Publicly available information about Intel ME (cmu.edu)
78 points by server_bot 11 months ago | 22 comments

I wonder if anyone has given thought to the possible dangers (some of) the engineers at Intel could be in. Intel has created, from my understanding, the ultimate backdoor.

This is something that governments worldwide, large criminal organizations and others would be interested in.

I can't believe I'm even typing something like this! It reads like something from a bad dystopian film. To even have something like Intel ME considered would have been mind-blowing enough. To have implemented it... there are no words.

Putting on a conspiracy theory hat - ME sounds like something that would be mandated of Intel in the interest of national security.

Funny thing, there is some undocumented suspected DoD mode for high certification that disables almost all of it, because it is unverified code.

The list, which is only 6 links and a small part of the blog post, is only a tiny, unrepresentative part of the ME research corpus.

The real title of the blog post is "The Bad Thing"; I'm glad that's not the HN title, but our current one is unrepresentative of the content. Perhaps, "Intel ME: The Bad Thing".

I have had pretty good luck running me_cleaner on various computers - the main difficulty is the hardware access to the SPI flash, but once you have that it's not too difficult, and low risk because you can always flash a backup of the original back on.

It is a bit unfortunate that all we can do is disable some modules or set the HAP bit without knowing exactly what has been neutralized, but it's certainly far better than the extremely limited control Intel provides the user over the ME.

It will be interesting to see if Intel tries to make this more difficult with future iterations (it will certainly be even more suspicious if they do).

TD-Linux deMEed my new T470p (HAP bit and removed many of the modules), went without a hitch.

It's no replacement for a system with a trustworthy firmware, but right now the available choices aren't good.

Misleading information about Intel ME (your ME probably can't access the network and probably doesn't contain a Web server) filtered through black-and-white thinking instead of risk analysis.

Also, this topic has been rehashed to death on HN already.

> your ME probably can't access the network and probably doesn't contain a Web server

> probably

Therein lies the issue. The real objection with ME isn't that it's "proprietary" or "non-libre" or whatever other ideological objections, it's that it's an opaque embuggerance that makes any analysis or reasoning about the system's security/trustworthiness/reliability completely impossible and specious.

It's 10PM. Do you know if your ME has been provisioned by evil malware?

I don't care about whether its source code is public or not, I care about the fact that I have no verifiable and irreversible way to disable that little implant's function. It's not an innocent housekeeping microcontroller, it's one hell of a remote-access-tool, plain and simple. That intelligence agencies have demanded that Intel provide a bit to neuter the ME after its bringup is testament to that.

My personal computer isn't part of an enterprise/corporate network, and I don't want any RAT (nor an auxiliary CPU with network access that is waiting to be provisioned to act like a RAT) installed on it, the same way my house-lock isn't keyed with a master key that the police holds.

> your ME probably can't access the network

Your ME can trivially pwn your OS and can therefore access the network. Moreover, I'd be shocked if the ME couldn't reflash your full firmware. How? By subverting early boot or by subverting SMM. This means that an ME code execution exploit can very likely become persistent. I bet it can also fairly bypass Boot Guard. Secure Boot doesn't help at all.

The upshot being that it's very likely that a malicious USB stick can persistently compromise any modern Intel box in a fairly generic way.

This is bad.

To turn the tinfoil hat the other way though... until recently it would have been trivial for a nation-state to intercept and add a hardware implant to a motherboard.

So on the one hand SecureBoot & ME are terrible, but on the other hand the pre-existing security regime was also terrible.

The ideal would of course be for Intel to be more open about the ME, but who knows if that will ever happen.

SecureBoot is fine actually as long as you can replace the root keys. (It is about as trustworthy as TPM hardware and Intel's SINIT blob, which does not say much.)

I agree that the article doesn't add anything, but accessing the network is a standard function of ME, via its AMT component. One of the leading features and selling points of ME is remote management independent of the OS (i.e., even if there is no functioning OS) - useful for support and for deploying OS, BIOS, and other updates.

Exactly my point: AMT is not included in every ME and your computer probably doesn't have AMT.

Does the 'base' ME not have a number of network functions aside from AMT, e.g. anti-theft, system defense (packet filter), serial over LAN? From what I have read, the ME has the dynamic application loader that can load applets. It would be difficult, but not impossible to re-flash an ME. Are we sure that not having AMT is 'enough?' I can imagine the power of the ME would prove very tempting to talented state-sponsored groups.

It does. Here's example output from me_cleaner.py, which removes non-essential modules and allows you to reflash with modified firmware:

  rbe          (Huffman     , 0x007cc0 - 0x00a380): NOT removed, essential
  kernel       (Huffman     , 0x00a380 - 0x019f40): NOT removed, essential
  syslib       (Huffman     , 0x019f40 - 0x02cf40): NOT removed, essential
  bup          (Huffman     , 0x02cf40 - 0x055d40): NOT removed, essential
  pm           (Huffman     , 0x055d40 - 0x059740): removed
  vfs          (Huffman     , 0x059740 - 0x066880): removed
  evtdisp      (Huffman     , 0x066880 - 0x069300): removed
  loadmgr      (Huffman     , 0x069300 - 0x06dec0): removed
  busdrv       (Huffman     , 0x06dec0 - 0x071700): removed
  gpio         (Huffman     , 0x071700 - 0x0738c0): removed
  prtc         (Huffman     , 0x0738c0 - 0x074c00): removed
  policy       (Huffman     , 0x074c00 - 0x07fa40): removed
  crypto       (Huffman     , 0x07fa40 - 0x09a680): removed
  heci         (LZMA/uncomp., 0x09a680 - 0x09e580): removed
  storage      (Huffman     , 0x09e580 - 0x0a4b00): removed
  pmdrv        (Huffman     , 0x0a4b00 - 0x0a6700): removed
  maestro      (Huffman     , 0x0a6700 - 0x0ab600): removed
  fpf          (Huffman     , 0x0ab600 - 0x0add40): removed
  hci          (LZMA/uncomp., 0x0add40 - 0x0ae600): removed
  fwupdate     (LZMA/uncomp., 0x0ae600 - 0x0b3140): removed
  ptt          (LZMA/uncomp., 0x0b3140 - 0x0c82c0): removed
  touch_fw     (LZMA/uncomp., 0x0c82c0 - 0x133000): removed

Unfortunately we know little about these modules other than their name and size.
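
An added example, not part of the thread or of me_cleaner itself: a small Python audit of a saved me_cleaner module listing in the format quoted above, reporting what was left in place and how many bytes were removed. The function names and the `EXPECTED_KEPT` set (taken from the four modules the quoted run marked essential) are assumptions made for this illustration.

```python
import re

# Sample lines copied from the me_cleaner output quoted in the comment above.
SAMPLE = """\
  rbe          (Huffman     , 0x007cc0 - 0x00a380): NOT removed, essential
  kernel       (Huffman     , 0x00a380 - 0x019f40): NOT removed, essential
  pm           (Huffman     , 0x055d40 - 0x059740): removed
  heci         (LZMA/uncomp., 0x09a680 - 0x09e580): removed
  touch_fw     (LZMA/uncomp., 0x0c82c0 - 0x133000): removed
"""

# Assumption: the modules the quoted run reported as essential are the only
# ones expected to remain after cleaning.
EXPECTED_KEPT = {"rbe", "kernel", "syslib", "bup"}

LINE_RE = re.compile(
    r"^\s*(?P<name>\S+)\s+\((?P<comp>[^,]+?)\s*,\s*"
    r"(?P<start>0x[0-9a-fA-F]+)\s*-\s*(?P<end>0x[0-9a-fA-F]+)\):"
    r"\s*(?P<status>.+?)\s*$"
)

def parse_modules(text):
    """Return (modules, unparsed_lines) for a me_cleaner module listing."""
    modules, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed.append(line)  # surface anything the parser did not understand
            continue
        start, end = int(m["start"], 16), int(m["end"], 16)
        modules.append({
            "name": m["name"], "compression": m["comp"],
            "start": start, "end": end, "size": end - start,
            # Only the exact status "removed" counts; anything else is kept.
            "removed": m["status"] == "removed",
        })
    return modules, unparsed

def audit(text, expected_kept=EXPECTED_KEPT):
    """Summarise a run and flag modules left in place that were not expected."""
    modules, unparsed = parse_modules(text)
    kept = [m["name"] for m in modules if not m["removed"]]
    return {
        "kept": kept,
        "removed": [m["name"] for m in modules if m["removed"]],
        "bytes_removed": sum(m["size"] for m in modules if m["removed"]),
        "unexpected_kept": sorted(n for n in kept if n not in expected_kept),
        "unparsed": unparsed,
    }

if __name__ == "__main__":
    print(audit(SAMPLE))
```
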

In the semi-authoritative book on ME, Platform Embedded Security Technology Revealed by Xiaoyu Ruan of Intel, it says that only AMT can access the network (if I remember it correctly).

The book is three years old, so maybe that's changed. Or maybe the functions you describe are part of AMT. I'd be interested in knowing more.

> system defense (packet filter)

At least that doesn't sound like it needs to transmit.

> anti-theft

What anti-theft service does ME provide?

> What anti-theft service does ME provide?

"Some of the other modules include ... a system for location tracking and remote wiping of laptops for anti-theft purposes." [1] (link to Igor Skochinsky slides).

[1] https://www.eff.org/deeplinks/2017/05/intels-management-engi...

Intel ME is a processor that runs the MINIX operating system. It's the operating system that connects to the network. AMT is a module that is run in the operating system, that uses the network functionality. Although no one really knows for sure, as it's completely closed source and very little "technical" documentation is provided about it.

Every Thinkpad I've run me_cleaner on so far has had the full suite of ME modules loaded.

> AMT is not included in every ME and your computer probably doesn't have AMT.

As far as I know, AMT is on almost every ME implementation, but I'd love to learn more about it. When is it included? What is that based on?

Here's what I know:

1. Every system with the VPro branding includes AMT with remote access (I'm 90% sure of that). Considering the audience here at HN, most of their computers probably are VPro models.

2. Non-VPro models also include AMT, and possibly some have remote access. I recently was working with a non-VPro system that certainly had AMT, but had the Small Business Technology implementation, which purposefully omits remote access.

There's also Standard Manageability, which "appears only on Intel Desktop Boards that support Intel AMT but that do not have a vPro-compatible processor installed"; AFAICT it's an implementation of AMT, and I think it includes remote access. (There are not enough days in the week to sort out Intel's product line, and that was one thing I didn't need to know.)

Until the day you open the wrong Word doc. Or click on the wrong link in email. Or run the wrong game.

Open a resume. Browse from a coffee shop. Click on a link from your bank. Use your phone while on the subway. Play music that you paid for. Cross an international border.
