Hacker News new | past | comments | ask | show | jobs | submit login

I had an interesting experience with the AMT technology fairly recently. I had updated my desktop's windows partition from Win7 to Win10 when it was free to do so, and then gone back to Linux. And because some tax information was in Quickbooks I booted it into Windows mode and it was trying to update to the latest Win10 and failing. I checked with Microsoft support and they had me download a tool to allow them to fix it, which kept failing to work. Eventually I tracked it down to the fact that I had previously disabled "Intel Management Engine Interface" in my device manager (back when there was a lot of discussion about it). Re-enabling it allowed their tool to loot through the system and fix what ever bits had given the OS fits, and then once it was running and current again, I disabled it again :-).

Based on the Intel documentation, my Surface Pro 4 is vulnerable (its a 7th gen with 11.6.0.1042) but its also disabled and I'm not sure whether or not that 'saves' me here (as the driver in the OS is disabled but it is unclear if a local network attack would work or not).




It says on the page "This vulnerability does not exist on Intel-based consumer PCs." I'm not sure if that's true or not but Intel seems to think you'll be ok.

EDIT: Ok so it seems all Intel CPUs that have AMT from Nehalem processors to the current Kaby Lake's are vulnerable. Even if AMT isn't enabled, it's still vulnerable to a local privilege escalation to ring 0. So all you people that have Celeron or AMD CPUs and got picked on for years, enjoy your moment of schadenfreude.

https://semiaccurate.com/2017/05/01/remote-security-exploit-...


"It says on the page "This vulnerability does not exist on Intel-based consumer PCs." I'm not sure if that's true or not but Intel seems to think you'll be ok."

One thing to remember is that hardware costs money each time they instantiate a new mask set. Integrations cost money, too. That's on top of developing the individual components. So, a common trick in the hardware industry for a product family is to create one product that pretends to be several with a factory switch. Two examples come to mind: hard disks; mobile SOC's as embedded chips. In hard disks, there was at least one instance where vendor had same highest amount of space on all the drives with a switch saying how much to present to user based on what they paid. More profitable since mass producing one platter was cheaper. Another was in machines that people thought wouldn't connect to anything since they just had standalone-ish ARM chips. They actually had wireless functionality one could turn on with the right code. The ASIC guy that told me said he determined with was a chip used in cheap, mobile phones that they probably had a volume deal on and/or surplus. So, they just changed the firmware or something to make it pretend to be something else without notifying users.

Intel's stuff costs vastly more to mask out and verify than the above examples. That means they probably reuse silicon for anything that ends up in a lot of processors while turning some of it off with hardware or firmware switch at factory depending on what people bought. We can't know if any of this remote access is similar. That means that, if you don't want that, you can't trust any Intel CPU's made after that was introduced. Back to buying used multi-CPU boxes with 3GHz P4's. :)

Note: The PowerPC Amiga's like MorphOS suddenly look like they could have a purpose. Beautiful desktop with good performance that's probably not backdoored. Yet.


A big problem is that you cannot trust that the bits you don't want are irreversibly fused off and not just left disabled by the current microcode/firmware. Intel once sold a software switch to enable more L2 cache on a low-end CPU, so you really can't presume that any of their product segmentation switches are truly permanent once they've left the factory.

When Intel indicates that my B250 and Z270 chipsets don't support AMT, it's still quite possible that the ME firmware on those motherboards has the vulnerable code present but not currently running.


In that case, one has to spend extra money on ChipWorks tearing it down to verify that what they saw in other one was removed. There's also companies that sell such equipment.


I have a feeling we'll all know soon enough the exact definition Intel uses for "consumer PCs" and how it differs from the reality of what consumers end up buying.


They're probably referring to which chipset is on the motherboard. AMT is not supposed to be enabled on Z series chipsets but is on Q series, for example. But even on a Z chipset board, you still have Intel Management Engine (ME) firmware.


I know! I have a thinkpad with a 3rd gen core i5 and it has AMT. Once this exploit gets out in the wild it would be only a matter of time before it expands to other Intel CPUs with AMT.


That was what prompted me to post, I didn't think anything used it so I had disabled it on my consumer PC. Only to find later that at least in some situations it seems to be used on "consumer PCs". If I had documentation from Intel on all of its capabilities and uses I might feel better about it. :-) (or not)


I also had an interesting experience.

My Intel network card would not work at all with AMT disabled. It simply refused to work, resetting every few seconds.

I ended up simply using an old Realtek network card, but that’s no long-term solution either.




Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: