time. See https://www.coreboot.org/Intel... [coreboot.org]. They're trying to work out how to disable it, but progress is not that good.
Re: (Score:2)
Agreed, I had been using IME for long time. This is not new. In fact, it's so old I expect that if it were compromised, those exploits are in their 3rd generation by now. The one where sovereign hackers usurp the previously installed tools and the fight is for the C&C net.
And I suspect it has been tried, repeatedly. By everyone of note.
Re: (Score:2, Interesting)
I'd be surprised if the spooks don't have an exploit for it for targeted use, but as you point out, nothing has been found in the wild for all these years, so the cost/benefit is obviously not good enough for your average blackhat. Software-only APTs are good enough and don't rely on proprietary hardware features.
There was a conspiracy theory going around when it was new that the IME included a GSM modem (and presumably a hidden SIM card tied to a subscription paid for by the Illuminati) and could be used f