
The article is dated.

The game changed fundamentally with the introduction of the Intel Management Engine (or the AMD Platform Security Processor) on the x86 platform. The system is now "deep pwned" as described in point 3.1.1 of the article. The manufacturer has ultimate control of the platform, the user has been disowned.





Thanks for the links but your claim against the article is a bit heavy-handed

The article is much larger than CPU level access and control. It discusses high level issues worth thinking about such as communications and social elements

The article lacks any real actionable advice to date it too much.. when will it be out of vogue to suggest reading 1984 to aid in 'anticipation'?

But the value of the article aside.. your language: dated; made me interested in finding out when ME was first introduced and I was having trouble finding any concrete dates of introduction

A lot of your links and their references date around 2015+, yet the authors of your linked book worked at Intel around 2007 and failed to discuss introduction dates

Then I found this at the libreboot FAQ that states ME was introduced into all Intel chips 2006+(o) with the real issues after implementations dating after ~2009+

Also in my search I found some promising leads on overcoming the ME issue:



What an unfortunate and reason-defying battleground

(o) https://libreboot.org/faq/#intelme

Well, you are right that it is slightly heavy-handed. I also thought that a lot of the higher level stuff in it might still be valid.

But at the fundamental level the battle is lost, you will never own your (x86 based) PC as long as there is an IME/PSP in it.

Concerning the introduction of the IME/PSP, it says already in the first link that I provided: "All post-2013 (AMD) and virtually all post-2009 (Intel) systems".

I think we are very far from neutralizing the IME. Earlier implementations can be manipulated to some degree (not "neutralized" though), but recent versions are rather foolproof.

The book is written by one of the engineers of the IME. While it might not discuss introduction dates it discusses pretty much everything else and is THE reference when studying the IME :)

Shouldn't it be possible to effectively neutralize the IME/PSP by controlling the data that enters or exits it, so that it can't be activated remotely, or communicate with the "mother ship"?

In the recent AMD AMA thread on Reddit there was a highly upvoted comment asking AMD to look into working with the Coreboot/Libreboot community to improve the PSP situation. It's nothing solid but the AMD guys did answer and say that they would discuss it internally. Better than nothing I guess.

Yes, AMD was asked if they would release the PSP source code. But IMHO that doesn't change anything as discussed here:


Worth noting, it is possible to disable this on certain systems that come with Intel ME out of the box:


There's work in progress on removing the ME blob on the Thinkpad x220 and the Librem 13.

But for most modern systems, yes, you're right.

Yes right, but the GM45 chipset is a Core 2 Duo chipset. And the X220 features Sandy Bridge (2011).

While it is possible to mess around with older implementations of the IME it is pretty much impossible with recent versions. It sits now on the CPU die and is inaccessible.

And it is only removing the ME blob in the system's flash memory. The ME also has its own internal ROM which contains firmware which cannot be altered or read.

I'm not quite sure why the IME/PSP is relevant.

Unless you've inspected the silicon on your CPU, then you are inevitably trusting the manufacturer of the chip to some extent.

What new threat model does the Intel ME add?

You are right, also before IME/PSP we trusted the manufacturer to some extent.

But the IME/PSP is intentionally and officially implementing an architecture which ensures that the manufacturer has ultimate control on the platform, and can run any code it pleases anytime on your computer. It runs at the deepest level (below OS, BIOS, VTd, SMM), and has maximum privileges on the platform. It runs all the time, even when you have your computer switched off.

Have a look at Intel Anti Theft Technology for example.


It utilizes the IME. It shows that the IME is able to completely take control away from you. It can be triggered while the computer is switched off by sending it a specific packet over a 3G network. And while activated you cannot switch it on anymore and it does whatever it pleases, like continuously sending location data to Intel servers across whatever network it manages to get hold of. Nothing you could do about it.

Less spectacular is the problem that CoreBoot/LibreBoot are facing. It is not possible to install the firmware you wish, because the IME is more powerful than you on the platform and does not allow you to do so.

So you have a second computer sitting inside your computer which has full access to your resources and the manufacturer is controlling what it is doing.

So while we were maybe speculating about trusting the CPU manufacturer before, now we have no choice anymore. We have to trust him, he is the boss on the platform.

We weren't speculating before - we were trusting them - Intel has long produced the entire chip and chipset (i.e. the entire path between the CPU and the network interface). They could have implemented backdoors previously.

All that's changed is that they are implementing function which makes it obvious that this is possible.

Yes right, we were. But we were able to install our own firmware before there was the IME.

And it has also changed in the sense that the IME is a full-fledged autonomous universal computer which has its own RAM, ROM, clock etc. It is not just some very specific chip with hard-coded functionality, no, it can e.g. load and run Java applets. So it is a very powerful moving target which can be used for whatever it is programmed to. Rootkit researcher Joanna Rutkowska called it the perfect rootkitting infrastructure.

Are there any documented cases of this vector being used against a user?

Not documentation, but... a former co-worker had done some work for intel agencies. He told me about something that was similar to this (though back in the 2008 time frame, so not using IME). If he can be believed (and I can neither confirm nor disprove what he told me, nor can I now prove that he ever said anything), this approach has been used for a long time.

The CPU maker can now send commands to your system over the network, or even update the ME code running on your specific system.

I have heard that this only works over the built-in network interface - so perhaps it can be defeated by installing a separate network card and not hooking up the built-in card? Anyone care to comment on if that is an effective mitigation?
