
The Intel ME subsystem can take over your machine, can't be audited - cylo
http://boingboing.net/2016/06/15/intel-x86-processors-ship-with.html
======
nneonneo
Igor Skochinsky (of IDA Hex-Rays fame, among others) has been studying Intel
ME for quite some time. He gave a nice talk at Breakpoint summarizing what
he'd discovered (slides here [pdf]:
[https://github.com/skochinsky/papers/blob/master/2014-10%20%...](https://github.com/skochinsky/papers/blob/master/2014-10%20%5BBreakpoint%5D%20Intel%20ME%20-%20Two%20Years%20Later.pdf)).

Among other things, he finds that ME is capable of running signed Java code
which is pushed to the device. Due to the complexity and size of the Java
code, it's quite likely to have bugs.

ME is a bit scary partly because it's a totally closed-source and proprietary
component of your computer with full and essentially unfettered access to
everything - RAM, peripherals, and network I/O. Any bug in a publicly-
accessible component would have the potential to do serious damage. For
example, a bug in the network stack might make it possible for attackers to
remotely own your box.

~~~
Animats
_ME is capable of running signed Java code_

How much firmware is in the thing? Is there a whole JVM in there? An OS?
That's a lot of attack surface.

~~~
PeCaN
There is an embedded RTOS (ThreadX) and an embedded JVM. Curiously the
embedded JVM uses JEFF bytecode, a somewhat obscure bytecode format for
embedded JVMs. Java Card does _not_ use JEFF¹, meaning it's either an Intel-
proprietary JVM or, more likely, they licensed it from an unknown party.

And yes, there's a hell of a lot of attack surface. Someone's gonna hack ME
one day and have access to an awful lot of computers.

¹ I think. I'm far from an embedded Java expert, but from what I can tell Java
Card uses a reduced form of regular Java bytecode and not a totally different
format like JEFF. Please correct me if I'm wrong.

------
throw2016
This adds a whole new dimension to 'Intel Inside'. It says exactly what anyone
needs to know.

If it's for enterprise features as 'innocently' suggested, then those who do
not need or want this feature should be able to put it off simply without
drama, debate or discussion.

It's not surprising that both AMD and ARM have it. This is an orchestrated
effort signifying the win of paranoia and security over privacy in the western
world.

This war is being fought on too many fronts by well resourced and paranoid
security agencies with all the tools to influence and the only defense would
be individuals and our sense of right and wrong. But it seems individuals have
been completely disempowered and reduced to survival mode and are not in a
position to stand up for the right thing or even talk about it.

If 'moral' individuals can so easily be quietened in well off economies then
one wonders what happens in other economies where basic survival is a day to
day fight. Who will fight the privacy war? The silence is deafening. It seems
all the activism and racket from media, academics, NGOs and human rights
organizations only come into play when a western political or strategic
objective needs to be met.

There are many who believe that by working with and supporting security
agencies they are somehow in the forefront of a nebulous fight of survival and
freedom in a dark world. This 'dark world' is a self created and self serving
fantasy and comedy for grown, well adjusted and well read individuals to fall
for that push humanity into a negative space.

It can be taken for granted unless conclusively proved otherwise with the
burden of evidence swaying the other way that any technology coming out of the
USA and Europe is compromised completely and the fight for privacy here has
been lost.

~~~
Santosh83
This is simply a barrier of resources and technology. Let's consider how
software became "free". An idealist, a university and a motivated Finnish
student, among many others, were able to create two complete, free operating
systems and toolchains, on top of which anybody and everybody in the world
could build. Now free software is a resounding reality and even increasingly
adopted by large corps who were 100% closed in the past.

The germane question is, can a similar revolution happen for hardware? Can
motivated individuals, or small groups of people, reasonably hope to design
AND manufacture ALL the hardware for a modern computer? The answer is it's
quite beyond the bounds of possibility. The tech is too complex, too closely
guarded and manufacturing has HUGE upfront costs.

THAT is why hardware is currently completely dominated by a few big players,
which allows them (and any other "agencies") complete control to essentially
do as they wish.

We were able to make software creation egalitarian. Unless we can do the same
for hardware (from ground-up), we will be ultimately controlled and never be
in full control.

~~~
SkyMarshal
You're right that the barrier to open hardware is very high, but I hope that
open firmware may at least help mitigate, if not solve, this problem. Buy a
machine with ME-like hardware, flash the firmware with something open source
and trusted and which disables ME, or returns control to the system owner.

~~~
lordcorusa
ME operates above typical UEFI firmware. ME updates must be signed by Intel
and Intel alone.

------
kriro
Joanna Rutkowska has written a nice paper on the topic, highly recommended:
[http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf](http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf)

Edit: There's also a talk from 32c3 for those more inclined to watch a video.
I am pretty worried ever since I watched that:
[https://www.youtube.com/watch?v=rcwngbUrZNg](https://www.youtube.com/watch?v=rcwngbUrZNg)

(which is why I have researched non-Intel laptop alternatives..cliffnotes:
GPUs without BLOBs are hard to find and there will be some severe tradeoffs
which is expected)

~~~
SXX

> GPUs without BLOBs are hard to find

Any devices without firmware are hard to find. Even if only some have the
option to upload firmware, almost every device on the market has closed-source
firmware inside it: NICs, USB controllers, hard drives and especially modern
SSDs, sound cards, etc.

~~~
creshal
NICs exist, occasionally: Atheros Wifi chips work with open-source firmwares.
And it shouldn't be too hard to find a GBit ethernet NIC without.

Everything else is a lost cause right now. Keyboards, mice, displays, …
Everything is running proprietary firmware blobs.

~~~
qb45
> Atheros Wifi chips work with open-source firmwares.

Interesting. Isn't such firmware able to initiate unlawful transmissions? How
are they going to deal with this new FCC goodness?

~~~
kuschku
Funnily, the FCC requirement is incompatible with the EU laws.

The EU laws say that while a normal user shouldn’t be able to make unlawful
transmissions, the manufacturer may NOT prevent the customer from installing
alternative software (like openwrt) just to fulfil the first requirement.

Basically, to conform with EU law, you have to violate US law, and the other
way round.

~~~
qb45
Any sources?

And no, it's not mutually exclusive. In principle, it should be possible to
enforce regulatory constraints in hardware. But then I guess you can forget
about taking this hardware to another country, unless they make this hardware
as smart (read: complex) as drivers currently are.

------
Philipp__
And this is why monopoly of one giant monolith is bad, in any area or case!
They get to do whatever the f they want! It's not like everything is made
today to track, and give access to "authorities" when they want it. But what
really drives me mad is that I feel tricked! You put trust into someone and
its work, and give them money for that, but they do this, without you even
knowing.

I was always making fun of sworn GNU guys, always thought they were
overblowing things out of the context. But maybe they were on the track!
Anyhow, I want more competitive CPU space, we need AMD to get back into game,
IBM's Power9, ARM, anything. But as things are standing right now, we won't see
that anytime soon.

~~~
jug
I think AMD and ARM have similar features though. ARM with TrustZone for
example, hiding the "secure world" from knowledge by the "normal world".

~~~
tremon
TrustZone in itself is not closed though, and AFAIK is not a separate engine.
TrustZone is more like IOMMU on steroids, and runs on the main processor (it
relies on hardware support to fence off system resources).

~~~
digi_owl
And I think the variant found on Qualcomm SOCs was recently cracked open.

~~~
qb45
If you mean CVE-2015-6639

 _The Widevine QSEE TrustZone application in Android 5.x before 5.1.1 LMY49F
and 6.0 before 2016-01-01 allows attackers to gain privileges via a crafted
application that leverages QSEECOM access, aka internal bug 24446875._

then it's not strictly TrustZone that has been cracked, but some software
running within, already patched. TrustZone itself is a hardware mechanism,
basically a new level above the usual user/kernel modes.

But sure, this hack reportedly gave possibility to run arbitrary code as
"trusted" and mess up any other software running on the CPU, trusted or not.

~~~
digi_owl
I may have gotten it confused with something else. I think it said something
about Qualcomm private keys having been extracted.

~~~
qb45
Seems to be the same event.

[http://www.slashgear.com/android-soc-security-keys-extracted...](http://www.slashgear.com/android-soc-security-keys-extracted-qualcomm-trustzone-in-question-31442245/)

I don't know what those keys were and whether they were indeed "Qualcomm
private" or per-device or something else. Google quite uselessly returns only
news about this hack.

------
markokrajnc
It may be, that Intel didn't plan this as an NSA/XYZ back door - but it
doesn't actually matter. What matters is that we know 1) Intel has such
technology implemented in almost all desktops/servers currently running 2)
you can access those machines remotely (even over GSM) and perform
reads/writes.

Example misuse: somebody can put illegal stuff on your machine and then sue
you...

(Intel has marketed this feature for big companies so they can format the HDD
remotely over GSM in case laptop was stolen.)

~~~
akerro
> 1) Intel has such technology implemented in almost all desktops/servers
> currently running

Ever wondered why Google is working on their own CPU?

~~~
macns
Wondering - when that happens - if their firmware is open source but monitored
for ad targeting should we be OK with it?

~~~
wolfgke
Freedom 1 of the FSF is ([https://www.gnu.org/philosophy/free-sw.html](https://www.gnu.org/philosophy/free-sw.html)):

"The freedom to study how the program works, and change it so it does your
computing as you wish"

In this sense you should be able to change the firmware (since it is open
source in the sense of the OSI definition) and remove the monitoring for ad
targeting. If this is not possible, Google's firmware is not open source (see
[https://opensource.org/osd](https://opensource.org/osd)).

~~~
akerro
opensource != free software

------
captainmuon
Very naively, I wonder what happens if you just call Intel and complain about
this. Say you want a way to remove the ME completely. They won't help you, but
I wonder how they will justify making it compulsory if pressed.

Now if I call them, I wouldn't reach anybody important. But surely there are a
couple of people on HN who are lawyers, CEOs, with the government etc.? If you
have an imposing job and a few minutes to spare, I'd like to see what Intel
has to say about this.

~~~
confounded
[https://puri.sm/posts/petition-for-intel-to-release-an-me-le...](https://puri.sm/posts/petition-for-intel-to-release-an-me-less-cpu-design/)

~~~
techdragon
Another lame petition won't get the same kind of results as a well connected
question. The PR department lives to shield a company from such negative
external noise, a well connected question can surface inside the company and
be heard by people with the capability to actually do things.

~~~
foodstances
> allowing Purism to provide this petition to our Intel Partner Account
> Manager

It's at least worth a shot to see what they have to say about it...

------
fineforyouo
I wish the European Commission study this problem and if found guilty impose a
fine in such a way and quantity that in no way those firms can continue
exposing their clients to possible economic damage.

The previous imposed fine was of EUR 1.06 billion.

Someone with the required knowledge should submit a detailed record of this
potential hazard to the European Commission emphasizing how this system could
expose clients to possible threats, its anticompetitive nature, since it could
allow hackers gain access to economic secrets, and many other important
points.

The FSF should stand up and speak clearly. I hope and wish that the FSF
execute its mission, that is to gain and gather the necessary strength to
expose the nature and extent of these problems and how to fight against them.

Those that impose on us tools that allow them to control our business, steal
our ideas and plans, and ruin our enterprises plaguing with chaos. Those that
thrive to submit our future to their will should be fined.

I certainly hope that a new economic fine be imposed. That initiative and
measure would set up a strong message and a new precedent targeted to those
threatening our liberty and economy. A message encoded into an economic hammer
with the power to make them shape their will to respect our freedom and
integrity.

To be Free and Survive we should Fight. FSF.

~~~
touristtam
Unfortunately even these kinds of fines are still pocket change for such a large
corporation. Moreover, this is always the same issue of imposing a penalty
without offering an alternative. In this case offering a hardware/software
platform competing with the long established Wintel.

------
confounded
I'm very surprised that no-one on HN has talked about their experiences of
using AMT for enterprise IT management. Aside from the security problems, I've
personally never encountered or seen its use, which makes the ME's inclusion
(on all chips, for about 6 years) seem like an odd decision from Intel.

~~~
wolfgke
> I've personally never encountered or seen its use, which makes the ME's
> inclusion (on all chips, for about 6 years) seem like an odd decision from
> Intel.

I consider it as quite plausible that the reason why Intel included ME into
all chips is that it is much cheaper to add those unnecessary gates to any
chip than to create two different versions of it. The much more interesting
question is why ME cannot be disabled. It is clear (see
[http://www.intel.com/content/dam/doc/product-brief/mobile-co...](http://www.intel.com/content/dam/doc/product-brief/mobile-computing-protect-laptops-and-data-with-intel-anti-theft-technology-brief.pdf)) why
Intel has a reason why ME should not be possible to disable on some chips. I
can imagine that Intel fears that if it can be disabled on some chips, hackers
will find a backdoor to also disable it on those chips where it shouldn't be
possible.

~~~
acqq
> it is clear why Intel has a reason why ME should not be possible to disable
> on some chips.

Only "under some conditions" should not be possible, that is, once you as a
user turn on the anti-theft protection. Theoretically, turn-on-once,
afterwards-no-turn-off technology can be implemented.

------
digler999
No doubt various three-letter agencies are having a field-day with this right
now.

Hopefully a robin-hood type will reverse-engineer the blob and post a
permanent fix to disable this thing before a more nefarious person/group uses
it to devastate the PC landscape with something even worse than bitlocker.

~~~
paulmd
It's impossible to "reverse-engineer" a cryptographic signature. Properly
implemented (and you can bet that Intel has had time to finalize this) it's
computationally insurmountable.

~~~
Dylan16807
Not the signature, the payload. It's very complex. I guarantee there are bugs.

~~~
joe_the_user
Indeed, the blob can be reverse engineered.

Even more, an unbreakable signature can have its private key stolen by
hacking, by agencies inserting personnel into the companies, by agencies
blackmailing key personnel and by agencies compelling the companies legally or
ex-legally to hand them their keys.

~~~
zeta0134
Really, if someone has gone to the trouble of working out an exploit for Intel
ME, the most ironic thing they could pull off would be to use that very
exploit against Intel's own systems to steal their key, use it to patch the
bugs, and release the patch to the world.

~~~
Bartweiss
It'd be a spectacular successor to that router-patching virus that made the
rounds a while back.

------
shmerl
Why can't Intel implement proper security and open up this blob to begin with?
Not opening it and not allowing to disable it, suggests it's intended for
something sinister.

~~~
keyme
As stated in the article, some researchers have managed to unpack it, and it
can now be disassembled.

You can't (and hopefully won't) be able to execute your own code there.

There are 2 good reasons for this:

1) As per the article, to actually prevent ring -3 malware. The implemented
signature is the best way to do this. If we could run our own "libre" code
there, so could the attacker.

2) I bet this firmware controls stuff like whether your CPU is "really" a Core
i3 or Core i7, how many cores are activated, etc. Basically, it's reasonable to
assume that the silicon is the same, but what you pay determines the actual
"unlocked" performance.

~~~
Teever
> 1) As per the article, to actually prevent ring -3 malware. The implemented
> signature is the best way to do this. If we could run our own "libre" code
> there, so could the attacker.

Why can't computers have physical switches that enable/disable writing the
memory that this piece of software is located in?

~~~
IshKebab
That is actually slightly less secure - sometimes people do have physical
access to your machines.

For example, the NSA intercepted deliveries of switches and installed their
malware on them. Would be easy if there is a physical switch. Not so easy if
you need signed firmware (I'm sure the NSA could still do it, but it would
definitely be harder).

~~~
goodplay
If they have physical access, it's over regardless of what authentication
mechanisms are employed.

I'd argue that not being able to modify software subjects you to a higher risk
because you won't be able to fix security vulnerabilities yourself.

Software and hardware outlive the companies that produce them.

------
morganvachon
Nice breakdown of how ME works, but nothing new here.

Still, I'm glad I hold on to a ton of older, pre Core i-series Intel machines,
AMD machines, and ARM boards. If ME is ever truly compromised at least I have
a fallback or three.

~~~
ashitlerferad
Watch out for TrustZone. There are definitely flaws in it too, for example:

[https://bits-please.blogspot.com/2016/06/trustzone-kernel-pr...](https://bits-please.blogspot.com/2016/06/trustzone-kernel-privilege-escalation.html)

~~~
Grazester
Seems like this has already been patched

------
EdSharkey
The fact that the ME microcontroller can run arbitrary Java code, uploaded at
runtime rather than read from ROM is pernicious. The Intel private key can
sign any blob, and ME would run it.

It makes me wonder, could a Java program uploaded to ME crash it or put it
into an infinite loop? What would the effect be on the host OS if ME suddenly
became unresponsive?

Perhaps a "Kill ME" binary could be developed as open source, and perhaps we
could get Intel to sign it? If there was a strong enough request to Intel by
consumers, why wouldn't they go ahead and sign it for us? No skin off their
noses what we do with our consumer-grade boxes, right?

------
oneplane
While that article is correct, it's full of FUD with the constant littering of
'secret' and 'take over' in the text.

We already know about Igor's research and the published ARC CPU reverse
engineering, "Ring -3" rootkits and the DEF CON presentations. This is bad,
and this needs even more reverse engineering so at some point we might add an
'open' replacement for the required ME functions and run it together with say,
LibreBoot/CoreBoot.

I wonder why there haven't been any NDA ME or ARC docs leaked yet, even some
of the Broadcom SOCs had those leaked and via cleanroom design proper FOSS
drivers for some of the wireless parts were created... this should be possible
with the Intel ME as well. Hell, even a FOSS version or at least partially
reverse engineered and modified version of laptop EC firmwares have popped up
on the 'net.

~~~
more_corn
Yeah, the language is a bit excessive, but this is downright terrifying. Given
the absurd security protections implemented in IPMI I can't imagine the
successor being trustworthy enough to satisfy serious security requirements.
Anyone remember the infamous cypher zero bug/feature in IPMI where you could
specify an undocumented connection encryption mode which made authentication
optional?

------
brudgers
The thing about scale is that it doesn't look like ordinary individual
experience. It ain't enough to run Core2/\Piledriver/\Power/\open source
microcode: ME enabled computers are connected _en masse_ to the network. The
choices are air gap or head in the sand. ME was inside before Snowden.

Google, Facebook, Amazon, Ebay, Microsoft, 百度 etc. buy Xeons by the
bucketful. They're Intel's customers that matter. The retail box that comes
with a fan for sale at NewEgg is just exhaust fumes. 42 or "It's the cloud":
take your pick. Managing a gazillion server data center by hand just ain't
practical.

Intel's customers that matter replace CPU assets on the IRS's three year
depreciation schedule. It's why this [0] and why ME. Security by obscurity
isn't so bad when dumping the vulnerable subsystem lowers overall costs for
other reasons [performance boosts and lower power consumption].

ME is a good reason that Microsoft has been striving toward multiplatform. It
no longer has such a big say in Intel's roadmap. Yes UEFI and the Windows 10
upgrade process kinda suck, but Microsoft ain't pwn'ing anyone's computer
because Intel already pwn'd it. ME going sideways at scale would hurt and
Microsoft would be the handy victim.

There's a strategic reason Apple is making its own chips.

[0]: [http://www.techspot.com/review/1155-affordable-dual-xeon-pc/](http://www.techspot.com/review/1155-affordable-dual-xeon-pc/)

------
hoodoof
If you get a microscope and manage to peer into this secret hidey hole in the
CPU you will see a bunch of tiny little NSA spooks, Russian and Chinese
hackers scuttle away to hide in other dark hidden secret corners of the Intel
CPU.

~~~
goodplay
Yup. It's a good thing that we live in a universe where companies and all
their employees are completely trust-worthy, and will flat-out refuse to do
something illegal if asked (or incentivised) by others.

It's a good thing that all governments act within the confines of the law
(both wittingly and otherwise).

It's a good thing that all software we write is correct and sound, and that no
bug ever existed nor the desire to exploit such a bug should it have existed.

Paranoid people with their tinfoil hats. Sheesh!

------
ksk
I think at this point pretty much anything on your PC is backdoorable. I can't
think of a single device in my computer that doesn't respond to "magic I/O
packets" which are undocumented (obviously) and prone to bugs (possibly).

Gaming mouse? Yeah send some I/O packets and you can change the DPI, USB
update rate, whatever. A write-protected USB device? Uh-huh, send some magic-
packets to the controllers to reset it/format it/whatever (Recently did this
with one of those Dell USB Mentor Media drives that they ship the OS on).
Access point? Yeah, send some magic packets and you can set the
password/SSID/whatever. Hard Disk? undocumented SATA commands allows for
reprogramming. This is just the 'easy' way, without going into JTAG and other
diagnostic interfaces.

------
rdtsc
I think this is time for AMD or IBM's POWER8/9 to step in. If anything a
little good PR vis-a-vis the "rootkit nightmare waiting to happen in your
server" would be nice.

~~~
edwintorok
See "The World Beyond x86" presentation for a presentation of alternatives,
focusing on POWER8:

[https://raptorengineering.com/TALOS/op_twbx86.php](https://raptorengineering.com/TALOS/op_twbx86.php)

[https://static.rpteng.com/TALOS/assets/the_world_beyond_x86....](https://static.rpteng.com/TALOS/assets/the_world_beyond_x86.pdf)

~~~
rdtsc
Thanks, that was a good presentation. Yap basically POWER for mid to high end
and ARM for low to mid.

And it looks like AMD has its own equivalent of ME...

------
slasaus
FWIW, there is a petition for Intel to release an ME-less CPU design:
[https://puri.sm/posts/petition-for-intel-to-release-an-me-le...](https://puri.sm/posts/petition-for-intel-to-release-an-me-less-cpu-design/)

(as mentioned in a comparable thread five days ago: "Intel and ME, and why we
should get rid of ME" (fsf.org)
[https://news.ycombinator.com/item?id=11880935](https://news.ycombinator.com/item?id=11880935))

------
endgame
Where can people go if they want a fully-libre machine and are willing to
sacrifice x86?

~~~
kriro
Pi-top like laptop with your choice of pi3 or BeagleBone running Linux. The
performance of a pi3 is actually decent. It's not perfect as there's a GPU
BLOB in the pi3 and the BB also has some issue. It's my compromise for now,
hoping the blob will be reversed/replaced eventually.

Or anything that runs libreboot:
[https://libreboot.org/docs/hcl/](https://libreboot.org/docs/hcl/)

If OpenBSD runs on it that's also a good sign usually as they won't touch
anything with BLOBs.

~~~
endgame
I do actually on a Pi3, so that's an encouraging piece of info. A GPU blob is
at least a step up from the ring-negative-3 management engine.

~~~
dividuum
I don't think it's a big difference to be honest: The GPU firmware (start.elf)
is required to boot the Pi. There is no source code available at the moment.

The GPU firmware runs in parallel to the CPU and has access to the complete
memory. Video decoding is done by the GPU and happens while the CPU is
completely idle. And it can (of course) crash. If you've done anything related
to OMX programming on the Pi, you might have experienced that.

In theory there is nothing that would prevent a rogue firmware from
hooking into kernel structures to interface with the outside world.

------
arca_vorago
When it comes to hardware backdoors, one particular case seems to keep popping
up in my mind, and that is Bill Hamilton of the infamous Inslaw/Promis octopus
debacle. A few years ago when I was on Schneier's blog regularly, he was claiming
they had prearranged the backdoor installation at the silicon manufacturing
level...

Something about that has never left my mind, and I suspect it's generally
correct. Here's hoping that power8 workstation Talos gets off the ground...or
some risc equiv.

~~~
nitrogen
Is this the company you are referencing?

[https://en.wikipedia.org/wiki/Inslaw](https://en.wikipedia.org/wiki/Inslaw)

~~~
arca_vorago
Indeed it is.

------
DiabloD3
I find people freaking out about this extremely strange.

AMT is Intel's equivalent of IPMI. It is a non-standard implementation of it,
and does not follow any of the relevant specifications. It does not integrate
into most server management platforms.

AMT costs extra. Most mobos do not have it enabled as you have to pay Intel's
tax on it, even if some of the hardware to enable it is in every northbridge.

A motherboard _must_ implement it to be available. Most of the motherboards we
own don't have it enabled. You cannot "break into it" if AMT isn't available
on your motherboard to begin with.

Not all ME chips can run it due to Intel's requirements.

Now, is the ME chip a threat? Possibly, but not as much as your cell phone's
baseband modem is. The baseband modem can talk to outside networks, ME can't
unless it is paired with a NIC it can talk to (Intel does not require mobos
that have this; and generally, motherboards meant for AMT ship Intel NICs, but
not always).

Without AMT, the only thing the ME does is implement management functions that
allow you to actually boot and use the machine.

In the article, it says "Personally, I would like if my ME only did the most
basic task it was designed for, set up the bus clocks, and then shut off,"
except it is kept running so you can properly sleep and wake up your machine,
and also be able to change CPU frequencies at run time (IE, idle the cpu), and
also provide access to the sensors on the motherboard.

In addition, the ME handles Intel Smart Connect, which is also not available
on all boards (Apple uses this to implement Power Nap). It also requires
licensing, the same way AMT does, and many mobo manufs simply don't want to
license it.

ME does not connect to the network if it doesn't have a payload that is able
to do so (AMT, Smart Connect).

The reason people don't understand what ME is for is because all of the basic
tasks the ME does used to be done by lots of custom hardware, much of it not
provided by Intel and different on every board, and somewhat a bit of a driver
nightmare.

I don't like standing up for Intel, but anti-ME articles that continually
bring up AMT as if all computers have it is FUD. Very few computers have AMT,
very few computers implement this OOB access, very few computers _can_
implement AMT even if Intel let you purchase licensing for it after purchasing
the hardware.

I'm not saying that ME is not a security hazard (it can be in some cases), but
it isn't some ultra awesome NSA backdoor bullshit. Your phone, however, _does_
have the NSA backdoor.

~~~
mappu
> Now, is the ME chip a threat? Possibly, but not as much as your cell
> phone's baseband modem is. The baseband modem can talk to outside networks, ME
> can't unless it is paired with a NIC it can talk to (Intel does not require
> mobos that have this; and generally, motherboards meant for AMT ship Intel
> NICs, but not always).

The last ~dozen regular (gigabyte/asus/asrock/...) desktop PC motherboards
I've seen have all used Intel NICs for ethernet.

~~~
DiabloD3
Intel NICs are considered a premium feature on desktop boards, it is not a
common sight.

~~~
wtallis
It's a lot more common than it was 2-3 years ago. ASRock, ASUS, and Gigabyte
are using Intel NICs even on some boards with the low-end B150 chipset, and
it's extremely common on Z170 motherboards. I can't be bothered to check the
rest of the manufacturers, but it's clear that Intel NICs are _popular_.

------
narrator
Almost makes you want to get a Lemote Laptop like Richard Stallman.

~~~
rekado
You don't have to. Libreboot is available for some Thinkpads. I use an X200s.
There are businesses that offer Libreboot flashing services or sell
refurbished Laptops with Libreboot installed.

~~~
yoo1I
Except libreboot doesn't help. ME executes below BIOS/UEFI.

~~~
SXX
That's not the case. ME code is large and not bundled inside the CPU. On old
systems it was possible to not provide ME firmware while keeping the CPU
operational.

On modern systems it will just poweroff every 30 minutes if ME firmware is not
present and this is why libreboot won't support any newer hardware.

~~~
jacquesm
> On modern systems it will just poweroff every 30 minutes if ME firmware is
> not present

That's highly suggestive of a hidden agenda.

~~~
kuschku
You can still turn ME into "manufacturing test mode", where it will not
execute things.

But in that mode Intel Network Cards will poweroff every 3 minutes.

I wondered why my I219-V didn’t work, until I found it worked with ME in
normal mode.

Now I’m back on a 2006 100M Realtek NIC

~~~
etatoby
> in that mode Intel Network Cards will poweroff every 3 minutes

This is ridiculous. This is not a rootkit waiting to happen, it's already an
operational rootkit!

What is this company trying to achieve? Is this a military asset designed to
attack foreign countries? Is the Cold War not over?

~~~
kuschku
And, even worse, why is there not yet a startup competing with Intel in the
desktop market?

Are fabs the issue? Knowledge? Engineers? I mean, Uber got many billions in
funding, with Uber's funding one could easily build a fab for a 14nm process
and hire all of AMD.

------
textmode
Taking another angle: What if the computer's owner wants to use it to access
her computer remotely? Are there some instructions how to do this? Is it
feasible?

If not, then there seems little justification to have a relatively new feature
like this turned on by default. Who is this feature really for? If it's not
for all users then why is activation mandatory in CPUs after Core2?

I mean, if ME has to be active, then the computer's owner should be able to
use it, right?

~~~
yuhong
I think it is intended for enterprises to enable.

~~~
bhrgunatha
If that's the case and enterprises ARE using it - why isn't it more widely
known about? Even if the enterprise signs an NDA - I find it surprising that
it hasn't leaked given the security implications.

~~~
yuhong
AFAIK Intel AMT is documented and has been since it was introduced in 2006.

------
optimiz3
Serious question: are AMD chips a viable alternative (from a security
standpoint)? I hear their new Zen chips are coming soon.

~~~
yuhong
AMD PSP doesn't have access to the network (as far as I know).

~~~
SXX
Source on that? If nobody has proven it has access to all system memory, that
doesn't mean PSP doesn't have this access. Otherwise it will have at least
MMIO-based access to the network controllers.

------
corndoge
Previously:

[https://news.ycombinator.com/item?id=10458318](https://news.ycombinator.com/item?id=10458318)
(233 days)

[https://news.ycombinator.com/item?id=11422531](https://news.ycombinator.com/item?id=11422531)
(73 days)

[https://news.ycombinator.com/item?id=8813029](https://news.ycombinator.com/item?id=8813029)
(534 days)

[https://news.ycombinator.com/item?id=11880935](https://news.ycombinator.com/item?id=11880935)
(5 days)

Among many, many others...

------
Illniyar
That's crazy talk, in what world is it ok for my CPU to run a TCP stack on its
own?

~~~
yuhong
It is in the chipset not in the CPU.

~~~
Illniyar
Maybe I'm missing something, is this chipset on the motherboard? The article
makes it seem like it's coupled with the CPU.

~~~
zf00002
I don't know how it's actually implemented, but normally to enable AMT you have
to have both a compatible motherboard and processor. Intel calls it vPro. Most
desktop consumer boards do not have this feature, but quite a few of the i5
processors do.

~~~
wtallis
> Most desktop consumer boards do not have this feature, but quite a few of
> the i5 processors do.

Considering how many firmware updates I've installed on gaming-oriented
motherboards with Z-series chipsets that have included ME firmware payload,
it's worth looking into what it means for those boards to not have the
feature. We know that all the transistors are physically present on both CPU
and chipset. Are they truly permanently disabled with on-chip fuses, or are
they just left uninitialized on boot when the microcode checks the model
numbers? Are there required traces on the motherboard that are definitely
being omitted/disconnected?

~~~
yuhong
I think the AMT code is just omitted from the ME firmware.

------
bArray
My question is whether alternatives are secure, such as AMD or ARM? I imagine
the ARM architecture to be too scrutinised and low power to get away with that
sort of thing?

Personally I want to buy a laptop that is secure due to travelling to
questionable places, I am wondering now whether it will include an Intel CPU
in light of this.

~~~
SXX
As mentioned in comments already, they are both not secure: every new AMD CPU
has an ARM TrustZone core in it. For ARM I can't tell since there might be SoCs
without TrustZone.

Best usable hardware is old Intel laptops unless you want something like a MIPS
laptop from Lemote.

~~~
bArray
Thanks, I'll check it out.

------
Animats
The real question is what the firmware can be convinced to do remotely.
Probably most of the things in here.[1] Remote management is supposed to be
listening on TCP ports 623 for HTTP and 664 for HTTPS.

[1]
[http://www.dmtf.org/sites/default/files/standards/documents/...](http://www.dmtf.org/sites/default/files/standards/documents/DSP0232_1.1.0.pdf)

~~~
aruggirello
Are you suggesting that detecting if your system is exposed to remote control
is as easy as checking to see if your machine appears to have such ports open?
And would the ports appear to be open if checked from the same machine?

~~~
Animats
Unclear. There are issues such as what IP address the ME is using. IP
addresses are an OS level thing, and the ME is below that. Ethernet
controllers don't know about IP addresses. The ME has the ability to make DHCP
requests, so it can get an IP address of its own.[1]

The real question is what the ME does in addition to what it is documented to
do.

[1]
[https://software.intel.com/sites/manageability/AMT_Implement...](https://software.intel.com/sites/manageability/AMT_Implementation_and_Reference_Guide/default.htm?turl=WordDocuments%2Fconfiguringtheintelamtipaddress.htm)

------
cocomutator
I still don't understand why this ME feature has been created to begin with.
Assuming that breaking it is a matter of time (someone clever enough thinking
about it for long enough), it seems like a serious security vulnerability,
worse still because an attack is undetectable.

Why create it in the first place? Are the enterprise uses the article mentions
worth the risk?

~~~
yuhong
Yes, I think it was originally intended for enterprises doing remote
management.

------
wfunction
Can someone tell me if people have actually spotted the Intel ME doing
unauthorized communication?

I imagine it should be easy to spot in any network firewall log (note I said
network, not OS), and in reality, if it's never been observed to communicate
with the outside world without explicitly being told to then do people really
need to worry?

~~~
ludamad
People should always worry about attack surface area

~~~
wfunction
OK, but that doesn't answer my first question.
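
As an added example (not part of the thread): the network-firewall-log check discussed above, flagging TCP flows to the management ports named earlier in the thread (623 and 664) and marking whether the source is outside the local network. The log lines are constructed netfilter LOG-style samples, and `MGMT_PORTS`, `LOCAL_NET` and `find_mgmt_flows` are names assumed for this example.

```python
import ipaddress
import re
from collections import defaultdict

# Ports as named earlier in the thread; the local range is an assumption.
MGMT_PORTS = {623, 664}
LOCAL_NET = ipaddress.ip_network("192.168.0.0/16")

# Constructed sample lines in netfilter LOG format (not real traffic).
SAMPLE_LOG = """\
Jun 15 10:01:02 gw kernel: FWD IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.20 LEN=60 TTL=52 PROTO=TCP SPT=51514 DPT=623 WINDOW=29200 SYN
Jun 15 10:01:09 gw kernel: FWD IN=eth2 OUT=eth1 SRC=192.168.2.5 DST=192.168.1.20 LEN=60 TTL=64 PROTO=TCP SPT=40022 DPT=664 WINDOW=29200 SYN
Jun 15 10:02:11 gw kernel: FWD IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=198.51.100.9 LEN=60 TTL=64 PROTO=TCP SPT=44321 DPT=443 WINDOW=29200 SYN
Jun 15 10:03:30 gw kernel: FWD IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.20 LEN=60 TTL=52 PROTO=UDP SPT=5353 DPT=623
Jun 15 10:04:00 gw kernel: FWD IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.168.1.21 LEN=60 TTL=52 PROTO=TCP SPT=51600 DPT=623 WINDOW=29200 SYN
truncated line without fields
"""

FIELD = re.compile(r"\b([A-Z]+)=(\S*)")  # KEY=value pairs of a LOG entry

def find_mgmt_flows(log_text, ports=MGMT_PORTS):
    """Map (local dst, port) -> sorted [(src, 'internal'|'external')]."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        f = dict(FIELD.findall(line))
        if f.get("PROTO") != "TCP":
            continue
        try:
            dport = int(f["DPT"])
            src = ipaddress.ip_address(f["SRC"])
            dst = ipaddress.ip_address(f["DST"])
        except (KeyError, ValueError):
            continue  # malformed or incomplete entry
        if dport in ports and dst in LOCAL_NET:
            origin = "internal" if src in LOCAL_NET else "external"
            hits[(str(dst), dport)].add((str(src), origin))
    return {key: sorted(val) for key, val in hits.items()}

if __name__ == "__main__":
    for (dst, port), sources in sorted(find_mgmt_flows(SAMPLE_LOG).items()):
        for src, origin in sources:
            print(f"{dst}:{port} <- {src} ({origin})")
```

The log has to come from a device on the network path, since traffic handled below the OS does not show up in the host's own firewall log.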

------
happycube
Amusingly, the ARC core in the Intel ME is a descendant of the SNES SuperFX
chip.

~~~
Thoreandan
I was quite tickled to read that bit. The guy who made Starglider for the
Atari ST, and Star Fox! :-) Apparently newer chips have had other
architectures, at least one I think was actually SPARC.

------
hoodoof
Strange that Intel gives people more reason to go to other processors like ARM
when Intel is under such pressure from competition.

~~~
ferbivore
Who does this give reason to move to ARM? End-users generally don't have a
choice (good luck running AutoCAD on ARM) and OEMs either don't seem to care
or list ME as one of the selling points of their systems.

You could make the case that this might convince people to use AMD CPUs, but
from what I hear AMD has all the same issues with worse performance to boot.

~~~
therealjumbo
>AMD has all the same issues with worse performance to boot.

AMD chips aren't just slower to boot, they're slower overall!

~~~
effie
Ferbivore probably meant "in addition", not the booting process.

[http://idioms.thefreedictionary.com/to%20boot](http://idioms.thefreedictionary.com/to%20boot)

------
ssebastianj
I wasn't aware of Intel ME until I recently bought a brand new Lenovo
ThinkPad and saw the "Intel Management Engine" on BIOS/UEFI boot menu.

The thing is: how can I configure this ME thing in order to avoid (or
minimize, at least) possible attacks?

~~~
foodstances
You can't. The whole point of the thing is that it can't be disabled and will
always be running to let your theoretical IT department take over your
machine.

~~~
effie
I got ME disabled in BIOS on my Lenovo S30 (manufactured around 2012 I think).
Do you think this option in BIOS setup is insufficient to turn it off? Is the ME
still running and listening to commands coming from the network?

------
nthcolumn
[http://www.tomshardware.co.uk/vpro-amt-management-kvm,review...](http://www.tomshardware.co.uk/vpro-amt-management-kvm,review-32283-7.html)

jesus wept, how do I turn it off?

------
elchief
Has anyone on here actually used this at work?

------
sspiff
I knew about ME, but I didn't know it had an ARC processor in it. Odd that
Intel didn't opt for an in-house design, like one of their older cores
backported to a newer process. (like a P54 or 386).

------
oolongCat
Best way to deal with issues like this, make them care. How? We need to get
this message to the masses, to get enough people to know about this potential
issue, that it becomes an organisational issue for Intel.

------
xlayn
I would use Thunderbolt as it has DMA, create a CRC/F(x) CPU (external unit
connected thru Thunderbolt) that converts/encrypts code/data to an expected
format by modified code generated by a compiler, making the Intel CPU act as
surrogate to it, delegating control to the CRC/F(x) CPU.

Extra points, make all the CPUs work, and create extra tasks to run at the
unused CPUs to obscure the actual process running (yeah I know it's not energy
efficient but someone has to give Intel inspiration to improve).

------
dingdingdang
One thing, OK, so we have this super fantastic network enabled Java platform
running autonomously from within around 3 billion devices across the globe
since 2006 with the capability to read everything from the systems they are
running completely unnoticed.. shouldn't this generate a FAIR amount of
network traffic (and resulting suspicious log files, if not on the computers
then on the routers) or am I missing something here?!

~~~
niftich
Most are not enabled/activated or connected through the NIC.

~~~
dingdingdang
OK (sources on that being the case?), but the issue then remains that we have
no way of knowing whether it is activated or could be activated, is that
correct?

~~~
niftich
Sure, here's some documentation on how to enable remote management in the
Intel Management Engine, if it's supported:

[1] [http://www.tomshardware.com/reviews/vpro-amt-management-kvm,...](http://www.tomshardware.com/reviews/vpro-amt-management-kvm,3003-6.html)

[2] [http://www.howtogeek.com/56538/how-to-remotely-control-your-...](http://www.howtogeek.com/56538/how-to-remotely-control-your-pc-even-when-it-crashes/)

[3] [https://communities.intel.com/thread/21261](https://communities.intel.com/thread/21261)

The lack of independent audit of this chip and firmware is a legitimate concern.
But as you can see, if you obtain a fresh computer with access to the
BIOS/UEFI, you have control over whether this functionality is enabled. If you
don't have access to your BIOS/UEFI then you're correct that you won't know if
it's on.

------
hugdru
Oh my god it began with the OEMs installing a bunch of spyware on the default
install. Many of which with vulnerabilities. Not to mention "modern" OSes not
respecting users' privacy. To make matters worse the hardware companies decided
to follow suit and thus added unwanted and compromising features to everyday
systems. Way to go! It seems I'll have to switch to stone age hardware just to
have a little peace of mind. Evolution! >(

~~~
whamlastxmas
This has been in every Intel CPU since 2008

------
LeoPanthera
Does this apply to Macs?

~~~
markokrajnc
A more precise question is: Is the Intel CPU connected with a 3G laptop modem
on the Mac? If YES: Data can be read/written remotely from/on your Mac (even if
turned OFF - as long as batteries are installed). If NO: Most probably it
cannot be done!
(Source: [http://www.intel.com/content/dam/doc/product-brief/mobile-co...](http://www.intel.com/content/dam/doc/product-brief/mobile-computing-protect-laptops-and-data-with-intel-anti-theft-technology-brief.pdf))

~~~
floatboth
I don't think any MacBooks ever had built-in cellular modems…

------
milkey_mouse
Finally, the ME is getting the exposure it deserves. Seems like just two weeks
ago nobody knew it existed.

------
jorblumesea
It's probably safe to say that every device you own or ever owned has a back
door, intentional or not. The false sense of security people had about their
machines was a myth, glad to see it finally die.

------
SeanDav
Once a malicious 3rd party gets the keys to this kingdom it is game over.

------
ohitsdom
Maybe I missed it in the article, but why is this only present on x86 chips?
How do 64-bit processors from Intel offer the same management functionality
without this ME subsystem?

~~~
schlowmo
In this case x86 means both 32bit x86 (also referred to as IA-32) and x86_64.

From
[https://en.wikipedia.org/wiki/Intel_Active_Management_Techno...](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology)

      "The Management Engine (ME) is an isolated and protected coprocessor, embedded as a non-optional part in all current (as of 2015) Intel chipsets."

------
vasili111
What about AMD?

~~~
khedoros
[https://libreboot.org/faq/#amd](https://libreboot.org/faq/#amd)

AMD has some rough equivalents to Intel's ME.

------
pmarreck
Yo dawg...

