
Intel platforms from 2008 onwards have a remotely exploitable security hole - theSoenke
https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/
======
AdmiralAsshat
_The short version is that every Intel platform with AMT, ISM, and SBT from
Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole
in the ME (Management Engine) not CPU firmware._

We knew this would happen. We knew that the Management Engine was a backdoor,
and we knew it was only a matter of time before someone would figure out how
to exploit it. This is exactly the reason why Libreboot exists
([https://libreboot.org/faq.html#intel](https://libreboot.org/faq.html#intel)).
And now, far from being the tinfoil hat distro that is often portrayed, it
will become a bare necessity.

~~~
frik
Let's hope one of the other CPU manufacturers (e.g. AMD) starts supporting
LibreBoot and allows officially disabling the ME-equivalent hardware feature,
so that Intel gets forced by market pressure to follow.

Intel needs more competition - thanks to AMD's latest new 8-core CPU Intel got
forced to release a new CPU they had in their basement for years - suddenly
it's possible for them to release i7 notebook CPUs with more than two cores!!
Even back in 2010 it would have been viable to produce 4 core notebook CPUs -
but they went away because they had no competition.

~~~
dewyatt
That was the top request in their March AMA:

[https://www.reddit.com/r/Amd/comments/5x4hxu/we_are_amd_crea...](https://www.reddit.com/r/Amd/comments/5x4hxu/we_are_amd_creators_of_athlon_radeon_and_other/?s)

I wouldn't hold my breath, though.

~~~
i336_
The sad thing with that is that

- releasing the source doesn't tell you what's on the chip.

- PSP is kind of "Ring ∞", so there would be no good outcome from providing
general-purpose access to it. So, the keys will never be released.

- it's thusly not possible to map the signed (encrypted) firmware to the
source.

- even if the source had a clearly documented "master off" in it, you can
never know if the firmware's copy reads "master-except-if-A-and-B-say-C off"
:(

------
Sephr
> For obvious reasons we couldn’t publish what we found

It's not obvious to me why anyone not under an NSL or NDA would sit on this
vulnerability for 5 years and wait until it's actively being exploited in the
wild before public disclosure.

It's extremely negligent to global security for SemiAccurate to not
immediately publicly disclose the vulnerability 5 years ago after Intel
refused to fix it. Of course this is ignoring the root of the problem, which
is that the US government has deeply compromised Intel since the very first
security management interfaces were added to Intel chips in the early 90s.

The real solution to the root issue is legislation that forces security
disclosure timelines of 90 days or less for government-found vulnerabilities,
and prevents the stockpiling of vulnerability exploit kits.

~~~
gtirloni
It gets more confusing because Intel is crediting Maksim Malyutin from Embedi:
[https://security-center.intel.com/advisory.aspx?intelid=INTE...](https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr)

 _Intel would like to thank Maksim Malyutin from Embedi for reporting this
issue and working with us on coordinated disclosure._

~~~
jacquesm
I interpret that as SA got wind something like this was going down, guessed
some of the details and possibly forced Intel to disclose but they didn't
actually find anything themselves nor do they have the details. Which explains
why Intel credits someone else and they overplayed their hand by claiming that
either ME or VPro are breached when it really is AMT. (Bad enough...)

------
tomku
Is there a better source for this than SemiAccurate? The article doesn't
really have much beyond self-aggrandizement and "we can't tell you any
details, but you're screwed". For something that could be anything from
"Charlie Demerjian heard a rumor about a ME patch and wanted some pageviews"
to the actual security apocalypse, I'd like credible sources.

~~~
na85
Credibility issues of the author/website aside, I actually hope this is true,
and I hope it's catastrophic for Intel.

Maybe then we'll finally see hardware companies taking security seriously.

~~~
thraway2016
IME is likely not a case of Intel "not taking security seriously". It's almost
certainly a case of doing what FiveEyes demanded of them.

~~~
na85
You're probably right.

I still hope it's true, and that it's catastrophic for Intel. No change can
happen otherwise.

If Intel aren't fighting against 5eyes then they aren't taking security
seriously.

------
jackhack
>>every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby
Lake in 2017 has a remotely exploitable security hole in the ME (Management
Engine) not CPU firmware.

>>there is literally no Intel box made in the last 9+ years that isn’t at risk

>>SemiAccurate has been begging Intel to fix this issue for literally years

Am I the only one who is so cynical to think it must have been deliberate?
Intel dragging their feet for YEARS -- what could justify such a delay? The
paranoid side of me asks "Were they waiting to patch this hole, until they
found a different one that could be utilized?" Which begs the next question:
Where is the NSA in all of this? It's the sort of thing that would be mighty
handy to a group wishing to snoop on everyone and everything?

Last question: Why would anyone trust the encrypted management engine after
this? (Why would anyone trust it before?)

>> What about embedded devices that are increasingly PC based? Digital signage
perhaps? Industrial controls. HVAC. Security systems. Flight controls. Air
traffic controls. Medical devices.

What, indeed? Is this the method used to interfere with Iran's nuclear program
centrifuges?

~~~
regularfry
Believe incompetence before malice, and I'd stick economic incentives
somewhere in the middle.

The discussion probably went something like:

Person 1: "Should we issue a recall and disable a feature which bought us a
several billion dollar customer?"

Person 2: ...

~~~
sixothree
In this day and age the choice between malice and incompetence seems to fall
more on the malice side.

------
krylon
As a sysadmin at a Windows shop, I don't know what to make of this. Has Intel
commented on this, yet? Any OEM?

Joanna Rutkowska, who _is_ a renowned security researcher, warned of something
like this happening sooner or later[1], so I don't think I can afford to just
ignore this.

But without something more specific to act on, there is nothing I _can_ do,
except wait for firmware updates to be released by various vendors. _If_ that
happens.

And what if Intel does make a statement that essentially says, "This is all
total BS"? I wouldn't know whether to believe them or not.

The only scenario where I could have any degree of certainty would be if Intel
came out and said, "Yeah there's an exploitable security hole in ME, here's a
patch to disable it".

[1]
[http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf](http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf)

~~~
justinclift
As pointed out by another commenter, Intel has released the advisory:

[https://security-center.intel.com/advisory.aspx?intelid=INTE...](https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr)

It confirms much of the SemiAccurate report, but also includes this:

"This vulnerability does not exist on Intel-based consumer PCs."

Which seems to differ from what SemiAccurate was saying. I'm not sure if it's
SemiAccurate being... er... not completely accurate :D, or if it's Intel
trying to downplay things.

I guess we'll find out more over the next few days/weeks.

~~~
tyingq
Looking at the Intel link, they take you down a path to see if you have vPro.
That's on some i5s and i7s. So they are defining "consumer" roughly as
"purchased at Best Buy or similar". There are certainly desktops in people's
homes that have vPro. Even some of the higher end NUCs have it.

~~~
mirimir
Easier path:
[https://ark.intel.com/#@Processors](https://ark.intel.com/#@Processors)

When I've purchased VirtualBox hosts, I've deliberately avoided stuff with
vPro.

------
_wmd
Zero details and zero cross references, zero mentions on Google and zero
mentions in any security list I'm on. Charlie blowing nonsensical steam yet
again?

~~~
resoluteteeth
The article implies that they have been privately trying to get Intel to fix
it, so there is no reason it would have been mentioned publicly anywhere.

Now a patch is coming out but Intel is still trying to keep it quiet, so he's
trying to warn people to disable AMT and be ready to apply patches ASAP.

Presumably he didn't even want to disclose the existence of the vulnerability
publicly until there was some sort of fix, and he still won't want to disclose
details before the fix is released.

Of course, you can doubt the veracity of this story, but I'm just pointing out
that there would be no reason to expect details, cross references, or mentions
on Google or security lists yet if it is true.

~~~
tomku
If Charlie was a security researcher and SemiAccurate was a well-regarded
security firm, I would not expect details or cross-references or mentions on
security lists. Charlie is not a security researcher, he's a journalist, and
SemiAccurate is the tech equivalent of a supermarket tabloid. He is not a
credible primary source for anything security-related, particularly given
SemiAccurate's reputation for publishing rumors as facts.

None of that means he's necessarily wrong, just that you should be very
careful about believing his claims without supporting evidence. A lot of
people here on HN have thought that a remote ME exploit was only a matter of
time, so an article claiming to validate that belief will not get as much
skepticism as it should.

~~~
i336_
FWIW, Intel published this: [https://security-center.intel.com/advisory.aspx?intelid=INTE...](https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr)

------
bnmathm
FTA, Intel confirms? [https://security-center.intel.com/advisory.aspx?intelid=INTE...](https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr)

------
electic
I think it is high time for companies who make hardware to be financially fined
for lapses like this. In this particular case, the manufacturer was warned and
did nothing for years.

This is negligence especially considering these chips control critical devices
that can cause damage or even loss of life if they are successfully exploited.

Can you imagine if a car maker didn't fix a hardware defect they knew about for years?
Oh wait...

------
tomc1985
What is the motivation behind Management Engine?

From the perspective of an everyday user these things came out of nowhere to
evolve into this para-computer running alongside me that I cannot see and
have no control of. It is on literally _ALL_ hardware.

Why is it that any attempts to disable it knock your whole computer out?

And this is the world of technology that we want? I'm so sick of technology
companies appearing to work for their customers but secretly working against
them.

~~~
jnwatson
The functionality ME attempts to provide is lights out a.k.a. out-of-band
management (like IPMI) to the desktop.

If, for example, an admin needed to add a dual-boot-to-Ubuntu option to every
PC on a floor, he could, through ME, remotely reboot (force power reset if
necessary) or power on every machine, have the machines boot to a (remote) OS
install disk, run the install, and reboot.

ME allows one to do almost anything remotely to a PC, regardless of what the
main processor is doing. That is both useful and frightening.

~~~
tomc1985
Fine, but putting it on _all_ hardware?

How many corporate IT environments buy off-the-shelf motherboards and CPUs
from the same channels as consumers? OEMs get an entirely different set of
parts and enterprise sales works in completely different channels. If there is
such a clean separation between corporate and consumer markets then why is
this hardware on _everything_, and why does it need to pull power on the
machine if it's disabled?

~~~
DrPizza
It isn't on all hardware. Intel has two ME firmwares, a small one for consumer
systems, and a big one for corporate/enterprise systems. The small one does
not (or at least, should not; is not supposed to) include the remote
management features.

In other words, the separation that you describe exists.

Systems with the full firmware sport things such as the vPro branding, and
only certain combinations of CPU and chipset support it.

~~~
tyingq
I'd be careful with assumptions on what "consumer hardware" means. There are
desktops, NUC units, etc, that shipped with i5 and i7 chips that had vPro.

~~~
DrPizza
Even with the CPU, you also need the right chipset and the right firmware to
actually light this stuff up. While especially in the laptop sector there are
consumer devices that include this, it's far from universal.

------
joatmon-snoo
/r/netsec link:
[https://www.reddit.com/r/netsec/comments/68lqzq/remote_secur...](https://www.reddit.com/r/netsec/comments/68lqzq/remote_security_exploit_in_all_2008_intel/?submit_url=https%3A%2F%2Fsemiaccurate.com%2F2017%2F05%2F01%2Fremote-security-exploit-2008-intel-platforms%2F&already_submitted=true&submit_title=Alleged+remotely+exploitable+vulnerability+in+Intel+AMT%2C+ISM%2C+and+SBT+since+2008)

------
devy

> Security is a cost center and most OEMs run on margins too thin
> to bother with security patches even if they cared. Most simply don’t care.
    

I think that sums up pretty well why downstream vendors are treating security
casually. So the billion dollar question is, how do we fix this, as a tech
community?

~~~
dom0
OEMs are not involved at all with ME afaik, it's exclusively controlled by
Intel.

~~~
wmf
OEMs have to ship ME firmware updates; Intel has no way to get them to you
directly.

~~~
cynix
Can't they install an update remotely via this vulnerability? :p

~~~
etherealG
No joke, this would be the best thing for everyone. Especially if we find a
way to do it ourselves rather than wait for a vendor to.

I've been thinking for years about writing a virus that patches the
vulnerability it used to spread as it goes.

------
lurker456
Great news that this finally came to light.

After learning about remote management capabilities I've always suspected it
had holes. Large attack surface, any exploit would have a high value, and
closed source.

Perhaps one day we'll be able to buy CPUs without this "feature". I'm betting
AMD and ARM are in the same boat.

~~~
LeifCarrotson
> After learning about remote management capabilities I've always suspected it
> had holes. Large attack surface, any exploit would have a high value, and
> closed source.

Even after reading this, I'm still not convinced it does have holes. It's so
high value (pervasive, incredibly powerful, and old) that if it were possible
a bad actor _would have used it_. The spectrum of possibilities is small:

    
    
1. The hole does not exist, but SemiAccurate thinks it does.
2. It exists, but only SA has discovered it.
3. SA discovered it along with a few bad actors, who are using it surreptitiously and haven't been caught.
4. It's being used all over the place, it's a widely acknowledged security disaster.
    

We're not in state 4. The article suggests we're in 2 or 3. 2 seems unlikely -
SA does not have special abilities that transcend those of other security
research firms. 3 seems especially unlikely: with this much power available,
and with the hole being patchable, could they resist using it? Which leaves
option 1.

~~~
tomku
SemiAccurate isn't a security research firm, it's a tech news blog. There's
basically no chance that they've discovered anything. If there's an exploit,
they would've had to have heard about it from either a source inside Intel or
an actual security researcher of some kind.

------
kartan
"It is this last point that has been causing some political unrest in the US,
and the rest of the Western world. As you undoubtedly know, China is very
nearly the sole producer of all electronic goods. It would be very, very easy
for the Chinese government to slip a hardware backdoor into the firmware of
every iPad, smartphone, PC, and wireless router." 2012
[https://www.extremetech.com/computing/133773-rakshasa-the-ha...](https://www.extremetech.com/computing/133773-rakshasa-the-hardware-backdoor-that-china-could-embed-in-every-computer)

Made in China, designed in the USA. Everyone wants their own backdoor.

------
discreditable
Patching is going to be a nightmare considering that many OEMs drop support
for a motherboard after 3 years. There will be unpatched systems floating
around for a very, very long time.

------
imode
I've got a Lenovo T530 and a Lenovo T450s. I wonder if they've released a
firmware update yet...?

I can't say I'm surprised, but I am surprised at the fact that finally, after
all these years, someone finally got down to patching some vulnerabilities in
this area.

Props to whomever forced Intel's hand.

~~~
ymse
One nice feature of (some) Thinkpads is that the AMT and ME can be
"permanently disabled" through the BIOS, presumably by blowing a fuse or
similar. Check if yours has this capability.

Otherwise check for updates at
[http://pcsupport.lenovo.com](http://pcsupport.lenovo.com).

~~~
pasbesoin
Hopefully, someone can speak further to whether this is a real mitigation and
what "permanently" and "disabled" really mean, in this specific context.

I don't mean to sound oppositional. I appreciate this being mentioned.

I'm just not willing to trust it without knowing in detail that and how it
works.

------
PhantomGremlin
Can anyone add any details? The article is very very vague. Doesn't this work
thru the Ethernet port in the chipset silicon?

So if you're running a desktop that has a physical Ethernet card in it, and
the Intel Ethernet isn't connected, are you OK?

And if you're running on a laptop that uses Intel's Ethernet, (and most of
them do?) then are you vulnerable?

------
shdon
Worrying about the ME and my dislike of secure boot is what has kept me from
upgrading beyond the Core 2 Duo with BIOS. It's starting to feel slow now, but
I still don't feel I can upgrade unless there is at least a way to disable the
ME. So far, there don't seem to be any reliable methods of doing so.

------
snackai
Even without any newly discovered backdoor. The Intel ME was always a fu**ing
security issue. A BACKDOOR. It is completely naive to think the NSA can't use
the ME to get access to anything, but hey it needs another Snowden for people
to listen again.

------
akeck
Intel ME always reminds me of the saying, "Absolute power corrupts
absolutely."

------
mtgx
Relevant discussion:

[https://news.ycombinator.com/item?id=11913379](https://news.ycombinator.com/item?id=11913379)

~~~
j_s
"The Intel ME subsystem can take over your machine, can't be audited" - OP's
discussion's title

> _do the first three steps of thinking for them. Make it really easy for the
> other person to say yes or no_

source: [http://firstround.com/review/how-to-become-insanely-well-con...](http://firstround.com/review/how-to-become-insanely-well-connected/) |
[https://news.ycombinator.com/item?id=14195664](https://news.ycombinator.com/item?id=14195664)

I've agreed to include a bit of detail when spamming all my friends links via
e-mail going forward.

------
thrilleratplay
For those who cannot switch to Libreboot,
[https://github.com/corna/me_cleaner](https://github.com/corna/me_cleaner) may
be a solution to this issue.

------
pmoriarty
What is the management engine, and how does one access it remotely?

~~~
woodrowbarlow
it's a closed-source binary blob on intel chipsets with unfettered access to
the CPU. it is also (often) directly connected to the RJ45 port.

here's a good overview of the risk:
[http://hackaday.com/2016/11/28/neutralizing-intels-managemen...](http://hackaday.com/2016/11/28/neutralizing-intels-management-engine/)

~~~
pmoriarty
So if you don't use the RJ45 port on the motherboard but instead use an RJ45
port on an expansion card instead you're safe?

~~~
mschuster91
Partially. Expansion cards use PCI-E which has DMA capability, so a
bug/backdoor in their firmware can very well be used to attack a system.

But I believe newer systems with MMUs acting as "firewalls" for DMA are safe
from this vector.

~~~
woodrowbarlow
there's also the concern of physical attacks, via the motherboard's RJ45 or
USB.

~~~
mschuster91
At least USB doesn't have device-initiated DMA, but USB descriptor parsing
bugs have in the past led to exploits (I remember the PlayStation jailbreak).

------
drudru11
Does this affect an Apple MacBook?

~~~
muricula
Assuming that what the author says is true and there is a local exploit for
non-enterprise versions of the Intel ME, then yes.

------
pinewurst
It'll be interesting to see how Intel deals with it.

Looking at the recent Atom failures (with vendors told in no uncertain terms
to present publicly as generic "timing component" failure), will they even
admit it's an ME thing?

------
metalliqaz
The way this article is written leads me to believe that it is not entirely
accurate.

------
cryptarch
Now that this less-mainstream theory about the precarious state of our
communication systems has been confirmed to a greater degree, would anyone here
know of similar risks that few seem to be aware of right now?

I'm not sure if this would be considered OT, but considering the nature and
scope of these vulnerabilities I don't consider it reasonable to exclude the
possibility of intent and malice.

For this reason I'd like to ask: what do you consider to be "the next, most
likely to surface, conspiracy of this flavor"?

The flavor being: "the struggle for control of any and all data and
computational resources".

------
irl_
I have a Sun workstation that seems to be no longer supported by Oracle (Sun
Ultra 24 with a Q9300). I guess I'll just be vulnerable forever.

I don't really know what AMT does, but this has me thinking, if AMT is
provisioned while a machine is used inside a company and then that machine
shows up on eBay still provisioned, is it going to be phoning home and still
be remotely manageable? How many of these machines have what are essentially
persistent rootkits managed by large corporations that have had large fleets
of laptops/desktops deployed that are then sold on?

------
zyordz
I'm a total n00b to how this stuff works, but I can't seem to find any
information for this sort of stuff online. I have an Intel CPU with a Gigabyte
Motherboard and BIOS. If I'm running Linux without a GUI (headless) is this
something that I have to worry about? If so, how do I turn it off? I don't see
any options for the Intel AMT or ME in my BIOS settings.

EDIT: I have a Core i3-4130T. Looks like it doesn't have vPro so I'm hoping
I'm safe?

------
SomeStupidPoint
My ignorance is showing, but what product lines are impacted?

Obviously things like Xeons and Core iXs, but what about things like Atom
processors in tablets?

~~~
yjftsjthsd-h
The post appears to claim that literally everything is affected, albeit
probably only locally exploitable. I think that's what it means at least.

~~~
SomeStupidPoint
It claims that things with IME are (which I'm not sure if Atom has), and lists
a series of architectures of which Atom isn't part. (Its architectures have
different names.)

It's ambiguous if the Atom line (and which portions) might be impacted, and I
would prefer someone comment directly on if Atom has ME and if so, if it was
using the dangerous version (and when).

------
api
Vulnerable as in how vulnerable? Do you need to be physically connected to
local Ethernet for this? WiFi?

If it's WiFi that's damn scary.

------
j_s
_Warning: Baseless, Idle Speculation_

With the lead time on the silent patch before Shadow Brokers published all the
Microsoft exploits, I wonder if Shadow Brokers will be publishing this one
soon. No chance of an Intel ME patch going out without being noticed though!

A Shadow Brokers release would be a real mess.

------
some1else
Are remote management functions of portable consumer electronics (i.e.:
remotely wiping your iPad) also supported by similar hardware chips from other
vendors?

~~~
bradyd
There is a laptop theft recovery/tracking software called LoJack for Laptops
(AKA CompuTrace). Some laptop manufacturers have added BIOS support for this
service (Dell, HP, Lenovo, etc). According to the Wikipedia article [1] this
BIOS service copies a downloader into the System32 folder on Windows, which
then downloads the full service. It doesn't appear that the BIOS service
itself is remotely exploitable, however it can be used for persistent
root-kits [2].

[1]
[https://en.wikipedia.org/wiki/LoJack_for_Laptops](https://en.wikipedia.org/wiki/LoJack_for_Laptops)
[2]
[https://en.wikipedia.org/wiki/LoJack_for_Laptops#Vulnerabili...](https://en.wikipedia.org/wiki/LoJack_for_Laptops#Vulnerabilities)

------
elorant
I've disabled ME on my PC because at some point LMS (Local Management Service)
started consuming too much resources for no apparent reason.

~~~
the_common_man
How do you disable it? In the BIOS? Is it enabled by default?

~~~
elorant
I'm running Windows and I just disabled the service. There are a couple of
them, one is Local Management Service and the other is User Notification
Service.

~~~
hdhzy
ME is a separate chip running alongside main CPU. You can't disable it via
Windows services :)

I recommend Platform Embedded Security Technology Revealed book [0] from
designers and creators of ME for further information.

[0]:
[https://link.springer.com/book/10.1007/978-1-4302-6572-6](https://link.springer.com/book/10.1007/978-1-4302-6572-6)

~~~
elorant
I stand corrected :)

------
mattcoles
Site is throwing NET::ERR_CERT_AUTHORITY_INVALID on latest Chrome Canary, is
anyone else seeing that?

~~~
rys
StartCom is untrusted by Chrome these days.

------
lightedman
So they (SemiAccurate) knew about this for years, and STILL haven't bothered
with disclosure to force Intel's hand earlier?

Thank you, SemiAccurate, for sitting on a vulnerability for years when you
could've reported on it long ago and not had us left with this garbage of a
security hole to deal with.

------
mtgx
A back door is a back door is a back door.

Let's hope Intel and all the other chipmakers will learn this lesson (unless
it's done on purpose, in which case they won't care about any lessons learned
- they'll do it anyway).

------
shmerl
Is there an analog of this issue on AMD chips?

------
eberkund
I've always wondered why nobody seems to notice the fact that this site is
literally called "Semi Accurate". I mean sure, everyone makes mistakes and even
the most credible news sources are not entirely accurate all the time. But
what am I to think when your organization is literally named after being only
half truthful?

~~~
davidgerard
It's a semiconductor news site.

~~~
eberkund
Semiconductor Accurate? Doesn't really sound right grammatically, also the
arrows missing the target in their logo lead me to believe half accurate was
how they intended the name to be interpreted.

~~~
wmf
The name is a joke. The whole purpose of SemiAccurate is to report leaks and
rumors and one can never expect such reporting to be fully accurate.

