
How to hack a turned-off computer, or running unsigned code in Intel ME [pdf] - danjoc
https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How-To-Hack-A-Turned-Off-Computer-Or-Running-Unsigned-Code-In-Intel-Management-Engine-wp.pdf
======
saulrh
Money quote, though this may be slightly old news and this is just a summary
of known information:

    
    
      One of the most common questions regards
      the possibility of remote exploitation.
      We think that remote exploitation is possible
      if the following conditions are true:
        1. The target platform has AMT activated.
        2. The attacker knows the AMT administrator
           password or can use a vulnerability to
           bypass authorization.
        3. The BIOS is not password-protected (or
           the attacker knows the password).
        4. The BIOS can be configured to open up
           write access to the ME region.
      If all these conditions are met, there is no
      reason why an attacker would not be able to
      obtain access to the ME region remotely.
    
      Also note that during startup, the ROM does
      not check the version of firmware, leaving the
      possibility that an attacker targeting an
      up-to-date system could maliciously downgrade
      ME to a vulnerable version.
    

That list of conditions does not seem incredibly unusual to me. Consumer
hardware should have AMT disabled and be safe, but on business machines the
highest bar is an AMT vuln, and given the huge size and apparently terrible
code quality of the AMT I expect to be seeing auth bypasses for it on a
regular basis.

~~~
ksk
Could you elaborate on why you think its apparent that AMT has 'terrible code
quality'? Specifically, versus other high profile products that continue to
have multiple security bugs being introduced every release cycle - Windows,
iOS, Android, Linux, etc.

~~~
zaxomi
I can give you an example of why I think the code quality is questionable:

At my work we use AMT for legitimate purposes: remote administration and
support (we have offices in different cities). A big problem for us is that
the AMT crashes by itself and the computer needs to be power-cycled for the
AMT to work again. Sometimes the web-interface don't answer, sometimes the
passwords doesn't match anymore. I think there is a process that is writing
where it shouldn't, because it works again after the computer is power-cycled
by removing the power-cord.

I now have a script that checks every registered computer twice a day , to see
if it is still possible to login to the AMT, and if not, it sends an email to
a person at the local office requesting them to restart the computers that
fails.

When it works it is a great tool, allowing us to fix computers and give
support without the need to travel to each city.

~~~
acdha
It's sad hearing that it hasn't changed much in over a decade — back when I
was primarily doing sysadmin work, of the various manufacturers, only Sun's
ILOM (on the V20z/V40z Opteron servers) seemed to reflect the existence of a
QA department.

IBM, Dell, HP, etc. all had problems like you described where the management
processor would hang after receiving unexpected traffic (e.g. nmap scans), too
many simultaneous logins, etc. and, naturally, nobody had thought to implement
a watchdog timer to reboot if it became unresponsive even if they had the same
functionality available for the actual server.

------
gtcode
In the meantime, a high level of technical proficiency is needed to defend
against monolithic personal computing environments that are hostile by design.

* Assume personal computing environment is hostile

* Use an external firewall and have a whitelist-only policy

* Use an external NIDS

* Physically disable all hard-connected non-wired interconnectivity

Monitors and keyboards ("I leave message here on service but you do not call")
still leak, of course, but this is a good start, and most people need to be
concerned with practical attacks that could be carried out over the internet.

New Year's 2018 resolutions: 1) Review backup policy including backup testing
procedures 2) Implement personal digital security measures

I've often thought that the current mentality of a "convenient" monolithic
personal computing environment (whether an iPhone, laptop, or PC) doesn't
properly assess threats.

When broadband internet first became popular in my area growing up, it was
acceptable practice (and recommended by ISP's) to simply plug your non-
firewall'ed DSL modem ethernet directly into your computer. It truly was
unprotected sex in the worst possible way. Perhaps the next evolution will
fundamentally reconsider personal computing design from a security-first
perspective.

~~~
marcosdumay
> Use an external firewall and have a whitelist-only policy

How much do you trust that firewall?

> ...it was acceptable practice (and recommended by ISP's) to simply plug your
> non-firewall'ed DSL modem ethernet directly into your computer

You have to plug that modem into some non-firewalled computer. Honestly I
trust a well kept PC much more than a firewall appliance.

~~~
guelo
The only firewall I trust is a hardened openbsd running pf.

~~~
squarefoot
Hopefully on a non ME plagued platform.

~~~
mulmen
You can just disable ME in the BIOS to mitigate this right?

~~~
Houshalter
How?

~~~
mulmen
Hmm, looks like I conflated the AMT and ME. This does make it significantly
worse.

------
userbinator
Note that this document is dated 2017-12-05, so it's not anything new to those
who have seen the previous items about ME on HN.

According to page 12, one of the conditions for remotely exploiting this is
that AMT has to be activated, something which probably isn't going to be true
for PCs used at home and not part of a corporate network.

 _Such a vulnerability has the potential to jeopardize a number of
technologies, including Intel Protected Audio Video Path (PAVP),_

Good. Fuck DRM.

------
JoshMnem
Why aren't companies pressuring Intel to remove or disable the ME? It seems
like a huge security risk for entire organizations. It's especially difficult
to fix when running Linux, and many organizations/servers use Linux.

~~~
confounded
\- Purism petitioned Intel to open source it, or make it optional, and sell
machines with it as disabled as possible

\- Dell sell machines with it disabled

\- System76 sell machine with it disbaled

\- Google have been working to try and neuter it

~~~
forapurpose
> Dell sell machines with it disabled

Which ones?

~~~
benchaney
It’s no longer available.

------
brndnmtthws
Intel ME is frequently featured here on HN, but the general population is
completely clueless.

This is quite possibly the worst and most widespread computing vulnerability
that has ever existed, and it's likely that Intel will just maintain the
status quo until there's some sort of black swan event.

~~~
benevol
> Intel will just maintain the status quo until there's some sort of black
> swan event.

I absolutely hate Intel and AMD for sabotaging their customers like that.
Please people, get to that black swan event ASAP.

~~~
Filligree
If we're unlucky, the 'black swan event' will be something along the likes of
Pluto's Kiss. Imagine a Morris worm equivalent, but which bricks the computers
it infects after destroying the filesystem.

Even if everyone has backups of everything, offline, it'll be years before all
the destroyed computers can actually be replaced. This isn't a scenario I want
to happen for real.

~~~
LeoPanthera
On the plus side, you can probably guarantee it would only ever happen once.

~~~
Zopieux
Haha, no, you can't. Since when do humans learn from their mistakes?

~~~
knowaveragejoe
Not infrequently, but it's in vogue to hold the belief that they don't.

------
based2
[https://www.reddit.com/r/IntelME/](https://www.reddit.com/r/IntelME/)

------
anonymousDan
How does this affect SGX?

------
MichailP
What can an ordinary person do? Plugging out the network cable? What about
laptops? Can this vulnerability hack into Wi-Fi and allow itself to the
internet? But then again the moment you plug internet back in you're done.

~~~
kogepathic
_> What can an ordinary person do?_

Use non-x86 platforms such as an ARM based Chromebook, or _potentially_ an x86
with the ME partially disabled (coreboot or similar, but it's not a 100%
guarantee).

 _> Plugging out the network cable?_

It depends on the vulnerability scope. If it's over HECI (virtual PCI device
between host OS and ME) then removing the network cable won't save you from
local malware owning the ME via HECI.

 _> But then again the moment you plug internet back in you're done._

Well considering how few people ever update the firmware of their devices,
it's unlikely a majority of computers would ever be patched against an ME
vulnerability anyway.

Starting with ME12 Intel is going to start checking the ME firmware version
number in the ME's silicon (read-only) boot ROM to prevent firmware downgrade
attacks. [1] This version number is stored in single use eFuses which can only
be incremented, and are during an ME update.

But it depends on your threat model. As stated in the PDF, there are only 3
known exploits against the ME, and only one results in unsigned code
execution. Until someone weaponizes such an exploit, which at the moment it
seems physical access is needed, then Intel x86 owners are safe.

If your adversary is a three letter agency or nation state attacker, then
you've got bigger concerns than someone hacking your ME (starting with, say,
your OS).

[1]
[https://github.com/corna/me_cleaner/issues/111#issuecomment-...](https://github.com/corna/me_cleaner/issues/111#issuecomment-350480591)

~~~
MisterTea
> Use non-x86 platforms such as an ARM based Chromebook

Careful there. Microsoft has been slipping PC bits into their Windows Arm
systems because Windows is so hopelessly tied to the PC platform that they had
to PCify their Arm with EFI, ACPI and other PC legacy junk. Just be sure your
Arm does not have any of this anti-consumer crap and you should be good to go.

~~~
johncolanduoni
How is ACPI anti-consumer?

------
m3kw9
Now a days, a computer not really off if it has power connected to it.

------
niceperson
The talk was kind of disappointing honestly

SORRY

