We knew this would happen. We knew that the Management Engine was a backdoor, and we knew it was only a matter of time before someone would figure out how to exploit it. This is exactly the reason why Libreboot exists (https://libreboot.org/faq.html#intel). And now, far from being the tinfoil hat distro that is often portrayed, it will become a bare necessity.
The procedure seems far from trivial and requires special hardware(?). Is there a guide or some resources I could follow as a person with no hardware/low-level technical knowledge?
You could sidestep the whole issue by buying a C201 chromebook (quad-core ARM) and putting Linux on it.
> Internal flashing with OEM firmware
Intel needs more competition - thanks to AMD's latest new 8-core CPU, Intel got forced to release a new CPU they had in their basement for years - suddenly it's possible for them to release i7 notebook CPUs with more than two cores!! Even back in 2010 it would have been viable to produce 4-core notebook CPUs - but they went away because they had no competition.
I wouldn't hold my breath, though.
- releasing the source doesn't tell you what's on the chip.
- PSP is kind of "Ring ∞", so there would be no good outcome from providing general-purpose access to it. So, the keys will never be released.
- it's thusly not possible to map the signed (encrypted) firmware to the source.
- even if the source had a clearly documented "master off" in it, you can never know if the firmware's copy reads "master-except-if-A-and-B-say-C off" :(
I'm not sure what you mean by this. My Dell XPS 15 has an i7-6700HQ which is quad core, and it's not like I just bought the thing.
U-series i7s have two cores. HQ-series i7s have four cores. Both are mobile CPUs. Remember though that more cores generally means more power consumption which generally means less wallclock time on battery power.
It's my tinfoil hat theory why MS waits for an earnest update on their high-end Surface Book. A high-end quad-core Surface Book with a 10-series GPU and 32GB LPDDR with real Thunderbolt 3 ports would make for a 13" dream machine...
Predating the i7 entirely, there were also quad core laptops using Core 2 Quad CPUs (Penryn QC) in 2008.
However, I strongly advise against buying from Leah Rowe unless you enjoy waiting months for payment confirmation and delivery. The worst webshop experience I've ever had.
I recommend you build/flash your own, contract it out or look for a different vendor.
Certainly this kind of attack is not your average script kiddy but nation-level instead, but I wouldn't put it past the NSA to pull this off.
It's not obvious to me why anyone not under an NSL or NDA would sit on this vulnerability for 5 years and wait until it's actively being exploited in the wild before public disclosure.
It's extremely negligent to global security for SemiAccurate to not immediately publicly disclose the vulnerability 5 years ago after Intel refused to fix it. Of course this is ignoring the root of the problem, which is that the US government has deeply compromised Intel since the very first security management interfaces were added to Intel chips in the early 90s.
The real solution to the root issue is legislation that forces security disclosure timelines of 90 days or less for government-found vulnerabilities, and prevents the stockpiling of vulnerability exploit kits.
Intel would like to thank Maksim Malyutin from Embedi for reporting this issue and working with us on coordinated disclosure.
There's also an Intel advisory https://security-center.intel.com/advisory.aspx?intelid=INTE...
> There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology firmware versions 6.x, 7.x, 8.x, 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs.
If in doubt, you can check your CPUs here:
Edit: On the previously-mentioned scale, this sounds like a solid 8 or 9 out of 10.
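The advisory quoted above names firmware branches rather than CPU models, and several comments further down ask how to tell whether a given box is exposed. The following is an added example, not code from the thread, from Intel or from SemiAccurate: a small Python triage helper that classifies an ME/AMT firmware version string against exactly the branches the quoted advisory lists, and probes a host for the AMT web interface. Assumptions, beyond the advisory text: that AMT's web interface listens on TCP 16992 (plain HTTP) and 16993 (HTTPS), and that its HTTP Server header contains the string "Active Management Technology" (the sample responses below are constructed to match that). The fixed build numbers within each branch are not in the thread, so the classifier only says whether a version sits in an affected branch, not whether it has already been patched.

```python
import re
import socket
from typing import Optional

# Affected branches exactly as listed in the quoted Intel advisory text.
AFFECTED_MAJORS = {6, 7, 8, 9, 10}
AFFECTED_11_MINORS = {0, 5, 6}

# AMT web interface ports (assumed from Intel's documentation): 16992 plain HTTP, 16993 HTTPS.
AMT_HTTP_PORT = 16992
AMT_HTTPS_PORT = 16993

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?(?:\.(\d+))?\s*$")

# Constructed sample responses for offline use (not captured from real hardware).
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 303 See Other\r\n"
    b"Server: Intel(R) Active Management Technology 9.5.14\r\n"
    b"Location: /logon.htm\r\n\r\n"
)
SAMPLE_OTHER_RESPONSE = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n<html></html>"


def parse_me_version(version: str) -> tuple[int, int, int, int]:
    """Parse an ME/AMT firmware version such as '11.6.27.3264' or '9.5'.

    Missing trailing fields read as 0. Garbage raises ValueError so that a bad
    inventory field can never silently come out as 'not affected'.
    """
    m = _VERSION_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised ME version string: {version!r}")
    major, minor, hotfix, build = (int(g) if g is not None else 0 for g in m.groups())
    return major, minor, hotfix, build


def in_affected_branch(version: str) -> bool:
    """True if the firmware version is in a branch the advisory lists.

    Necessary, not sufficient: OEMs ship fixed builds inside the same branch,
    so a hit means 'compare against your vendor's fixed build', not
    'definitely vulnerable'. Fixed build numbers are deliberately not encoded.
    """
    major, minor, _, _ = parse_me_version(version)
    if major in AFFECTED_MAJORS:
        return True
    if major == 11:
        return minor in AFFECTED_11_MINORS
    return False


def amt_server_header(http_response: bytes) -> Optional[str]:
    """Return the Server header value if an HTTP response identifies as AMT.

    Assumption: the AMT web UI's Server header contains the string
    'Active Management Technology'. Returns None for any other server or for
    a response with no parseable header block.
    """
    head = http_response.split(b"\r\n\r\n", 1)[0].decode("latin-1", "replace")
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "server":
            value = value.strip()
            if "active management technology" in value.lower():
                return value
    return None


def probe_amt(host: str, timeout: float = 2.0) -> dict[int, Optional[str]]:
    """Check whether a host exposes the AMT web interface.

    Returns {port: description}; None means refused or timed out. Only the
    plain-HTTP port is banner-grabbed; the HTTPS port is reported open/closed
    without a TLS handshake.
    """
    results: dict[int, Optional[str]] = {}
    for port in (AMT_HTTP_PORT, AMT_HTTPS_PORT):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                if port != AMT_HTTP_PORT:
                    results[port] = "open (TLS, banner not read)"
                    continue
                sock.settimeout(timeout)
                sock.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
                data = b""
                while b"\r\n\r\n" not in data and len(data) < 65536:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    data += chunk
                results[port] = amt_server_header(data) or "open (no AMT Server header)"
        except OSError:
            results[port] = None
    return results


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, state in probe_amt(target).items():
        print(f"{target}:{port} -> {state}")
```

Run it as `python amt_triage.py <host>` against a machine on your own network; a None for both ports means the AMT web interface is not reachable from where you are, which is the state you want on any box that does not need remote management. Feed the version string from your OEM's ME firmware tool or BIOS screen to `in_affected_branch` and then check the vendor's fixed build for that branch.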
Maybe then we'll finally see hardware companies taking security seriously.
Adobe Flash has a new zero-day every week, but we were saddled with it for years past when it should have been retired because some people didn't want HTML5 to have feature-parity with Flash.
Java has a new zero-day every week but we're stuck with it because enterprises are afraid of trying something new.
Windows was wide open to attacks for years, but they got away with it by saying "yeah but Apple is so expensive" and people still parrot that. They said "yeah but Linux is stolen technology/doesn't work right" and people still parrot that.
Android has a new malware/exploit warning every week, the majority of the phones never see security updates, and are running outdated software the minute they're shipped to stores but people say "yeah but Apple is so expensive/locked down" or "Windows Phone doesn't have any apps".
I have friends who lost their credit card numbers at Home Depot but refuse to shop at Lowes because they don't like the NASCAR driver that Lowes sponsors.
People get so caught up in brand loyalty that they're willing to defend "their" company like it's a family member. Even among the tech community, security means nothing. We still use Android phones to get root access, we still use Windows to save some money on our laptops, we still program in PHP because it pays the bills.
Nothing will ever be catastrophic enough. Anyone can get away with it just by creating an "us vs them" mentality with their customers.
No it doesn't. The last one was in 2015. Before that I think there was a two year gap to the prior one. Zero days in Java are actually very rare these days.
That doesn't mean bugs are rare - like any large piece of software Java gets regular security patches, but those are flaws found by the developers themselves rather than attackers, so they aren't zero days.
Remember in 2012 when Apple stopped shipping Java with their browser because it was so insecure?
Upgrading your CPU 2hs, 300$
Having no secure CPU to upgrade to: priceless
Long ago I read something about that. The psych came down to the (false) idea that changing brand would confirm that you were wrong. The example was that even if Ford made better cars back in the day so you're a diehard Ford owner, if their quality demonstrably falls behind and Chevy is demonstrably awesome today you still won't change! And that's a case where your prior decision was actually right. So people have these weird internal notions that 1) companies' value doesn't change over time, 2) their value doesn't change in light of new evidence, and 3) my own value is somehow tied to making a "correct" decision in spite of cognitive errors #1 and #2.
People are stubborn, and that's being kind about it.
Well, Java applets did die. What more do you want? The Java sandbox is only used by extremely legacy software at this point, so it doesn't matter if it has holes in it. Actually, the more holes the better, so we can get rid of the last holdouts.
I still hope it's true, and that it's catastrophic for Intel. No change can happen otherwise.
If Intel aren't fighting against 5eyes then they aren't taking security seriously.
> That is the end of June for non-Intelspeak people, they will officially issue this guidance then along with OEM disclosures.
We'll know in two months whether the above claim is true or false.
Edit: Already proven wrong! We're headed for interesting times.
Looks like an almost full confirmation. They're saying consumer hardware is unaffected, but everything else matches.
>>there is literally no Intel box made in the last 9+ years that isn’t at risk
>>SemiAccurate has been begging Intel to fix this issue for literally years
Am I the only one who is so cynical to think it must have been deliberate? Intel dragging their feet for YEARS -- what could justify such a delay? The paranoid side of me asks "Were they waiting to patch this hole, until they found a different one that could be utilized?"
Which begs the next question: Where is the NSA in all of this? It's the sort of thing that would be mighty handy to a group wishing to snoop on everyone and everything?
Last question: Why would anyone trust the encrypted management engine after this? (Why would anyone trust it before?)
>> What about embedded devices that are increasingly PC based? Digital signage perhaps? Industrial controls. HVAC. Security systems. Flight controls. Air traffic controls. Medical devices.
What, indeed? Is this the method used to interfere with Iran's nuclear program centrifuges?
The discussion probably went something like:
Person 1: "Should we issue a recall and disable a feature which bought us a several billion dollar customer?"
Person 2: ...
Joanna Rutkowska, who is a renowned security researcher, warned of something like this happening sooner or later, so I don't think I can afford to just ignore this.
But without something more specific to act on, there is nothing I can do, except wait for firmware updates to be released by various vendors. If that happens.
And what if Intel does make a statement that essentially says, "This is all total BS"? I wouldn't know whether to believe them or not.
The only scenario where I could have any degree of certainty would be if Intel came out and said, "Yeah there's an exploitable security hole in ME, here's a patch to disable it".
It confirms much of the SemiAccurate report, but also includes this:
"This vulnerability does not exist on Intel-based consumer PCs."
Which seems to differ from what SemiAccurate was saying. I'm not sure if it's SemiAccurate being... er... not completely accurate :D, or if it's Intel trying to downplay things.
I guess we'll find out more over the next few days/weeks.
When I've purchased VirtualBox hosts, I've deliberately avoided stuff with vPro.
They claim that it doesn't affect consumer CPUs, but that leaves a ton vulnerable. It's pants-shitting time.
Now a patch is coming out but Intel is still trying to keep it quiet, so he's trying to warn people to disable AMT and be ready to apply patches ASAP.
Presumably he didn't even want to disclose the existence of the vulnerability publicly until there was some sort of fix, and he still won't want to disclose details before the fix is released.
Of course, you can doubt the veracity of this story, but I'm just pointing out that there would be no reason to expect details, cross references, or mentions on Google or security lists yet if it is true.
None of that means he's necessarily wrong, just that you should be very careful about believing his claims without supporting evidence. A lot of people here on HN have thought that a remote ME exploit was only a matter of time, so an article claiming to validate that belief will not get as much skepticism as it should.
Then, he saw that Intel released a patch related to the management engine, and took that as confirmation? Maybe he has access to the release notes via a source at an OEM?
That tells me he got the information from an unmentioned source. If he had the details himself he would be able to confirm what hardware it is present on by testing it.
The explanation for that error could be that the source has been vague about it or not tested it on a lot of hardware, or isn't even a firsthand source, or that the journalist misunderstood it.
Overall, though, it does seem to validate the sequence was something like "he had a suspicion" then "intel released an update".
I'd guess this would be of a lot of interest for "hacker" news; I want to sign my own damn firmware.
Check out https://libreboot.org/docs/hardware/gm45_remove_me.html
This is negligence especially considering these chips control critical devices that can cause damage or even loss of life if they are successfully exploited.
Can you imagine if a car maker didn't fix a hardware defect they knew about for years. Oh wait...
From the perspective of an everyday user these things came out of nowhere to evolve into this para-computer running alongside me that I cannot see and have no control of. It is on literally ALL hardware.
Why is it that any attempts to disable it knock your whole computer out?
And this is the world of technology that we want? I'm so sick of technology companies appearing to work for their customers but secretly working against them.
If, for example, an admin needed to add a dual-boot-to-Ubuntu option to every PC on a floor, he could, through ME, remotely reboot (force power reset if necessary) or power on every machine, have the machines boot to a (remote) OS install disk, run the install, and reboot.
ME allows one to do almost anything remotely to a PC, regardless of what the main processor is doing. That is both useful and frightening.
How many corporate IT environments buy off-the-shelf motherboards and CPUs from the same channels as consumers? OEMs get an entirely different set of parts and enterprise sales works in completely different channels. If there is such a clean separation between corporate and consumer markets then why is this hardware on everything, and why does it need to pull power on the machine if it's disabled?
In other words, the separation that you describe exists.
Systems with the full firmware sport things such as the vPro branding, and only certain combinations of CPU and chipset support it.
Even if you assert that the ME is absolutely necessary for such a use-case, I don't have that use case, it isn't worth the risk for me, and I should be able to disable the ME because I, as the owner of the machine, want to. (Or really, otherwise interact with it and use it for creative use-cases.)
The filter for "Max Turbo Frequency" seems to be broken, BUT searching for "Cache: '4MB L3 SmartCache'" (which I assume means shared!) finds quite a number of results: http://ark.intel.com/Search/FeatureFilter?productType=proces...
The list is column-sortable by Max Turbo Frequency, and there are just 4 results in the 3.40GHz range:
- http://ark.intel.com/products/91169/Intel-Core-i7-6660U-Proc... - the only result with a Processor Base Frequency of 2.4GHz
I really don't understand why they would just shove it into every chipset out there. I understand it needs to get its claws all over the system, but the core should be external and optional.
Security is a cost center and most OEMs run on margins too thin to bother with security patches even if they cared. Most simply don't care.
I've been thinking for years about writing a virus that patches the vulnerability it used to spread as it goes.
After learning about remote management capabilities I've always suspected it had holes. Large attack surface, any exploit would have a high value, and closed source.
Perhaps one day we'll be able to buy CPUs without this "feature".
I'm betting AMD and ARM are in the same boat.
Even after reading this, I'm still not convinced it does have holes. It's so high value (pervasive, incredibly powerful, and old) that if it were possible a bad actor would have used it. The spectrum of possibilities is small:
1. The hole does not exist, but SemiAccurate thinks it does.
2. It exists, but only SA has discovered it.
3. SA discovered it along with a few bad actors, who are using it surreptitiously and haven't been caught.
4. It's being used all over the place, it's a widely acknowledged security disaster.
Also, there is a 5th (more likely) possibility: SA didn't find anything, but undiscovered holes do exist.
5. Somebody else discovered it and told SA. No idea why them rather than telling anybody else.
Made in China, designed in the USA. Everyone wants their own backdoor.
I can't say I'm surprised, but I am surprised at the fact that finally, after all these years, someone finally got down to patching some vulnerabilities in this area.
props to whomever forced Intel's hand.
Otherwise check for updates at http://pcsupport.lenovo.com.
I don't mean to sound oppositional. I appreciate this being mentioned.
I'm just not willing to trust it without knowing in detail that and how it works.
So if you're running a desktop that has a physical Ethernet card in it, and the Intel Ethernet isn't connected, are you OK?
And if you're running on a laptop that uses Intel's Ethernet, (and most of them do?) then are you vulnerable?
> do the first three steps of thinking for them. Make it really easy for the other person to say yes or no
source: http://firstround.com/review/how-to-become-insanely-well-con... | https://news.ycombinator.com/item?id=14195664
I've agreed to include a bit of detail when spamming all my friends links via e-mail going forward.
here's a good overview of the risk: http://hackaday.com/2016/11/28/neutralizing-intels-managemen...
But I believe newer systems with MMUs acting as "firewalls" for DMA are safe from this vector.
Looking at the recent Atom failures (with vendors told in no uncertain terms to present publicly as generic "timing component" failure), will they even admit it's an ME thing?
I'm not sure if this would be considered OT, but considering the nature and scope of these vulnerabilities I don't consider it reasonable to exclude the possibility of intent and malice.
For this reason I'd like to ask: what do you consider to be "the next, most likely to surface, conspiracy of this flavor"?
The flavor being: "the struggle for control of any and all data and computational resources".
I don't really know what AMT does, but this has me thinking, if AMT is provisioned while a machine is used inside a company and then that machine shows up on eBay still provisioned, is it going to be phoning home and still be remotely manageable? How many of these machines have what are essentially persistent rootkits managed by large corporations that have had large fleets of laptops/desktops deployed that are then sold on?
EDIT: I have a Core i3-4130T. Looks like it doesn't have vPro so I'm hoping I'm safe?
Obviously things like Xeons and Core iXs, but what about things like Atom processors in tablets?
It's ambiguous if the Atom line (and which portions) might be impacted, and I would prefer someone comment directly on if Atom has ME and if so, if it was using the dangerous version (and when).
If it's WiFi that's damn scary.
With the lead time on the silent patch before Shadow Brokers published all the Microsoft exploits, I wonder if Shadow Brokers will be publishing this one soon. No chance of an Intel ME patch going out without being noticed though!
A Shadow Brokers release would be a real mess.
iPad remote wipe is a function of iOS and the encrypted filesystem it uses on the device, not the CPU.
I recommend the Platform Embedded Security Technology Revealed book from the designers and creators of ME for further information.
Thank you, SemiAccurate, for sitting on a vulnerability for years when you could've reported on it long ago and not had us left with this garbage of a security hole to deal with.
Let's hope Intel and all the other chipmakers will learn this lesson (unless it's done on purpose, in which case they won't care about any lessons learned - they'll do it anyway).