
Malware Uses Obscure Intel CPU Feature to Steal Data and Avoid Firewalls - vezycash
https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/
======
oneplane
Another round of crappy journalism. It's not obscure, it's not a CPU feature
but a platform feature, and there are plenty of out-of-band communication
channels out there, this isn't the only one. On top of that, this was already
published two DEF CONs ago.

You can exfil data and even do practical bi-directional communication over:
SOL, IPMI, ASF, MT's ARC CPU via injected firmware and then via TCP/IP. Any of
them will work. Add vendor-specific firmware addons on top of that (i.e.
Broadcom tends to have exploitable firmware in their NIC controllers)

Most of them are in a vulnerable state by default because the technology was
supposed to be 'easy' and 'user friendly', but 'users' don't even know what
they are, and most deployments are done by the WinTel horde that doesn't
actually know anything outside the Microsoft framework. (and thus leave the
defaults as-is)

I probably posted something similar on
[https://news.ycombinator.com/item?id=11913379](https://news.ycombinator.com/item?id=11913379)

Is it bad? Yes. Is it new? No. Is it ever reported on correctly? Also no.

~~~
mycall
Of these techs, which does AMD support? Would switching to AMD make us more
secure?

~~~
acdha
> Would switching to AMD make us more secure?

That's not quite the right question: this is just standard use of a remote
management feature which is disabled by default. If you enable any remote
management service, which are extremely common on server class hardware and
many enterprise desktop devices regardless of vendor, you have to take
responsibility for securing the management features you enable.

The only real news would be if this was enabled by default or if the design
didn't allow it to be secured.

~~~
microwavecamera
It's not secure, that's the problem. AMT relies on security by obscurity.

~~~
oneplane
It also seems to rely on "unexpected functionality by buggy code". There were
flaws in basic luxury functionality like JPEG parsing that allows anyone to
overwrite certain pieces of memory regardless of its signature or write
protect bits. It was then used as a jumping pad to enter the ARC CPU and have
total system control from there. Basically, unless you desolder the flash,
it's a rootkit you can't get out.

------
zkms
Aaaand I think this is the first public disclosure of malware using the Intel
Management Engine / AMT's network connection (that uses SMBus, I talked about
it here
[https://news.ycombinator.com/item?id=14309557](https://news.ycombinator.com/item?id=14309557)
and gave links to appropriate datasheets). Welp.

AMT/ME being used by malware created by well-resourced adversaries is no
surprise, and is why Intel needed to give an irreversible and verifiable way
of completely disabling it.

~~~
rufugee
_is why Intel needed to give an irreversible and verifiable way of completely
disabling it._

The article said it comes disabled by default. Isn't this a verifiable way, or
is the article incorrect?

~~~
tyingq
There's a second bug that allows a non-privileged local user to provision it.

_"An unprivileged local attacker could provision manageability features
gaining unprivileged network or local system privileges on Intel manageability
SKUs"_

[https://security-center.intel.com/advisory.aspx?intelid=INTE...](https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr)

~~~
SXX
Isn't it supposed to be enabled in BIOS in order to provision it? On most
laptops and desktop motherboards such features are simply disabled by default,
like VT-d (IOMMU).

~~~
tyingq
See this question on the Intel forums. Seems difficult to actually disable it.
[https://software.intel.com/en-us/forums/intel-business-clien...](https://software.intel.com/en-us/forums/intel-business-client-software-development/topic/563988)

~~~
SXX
Oh, this doesn't look good at all. Didn't know that. Thanks.

------
endymi0n
Money Quote:

> When contacted by Microsoft, Intel said the PLATINUM group wasn't using any
> vulnerability in the Intel AMT SOL interface, but this was another classic
> case of bad guys using a technology developed for legitimate purposes to do
> bad things.

Worst excuse ever. "Look guys, at least it's not a backdoor we left on
purpose!!!"

m(

~~~
hellbanner
Are there any open hardware computers of comparable computing power?

How can the consumer stop someone from exploiting this hack?

~~~
_jal
1) No, not even close.

2) Disconnect from the network. This, of course, won't stop local attacks on
the AMT or ME.

This is why I've been complaining about the ME forever. Forcing a privileged
black-box that can't be disabled into every CPU is... not suspicious at all.

Even worse are some implementations. I have a Supermicro all-in-one MB that I
used in building a home storage server. It has two gig-ethernet ports. About
two months ago, I was rearranging around the machine, and when I plugged it
back in, apparently I switched the ethernet port plugged in to the switch to
the "primary" interface.

And one of the monitors goes off a few minutes later - there's a new network
device on my private network. Turns out a web interface to the ME comes up
automatically when using the primary NIC - it got a DHCP lease and was happily
waiting to be managed - with the default creds ADMIN/ADMIN.

I thought that we had that one figured out, but apparently not. Yes, I should
have read the manual for the motherboard, but that's beyond absurd. And, I
guess, a good reminder to trust nothing.

------
ccrush
It's surprising that everyone is up in arms about AMT and ME while not
complaining in the slightest about SGX. SGX allows third parties to run code
on your processor that is outside of your control. We're losing our computers
to corporate interests. You are buying a device they can remotely manage,
exert control with a higher privilege than yours, hide secrets inside your
machine, and make all the decisions for you. To be even more dramatic, you are
purchasing your own enslavement.

~~~
MichaelGG
SGX, if they allow arbitrary code to be signed, is amazing. It enables remote
trust. You could execute jobs "in the cloud" without anyone being able to see
your data. You could write a known-correct coin tumbler or trading platform.

If it does only get locked to a few code authors, that would be a tremendous
shame.

~~~
SXX
Yeah, it will bring new amazing spyware and ransomware on millions of PCs.

~~~
MichaelGG
Can you explain how, exactly? Spyware would need to call out to system APIs to
do anything useful, and that's not something that can be done inside an
enclave.

Sure, it'd let you be a bit sloppier with ransomware, not needing public key
crypto to make it all work. Not really a huge deal.

~~~
SXX
Yes I can. In the past there were many cases when normal software and even
distributed drivers contained different kinds of malware. At some point
someone found it and it became detectable; there was a scandal and a way to
remove it. Also, there was a very serious risk that if some company put a
backdoor into their software, it would be found and the company would be sued
at least.

If something like SGX becomes publicly available, then a lot of proprietary
software and content manufacturers are going to use it for DRM purposes. So
effectively it will be everywhere.

Now imagine that every company can put a sleeping backdoor in their software
that can't be found by reverse engineering. Then they can activate it on
demand for purposes of industrial espionage. Or they can simply ship their own
version of a backdoor to every customer and then pretend it was some "bug" when
someone detects its activity.

~~~
MichaelGG
I think you might not understand SGX's capability. It's just a compute kernel.
So if they're taking data from your system, that's still very visible. And if
they are sending data, that's also visible. So, sure, it's handy to hide
logic. So the WannaCry thing, you'd be able to see it does DNS queries, but
not how it determined a certain outcome based on the inputs. But you can't
hide, for instance, a keylogger.

~~~
SXX
I perfectly understand what you are pointing to, but the problem of a black box
running in every piece of software is massive. Anyone could use it to implement
a remote backdoor in software and then pretend it's just DRM that is talking
with a licensing server.

Yeah, it could be detected when it starts to be active, but it doesn't
have to. It could be idle on a PC for years undetected, just waiting for a
remote command, trigger or special payload just for you.

PS: Also, the fact that the secure enclave itself can't access system APIs
means nothing, because half of software already has interpreters in it as well
as frameworks for every possible activity, bad or good.

~~~
johncolanduoni
It's not a black box. SGX code is unencrypted even at runtime, and as long as
it's running that code has to remain present and unencrypted. You can detect it
at any time, not just when it starts up.

~~~
SXX
A bit too late a response, but anyway. There are already apps that use SGX to
safely work with DRM or private keys. If there is a way to keep keys secret,
what would stop anyone from implementing interpreters that will keep code secret?

------
siegecraft
For those who want to try and disable their ME:
[https://github.com/corna/me_cleaner](https://github.com/corna/me_cleaner)

------
userbinator
It's funny that the image of the CPU in the article is a P4-era socket 478
model, which AFAIK comes from a time when Intel ME didn't exist in its current
form yet... somewhat like showing a late 80s vehicle in an article about
hacking self-driving cars.

"Intel AMT SOL technology" - a most ironic acronym for this situation...

------
dmix
> Intel ME runs even when the main processor is powered off, and while this
> feature looks pretty shady, Intel built ME to provide remote administration
> capabilities to companies that manage large networks of thousands of
> computers.

So they exposed millions of consumer and business computers in order to
satisfy a niche enterprise use case? Why is this not something that has to be
manually turned on?

Intel ME has always sounded like a glaring security risk. Another operating
system running in the background that can run its own network stack? This is
100% being exploited by intel agencies.

~~~
darksim905
It _does_ have to be manually turned on.

~~~
theossuary
Extensions like AMT do need to be manually enabled, but ME itself is always
running a big old pile of encrypted code that we'll never get to look at, and
yes there's a better than even chance there are exploits in that code only
nation states could find (hopefully anyway).

------
mental_
Issues with that don't seem to have scratched Intel's reputation as much as
I expected.

~~~
kbart
Maybe because everyone who had any clue knew since the beginning what ME was
intended for. The only news here is that "wrong" guys used this backdoor
(again, nothing unexpected).

~~~
ant6n
Cynicism is consent

------
godmodus
Do ARM cpus have this? Seriously... _profanity here_

~~~
userbinator
ARMs vary from simple microcontrollers to the SoCs used in smartphones and
tablets.

The former, probably not.

The latter probably have something similar --- and they're even less publicly
documented than Intel ME/AMT or AMD's equivalent.

~~~
SXX
AMD PSP is ARM TrustZone.

------
Cieplak
I suspect that one can partially mitigate this risk by removing the network
card from a laptop motherboard and using a USB network device that requires a
software driver.

------
mtgx
Intel AMT strikes again. I imagine this problem will only increase in the
future, now that more malware creators know they can try to use this CPU
backdoor (okay, this _"totally-not-intended-for-bad-things and super-useful
remote connection enterprise feature"_).

~~~
kakarot
Exploiting vPro / AMT / any remote access mechanism from any chip maker is
hardly a new idea.

AMT and AMD's equivalent (don't remember the name) have been a holy grail for
security researchers and malware authors alike for many years. People have
been begging Intel for a very long time to make business-tier chips without
remote access capabilities.

For personal computing, at least we have enthusiast chips. For example, my i7
K model lacks the technology.

EDIT: AMD's remote tech is called Platform Security Processor (PSP). Thank
you, jacquesm!

~~~
mschuster91
Who knows if the feature is not still present in silicon but just software-
disabled?

It's not really new that Intel and AMD do binning to get more yield.

~~~
kakarot
It isn't present AFAIK, because Intel cuts corners on enthusiast chips they do
not expect to be used in a networked environment in order to save money, and
still charge you more than the non-enthusiast counterparts.

~~~
rasz
ME is there (ability to execute below ring -1). Go ahead and check it right
now, look at lspci/device manager for Management Engine Communications device.
It's present on the cheapest desktop H81 motherboards, and on high-end (at the
time) Z87 ones, no matter the CPU.
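
Added example (not part of the thread, and not code from intelmetool or any other project linked here): one way to turn the lspci check described above into a repeatable inventory step. The sample lspci lines are constructed, and the name patterns (MEI/HECI Controller for the host interface, KT Controller for the AMT Serial-over-LAN port) are an assumption about how lspci labels these functions.

```shell
#!/bin/sh
# Classify Intel ME-related PCI functions found in `lspci` text (read from stdin,
# so saved inventories from many hosts can be checked the same way).

# Constructed sample input, not captured from a real machine.
SAMPLE_LSPCI='00:14.0 USB controller: Intel Corporation 8 Series/C220 Series Chipset Family USB xHCI (rev 05)
00:16.0 Communication controller: Intel Corporation 8 Series/C220 Series Chipset Family MEI Controller #1 (rev 04)
00:16.3 Serial controller: Intel Corporation 8 Series/C220 Series Chipset Family KT Controller (rev 04)
00:19.0 Ethernet controller: Intel Corporation Ethernet Connection I217-LM (rev 05)'

# Print "kind<TAB>slot" for each ME-related function.
#   mei = host interface to the Management Engine (MEI, formerly HECI)
#   sol = KT Controller, the serial port AMT uses for Serial-over-LAN
me_pci_report() {
    awk '
        /Intel/ && /(MEI|HECI) Controller/ { print "mei\t" $1 }
        /Intel/ && /KT Controller/         { print "sol\t" $1 }
    '
}

# Reduce the report to one verdict per host.
me_pci_summary() {
    report=$(me_pci_report)
    if printf '%s\n' "$report" | grep -q '^sol'; then
        echo "amt-sol-port-visible"
    elif printf '%s\n' "$report" | grep -q '^mei'; then
        echo "me-host-interface-visible"
    else
        # Firmware can hide these functions, so this does not prove ME is absent.
        echo "no-me-pci-function-visible"
    fi
}

# Demo on the constructed sample; on a real host run: lspci | me_pci_summary
printf '%s\n' "$SAMPLE_LSPCI" | me_pci_report
printf '%s\n' "$SAMPLE_LSPCI" | me_pci_summary
```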

~~~
kakarot
I have done that before, and I've just done it again, and I don't get
anything. The only thing present on my system related to ME afaik is the MEI
linux driver, which is pretty useless without a ME to talk to.

According to ARK [0], vPRO is absent. I have done various other system queries
and nothing has turned up.

Anything else you want me to query? And where do you get this information that
ME is present in all chips? Having a motherboard that supports ME is
irrelevant, if the chip has no ME.

[0] [https://ark.intel.com/products/88195/Intel-Core-i7-6700K-Pro...](https://ark.intel.com/products/88195/Intel-Core-i7-6700K-Processor-8M-Cache-up-to-4_20-GHz)

~~~
rasz
[https://github.com/zamaudio/intelmetool](https://github.com/zamaudio/intelmetool)

sudo intelmetool -s

I'm pretty sure Intel BootGuard is ME based.

~~~
kakarot
I'll check this out tonight, thanks!

------
ComodoHacker
This site denies access to the article from a German proxy. What weird
reason could there be for this?

~~~
krylon
FWIW, I can access the site from Germany without problems.

------
goosh453
Is it possible to avoid this problem by using a good hardware-firewall? Or
maybe only surfing through a tunnel on a beaglebone/raspberry?

