Intel platforms from 2008 onwards have a remotely exploitable security hole

semiaccurate.com

506 points by theSoenke 9 years ago · 189 comments

AdmiralAsshat 9 years ago

The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware.

We knew this would happen. We knew that the Management Engine was a backdoor, and we knew it was only a matter of time before someone would figure out how to exploit it. This is exactly the reason why Libreboot exists (https://libreboot.org/faq.html#intel). And now, far from being the tinfoil hat distro that is often portrayed, it will become a bare necessity.

  • SEJeff 9 years ago

    This is also what the management engine cleaner project is for:

    https://github.com/corna/me_cleaner

  • frik 9 years ago

    Let's hope one of the other CPU manufacturers (e.g. AMD) starts supporting LibreBoot and allows officially disabling the ME-equivalent hardware feature, so that Intel gets forced by market pressure to follow.

    Intel needs more competition - thanks to AMD's latest new 8-core CPU, Intel got forced to release a new CPU they had in their basement for years - suddenly it's possible for them to release i7 notebook CPUs with more than two cores!! Even back in 2010 it would have been viable to produce 4 core notebook CPUs - but they went away because they had no competition.

    • dewyatt 9 years ago

      That was the top request in their March AMA:

      https://www.reddit.com/r/Amd/comments/5x4hxu/we_are_amd_crea...

      I wouldn't hold my breath, though.

      • i336_ 9 years ago

        The sad thing with that is that

        - releasing the source doesn't tell you what's on the chip.

        - PSP is kind of "Ring ∞", so there would be no good outcome from providing general-purpose access to it. So, the keys will never be released.

        - it's thusly not possible to map the signed (encrypted) firmware to the source.

        - even if the source had a clearly documented "master off" in it, you can never know if the firmware's copy reads "master-except-if-A-and-B-say-C off" :(

    • semi-extrinsic 9 years ago

      What are you on about? I had a 4-core i7 in my laptop back in 2013, an i7-3920XM IIRC:

      https://ark.intel.com/products/64887/Intel-Core-i7-3920XM-Pr...

    • kbenson 9 years ago

      > suddenly it's possible for them to release i7 notebook CPUs with more than two cores

      I'm not sure what you mean by this. My Dell XPS 15 has an i7-6700HQ which is quad core, and it's not like I just bought the thing.

    • inetknght 9 years ago

      > release i7 notebook CPUs with more than two cores

      U-series i7s have two cores. HQ-series i7s have four cores. Both are mobile CPUs. Remember though that more cores generally means more power consumption which generally means less wallclock time on battery power.

      • Roritharr 9 years ago

        Intel's U-8XXX CPUs are rumored to offer 4 cores with a variable TDP from 18-45W this autumn.

        It's my tinfoil hat theory why MS waits for an earnest update on their highend Surfacebook. A high-end quad-core Surfacebook with a 10-series GPU and 32GB LPDDR with real Thunderbolt 3 Ports would make for a 13" dreammachine...

    • yread 9 years ago

      first mobile quad cores were sandy bridge released january 2011

  • cryptarch 9 years ago

    I'm having fun, I finally have an excuse to dust off my Libreboot X200 (refurbished and modded Thinkpad with Libreboot firmware).

    However, I strongly disrecommend buying from Leah Rowe unless you enjoy waiting months for payment confirmation and delivery. The worst webshop experience I've ever had.

    I recommend you build/flash your own, contract it out or look for a different vendor.

  • BrainInAJar 9 years ago

    If the verilog to the chip isn't open, you can't trust it. Stallman is dangerously wrong on this point.

    • mschuster91 9 years ago

      Somewhere you have to externalize trust. What use is the open HDL code for a chip if you cannot be sure someone down in the manufacturing chain hasn't... modified it?

      Certainly this kind of attack is not your average script kiddy but nation-level instead, but I wouldn't put it past the NSA to pull this off.

      • BrainInAJar 9 years ago

        Correct, you do need to externalize trust somewhere, but the Richard Stallman level of "chips are ok but firmware is not" is not the correct place for it.

      • SkyMarshal 9 years ago

        If only we could checksum the commercial hardware and compare it to a reference implementation checksum.

Sephr 9 years ago

> For obvious reasons we couldn’t publish what we found

It's not obvious to me why anyone not under an NSL or NDA would sit on this vulnerability for 5 years and wait until it's actively being exploited in the wild before public disclosure.

It's extremely negligent to global security for SemiAccurate to not immediately publicly disclose the vulnerability 5 years ago after Intel refused to fix it. Of course this is ignoring the root of the problem, which is that the US government has deeply compromised Intel since the very first security management interfaces were added to Intel chips in the early 90s.

The real solution to the root issue is legislation that forces security disclosure timelines of 90 days or less for government-found vulnerabilities, and prevents the stockpiling of vulnerability exploit kits.

  • Animats 9 years ago

    That seems strange. Since it's a security hole you can exploit on your very own Intel computer, there's no issue about "hacking" into someone else's system. Researching this is legally safe. There should have been a Defcon talk and a CERT advisory years ago.

  • gtirloni 9 years ago

    It gets more confusing because Intel is crediting Maksim Malyutin from Embedi: https://security-center.intel.com/advisory.aspx?intelid=INTE...

    > Intel would like to thank Maksim Malyutin from Embedi for reporting this issue and working with us on coordinated disclosure.

    • jacquesm 9 years ago

      I interpret that as SA got wind something like this was going down, guessed some of the details and possibly forced Intel to disclose but they didn't actually find anything themselves nor do they have the details. Which explains why Intel credits someone else and they overplayed their hand by claiming that either ME or VPro are breached when it really is AMT. (Bad enough...)

  • dantiberian 9 years ago

    This was my thought too as I read it. If they didn't feel they could handle the disclosure, Google Project Zero could have been a good recipient to report to Intel.

  • wmf 9 years ago

    One wonders if they knew of this particular vulnerability 5 years ago or they just knew that there must be vulnerabilities lurking in the ME somewhere.

tomku 9 years ago

Is there a better source for this than SemiAccurate? The article doesn't really have much beyond self-aggrandizement and "we can't tell you any details, but you're screwed". For something that could be anything from "Charlie Demerjian heard a rumor about a ME patch and wanted some pageviews" to the actual security apocalypse, I'd like credible sources.

  • milcron 9 years ago
    • mirimir 9 years ago

      From the Intel advisory:

      > There is an escalation of privilege vulnerability in Intel® Active Management Technology (AMT), Intel® Standard Manageability (ISM), and Intel® Small Business Technology versions firmware versions 6.x, 7.x, 8.x 9.x, 10.x, 11.0, 11.5, and 11.6 that can allow an unprivileged attacker to gain control of the manageability features provided by these products. This vulnerability does not exist on Intel-based consumer PCs.

      If in doubt, you can check your CPUs here:

      https://ark.intel.com/#@Processors

    • tomku 9 years ago

      I'm glad that credible sources are now available. It's unfortunate that it took so long to confirm, but congrats to SemiAccurate on a massive scoop.

      Edit: On the previously-mentioned scale, this sounds like a solid 8 or 9 out of 10.

  • na85 9 years ago

    Credibility issues of the author/website aside, I actually hope this is true, and I hope it's catastrophic for Intel.

    Maybe then we'll finally see hardware companies taking security seriously.

    • finnn 9 years ago

      I'm worried that it's true and it's not catastrophic for Intel. Aka show to the world that you can get away with BS like this.

      • freehunter 9 years ago

        The fact that people can stay behind platforms, companies, and technologies that are proven to be so inherently insecure that they can never be trusted just boggles my mind.

        Adobe Flash has a new zero-day every week, but we were saddled with it for years past when it should have been retired because some people didn't want HTML5 to have feature-parity with Flash.

        Java has a new zero-day every week but we're stuck with it because enterprises are afraid of trying something new.

        Windows was wide open to attacks for years, but they got away with it by saying "yeah but Apple is so expensive" and people still parrot that. They said "yeah but Linux is stolen technology/doesn't work right" and people still parrot that.

        Android has a new malware/exploit warning every week, the majority of the phones never see security updates, and are running outdated software the minute they're shipped to stores but people say "yeah but Apple is so expensive/locked down" or "Windows Phone doesn't have any apps".

        I have friends who lost their credit card numbers at Home Depot but refuse to shop at Lowes because they don't like the NASCAR driver that Lowes sponsors.

        People get so caught up in brand loyalty that they're willing to defend "their" company like it's a family member. Even among the tech community, security means nothing. We still use Android phones to get root access, we still use Windows to save some money on our laptops, we still program in PHP because it pays the bills.

        Nothing will ever be catastrophic enough. Anyone can get away with it just by creating an "us vs them" mentality with their customers.

        • mike_hearn 9 years ago

          > Java has a new zero-day every week

          No it doesn't. The last one was in 2015. Before that I think there was a two year gap to the prior one. Zero days in Java are actually very rare these days.

          That doesn't mean bugs are rare - like any large piece of software Java gets regular security patches, but those are flaws found by the developers themselves rather than attackers, so they aren't zero days.

          • freehunter 9 years ago

            I think it's implied that "a new X every week" is always going to be hyperbole. I'm intentionally overstating the point so someone just like you could hop in and prove it better than I ever could.

            Remember in 2012 when Apple stopped shipping Java with their browser because it was so insecure?

            • dmichulke 9 years ago

              Upgrading Java 5 minutes, 0 $

              Upgrading your CPU 2hs, 300$

              Having no secure CPU to upgrade to: priceless

        • phkahler 9 years ago

          >> People get so caught up in brand loyalty that they're willing to defend "their" company like it's a family member.

          Long ago I read something about that. The psych came down to the (false) idea that changing brand would confirm that you were wrong. The example was that even if Ford made better cars back in the day so you're a diehard Ford owner, if their quality demonstrably falls behind and Chevy is demonstrably awesome today you still won't change! And that's a case where your prior decision was actually right. So people have these weird internal notions that 1) companies' value doesn't change over time, 2) their value doesn't change in light of new evidence, and 3) My own value is somehow tied to making a "correct" decision in spite of cognitive errors #1 and #2.

          People are stubborn, and that's being kind about it.

        • tormeh 9 years ago

          >Java has a new zero-day every week but we're stuck with it

          Well, Java applets did die. What more do you want? The Java sandbox is only used by extremely legacy software at this point, so it doesn't matter if it has holes in it. Actually, the more holes the better, so we can get rid of the last holdouts.

          • umanwizard 9 years ago

            Java is the most widely-used programming language in the world. Applets are an insignificantly tiny drop in the bucket of what Java is used for.

          • alasdair_ 9 years ago

            Java is consistently listed in the top three (and often #1) languages in current use.

    • thraway2016 9 years ago

      IME is likely not a case of Intel "not taking security seriously". It's almost certainly a case of doing what FiveEyes demanded of them.

      • na85 9 years ago

        You're probably right.

        I still hope it's true, and that it's catastrophic for Intel. No change can happen otherwise.

        If Intel aren't fighting against 5eyes then they aren't taking security seriously.

      • nyolfen 9 years ago

        this was my first thought as well, but surely there would have been some hint of it in snowden docs or the recent wikileaks cia malware docs?

    • mediocrejoker 9 years ago

      I'm not familiar with the author. Can you elaborate on the credibility issues?

      • wmf 9 years ago

        Charlie Demerjian is a massive hater. That doesn't mean he's wrong, but everything he writes about Intel or Nvidia has a negative slant.

  • Natanael_L 9 years ago

    There's eventually going to be one when it is officially published by Intel, but that seems to be months away right now.

    • tomku 9 years ago

      No, that's not how sources work. You don't get to use your assumption that the article is accurate to assert that it will eventually be proven accurate by other sources. That's circular reasoning.

      • walterbell 9 years ago

        If the article's claims are true, all sources (e.g. OEMs with access to a fix) should be under NDA, https://twitter.com/cdemerjian/status/859096565033693185

        • tomku 9 years ago

          ...and if the article's claims aren't true, there wouldn't be any sources to confirm the claims at all. The evidence we've been presented with so far (no sources) is consistent with both possibilities. When you make a claim as big as SemiAccurate did, it's on you to provide sources to back it up. If you can't present any kind of proof, you don't have a story, you have a rumor.

          • walterbell 9 years ago

            The article claimed:

            > That is the end of June for non-Intelspeak people, they will officially issue this guidance then along with OEM disclosures.

            We'll know in two months whether the above claim is true or false.

            • tomku 9 years ago

              My prediction: At the end of June, Intel announces a fix for a minor non-RCE bug in the LAN code of Intel ME. SemiAccurate proudly and inaccurately announces that it confirms their previous reporting and adds it to the list of things to mention every time they write an article about Intel. There is no follow-up Hacker News thread with 100+ comments, so most of the people who posted here continue thinking that there was a major RCE in Intel ME that we just haven't heard about because it was covered up.

              Edit: Already proven wrong! We're headed for interesting times.

          • tchaffee 9 years ago

            Then it's a rumor. One you probably want to keep your eye on. Which was the whole point of the article anyway.

        • CodeWriter23 9 years ago

          Devil's Advocate here, so you are assuming there is a perfectly secure software implementation in this world, and only Intel has it for their Management Engine? I get your point, SemiAccurate may or may not have an exploit, but I think it goes without saying there is a security hole somewhere in the ME, it just is not publicly known at this point.

  • codedokode 9 years ago

    If Intel released a firmware update, then anyone can compare this update to a previous version and see what has changed.

    • tomku 9 years ago

      That's harder in practice than you make it sound. Firmware updates for Intel ME are handled through OEMs, it's not a file that Intel publishes that an interested person can go to their website and download. The article claims that such a patch has been released to OEMs but is being kept under wraps, which might make it hard to determine when it actually ships in a downstream update. Even if you have a file that you know contains the binary blob of updated firmware, reverse-engineering it to determine what it does differently compared to the previous version is very much non-trivial.

      • Zuider 9 years ago

        CPU firmware patches have also been released through Microsoft update, and Windows computers may well be patched on the fly in this way. I suppose it would be possible to download the update individually and examine its contents, but, as you point out, it would be extremely difficult to work out what it was doing.

  • davidgerard 9 years ago

    Is there a better source for this comment than "I don't like Charlie Demerjian"?

  • Jan_jw 9 years ago
    • tomku 9 years ago

      That is not a source that confirms SemiAccurate's claims, it's a nearly decade-old paper (~2008-2009) describing an attack against a completely different security feature. The "System Management Mode" described and attacked in the paper is unrelated to Intel ME.

    • milcron 9 years ago

      What is the publication date of this?

jackhack 9 years ago

>>every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware.

>>there is literally no Intel box made in the last 9+ years that isn’t at risk

>>SemiAccurate has been begging Intel to fix this issue for literally years

Am I the only one who is so cynical to think it must have been deliberate? Intel dragging their feet for YEARS -- what could justify such a delay? The paranoid side of me asks "Were they waiting to patch this hole, until they found a different one that could be utilized?" Which begs the next question: Where is the NSA in all of this? It's the sort of thing that would be mighty handy to a group wishing to snoop on everyone and everything?

Last question: Why would anyone trust the encrypted management engine after this? (Why would anyone trust it before?)

>> What about embedded devices that are increasingly PC based? Digital signage perhaps? Industrial controls. HVAC. Security systems. Flight controls. Air traffic controls. Medical devices.

What, indeed? Is this the method used to interfere with Iran's nuclear program centrifuges?

  • HelloNurse 9 years ago

    Extending the attack surface in the name of alleged convenience seems more a plan to enable hacking than a reasonable design and marketing approach for microprocessors. IoT fanboys with an urge to make home appliances remotely exploitable might be in good faith, but Intel is smarter than them.

  • regularfry 9 years ago

    Believe incompetence before malice, and I'd stick economic incentives somewhere in the middle.

    The discussion probably went something like:

    Person 1: "Should we issue a recall and disable a feature which bought us a several billion dollar customer?"

    Person 2: ...

    • sixothree 9 years ago

      In this day and age the choice between malice and incompetence seems to fall more on the malice side.

  • unexistance 9 years ago

    reminds me of CIA's Simple Sabotage Field Manual[0]

    [0] https://www.cia.gov/news-information/featured-story-archive/...

krylon 9 years ago

As a sysadmin at a Windows shop, I don't know what to make of this. Has Intel commented on this, yet? Any OEM?

Joanna Rutkowska, who is a renowned security researcher, warned of something like this happening sooner or later[1], so I don't think I can afford to just ignore this.

But without something more specific to act on, there is nothing I can do, except wait for firmware updates to be released by various vendors. If that happens.

And what if Intel does make a statement that essentially says, "This is all total BS"? I wouldn't know whether to believe them or not.

The only scenario where I could have any degree of certainty would be if Intel came out and said, "Yeah there's an exploitable security hole in ME, here's a patch to disable it".

[1] http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

_wmd 9 years ago

Zero details and zero cross references, zero mentions on Google and zero mentions in any security list I'm on. Charlie blowing nonsensical steam yet again?

  • resoluteteeth 9 years ago

    The article implies that they have been privately trying to get Intel to fix it, so there is no reason it would have been mentioned publicly anywhere.

    Now a patch is coming out but Intel is still trying to keep it quiet, so he's trying to warn people to disable AMT and be ready to apply patches ASAP.

    Presumably he didn't even want to disclose the existence of the vulnerability publicly until there was some sort of fix, and he still won't want to disclose details before the fix is released.

    Of course, you can doubt the veracity of this story, but I'm just pointing out that there would be no reason to expect details, cross references, or mentions on Google or security lists yet if it is true.

    • tomku 9 years ago

      If Charlie was a security researcher and SemiAccurate was a well-regarded security firm, I would not expect details or cross-references or mentions on security lists. Charlie is not a security researcher, he's a journalist, and SemiAccurate is the tech equivalent of a supermarket tabloid. He is not a credible primary source for anything security-related, particularly given SemiAccurate's reputation for publishing rumors as facts.

      None of that means he's necessarily wrong, just that you should be very careful about believing his claims without supporting evidence. A lot of people here on HN have thought that a remote ME exploit was only a matter of time, so an article claiming to validate that belief will not get as much skepticism as it should.

    • ajdlinux 9 years ago

      It does seem suspicious to me that this hugely critical flaw deep in the firmware stack has been discovered by the writing staff of a tech news website rather than an infosec research team...

      • tyingq 9 years ago

        The article sort of reads like he has thought (not known) there was an issue for a long time.

        Then, he saw that Intel released a patch related to the management engine, and took that as confirmation? Maybe he has access to the release notes via a source at an OEM?

        • Natanael_L 9 years ago

          He got the affected version numbers exactly right, but according to Intel he got the affected hardware wrong (consumer hardware unaffected).

          That tells me he got the information from an unmentioned source. If he had the details himself he would be able to confirm what hardware it is present on by testing it.

          The explanation for that error could be that the source has been vague about it or not tested it on a lot of hardware, or isn't even a firsthand source, or that the journalist misunderstood it.

          https://security-center.intel.com/advisory.aspx?intelid=INTE...

          • tyingq 9 years ago

            Ah. To be fair, that intel.com link is confusing, because it sends you off to see if you have "Intel® vPro", which is certainly on consumer hardware, like various i5 and i7 systems. Which does not jive with the earlier line "This vulnerability does not exist on Intel-based consumer PCs". It sort of depends on your definition of consumer hardware.

            Overall, though, it does seem to validate the sequence was something like "he had a suspicion" then "intel released an update".

    • throwaway91111 9 years ago

      Is there any way to avoid the patch and reverse engineer it to "root" ME and cripple it?

      I'd guess this would be of a lot of interest for "hacker" news; I want to sign my own damn firmware.

  • some1else 9 years ago

    Yes. It is his uncontrollable urge for getting thousands of corporate IT admins to disable the Management Engine, at it again.

  • yxhuvud 9 years ago

bnmathm 9 years ago

FTA, Intel confirms? https://security-center.intel.com/advisory.aspx?intelid=INTE...

electic 9 years ago

I think it is high time for companies who make hardware to be financially fined for lapses like this. In this particular case, the manufacturer was warned and did nothing for years.

This is negligence especially considering these chips control critical devices that can cause damage or even loss of life if they are successfully exploited.

Can you imagine if a car maker didn't fix a hardware defect they knew about for years? Oh wait...

tomc1985 9 years ago

What is the motivation behind Management Engine?

From the perspective of an everyday user these things came out of nowhere to evolve into this para-computer running alongside me that I cannot see and have no control of. It is on literally ALL hardware.

Why is it that any attempts to disable it knock your whole computer out?

And this is the world of technology that we want? I'm so sick of technology companies appearing to work for their customers but secretly working against them.

  • jnwatson 9 years ago

    The functionality ME attempts to provide is lights out a.k.a. out-of-band management (like IPMI) to the desktop.

    If, for example, an admin needed to add a dual-boot-to-Ubuntu option to every PC on a floor, he could, through ME, remotely reboot (force power reset if necessary) or power on every machine, have the machines boot to a (remote) OS install disk, run the install, and reboot.

    ME allows one to do almost anything remotely to a PC, regardless of what the main processor is doing. That is both useful and frightening.

    • tomc1985 9 years ago

      Fine, but putting it on all hardware?

      How many corporate IT environments buy off-the-shelf motherboards and CPUs from the same channels as consumers? OEMs get an entirely different set of parts and enterprise sales works in completely different channels. If there is such a clean separation between corporate and consumer markets then why is this hardware on everything, and why does it need to pull power on the machine if it's disabled?

      • DrPizza 9 years ago

        It isn't on all hardware. Intel has two ME firmwares, a small one for consumer systems, and a big one for corporate/enterprise systems. The small one does not (or at least, should not; is not supposed to) include the remote management features.

        In other words, the separation that you describe exists.

        Systems with the full firmware sport things such as the vPro branding, and only certain combinations of CPU and chipset support it.

        • tomc1985 9 years ago

          AFAIK the consumer version still kills the system if it's disabled?

        • tyingq 9 years ago

          I'd be careful with assumptions on what "consumer hardware" means. There are desktops, NUC units, etc, that shipped with i5 and i7 chips that had vPro.

          • DrPizza 9 years ago

            Even with the CPU, you also need the right chipset and the right firmware to actually light this stuff up. While especially in the laptop sector there are consumer devices that include this, it's far from universal.

    • phkahler 9 years ago

      Can't all that be done from the main OS? Repartition, modify the boot stuff, reboot from an image in a new partition, etc... Why did they need to add another processor with closed source and all the potential security issues?

      • jnwatson 9 years ago

        You can't change the boot media or turn on a turned-off machine via the OS. The whole point is to get underneath it, so you can even do initial OS install with it.

        • deathanatos 9 years ago

          It might not be trivial, but you can do this w/o the ME. My understanding is that most ethernet cards support a "Wake-on-LAN" feature to turn off machines on, and from there you can trigger the machine to reboot and then netboot (by writing to its boot config to instruct whatever boots it that it should take that action).

          Even if you assert that the ME is absolutely necessary for such a use-case, I don't have that use case, it isn't worth the risk for me, and I should be able to disable the ME because I, as the owner of the machine, want to. (Or really, otherwise interact with it and use it for creative use-cases.)

  • codedokode 9 years ago

    I think the problem is not that this technology exists but rather that the operation of this engine is not transparent, the user cannot examine or disable the software in this engine, cannot write his own software.

    • Slackwise 9 years ago

      IME should exist on an external TPM chip so it's only for those that want it, like enterprises.

      I really don't understand why they would just shove it into every chipset out there. I understand it needs to get its claws all over the system, but the core should be external and optional.

  • thunder-ltu 9 years ago

    "There is anything to worry about if you have nothing to hide" /s

joatmon-snoo 9 years ago

/r/netsec link: https://www.reddit.com/r/netsec/comments/68lqzq/remote_secur...

devy 9 years ago

> Security is a cost center and most OEMs run on margins too thin to bother with security patches even if they cared. Most simply don’t care.

I think that sums up pretty well why downstream vendors are treating security casually. So the billion dollar question is, how do we fix this, as a tech community?

  • thraway2016 9 years ago

    This is an unpopular position, but approaches like BrickerBot are likely to be effective.

  • dom0 9 years ago

    OEMs are not involved at all with ME afaik, it's exclusively controlled by Intel.

    • wmf 9 years ago

      OEMs have to ship ME firmware updates; Intel has no way to get them to you directly.

      • cynix 9 years ago

        Can't they install an update remotely via this vulnerability? :p

        • etherealG 9 years ago

          No joke, this would be the best thing for everyone. Especially if we find a way to do it ourselves rather than wait for a vendor to.

          I've been thinking for years about writing a virus that patches the vulnerability it used to spread as it goes.

  • 5ilv3r 9 years ago

    Open architectures are a solution, even if there is no single common solution. Diversity is something we have been missing since windows became popular, and although security through obscurity is not a strategy, diversity certainly serves well at limiting the scope of damage possible for a single attack.

  • na85 9 years ago

    I'm not sure the tech community is able to fix this, short of the brickerbot mentioned by another poster. Frankly, I think this situation will only resolve if and only if there are dire financial consequences to OEMs that pay lip service to security.

lurker456 9 years ago

Great news that this finally came to light.

After learning about remote management capabilities I've always suspected it had holes. Large attack surface, any exploit would have a high value, and closed source.

Perhaps one day we'll be able to buy CPUs without this "feature". I'm betting AMD and ARM are in the same boat.

  • LeifCarrotson 9 years ago

    > After learning about remote management capabilities I've always suspected it had holes. Large attack surface, any exploit would have a high value, and closed source.

    Even after reading this, I'm still not convinced it does have holes. It's so high value (pervasive, incredibly powerful, and old) that if it were possible a bad actor would have used it. The spectrum of possibilities is small:

        1. The hole does not exist, but SemiAccurate thinks it does.
        2. It exists, but only SA has discovered it.
        3. SA discovered it along with a few bad actors, who are using it surreptitiously and haven't been caught.
        4. It's being used all over the place, it's a widely acknowledged security disaster.
    
    We're not in state 4. The article suggests we're in 2 or 3. 2 seems unlikely - SA does not have special abilities that transcend those of other security research firms. 3 seems especially unlikely: with this much power available, and with the hole being patchable, could they resist using it? Which leaves option 1.

    • tomku 9 years ago

      SemiAccurate isn't a security research firm, it's a tech news blog. There's basically no chance that they've discovered anything. If there's an exploit, they would've had to have heard about it from either a source inside Intel or an actual security researcher of some kind.

    • fulafel 9 years ago

      There are many high profile targets where "if it were possible a bad actor would have used it" has been proven false. See recent publicity about vulnerabilities in printers, antivirus products, etc.

    • lurker456 9 years ago

      Why would 3 be unlikely? The Snowden leaks indicate that 3 letter agencies will use high value 0-days sparingly, to ensure they remain 0-days.

      Also, there is a 5th (more likely) possibility: SA didn't find anything, but undiscovered holes do exist.

    • Natanael_L 9 years ago

      https://security-center.intel.com/advisory.aspx?intelid=INTE...

      5. Somebody else discovered it and told SA. No idea why them rather than telling anybody else.

  • tomc1985 9 years ago

    They are. AMD TrustZone runs an ARM core alongside your computer. I've also heard a lot of ARM SoC platforms have something similar.

kartan 9 years ago

"It is this last point that has been causing some political unrest in the US, and the rest of the Western world. As you undoubtedly know, China is very nearly the sole producer of all electronic goods. It would be very, very easy for the Chinese government to slip a hardware backdoor into the firmware of every iPad, smartphone, PC, and wireless router." 2012 https://www.extremetech.com/computing/133773-rakshasa-the-ha...

Made in China, designed in the USA. Everyone wants their own backdoor.

discreditable 9 years ago

Patching is going to be a nightmare considering that many OEMs drop support for a motherboard after 3 years. There will be unpatched systems floating around for a very, very long time.

imode 9 years ago

I've got a Lenovo T530 and a Lenovo T450s. I wonder if they've released a firmware update yet...?

I can't say I'm surprised, but I am surprised at the fact that finally, after all these years, someone finally got down to patching some vulnerabilities in this area.

Props to whoever forced Intel's hand.

  • ymse 9 years ago

    One nice feature of (some) Thinkpads is that the AMT and ME can be "permanently disabled" through the BIOS, presumably by blowing a fuse or similar. Check if yours has this capability.

    Otherwise check for updates at http://pcsupport.lenovo.com.

    • pasbesoin 9 years ago

      Hopefully, someone can speak further to whether this is a real mitigation and what "permanently" and "disabled" really mean, in this specific context.

      I don't mean to sound oppositional. I appreciate this being mentioned.

      I'm just not willing to trust it without knowing in detail that and how it works.

PhantomGremlin 9 years ago

Can anyone add any details? The article is very very vague. Doesn't this work thru the Ethernet port in the chipset silicon?

So if you're running a desktop that has a physical Ethernet card in it, and the Intel Ethernet isn't connected, are you OK?

And if you're running on a laptop that uses Intel's Ethernet, (and most of them do?) then are you vulnerable?

shdon 9 years ago

Worrying about the ME and my dislike of secure boot is what has kept me from upgrading beyond the Core 2 Duo with BIOS. It's starting to feel slow now, but I still don't feel I can upgrade unless there is at least a way to disable the ME. So far, there don't seem to be any reliable methods of doing so.

snackai 9 years ago

Even without any newly discovered backdoor. The Intel ME was always a fuing security issue. A BACKDOOR. It is completely naive to think the NSA can't use the ME to get access to anything, but hey it needs another Snowden for people to listen again.

akeck 9 years ago

Intel ME always reminds me of the saying, "Absolute power corrupts absolutely."

mtgx 9 years ago

Relevant discussion:

https://news.ycombinator.com/item?id=11913379

thrilleratplay 9 years ago

For those who cannot switch to Libreboot, https://github.com/corna/me_cleaner may be a solution to this issue.

pmoriarty 9 years ago

What is the management engine, and how does one access it remotely?

  • woodrowbarlow 9 years ago

    it's a closed-source binary blob on intel chipsets with unfettered access to the CPU. it is also (often) directly connected to the RJ45 port.

    here's a good overview of the risk: http://hackaday.com/2016/11/28/neutralizing-intels-managemen...

    • pmoriarty 9 years ago

      So if you don't use the RJ45 port on the motherboard but instead use an RJ45 port on an expansion card instead you're safe?

      • mschuster91 9 years ago

        Partially. Expansion cards use PCI-E which has DMA capability, so a bug/backdoor in their firmware can very well be used to attack a system.

        But I believe newer systems with MMUs acting as "firewalls" for DMA are safe from this vector.

        • woodrowbarlow 9 years ago

          there's also the concern of physical attacks, via the motherboard's RJ45 or USB.

          • mschuster91 9 years ago

            At least USB doesn't have device-initiated DMA, but USB descriptor parsing bugs have in the past led to exploits (I remember the PlayStation jailbreak).

          • pmoriarty 9 years ago

            A good argument to epoxy those ports shut, if you're really worried about that.

drudru11 9 years ago

Does this affect an Apple MacBook?

  • muricula 9 years ago

    Assuming that what the author says is true and there is a local exploit for non-enterprise versions of the Intel ME, then yes.

  • astrodust 9 years ago

    If it does, can EFI patch it out?

pinewurst 9 years ago

It'll be interesting to see how Intel deals with it.

Looking at the recent Atom failures (with vendors told in no uncertain terms to present publicly as generic "timing component" failure), will they even admit it's an ME thing?

metalliqaz 9 years ago

The way this article is written leads me to believe that it is not entirely accurate.

cryptarch 9 years ago

Now that this less-mainstream theory about the precarious state of our communication systems has been confirmed to a greater degree, would anyone here know of similar risks that few seem to be aware of right now?

I'm not sure if this would be considered OT, but considering the nature and scope of these vulnerabilities I don't consider it reasonable to exclude the possibility of intent and malice.

For this reason I'd like to ask: what do you consider to be "the next, most likely to surface, conspiracy of this flavor"?

The flavor being: "the struggle for control of any and all data and computational resources".

irl_ 9 years ago

I have a Sun workstation that seems to be no longer supported by Oracle (Sun Ultra 24 with a Q9300). I guess I'll just be vulnerable forever.

I don't really know what AMT does, but this has me thinking, if AMT is provisioned while a machine is used inside a company and then that machine shows up on eBay still provisioned, is it going to be phoning home and still be remotely manageable? How many of these machines have what are essentially persistent rootkits managed by large corporations that have had large fleets of laptops/desktops deployed that are then sold on?

zyordz 9 years ago

I'm a total n00b to how this stuff works, but I can't seem to find any information for this sort of stuff online. I have an Intel CPU with a Gigabyte Motherboard and BIOS. If I'm running Linux without a GUI (headless) is this something that I have to worry about? If so, how do I turn it off? I don't see any options for the Intel AMT or ME in my BIOS settings.

EDIT: I have a Core i3-4130T. Looks like it doesn't have vPro so I'm hoping I'm safe?

SomeStupidPoint 9 years ago

My ignorance is showing, but what product lines are impacted?

Obviously things like Xeons and Core iXs, but what about things like Atom processors in tablets?

  • yjftsjthsd-h 9 years ago

    The post appears to claim that literally everything is affected, albeit probably only locally exploitable. I think that's what it means at least.

    • SomeStupidPoint 9 years ago

      It claims that things with IME are (which I'm not sure if Atom has), and lists a series of architectures of which Atom isn't part. (Its architectures have different names.)

      It's ambiguous if the Atom line (and which portions) might be impacted, and I would prefer someone comment directly on if Atom has ME and if so, if it was using the dangerous version (and when).

  • pja 9 years ago

    I think anything with an i5 or i7 in the name has the ME onchip. My spare Thinkpad certainly does & it’s four or five years old at this point in time. I turned the ME off in the bios the moment I acquired it, but I doubt Lenovo will be issuing any bios updates for it.

  • Natanael_L 9 years ago

    Intel says Enterprise grade hardware is affected, not consumer grade.

api 9 years ago

Vulnerable as in how vulnerable? Do you need to be physically connected to local Ethernet for this? WiFi?

If it's WiFi that's damn scary.

j_s 9 years ago

Warning: Baseless, Idle Speculation

With the lead time on the silent patch before Shadow Brokers published all the Microsoft exploits, I wonder if Shadow Brokers will be publishing this one soon. No chance of an Intel ME patch going out without being noticed though!

A Shadow Brokers release would be a real mess.

some1else 9 years ago

Are remote management functions of portable consumer electronics (i.e.: remotely wiping your iPad) also supported by similar hardware chips from other vendors?

  • bradyd 9 years ago

    There is a laptop theft recovery/tracking software called LoJack for Laptops (AKA CompuTrace). Some laptop manufacturers have added BIOS support for this service (Dell, HP, Lenovo, etc). According to the Wikipedia article [1] this BIOS service copies a downloader into the System32 folder on Windows, which then downloads the full service. It doesn't appear that the BIOS service itself is remotely exploitable, however it can be used for persistent root-kits [2].

    [1] https://en.wikipedia.org/wiki/LoJack_for_Laptops

    [2] https://en.wikipedia.org/wiki/LoJack_for_Laptops#Vulnerabili...

  • dboreham 9 years ago

    What does this mean?

    iPad remote wipe is a function of iOS and the encrypted filesystem it uses on the device, not the CPU.

elorant 9 years ago

I've disabled ME on my PC because at some point LMS (Local Management Service) started consuming too much resources for no apparent reason.

mattcoles 9 years ago

Site is throwing NET::ERR_CERT_AUTHORITY_INVALID on latest Chrome Canary, is anyone else seeing that?

lightedman 9 years ago

So they (SemiAccurate) knew about this for years, and STILL haven't bothered with disclosure to force Intel's hand earlier?

Thank you, SemiAccurate, for sitting on a vulnerability for years when you could've reported on it long ago and not had us left with this garbage of a security hole to deal with.

mtgx 9 years ago

A back door is a back door is a back door.

Let's hope Intel and all the other chipmakers will learn this lesson (unless it's done on purpose, in which case they won't care about any lessons learned - they'll do it anyway).

shmerl 9 years ago

Is there an analog of this issue on AMD chips?

eberkund 9 years ago

I've always wondered why nobody seems to notice the fact that this site is literally called "Semi Accurate". I mean sure, everyone makes mistakes and even the most credible news sources are not entirely accurate all the time. But what am I to think when your organization is literally named after being only half truthful?

  • davidgerard 9 years ago

    It's a semiconductor news site.

    • eberkund 9 years ago

      Semiconductor Accurate? Doesn't really sound right grammatically, also the arrows missing the target in their logo lead me to believe half accurate was how they intended the name to be interpreted.

      • wmf 9 years ago

        The name is a joke. The whole purpose of SemiAccurate is to report leaks and rumors and one can never expect such reporting to be fully accurate.
