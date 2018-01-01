You can exfil data and even do practival bi-directional communication over: SOL, IPMI, ASF, MT's ARC CPU via injected firmware and then via TCP/IP. Any of them will work. Add vendor-specific firmware addons on top of that (i.e. Broadcom tends to have exploitable firmware in their NIC controllers)
Most of them are in a vulnerable state by default because the technology was supposed to be 'easy' and 'user friendly', but 'users' don't even know what they are, and most deployments are done by the WinTel horde that doesn't actually know anything outside the Microsoft framework. (and thus leave the defaults as-is)
I probably posted something similar on https://news.ycombinator.com/item?id=11913379
Is it bad? Yes. Is it new? No. Is it ever reported on correctly? Also no.
That's not quite the right question: this is just standard use of a remote management feature which is disabled by default. If you enable any remote management service, which are extremely common on server class hardware and many enterprise desktop devices regardless of vendor, you have to take responsibility for securing the management features you enable.
The only real news would be if this was enabled by default or if the design didn't allow it to be secured.
Read about AMD PSP / ARM TrustZone.
AMT/ME being used by malware created by well-resourced adversaries is no surprise, and is why Intel needed to give an irreversible and verifiable way of completely disabling it.
The article said it comes disabled by default. Isn't this a verifiable way, or is the article incorrect?
If ME firmware not found CPU will shut down every 30 minutes or something. There also way to neutralize some part of ME firmware while keeping system operational, but it's hard to tell how effective this is actually.
Am I missing something?
"An unprivileged local attacker could provision manageability features gaining unprivileged network or local system privileges on Intel manageability SKUs"
https://security-center.intel.com/advisory.aspx?intelid=INTE...
Another way that hasn't been verified since in theory the ARC controller could access other PCI devices anyway, is to install a new ethernet card in a free expansion slot and use that instead. AMT is supposedly only supported with a specific CPU, firmware, PCH and PHY combination. Breaking that chain by swapping one of those components with an unsupported one should work. If you simply don't use any of the AMT-enabled interfaces, it shouldn't be able to communicate at all. Best plug in a chopped off ethernet jack to make sure nobody plugs in a cable by mistake.
I believe there was a 802.11 variant as well, but that might have been before AMT and around the Centrino era. Best disconnect that as well...
And moreover, the article continues with Microsoft can't say if these state-sponsored hackers found a secret way to enable this feature on infected hosts
> When contacted by Microsoft, Intel said the PLATINUM group wasn't using any vulnerability in the Intel AMT SOL interface, but this was another classic case of bad guys using a technology developed for legitimate purposes to do bad things.
Worst excuse ever. "Look guys, at least it's not a backdoor we left on purpose!!!"
Does anyone know about similar AMD vulnerabilities?
The cynic in me thinks that some execs got FISA orders.
How can the consumer stop someone from exploiting this hack?
2) Disconnect from the network. This, of course, won't stop local attacks on the AMT or ME.
This is why I've been complaining about the ME forever. Forcing a privileged black-box that can't be disabled in to every CPU is... not suspicious all.
Even worse are some implementations. I have a Supermicro all-in-one MB that I used in building a home storage server. It has two gig-ethernet ports. About two months ago, I was rearranging around the machine, and when I plugged it back in, apparently I switched the ethernet port plugged in to the switch to the "primary" interface.
And one of the monitors goes off a few minutes later - there's a new network device on my private network. Turns out a web interface to the ME comes up automatically when using the primary NIC - it got a DHCP lease and was happily waiting to be managed - with the default creds ADMIN/ADMIN.
I thought that we had that one figured out, but apparently not. Yes, I should have read the manual for the motherboard, but that's beyond absurd. And, I guess, a good reminder to trust nothing.
IBMs POWER processors are comparable to high-end Xeons and the specifications are entirely open.
I'd love to see a new "Talos" effort in light of recent events: https://www.crowdsupply.com/raptor-computing-systems/talos-s...
[Remove Intel ME](https://github.com/corna/me_cleaner) to the largest extent possible. I don't know of equivalent tools for AMD, though, which also has similar systems in place.
If it's processing power you need, I guess the ASUS KGPE-D16 with Libreboot would to the trick.
As a laptop - X200, X200T, T400, T400s, T500, etc.
You can find a list of vendors here: https://libreboot.org/suppliers.html
In fact, SGX is probably the only way to get some semblance of a defense against compromised ME and SMM code. There's even a number of open source projects that use it (e.g. [0]). To be even more dramatic, not every acronym Intel comes up with is Pure Evil.
[0]: https://github.com/ayeks/TresorSGX
If it does only get locked to a few code authors, that would be a tremendous shame.
*then came uefi.
hoop-jumping never a problem with the i.t. market. more complexity is fine so long as managed by someone else. only the sales pitch needs to be simple.
why is it unfathomable that users could only trust themselves and other users? continual push toward more complexity helps keep users from ever believing this is achievable.
Sure, it'd let you be a bit sloppier with randomware, not needing public key crypto to make it all work. Not really a huge deal.
If something like SGX become publicly available then a lot of proprietary software and content manufacturers going to use it for DRM purposes. So efficiently it's will be everywhere.
Now imagine that every company can put sleeping backdoor in their software that can't be found by reverse engineering. Then they can activate it on demand for purposes of industrial espionage. Or they can simply ship own version of backdoor to ever customer and then pretend it's was some "bug" when someone detected it's activity.
Yeah it's could be detected when it's start to be active, but it's doesn't have to. It's could be idle on PC for years undetected just waiting for remote command, trigger or special payload just for you.
PS: Also fact that secure enclave itself can't access system API mean nothing because half of software already have interpreters in it as well as frameworks for every possible activity bad or good.
"Intel AMT SOL technology" - a most ironic acronym for this situation...
So they exposed millions of consumer and business computers in order to satisfy a niche enterprise usecase? Why is this not something that has to be manually turned on?
Intel ME has always sounded like a glaring security risk. Another operating system running in the background that can run it's own network stack? This is 100% being exploited by intel agencies.
The former, probably not.
The latter probably have something similar --- and they're even less publicly documented than Intel ME/AMT or AMD's equivalent.
AMT and AMD's equivalent (don't remember the name) has been a holy grail for security researchers and malware authors alike for many years. People have been begging Intel for a very long time to make business-tier chips without remote access capabilities.
For personal computing, at least we have enthusiast chips. For example, my i7 K model lacks the technology.
EDIT: AMD's remote tech is called Platform Security Processor (PSP). Thank you, jacquesm!
Yes. But somehow, any time anyone brings up wanting a device without one, people start poo-pooing the idea. "Just don't use it." "That's paranoid." "Just another CVE, yawn."
In a ton of discussions over the years, I have yet to hear a single plausible, benign reason for why the ME's 30 minute timer must be impossible to disable by the owner of the chip.
It's not really new that Intel and AMD do binning to get more yield.
According to ARK [0], vPRO is absent. I have done various other system queries and nothing has turned up.
Anything else you want me to query? And where do you get this information that ME is present in all chips? Having a motherboard that supports ME is irrelevant, if the chip has no ME.
[0] https://ark.intel.com/products/88195/Intel-Core-i7-6700K-Pro...
sudo intelmetool -s
Im pretty sure Intel BootGuard is ME based
My working theory however is that since my chip lacks vPRO / AMT and I have not been able to find any indication it exists on the chip even in a dormant state, there may be more than one prefab used for binning.
However they could be using the same prefab for all.
Thus, "AFAIK".
Same questions apply to you. This is something I would like to be proved wrong on, as I don't want a false since of security.
PSP: Platform Security Processor
