
“We have obtained fully functional JTAG for Intel CSME via USB DCI” - cryogenic_soul
https://twitter.com/h0t_max/status/928269320064450560
======
WhitneyLand
One way to think of ME is, we all woke up one day and discovered we have had
high resolution night vision spy cams installed in our bedrooms.

The next realization is there is no way to turn them off or remove them. It’s
possible even moving won’t help.

And yet we really don’t seem to care much. Lesser issues generate national
outrage and high volumes of press coverage. Why?

HN may be uniquely positioned to show us the answer. Take a community of
people with generally above average interest and/or knowledge in this stuff,
and the comments are filled with questions asking what the hell ME even is.

Apparently, ME is the perfect combination of opaque, obtuse, and obscure. It’s
not rocket science, but complicated enough it’s hard to explain well quickly.
It’s easy to be a highly technical person yet never have the need to cross
paths with the subject. There has been some press, some activity, but all of
that is simultaneously dampened for the same reasons.

~~~
fragmede
> And yet we really don’t seem to care much.

I know we're used to "Internet speed" and the tweet happened an entire 24
hours ago, but give it a bit of time before declaring it dead. Wired and Vice
need a second to write it up, and see if it hits the mainstream _before_
declaring the issue ignored.

Not saying it _will_ get picked up, though I sure hope it does, but as you
point out, it's a bit obscure and takes some explaining.

Still, there are numerous reports that the Facebook app on your phone _listens
to every word you say_ to show you ads for things you were talking about, but
on HN and other web forums, there is always an element of disbelief. We may
believe that it must be something else - correlation to web searches from the
same IP, but there's never been proof one way or the other. (A Facebook exec's
claim doesn't count as proof.)

So there's a section of people that believe they _already have_ high
resolution recording devices that we take into bed. What's one more?

(Typing this, very gratefully, from an ARM Chromebook.)

~~~
madez
Can you use an ARM Chromebook without it constantly leaking data to Google? I
tried to use the C201 without Chrome OS, but with libreboot, and Debian with
mainline Linux. I didn't succeed.

~~~
kn0where
A little late to the party, but I also have a libreboot C201, and have
successfully installed mainline Debian on a USB drive connected to it. I'm
going to put up a comprehensive guide + shell scripts in December when I'm on
break from school, but until then, check out these links:

[https://github.com/atopuzov/c201/blob/master/debian-install....](https://github.com/atopuzov/c201/blob/master/debian-install.md)

[https://archlinuxarm.org/platforms/armv7/rockchip/asus-chrom...](https://archlinuxarm.org/platforms/armv7/rockchip/asus-chromebook-flip-c100p)

The main thing I haven't gotten working yet is the touchpad. For wifi, I'm
using an atheros dongle with open firmware.

~~~
curioussavage
The gallium os guys have everything working perfectly on my asus chromebook.

~~~
kn0where
Yes, but gallium doesn't support arm [1]

[1]
[https://wiki.galliumos.org/Support/ARM](https://wiki.galliumos.org/Support/ARM)

------
nolok
At first it looks nice "oh now we can get rid of it" but it also opens up a
very scary near future security-wise.

We've now entered a realm where an attacker could simply plug a device into a
USB port of your computer for a few seconds to have it access your CPU's ME
through USB JTAG and take it over, allowing him to have full access and
control over what you do/read/open/type over the network, without you ever
knowing it since you can't see it. And the only way to get rid of it for sure
would be to pretty much throw that CPU away and buy a new one.

Or am I being overly paranoid and there is something I haven't considered that
makes this scenario impossible?

EDIT: given the answers I think my main concern wasn't well expressed above.
I'm not saying this as in "ME is making it easier to be compromised". That may
or may not be true, but that's not my point.

My point is, we all know that once compromised, you can't clean it and need to
burn it all and start from scratch: recover from backup (not files on the
compromised machine), format everything, reinstall. Due to the nature of the
ME, this is not a solution here. The cleanup needs to be done at the hardware
level. Unless I misunderstood something, once it happens, your CPU is done
for, period. And 'using a hack to clean up the hack' is still in the realm of
cleaning up rather than starting from scratch; it's not a solution for the same
reason that cleaning up your compromised Linux box is not one and you need to
start from scratch.

~~~
gargravarr
The 'evil maid' attack is well known, and states that once someone has
physical access to your computer, all bets are off. Anything that has DMA
enabled (e.g. Firewire or Thunderbolt) offers an external device direct access
to the system RAM that is very difficult to defend against, or they could
attach a keylogger or modify your bootloader, basically unleash all manner of
havoc. USB JTAG is really no different from a security POV.

The concern with the Intel ME is that it has a native network adapter. You can
bet efforts are currently underway to discover how to exploit the ME remotely.
THAT'S when things get scary.

Your paranoia is not unjustified. Personally, I am nervous that some of my
systems have the ME. When attention turned to it about a year ago, I knew it
would only be a matter of time before someone broke into it.

~~~
_jal
> The concern with the Intel ME is that it has a native network adapter.

Yep, this is the big deal. After I "discovered" the ME, my first stop on my
home network was the switch, to block all that crap. (And I found my storage
server, equipped with a Supermicro all-in-one motherboard, helpfully grabbed
an IP for the ME to listen on with an 'admin/admin' password.)

I just wish the empire builders at the NSA would care about something other
than their own little power center. They knew this would happen - it always
does. The NSA is probably the biggest security threat to the U.S. people[1] at
this point, because they keep building concentrated, high-value targets and
then lose control of them.

[1] Not to be confused with 'U.S. government interests'.

~~~
ricw
Am curious how and what exactly you blocked?! What precautions can be taken to
make systems more secure?!

~~~
_jal
As usual, it depends on what exactly you have. Not all chips have the AMT
enabled, for instance.

This is a useful document for understanding what exactly you're dealing with
and what to do about it:

[https://www.blackhat.com/docs/us-17/thursday/us-17-Evdokimov...](https://www.blackhat.com/docs/us-17/thursday/us-17-Evdokimov-Intel-AMT-Stealth-Breakthrough-wp.pdf)

------
mrschwabe
Companies like Intel, who are complicit in helping CIA or any intel agency
(government, rogue or otherwise) infiltrate and exploit our systems - need to
be held accountable by the market.

Intel ME and the (assumed [0]) partnership with CIA to design and build this
system - should be an absolute travesty blow to the integrity of their
business long-term. Will you, as lead engineer or sys admin for your mission
critical business now continue to choose Intel products to help build your
infrastructure?

Unfortunately it seems that our modern market has not yet evolved enough to
punish companies involved in such reckless behavior. I suspect the reason is
primarily the ease with which governments can mass tax and create fiat currency.
Perhaps there is some alternate decentralized currency system that would limit
government's ability to tax, print and award juicy big-brother contracts to
these companies.

Anyway, for now at best - and perhaps somewhat encouraging - is the subsequent
brain drain of engineers and hackers alike who want nothing to do with
faceless corporations like Intel, Google, Facebook, IBM, et al. who routinely
deceive/exploit and work against the best interest of their own customers.

[0]
[https://twitter.com/9th_prestige/status/928740294090285057](https://twitter.com/9th_prestige/status/928740294090285057)

~~~
throwaway230958
> Intel ME and the (assumed [0]) partnership with CIA to design and build this
> system

I worked at Intel on ME and the things that came before it until around 2013.
I can tell you two things --

1. No, Intel ME wasn't born out of a desire to spy on people nor was it -- to
the best of my knowledge but I honestly believe I would know -- created at the
request of the US government (or others). It was an honest attempt at
providing a functionality that we believed was useful for sysadmins. If it was
something done for the CIA, I believe it would probably have been kept secret
instead of marketed.

2. It was initially going to be much "worse". Early pilots with actual
customers -- such as a large British bank -- were going to run a lot more
stuff -- think a full JVM -- and have a lot more direct access to the user
land. Security concerns scrapped those ideas pretty early on though.

In retrospect, I personally believe the whole thing was a bad idea and
everybody is free to crap on Intel for it. But the thing was never intended as
a backdoor or anything like that.

~~~
daxorid
Right. ME does make sense as a feature for sysadmins. Except . . . . Well, can
you shed light on the following:

1. Why did your team deem it necessary to deny the end-user the capability to
disable this feature?

2. Why did your team decide to enable ME on ALL consumer grade chips? You
could have only enabled it on, say, Xeon, as a value-add - exactly like you do
for ECC support. You could have _made more money_ this way. But . . . you
didn't.

Without legitimate, sensical answers to the above questions, there is no
reason for anyone to believe your team did anything other than design a
backdoor for the Feds. Sorry.

~~~
ddalex
> Why did your team decide to enable ME on ALL consumer grade chips?

Can you please provide a reference? I've been trying to enable ME forever for
my consumer-grade i7 with Intel motherboard for remote management, and I can't
seem to be able to.

~~~
cyphar
The core of Intel ME is enabled on all chips since 2008. But features like
remote management aren't. Intel ME is used for things like DRM (see PASP) or
hardware bring-up and power management.

------
retrac98
Can someone explain like I have a degree in computer science from a good
university, but opted for a career as a software engineer in some relatively
high level languages?

~~~
dsr_
Intel CPUs have an embedded supervisory CPU called the Management Engine. It
can read all of memory, control power states on the main CPU, and generally
has super-root privileges on everything. You, an end-user, aren't allowed to
program it. The current MEs run a form of Minix. They represent an incredible
security and privacy risk, because we don't know what code they run and it is
widely believed that the NSA or other intelligence agencies have backdoor
access. Remote backdoor access, even: the ME can talk to the network.

A JTAG is a standard minimal serial port used for debugging purposes. You'll
find them on nearly all embedded devices - routers, phones, TVs, refrigerator
controllers... usually appearing as a set of two or three contact points.
Sometimes they connect directly to a debugger.

In this case, it appears that at least some Intel CPUs have a JTAG on the ME
that can be routed through the on-CPU USB handler, and thus physical access to
the right USB ports can be used to access the ME.

~~~
cmh1729
Is it known/suspected that AMD have an equivalent?

~~~
mkesper
Yes they do:
[https://www.reddit.com/r/security/comments/4ot223/do_amdproc...](https://www.reddit.com/r/security/comments/4ot223/do_amdprocessors_have_something_like_intel/)

------
throwaway230958
I worked on what became ME at Intel from the mid 2000s through around 2012 or
2013.

I completely agree that in retrospect, it wasn't the best idea. However, I
really want to say that it was never a project for the CIA as some keep
saying.

This was a widely-marketed product at the time of its inception. It was the
whole point of the Intel vPro line. I've been to a ton of roadshows between
2008 and 2009 where the marketing people demoed the heck out of ME to
everybody. It was a feature thought to be THE differentiator from AMD. Of
course, later AMD came up with their own equivalent and ME became "a
commodity".

So again, we can all argue whether it was a bad idea, but the notion that it
was designed by/with the CIA is simply not true to the best of my knowledge,
but I really think I'd know, as I've been to way too many design meetings and
saw the decisions being made by Intel engineers.

~~~
cyphar
I've never bought into the "NSA/CIA made Intel create this" line of reasoning
because, as you say, there was a legitimate use for this technology (misguided
as its implementation was). Of course, I have no doubt that the NSA/CIA may
have added further backdoors, or are withholding vulnerabilities in ME.

However, one thing that I've always felt conflicted about is why this feature
is present in _all_ CPUs. Usually if someone wants to use Intel's AMT then
they have a giant support contract with specialty hardware, so it seems odd
that the core CPU feature necessary is present on all CPUs despite no user
actually using it outside of enterprise.

Is it because the bring-up, other low-level stuff, and things like PASP (DRM)
were implemented on top of ME, and so it was not considered viable to re-do
that on chips that didn't have ME (though I was under the impression that very
early ME was not used for anything else)? Or was it just a matter of "it's
easier to just use what we have for every chip"?

~~~
pault
I really don't understand why I have to pay out the nose for ECC memory
support but I get this surveillance device "for free".

~~~
slobotron
Officially, you still need to pay extra to enable the remote management
capabilities of ME...

------
userbinator
Now that we know for sure people who have worked on or are working on Intel ME
actually read and post here, I'd like to take the opportunity to refer those
of you to a previous post of mine about it:

[https://news.ycombinator.com/item?id=15120207](https://news.ycombinator.com/item?id=15120207)

If you choose to defect and leak all the information you can, you will almost
certainly be greatly praised for it by many. Of course there will be negative
consequences, but no one ever said that standing firm and adhering to your
morals was easy. Maybe if enough employees stood up for what they think is
right instead of continuing to silently comply like slaves and let --- or even
assist --- companies and governments slowly take away their freedom and
privacy, there would be some actual change happening.

~~~
yuhong
Andy Glew had a post: [http://blog.andy.glew.ca/2017/05/intel-iamt-bug-strncmptrust...](http://blog.andy.glew.ca/2017/05/intel-iamt-bug-strncmptrusteduntrusteds.html)

------
Asdfbla
Any reason Intel doesn't just offer IME-free CPUs too? There's obviously
interest considering the lengths organisations like Google go to to disable it
and Intel supposedly already has such offers for governments.

~~~
exikyut
> _the lengths organisations like Google go to to disable it_

TIL about this detail. Where can I learn more?

EDIT: So this is now at 0 points. Interesting...

~~~
jjevanoorschot
A recent talk [0] by Ronald Minnich from Google gives a nice overview of their
efforts to replace parts of Intel ME and UEFI with Linux, mostly for security
reasons.

[0]
[https://www.youtube.com/watch?v=iffTJ1vPCSo](https://www.youtube.com/watch?v=iffTJ1vPCSo)

------
jlgaddis
This particular submission is a dupe:
[https://news.ycombinator.com/item?id=15656931](https://news.ycombinator.com/item?id=15656931)

This one has a bit more info (although not much as far as details go):
[https://news.ycombinator.com/item?id=15668363](https://news.ycombinator.com/item?id=15668363)

------
SEJeff
Absolutely fantastic video from a google engineer (and the original author of
LinuxBios / Coreboot) on how they replaced the UEFI firmware with Linux to get
Dell servers to boot in 20 seconds:

[https://www.youtube.com/watch?v=iffTJ1vPCSo](https://www.youtube.com/watch?v=iffTJ1vPCSo)

------
jarym
'Intel inside' was clearly not just a marketing slogan but a reference to spy
agencies.

------
amelius
But ... Perhaps Intel has a _second_ ME installed on the processor. The first
one was just a decoy.

~~~
AceJohnny2
That would be a hilarious waste of silicon.

~~~
amelius
An ME can be as simple as just another thread context that is shared with the
rest of the CPU. Basically, just a bunch of registers, and some simple logic
to activate it.

------
TheNewLab
I think many don't realise that DCI is not supposed to be activated on
production CPUs.

~~~
kbeckmann
Sure, but this makes it possible to dump the firmware for further analysis. I
think that's the big news here. Think we might read about a few new bugs over
the coming months. Also it might be possible to flash new firmware (to lock it
down).

~~~
turblety
It's a nice thought, but I don't think it'll allow us to flash new firmware.
We can already flash firmware on Intel chips, but the firmware has to be
signed using Intel's keys. The signing verification still happens on the mask
ROM, which is impossible to overwrite.

Maybe this discovery will help us understand more how the verification step
works. But I think the best we can hope for is a way of overwriting Intel ME
very quickly after it's booted every time.

------
SideburnsOfDoom
If you are finding the jargon in that tweet too dense (JTAG? ME?), these
articles cover the same with more explanation:

[https://thenextweb.com/security/2017/11/09/researchers-find-...](https://thenextweb.com/security/2017/11/09/researchers-find-almost-every-computer-intel-skylake-cpu-can-owned-via-usb/)

[https://www.theregister.co.uk/2017/11/09/chipzilla_come_clos...](https://www.theregister.co.uk/2017/11/09/chipzilla_come_closer_closer_listen_dump_ime/)

------
kyberias
If someone told me that most Intel processors are internally running MINIX I
would have laughed but there you go:

[http://www.cs.vu.nl/~ast/intel/](http://www.cs.vu.nl/~ast/intel/)

Anyway, how do I know whether my CPU has it and is vulnerable via USB?

------
f2f
Here's the presentation slides of the guys who figured it out:

[https://www.troopers.de/downloads/troopers17/TR17_ME11_Stati...](https://www.troopers.de/downloads/troopers17/TR17_ME11_Static.pdf)

~~~
kyberias
Love the Minix slide. It's a wonder this news didn't reach Tanenbaum until
recently.

------
craftyguy
Wait, the screenshot shows that they are using ITP/DAL.. I didn't think that
was publicly available. Is this true? If so, then what they have done is only
something an OEM, with appropriate permission from intel, could do.

~~~
Kliment
Some motherboard vendors host downloads of it, whether they're allowed to or
not is irrelevant at this stage, it's out in the wild.

------
campuscodi
Here's the research team's talk from last year's 33C3
[https://www.youtube.com/watch?v=2JCUrG7ERIE](https://www.youtube.com/watch?v=2JCUrG7ERIE)

------
_nedR
Apparently Intel ME can be killed by setting an undocumented flag discovered
by the same group?

[https://www.csoonline.com/article/3220476/security/researche...](https://www.csoonline.com/article/3220476/security/researchers-say-now-you-too-can-disable-intel-me-backdoor-thanks-to-the-nsa.html)

Anybody can shed light on this tool and whether it can mitigate the attack
mentioned in the tweet?

------
spchampion2
Discussed previously here:
[https://news.ycombinator.com/item?id=15656931](https://news.ycombinator.com/item?id=15656931)

------
anovikov
And the main question - did they find anything NSA-ish in there?

------
binaryapparatus
This is fantastic news. I expect to see some reliable and easy to apply (usb?)
solution to wipe and tame ME.

Greatest news is that it works for latest Intel processors so even if they
change protection (they certainly will) we at least have very good processors
that can work without spyware. All the previous tests I read about only
tackled first few generations of Intel ME, for processors/boards over 8 or 10
years old.

~~~
Kliment
The core problem with this is that if you have debug access to the core
running ME, you can put it back even if it was wiped - or replace it with
anything you like.

------
waynecochran
Has anyone used the Intel Management Engine Verification Utility?

[https://www.intel.com/content/www/us/en/support/articles/000...](https://www.intel.com/content/www/us/en/support/articles/000005974/software/chipset-software.html)

~~~
kyberias
I tried it. Didn't find ME on my i5-4690K.

------
Confiks
Does anyone know if Intel ME being compromised and the recent Tanenbaum letter
have anything to do with each other? For example if the researchers discovered
the use of Minix through this compromise.

The articles referenced in Tanenbaum's blog post don't really reveal the
source of the Minix discovery, other than it was due to some recent discovery.

------
microcolonel
You mean finally cracked _again_.

~~~
cryogenic_soul
I mean, it is the first time that researchers get full access to the Intel ME
firmware, so now it has become possible to reverse engineer it.

------
whage
Where should I start if I want to dip my toe in this topic? Have a few years
of web development experience and a Bsc in software engineering in progress.

~~~
exikyut
Go google "intel ME" and wade through the results. Optionally use date
filtering to progressively skip back through the years.

Next, download Minix and get a good handle on it. The next step is getting
access to the Minix kernel on the ME, and after that, it'll be a case of who
has the best apps for the CPU in their CPU.

------
jlebrech
Would it be possible to use Minix OS inside the CPUs directly as a desktop OS,
or rewrite the firmware, or is it read only?

------
reacharavindh
Ah, I’m so glad and proud of the hacker community now. The nasty and opaque
backdoor is now out in the open, so the researchers can now find a way to close
the hole. I have a feeling the current gen Intel processors are going to be in
demand amongst the security community and privacy conscious users because the
newer ones will definitely have an even shittier backdoor in place of the now
bust ME.

------
wslh
Ask HN: How would you organize an Intel boycott?

~~~
24gttghh
Find a manufacturer in Shenzhen who can mass-produce older Intel pre-ME
motherboards/CPU die clones and start your own fabrication...

------
0xfeba
You can disable all the phone home stuff by not plugging in the ethernet port
it uses, eg. using wireless or an add-on card. Or in some motherboards, the
secondary ethernet.

~~~
0xfeba
Would the downvoter care to state any reasons for disagreeing? The IME only
has drivers for a specific ethernet port. They also don't use the secondary
ports if equipped, though I imagine that's just a configuration setting.

------
CalChris
In principle, how is the Intel Management Engine different from the Apple
Secure Enclave coprocessor on iOS devices?

~~~
jzl
ME can see everything coming in on your ethernet port, with no accountability
to the host OS. It's like a wiretap, ostensibly for remote control commands,
but again with no accountability for what it is up to.

------
jerianasmith
Thank you so much for your help, I really appreciate it.

------
sidcool
Can someone ELI5 this for me?

~~~
ksk
Intel created a product (Similar to Dell's iDRAC) which has a co-processor for
system admin type stuff. This product and/or associated modules have security
flaws. Those flaws can be potentially used to takeover the machine and allow
malware to exist outside of the CPU/RAM/HDD architecture and stay undetected.

------
dvfjsdhgfv
On an unrelated note, did anyone hear about any answer from Intel to Prof.
Tanenbaum's open letter? It's high time they pulled their heads out of the
sand and started explaining the whole issue.

~~~
nolok
Why do you think they would have to answer him anything? He published
something, using a license saying you could use it without telling anyone nor
giving back changes, and that's exactly what Intel did. And in his letter he
acknowledged that.

There was no call nor need for an answer...

~~~
exikyut
I agree.

I think this was Minix's first real-world use case (read: ego validation), and
Andrew Tanenbaum was just unimpressed he learned about it by proxy.

