
How to hack a turned-off computer, or running unsigned code in Intel ME - edejong
https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668
======
sounds
In case you haven't already used the following, please note that the NSA had
an undocumented "backdoor" included which "disables" the ME. (Man, oh man, I
wish I was making this stuff up.)

[http://blog.ptsecurity.com/2017/08/disabling-intel-me.html](http://blog.ptsecurity.com/2017/08/disabling-intel-me.html)

I put quotes around "disables" because the ME is not fully disabled. The
blog's analysis does show how it is in a "safe" state, i.e. forced to ignore
the outside world very early in its code path. Also, not likely to brick your
computer, assuming unscrewing your case and using a SPI flash programmer
hasn't already bricked your computer.

Edit: "backdoor" in quotes too.

~~~
dmichulke
If there is a "safe" state, there's also an "unsafe" state and it was
obviously introduced knowing it might be unsafe, otherwise there'd be no
"safe" state.

Long story short, it's not a backdoor but a key to a backdoor which implies
there is a backdoor.

~~~
TeMPOraL
ME _is_ the backdoor - it's unsafe by default meaning it can be used to
inspect/control your machine remotely. That, AFAIK, is its primary and stated
function!

~~~
lima
False. ME by itself does not do any remote communication whatsoever. Zero
external attack surface. Different story for vPro, but you can disable it.

It's a great place, however, to gain persistence after an initial compromise
as the talk shows.

~~~
sounds
Do you have proof that the ME does not do any remote communication and has
zero attack surface? Be sure to include "internal" attack surfaces that may be
accessible from malware in ring 0.

~~~
lima
I was talking about the external attack surface, and there's absolutely no
indication that ME has any such attack surface as far as software
vulnerabilities go. They could have built a deliberate backdoor into the
network code, but that's highly unlikely.

It obviously has a lot of _internal_ attack surface, which is bad enough.

------
m1el
I would be glad if this made Intel reconsider their stance on enforcing
untrustable CPU features onto users.

CPUs aren't cheap! Just give your customers full control over the product!

~~~
FooHentai
It's almost as if there's some mysterious third factor at play, above and
beyond giving your customers what they want, and above making a profit.

What could it be? This mysterious additional factor.. What could make the US
company with the biggest CPU market share in the world possibly want to put an
omnipresent overlord control chip onboard every processor it ships? It's
almost like there's some kind of outside force at play, but that's a crazy
idea. There's No Simple Answer here, for sure.

What indeed, such a mystery! It's a mystery, I tells ya!

~~~
jwcacces
You're not Intel's customer. Dell, Lenovo, Amazon et al. are. And they want
management systems, because the large companies who buy from those guys also
want management systems. This isn't some super conspiracy, (even if it's
something the three letter organizations try to take advantage of) this is
pure business. Pwning a computer across the internet that your dumbass sales
manager left on a train is a feature.

~~~
FooHentai
In a world where the clipper chip, snowden leaks, NSAKey, room 641a, NSA/RSA
deal, and national security letters didn't exist, I'd be in the realms of
crazy conspiracy theorist and you'd sound like the rational voice of evidence-
based reason.

But that's not the world we live in. What I list above are not conspiracy
theories, they are proven, factual happenings. There is a clear evidential
basis to infer the NSA's intent and capabilities in this area.

There are obviously security/privacy snafus that companies make all the time
that have nothing to do with nation-state influence and spying. Superfish, for
example, was more-likely-than-not a really bad judgement call on the tradeoff
between analytics and customer privacy.

>this is pure business.

If that were true then the ability to disable ME, which clearly exists, would
be made available to parties other than the NSA.

~~~
eivarv
Nah, it's still conspiracy theories. At best conspiracy conjecture.

Unlike "... proven, factual happenings", your idea isn't backed by any
evidence - at least not any that appear in your post.

~~~
FooHentai
What kind of evidence would you imagine one would find, if that were
happening?

~~~
eivarv
Your point doesn't push the burden of proof onto those that disagree (see
Russell's teapot[0]), nor make it OK to skip evidence altogether.

[0]:
[https://en.wikipedia.org/wiki/Russell%27s_teapot](https://en.wikipedia.org/wiki/Russell%27s_teapot)

~~~
indrax
Things change once we've found the rest of a tea set in various orbits. There
may not be strong direct evidence but it's no longer a silly conjecture, it's
the kind of thing that we find.

So those other examples mean you do have the burden of justifying your
'conspiracy' label.

~~~
eivarv
Not really; it isn't actually proven until you have proof.

As FooHentai originally said, "There is a clear evidential basis to infer the
NSA's intent and capabilities in this area" - but it tells us nothing about
this particular case, which remains speculation. One could say the odds have
changed, but we still don't know anything about the real state of things.

The "'conspiracy'-label" is applicable regardless, whether we're talking about
fact or fiction.

~~~
yellowapple
If you find that someone broke into your house and stole your Xbox, and
there's a guy down the street who you already know has a long criminal record
of home burglaries, is it unreasonable to suspect that guy to be a likely
culprit?

Likewise, if there's a backdoor in every new PC's CPU, and there's a three-
letter agency presiding over that CPU vendor's jurisdiction that has a long
track record of backdooring things, is it unreasonable to suspect that maybe -
just maybe - that TLA is responsible?

Now of course the ex-con or the TLA can be totally innocent here, but if I
were a detective, they'd be the first ones from whom I'd be asking for alibis.

~~~
eivarv
I don't think your analogy holds up;

The hypotheticals aren't comparable, nor is the prior available information -
and even though the Intel AMT/ME situation is egregious, explaining it simply
as "a backdoor" is an oversimplification.

I'd agree that probabilities with regard to what is reasonable to _assume_
(the operative word here) shift as a consequence of circumstantial
information, but you can't really draw any conclusions based on that - hence
the burden of proof, i.e. the presumption of innocence in your analogy.

------
onikolas
Let me dial the paranoia up a little by calling your attention to this
historic text:

[http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomps...](http://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf)

A quote from the conclusions:

"In demonstrating the possibility of this kind of attack, I picked on the C
compiler. I could have picked on any program-handling program such as an
assembler, a loader, or even hardware microcode. As the level of program gets
lower, these bugs will be harder and harder to detect. A well-installed
microcode bug will be almost impossible to detect."

~~~
theWatcher37
Once we get to the point where machine learning can develop and deploy
exploits/low-level bugs like these will become very interesting, and likely
weapons of nation states.

~~~
Relys
I'm pretty sure that was the entire point of the DARPA Cyber Grand Challenge.
XD

~~~
brian_herman
[http://archive.darpa.mil/cybergrandchallenge/](http://archive.darpa.mil/cybergrandchallenge/)

------
Keyframe
I hate to be a Debbie Downer / conspiracy borderline, but nothing will change
if all of this is true. Some apologies, "it's an oversight, we'll do better",
"we take security seriously"... and nada. Maybe some provisional solutions
which seem good, but in the back - things will remain status quo.

~~~
KGIII
For a very brief moment in time, there was some hope that AMD would release
their equivalent as open source. That hope was dashed and they will be doing
no such thing.

For the time being, ARM is making headway in creating usable chips for more
serious computing. Well, I guess I should say designing, as opposed to making.

I do have current gen hardware and some older hardware, should it reach the
point where I need to be concerned. Though, at least theoretically, a good
hardware firewall should prevent this from being exploited but most consumers
aren't going to invest the effort and money to do so.

I'm not really sure what this means for the future of personal computing. Like
you say, nothing is going to change. They will continue to roll things like
this out onto unexpecting users.

I don't have a problem with this being included, but I do have a problem with
it not being something you can disable. In fact, I'd prefer it to be off by
default. I suppose it'd be okay to have it configured by the OEM, as some
large orders may wish it in by default.

Either way, it is insecure by design and they show no signs of changing that.
It's rather disappointing. I have read, but not yet verified, that AMD's
version can be turned off in the BIOS. That also assumes that off means
actually off.

~~~
ece
It seems like SVM turns on and off with the extensions KVM (AMD-V) uses in my
gigabyte motherboard for a Ryzen 7. All the TPM related functions (including
PSP/AMD SP) are another separate option called "AMD CPU fTPM", and are
disabled by default.

Business models based around certain kinds of binning (security instructions
that are openly documented) and tying functions together (in case of a 3rd
party chipset ever using the same chip) need to stop. 3rd party chipsets or
desktop class arm/risc-v to break the x86 oligopoly at this point around
security need to be developed.

------
bluesroo
Wow this sounds huge. I remember people speculating about this since it came
to light... But people always talked about it like it was a vague hypothetical
that only scary 3-letter agencies would figure out. I'm curious to see what
kind of access they need in order to actually make use of this. If they
somehow don't need physical access this is going to be nuts.

~~~
EasyAI
Yeah I’m really curious about that too, and I wish the guys would at least
give that much detail but I guess they’d prefer to hype up the reveal at their
event instead. I want to believe it requires physical access... For now I find
comfort only in knowing that it’s a skylake+ vulnerability, and just continue
to hope it doesn’t work down to other models as they learn more about the
internal workings of the ME.

------
breatheoften
This is the kind of thing that will cause Apple to switch to internally
designed arm chips for their Mac line with great alacrity.

One could argue that it’s surprising they haven’t already.

~~~
oroup
Give me a break. The same three letter agency that convinced Intel to do this
will convince Apple to do the same. I'm guessing you're basing your faith in
Apple based on their refusal to cooperate in the San Bernardino case[1] and the
so-called "cop button" in iOS 11[2]. (And some generic "we value privacy"
rhetoric that I won't bother linking.)

That stuff is great but doesn't mean much. Just because they're blocking
border agents from trivially imaging phones at the border doesn't mean that
they won't cooperate at a higher level with some undocumented baseband
features.

Just as Defense in Depth is a concept in security, we've already seen a
corollary "Offense in Depth" from the intelligence community. Is the best
attack in the random number generator[3] or undocumented silicon[4] or
intercepting your boxes on the way to your data center[5] or tapping your
fiber[6] or stealing your certs[7] or paying your employees to go rogue[8]?
Why choose when you can just do them all.

Apple hardware is vertically integrated and utterly undocumented. The AMT chip
has been present on motherboards since 2006[9]. The Snowden Introspection
Engine found that the Wifi Chipset remains powered up even when Wifi is turned
off.[10] I find it hard to believe that the same government who went to all
these lengths to compromise our infrastructure would really let Apple get away
with refusing. How did that turn out for Joseph Nacchio?[11]

[1] [https://www.washingtonpost.com/world/national-security/us-wa...](https://www.washingtonpost.com/world/national-security/us-wants-apple-to-help-unlock-iphone-used-by-san-bernardino-shooter/2016/02/16/69b903ee-d4d9-11e5-9823-02b905009f99_story.html?utm_term=.28bb85453e0a)

[2] [https://www.cultofmac.com/498052/ios-11-lets-quickly-disable...](https://www.cultofmac.com/498052/ios-11-lets-quickly-disable-touch-id-prevent-forced-unlocks/)

[3]
[https://en.wikipedia.org/wiki/Random_number_generator_attack...](https://en.wikipedia.org/wiki/Random_number_generator_attack#Possible_Backdoor_in_Elliptical_Curve_DRBG)

[4]
[https://en.wikipedia.org/wiki/Hardware_backdoor#Examples](https://en.wikipedia.org/wiki/Hardware_backdoor#Examples)

[5] [https://www.extremetech.com/computing/173721-the-nsa-regular...](https://www.extremetech.com/computing/173721-the-nsa-regularly-intercepts-laptop-shipments-to-implant-malware-report-says)

[6] [https://arstechnica.com/tech-policy/2013/10/new-docs-show-ns...](https://arstechnica.com/tech-policy/2013/10/new-docs-show-nsa-taps-google-yahoo-data-center-links/)

[7] [https://nakedsecurity.sophos.com/2013/12/09/serious-security...](https://nakedsecurity.sophos.com/2013/12/09/serious-security-google-finds-fake-but-trusted-ssl-certificates-for-its-domains-made-in-france/)

[8] [http://www.ocweekly.com/news/fbi-used-best-buys-geek-squad-t...](http://www.ocweekly.com/news/fbi-used-best-buys-geek-squad-to-increase-secret-public-surveillance-7950030)

[9]
[https://libreboot.org/faq.html#intel](https://libreboot.org/faq.html#intel)

[10]
[https://www.documentcloud.org/documents/2996800-AgainstTheLa...](https://www.documentcloud.org/documents/2996800-AgainstTheLaw.html#document/p2)

[11]
[https://en.wikipedia.org/wiki/Joseph_Nacchio](https://en.wikipedia.org/wiki/Joseph_Nacchio)

~~~
KGIII
You're asserting that a 'three letter agency' convinced Intel to do this, and
asserting it as factual. I'm not convinced that it is, and think market focus
is more probable than nefarious agencies. Though, to be sure, those types of
agencies would probably be willing to take advantage of this.

No, it seems more probable that they did this because their largest customers
want centralized management at a low level. They want to be able to track and
control assets, and to prevent asset loss. They, being the largest customers,
control the features that Intel offers. It then makes no sense, financially,
to make two versions of the CPU.

Unfortunately, the market for people who care is vanishingly small. Most
people don't much care about privacy or security, other than to pay it lip
service - if even that much. Prevalent is the idea that they've nothing to
hide and, thus, nothing to fear.

So, without evidence that this was inspired by a three letter agency, I'm
going to assume it is a financial decision. That seems much more reasonable
and probable.

Do you have any evidence to prove three letter agency coercion? I'd expect it
to be quite the news event, if you did.

~~~
amigoingtodie
If what you say is true, why has vPro not seen wider adoption?

It has been around long enough.

Anybody work for an MSP or enterprise that actually uses this in the field?

~~~
KGIII
I can't say, really. My contention was largely around the idea that it was
asserted as fact that it was at the behest of a three letter agency and the
remainder of the comment presented based on that. It has not been established
that it was at the behest of a three letter agency and presenting arguments
based on that is like building a house on the sand.

It hasn't anything to do with quality specifics, nor of alternatives. Without
factual evidence to support the three letter agency theory, the rest of the
argument is invalid.

Don't get me wrong, I think it's a horrible idea. I've just seen no reasons to
assert that it was done because of a three letter agency being the directors.
As near as I can tell, and I've followed this fairly closely, no such evidence
exists. At best, it's speculation. At worst, it's conspiracy theory. Either
way, presenting it as fact and then basing an argument on that is illogical.

We can do better than that. There are lots of valid complaints that don't need
speculation, disinformation, or hyperbole. IME is a horrible idea, at least it
is so long as you can't disable it as the end user. This very thread is a fine
example of one of the reasons that it is horrible. It's a security nightmare
and should be user controlled.

No three letter agency needed to point this out. Wild, unsubstantiated,
accusations may make people take the complaints less seriously. That seems
less than helpful.

~~~
gras
Do you then have substantive evidence that market forces/centralized
management caused this?

~~~
EasyAI
Occam’s razor. I’m a very conspiratorial person and I’ve seen nothing to
suggest any nefarious activity or collusion so I’m not getting carried away on
this.

[https://securingtomorrow.mcafee.com/executive-perspectives/a...](https://securingtomorrow.mcafee.com/executive-perspectives/agile-secure-intels-approach-designing-world-class-security/)

This is a statement by the Intel CTO from 2016 on the ME discussions, and
briefly reassured us that Intel is conscious of the security of the ME, and
that they have teams dedicated to it and can push firmware updates out to
cover vulnerabilities.

[https://www.intel.com/content/www/us/en/architecture-and-tec...](https://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html)

Intel made an official announcement in May that they have discovered an
escalation of privilege vulnerability and are addressing it accordingly as you
would expect. It also notes that consumer hardware and firmware is not
affected by the vulnerability, demonstrating that Intel actually does release
two different chips, and prioritizes privacy and security more over features
on the consumer models.

[https://newsroom.intel.com/news/important-security-informati...](https://newsroom.intel.com/news/important-security-information-intel-manageability-firmware/)

Intel releases a software tool for checking if your system is one of the
vulnerable units or not, they have a fix already for the firmware and confirm
it is not due to physical design flaws, and are working with manufacturers to
push the updates ASAP.

Overall, I don’t feel like Intel is at all intentionally sabotaging its
customers, and genuinely considers the ME a valued feature by consumers, even
though it bothers me that one is included on every product, they do differ and
consumer models have fewer privileges than business models, which seems to be
more of a firmware design than a hardware design, so I tend to believe that
they simply don’t design extra chips without the ME and instead lock it down
more on a software level. Vulnerabilities also appear to be firmware based,
and the extremely vague announcement by black hat doesn’t suggest otherwise
either. Intel very obviously takes the security of their devices very
seriously and makes themselves available to users who need help identifying
whether or not they’re vulnerable and what to do about it.

~~~
int_19h
In post-Snowden era, I'm not sure that Occam's razor applies that way anymore.

------
jorvi
What I don't understand is why AMD doesn't jump into this niche market: just
include a switch on their version of the ME (forgot name) that turns it off.
Corporate clients still get their ME if they need it and AMD catches the
security-focussed market. This would also mean lucrative orders from non-US
governments.

~~~
zanny
Because a lot of three letter agencies demand these hardware backdoors exist,
and AMD has no will to fight them on it.

They announced intent when they released Ryzen to "look into" disabling their
ME (they call it the PSP), and then six months later made a backroom comment
that it is never going to happen.

------
CookieMon
Joke's on them, my computer's never turned-off.

But seriously, I take it we won't know the attack vector until December,
however if remotely exploitable they would surely have used the word "remote"?
Is any mundane malware with admin rights able to update Intel ME?

~~~
1001101
If it is remote, I have a feeling we won't be seeing the presentation.

------
ysleepy
"Wouldn't it be kind of great if millions of people were secretly running
minix, it would finally go mainstream!"

The engineers probably thought something like this when deciding to use minix.

Now it might achieve the opposite result by associating it with a worst-case
scenario of computing freedom and security.

------
yellowapple
"One of the reasons is the transition of this subsystem to a new hardware
(x86) and software (modified MINIX as an operating system)"

Whoa! So wait, every recent desktop and laptop is actually running a tiny
MINIX in it? Or am I reading that wrong?

If I'm reading it right, then it means that we've totally leapfrogged Linux to
usher in the Year of the MINIX Desktop™.

~~~
avodonosov
It would be interesting to log in to that minix.

------
na85
I actually really hope that this is exploitable remotely and causes a massive
global problem.

Maybe then we'll see companies that take security seriously, thinking twice
before they include things like ME in their products.

~~~
k_sze
I'm afraid this won't be enough.

If it doesn't hurt the shareholders' and creditors' bottom line, corporate
behavior is unlikely to change.

You need an event like the government banning Intel ME from their agencies, or
the shareholders' bank accounts getting hacked due to this bug. I'm not
suggesting that anybody do that - that's illegal - I'm just cynical about
wealthy people in those positions.

~~~
Terr_
Right -- there are so many problems which boil down to a broken chain of
liability.

I mean, just look at the Equifax blow-up, and how companies have rebranded
"someone stole from us because of our shitty authentication" into "someone
stole your identity, good luck with that."

------
zzzcpan
Can someone repost the content into a comment? I cannot solve cloudflare's
captcha.

~~~
JohnicBoom
Here you go:

Intel Management Engine is a proprietary technology that consists of a
microcontroller integrated into the Platform Controller Hub (PCH) microchip
with a set of built-in peripherals. The PCH carries almost all communication
between the processor and external devices; therefore Intel ME has access to
almost all data on the computer, and the ability to execute third-party code
allows compromising the platform completely. Researchers have been long
interested in such "God mode" capabilities, but recently we have seen a surge
of interest in Intel ME. One of the reasons is the transition of this
subsystem to a new hardware (x86) and software (modified MINIX as an operating
system) architecture. The x86 platform allows researchers to bring to bear all
the power of binary code analysis tools.

Unfortunately, this changing did not go without errors. In a subsystem change
that will be detailed in the talk of Intel ME version 11+, a vulnerability was
found. It allows an attacker of the machine to run unsigned code in PCH on any
motherboard via Skylake+. The main system can remain functional, so the user
may not even suspect that his or her computer now has malware resistant to
reinstalling of the OS and updating BIOS. Running your own code on ME gives
unlimited possibilities for researchers, because it allows exploring the
system in dynamics.

In our presentation, we will tell how we detected and exploited the
vulnerability, and bypassed built-in protection mechanisms.

~~~
komali2
This is how the robots win, by social engineering ;P

~~~
JohnicBoom
I use a VPN whenever I'm not at work, so I know how frustrating it is to be
told I didn't pick all the images with a street sign or whatever ridiculous
hoop I have to jump through. Especially when I'm only casually interested in
the article.

Plus, I'm totally fine to help robots out. If they can convincingly post
online comments or converse with me, who am I to discriminate?

~~~
danjoc
I really like the captchas. I regularly answer them incorrectly but
"correctly" to F up Google's training. Just doing my small part really.

~~~
dsfyu404ed
If enough people don't flag low speed limit signs as signs we'll have faster
self driving cars

~~~
nasredin
If enough people don't flag large bodies of water... we will have a lot less
cars!

It really is an environmental thing to do!

------
EdSharkey
Well, it finally happened. This is potentially the ultimate hack. I can see it
now: billion dollar class action lawsuits. Intel, you were too cocky, and now
you're gonna eat humble pie.

You'd best offer us the firmware to completely and finally _eliminate_ this
giant, ossified, ticking timebomb software stack you've dumped into the
world's computers. And I want it ALL out, even the trusted path garbage!

As if you don't have enough troubles already, Intel. Let's take this one off
your plate. How's about doing the right thing and earn back a little respect
from the consumers.

~~~
aargh_aargh
Shaming Intel? I'm sure they'll be laughing all the way to the bank.

~~~
EdSharkey
aargh_aargh! You're right, of course.

There's bound to be tons more rot elsewhere, though. And, if they don't eat
humble pie now, perhaps they will next time when the exploit can't be
mitigated in firmware or via microcode updates. Then lawsuits are filed and
consumer protection laws get passed and we see some actual positive change.

------
davidw
> modified MINIX as an operating system

Say what?! Anyone know more about this? MINIX is neat in some ways, but I
never thought of it as a production ready OS.

~~~
edaemon
Intel ME has the MINIX license copyright message in it:
[https://twitter.com/qrs/status/857342798420422657](https://twitter.com/qrs/status/857342798420422657)

Positive Technologies, the people doing the presentation in the OP, have this
blog entry about earlier findings surrounding Intel ME (some of the language
from this entry is used in OP):
[http://blog.ptsecurity.com/2017/08/disabling-intel-me.html](http://blog.ptsecurity.com/2017/08/disabling-intel-me.html)

~~~
otakucode
I know I watched a presentation on YouTube from a hacking convention from the
same folks who figured out how to disable the IME, but after 15 minutes of
searching YouTube I can not find it at all. If you come across it, it's a good
watch.

------
sillysaurus3
Finally, some hard evidence that BadBIOS was possible.

(BadBIOS was lax on details, but people were remarkably resistant to the idea
that it was even possible in theory.)

~~~
lawnchair_larry
Nobody was resistant to the idea of it being possible, they were resistant to
the actual claim being made, which was based on the reasons that the victim
cited for believing that they were infected. This lends no further credibility
to that claim.

------
trizic
Maybe this could be used to disable Intel ME when other methods do not work?

------
e12e
OT: Sweet Jesus! 1 319 gbp for early registration? It's not exactly accessible
to students and amateur Hackers, is it? :-(

~~~
driverdan
Nope. Blackhat is for corporate lackeys attending on the company dime. It's
disappointing how many major exploits get announced there rather than more
traditional hacker confs.

------
et-al
Are the specifics of this published anywhere else, or does the public have to
wait until Dec 4, 2017?

------
jwilk
Archived copy, which can be read without JS enabled:

[https://archive.is/DFvwm](https://archive.is/DFvwm)

------
0x0
Everything is terrible and everything is going to crash and burn. :-/

~~~
Varcht
No argument here

------
Fej
They don't mention how easy or difficult this exploit is to carry out... so
I'm betting that it's extremely difficult and will affect practically no one.

That's not to say that Intel ME isn't an awful idea, just that we shouldn't
necessarily panic yet.

~~~
yeahsure
I would rather it be easily exploitable so people realize how bad this is. The
alternative is only governments/powerful corporations exploiting it forever
without repercussions.

------
bri3d
Finally. Everyone knew it was just a matter of time - now hopefully we can see
some change.

------
Animats
This is very bad. A strong attack based on this could run through entire data
centers.

------
LeoPanthera
Is Intel ME functional on Macs?

~~~
deathanatos
It is functional regardless of OS.

> _Intel AMT uses a hardware-based out-of-band (OOB) communication channel[1]
> that operates regardless of the presence of a working operating system. The
> communication channel is independent of the PC's power state, the presence
> of a management agent, and the state of many hardware components such as
> hard disk drives and memory._

> _Almost all AMT features are available even if the PC is in a powered-off
> state but with its power cord attached, if the operating system has crashed,
> if the software agent is missing, or if hardware (such as a hard drive or
> memory) has failed._

—
[https://en.wikipedia.org/wiki/Intel_Active_Management_Techno...](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology)

~~~
LeoPanthera
OK, but we know Macs don't have AMT, so... ME doesn't apply to Macs?

~~~
language
It applies to Macs. I think AMT is just one particular application/feature of
ME. ME is a piece of hardware on Intel chipsets.

------
rubin55
Really time to take a look at Talos II
([https://www.raptorcs.com/TALOSII/](https://www.raptorcs.com/TALOSII/))

------
iam-TJ
It's been getting under my skin how many of these kind of articles repeat the
inaccurate (lie)

"Hack a turned-off computer" theme

For the sake of accuracy stop persisting this myth.

Take away the wall power/remove the battery and the thing is dead, nothing is
active (obviously doesn't apply to systems with internal battery if they're
holding charge).

What these articles actually mean is, if the system has power but is in the
'Standby' state (+5V standby), the Intel PCH/ME is active.

------
MichaelMoser123
What is the severity of this? Can the ME be patched or will we see half of all
current computers owned by a botnet? (or mining ether) Can the ME bypass a
firewall by interfacing directly with the NIC?

~~~
MichaelMoser123
I guess home users who are not behind a restricted firewall are most likely to
be vulnerable to this attack vector.

------
Szpadel
Here is a nice presentation about hacking Intel ME in older processors

[https://www.youtube.com/watch?v=lR0nh-TdpVg](https://www.youtube.com/watch?v=lR0nh-TdpVg)

------
exikyut
> _In a subsystem change that will be detailed in the talk of Intel ME version
> 11+, a vulnerability was found._

Okay, so this affects 11.x, but I wanted to clarify that there seem to always
have been circumventions floating around out there.

I stumbled on
[https://www.reddit.com/r/onions/comments/5i6qa3/can_the_nsaf...](https://www.reddit.com/r/onions/comments/5i6qa3/can_the_nsafbi_use_intel_me_to_defeat_tor_on_95/dbkxlw2/?context=10000)
(mirror: [http://archive.is/T8yVz](http://archive.is/T8yVz)) some months ago.
It reads a little like a skiddie (a well-connected one) strutting a bit, and I
think some of this person's views on ME as a viable attack vector are slightly
careless and un-thought-through, but whoever this person is, they seem to be
very confident about some of the things they said, particularly the following
quotes (to be completely clear, I've removed first-person references):

> _[This person] know[s] that at least up to firmware version 8 is traded
> underground, and version 11 (the latest) is available without difficulty to
> people who know how to find it. [This person has] access to version 8's
> signing keys [themselves] ..._

> _It's certainly not common but it is absolutely something that FVEY and
> related contractors (Raytheon, Leidos, half the people you'll see at ISS,
> etc) will be able to get their hands on, if they haven't already._

> _[This person has] an enterprise ThinkPad that proudly boasts having WiMax
> support, requiring extensive configuration. It was expensive. If you don't
> have a BMC card (and you do not), then it is not possible to remotely
> control your system. Even if you did have a BMC, simply having the signing
> keys and toolchain for the ME would not be sufficient to get in. An attacker
> would need either a 0day, or your credentials._

..... _Well_ then. Oops.

> _Having the signing key allows nothing more than writing malicious firmware
> over SPI and allowing it to persist. It's just a little more powerful than
> the UEFI kits cr4sh can write, and just as easily detectable by reading your
> flash chip._

That's still bad! (And I have no idea who cr4sh is.)

> _But it's not like you're analyzing your microcode (of which there are
> likely signing keys being traded as well), which can also be installed on a
> large number of systems, considering the BIOS functions to load the latest
> microcode it has into the CPU._

The above bit is unrelated, but I couldn't leave it out, because that's worth
filing away too (...ouch).

\--

Sources/past comments:
[https://news.ycombinator.com/item?id=15187540](https://news.ycombinator.com/item?id=15187540)

~~~
snakeanus
Please use archive.org instead of archive.is as a mirror next time. Archive.is
blocks VPNs and Tor while making it impossible to see the target URL and use
it directly or via another archive. Moreover, since it uses Cloudflare, every
connection to it is being MITMed by them.

~~~
jgrahamc
I just visited archive.is with the Tor Browser Bundle and had no problem
accessing it.

~~~
snakeanus
With JS disabled as well?

This is quite weird, I was never able to access it with TBB nor with any proxy
without the cloudflare captcha page popping in.

~~~
jgrahamc
Just restarted TBB and turned off JavaScript (High Security) and went there:
[https://imgur.com/a/CXCw4](https://imgur.com/a/CXCw4)

~~~
exikyut
I'm curious - does archive.is flag the WAF more than the average (if there is
such a thing as an "average" for a planet-wide WAF, heh)?

(Also - if I can ask/clarify a couple things I've been curious about for a
while: based on released info, I get the idea that the Lua part of the WAF is
mostly regexes and "precompiled"/predetermined-ahead-of-time-based-on-past-
incidents "possible issue" flagging, and a bunch of Go code (which I theorize
runs slightly behind realtime, but not too far) follows up on those flags and
makes the actual executive decisions about blocking/tracking/dropping/etc the
Lua-generated event. I've also learned (from solving an ISP glitch with the
guy who coincidentally manages the WAF!) that your copy of Lua is a bit
special (although I don't know specifically how). I just wanted to let you
know that there are people out there very interested to learn more about the
"boring" (non-proprietary) parts of the CF stack. "Go/no-go within 999
nanoseconds" is amazing, I'd love to learn more about it. It's a cool
platform.)

~~~
exikyut
Experimentally mentioning the word cloudflare just in case my previous message
(the comment this comment is a reply to) simply wasn't noticed. Now I can have
high confidence the comment above this one was at least seen, even if a reply
can't work (which is fine).

~~~
jgrahamc
Yes, if you mention Cloudflare in a comment on Hacker News I see it very
quickly:
[https://github.com/jgrahamc/hncomments](https://github.com/jgrahamc/hncomments)

------
gaia
someone pls tell me that this vulnerability at least requires the computer to
be physically attached to a network.

------
nol13
uh oh

------
snakeanus
I wish that they would just publish that "hack" into the public, that way
people would hopefully understand the dangers of "black boxes" and maybe even
push intel and AMD to remove ME and PSP from their products.

I wish that open hardware (CPUs specifically) were more popular and closer to
the market. RISC-V is still quite a long way off for everyday use (though I
did see a risc-v based arduino thing, which is nice)

~~~
tomxor
I think if the hack were published we can expect some things from Intel with
a reasonable degree of certainty:

1\. They would have to respond publicly (to the general public not just dev
community).

2\. Somewhat less satisfyingly, I expect their first action won't be to issue
some kind of widespread automatic disarm of ME, but instead just patch it.

They are unlikely to receive the message as "this is insecure by design" and
more likely to interpret it as "there was a small bug in our very marketable
management engine, we will patch it and all will be fine in the world".
Unfortunately the general public won't appreciate the difference and perceive
Intel to have had a "hiccup" which is exactly what Intel would want of course,
because it's the same general public which make the biggest dent in buying up
all those intel-inside stickers.

------
snakeanus
Considering this, remember to push AMD to allow disabling the PSP (their
version of ME) or share the source of it. Recently they said that they won't
do it
[https://news.ycombinator.com/item?id=14803373](https://news.ycombinator.com/item?id=14803373).

------
SomeStupidPoint
This sounds like an announcement of an announcement, which generally is
frowned upon on HN -- though this might merit alerting people.

~~~
insulanus
Don't care. This is so big, I'm happy to be alerted a little early.

------
JBReefer
Holy shit

