
posted by martyb on Tuesday May 02 2017, @12:51AM
from the infirmware dept.

Arthur T Knackerbracket has found the following story taken from The Register:

For the past nine years, millions of Intel desktop and server chips have harbored a security flaw that can be exploited to remotely control and infect vulnerable systems with spyware.

Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products."

That means hackers exploiting the flaw can log into a vulnerable computer's hardware – right under the nose of the operating system – and silently snoop on users, read and make changes to files, install virtually undetectable malware, and so on. This is potentially possible across the network because AMT has direct access to the network hardware, and with local access.

These management features have been available in various Intel chipsets for nearly a decade, starting with the Nehalem Core i7 in 2008, all the way up to Kaby Lake Core parts in 2017. Crucially, the vulnerability lies at the very heart of a machine's silicon, out of sight of the running operating system, applications and any antivirus.

It can only be fully fixed with a firmware-level update, and it is present in millions of chips. It is effectively a backdoor into computers all over the world.

Intel's vulnerable AMT service [is] part of the vPro suite of processor features. If vPro is present and enabled on a system, and AMT is provisioned, unauthenticated miscreants on your network can access the at-risk computer and hijack it. If AMT isn't provisioned, a logged-in user can still potentially exploit it.

Intel reckons this vulnerability basically affects business and server boxes, because they tend to have vPro and AMT present and enabled, and not systems aimed at ordinary consumers, which typically don't. You can follow this document to check if your system has AMT switched on.

Basically, if you're using a machine with vPro features enabled, you are at risk.

According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks, and should be installed ASAP.

[...] For years now, engineers and infosec types have been warning that, since all code has bugs, at least one remotely exploitable programming blunder must be present in Intel's AMT software, and the ME running it, and thus there must be a way to fully opt out of it: to buy a chipset with it not present at all, rather than just disabled or disconnected by a hardware fuse.

Finding such a bug is like finding a hardwired, unremovable and remotely accessible administrator account, with the username and password 'hackme', in Microsoft Windows or Red Hat Enterprise Linux. Except this Intel flaw is in the chipset, running out of reach of your mortal hands, and now we wait for the cure to arrive from the computer manufacturers.

Also see the story at semiaccurate.

-- submitted from IRC


Original Submission
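A practical follow-up to the "check if your system has AMT switched on" advice in the story, added here by the editor and not taken from The Register, Intel or the submitter: a Python triage helper that looks for AMT's management web service on a host and reads the firmware version it advertises. The port (16992, AMT's plain-HTTP management port) and the Server header fingerprint come from the editor's own experience with AMT rather than from the story; the sample responses are constructed, not captured from real hardware; and the 6-to-11.6 range simply mirrors the summary above, so an in-range hit means "check the exact build against the OEM's update", since the fixed builds are point releases within those same major versions. Only a provisioned, network-reachable AMT shows up this way; the local-only case (AMT present but not provisioned) needs Intel's own detection guide.

```python
"""Triage helper for CVE-2017-5689 exposure: does a host expose Intel AMT's
management web service, and does the firmware version it advertises fall in
the 6 .. 11.6 range the advisory summary names?  Added example; this is not
Intel's discovery tool and not code from the story."""
import re
import socket
import sys
from typing import Optional

# AMT's management web service listens on 16992 (HTTP) and 16993 (HTTPS).
# Assumption from the editor's experience, not stated in the story.
AMT_HTTP_PORT = 16992

# AMT's HTTP server names itself in the Server header; the trailing number
# is the firmware version (assumed fingerprint, not taken from the story).
SERVER_RE = re.compile(r"Intel\(R\) Active Management Technology\s+([0-9][0-9.]*)")

# Affected major.minor range as summarised in the story (6 through 11.6).
AFFECTED_MIN = (6,)
AFFECTED_MAX = (11, 6)


def amt_version_from_response(response: bytes) -> Optional[str]:
    """Return the firmware version string from an AMT HTTP response, or None
    if the response does not come from AMT's web service."""
    head = response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:        # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            match = SERVER_RE.search(value.decode("latin-1"))
            return match.group(1) if match else None
    return None


def version_tuple(version: str) -> tuple:
    """'11.0.0.1202' -> (11, 0, 0, 1202) for numeric comparison."""
    return tuple(int(part) for part in version.strip(".").split("."))


def in_affected_range(version: str) -> bool:
    """True if major.minor lies within 6.0 .. 11.6 inclusive.  Fixed builds
    are point releases inside this range, so True means 'verify the exact
    build', not 'confirmed vulnerable'."""
    major_minor = version_tuple(version)[:2]
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


def triage(response: bytes) -> str:
    """Classify a host from one HTTP response received on the AMT port."""
    version = amt_version_from_response(response)
    if version is None:
        return "no AMT web service"
    if in_affected_range(version):
        return f"AMT {version}: in affected range, verify build against OEM firmware update"
    return f"AMT {version}: outside affected range"


def probe(host: str, port: int = AMT_HTTP_PORT, timeout: float = 3.0) -> Optional[bytes]:
    """Fetch response headers from a live host's AMT port.  Returns None when
    the port is closed or unreachable, i.e. AMT is not provisioned for the
    network or the machine has no AMT at all."""
    request = f"GET / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(request)
            chunks = []
            while True:
                data = sock.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if b"\r\n\r\n" in b"".join(chunks):   # headers are enough
                    break
            return b"".join(chunks)
    except OSError:
        return None


# Constructed sample responses (not captured from real hardware).
SAMPLE_AMT = (b"HTTP/1.1 303 See Other\r\n"
              b"Server: Intel(R) Active Management Technology 11.0.0.1202\r\n"
              b"Location: /logon.htm\r\nContent-Length: 0\r\n\r\n")
SAMPLE_PATCHED = (b"HTTP/1.1 303 See Other\r\n"
                  b"Server: Intel(R) Active Management Technology 12.0.0.1000\r\n"
                  b"Location: /logon.htm\r\nContent-Length: 0\r\n\r\n")
SAMPLE_OTHER = (b"HTTP/1.1 200 OK\r\nServer: nginx/1.10.3\r\n"
                b"Content-Length: 0\r\n\r\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:                        # probe a real host
        raw = probe(sys.argv[1])
        print(sys.argv[1], "->", "port closed or unreachable" if raw is None else triage(raw))
    else:                                        # classify the constructed samples
        for label, sample in (("amt", SAMPLE_AMT), ("patched", SAMPLE_PATCHED), ("other", SAMPLE_OTHER)):
            print(f"{label:8s} {triage(sample)}")
```

Run it with a host name or address to probe a live machine, or with no argument to classify the three constructed samples. Probe only hosts you are authorized to test, and treat a closed 16992 as weak evidence: AMT also listens on 16993 (TLS) and on 623 and 664, so absence on one port is not proof that the management interface is off.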

  • (Score: 1, Interesting) by Anonymous Coward on Tuesday May 02 2017, @01:52AM (14 children)

    by Anonymous Coward on Tuesday May 02 2017, @01:52AM (#502600)

    So, I'm not so worried about this on my home machine.
    There are much easier vectors to attack me with.
    But I am curious, can this be used to crack DRM like netflix uses so as to extract the original bitstream?
    Seems like having system access that does not go through the cpu itself is kind of like snooping on software running in a VM, except its real hardware so the software can't even detect you are snooping on it.

  • (Score: 3, Insightful) by The Mighty Buzzard on Tuesday May 02 2017, @02:11AM (11 children)

    If it's enabled on your home machines, no, there are not easier vectors to attack you from. This one is a free-throw with infinite do-overs.

    --
    My rights don't end where your fear begins.
    • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @02:23AM (10 children)

      by Anonymous Coward on Tuesday May 02 2017, @02:23AM (#502614)

      Chill with the hyperbole dufus.

      Getting a foothold on my home network would require cracking one of my PCs first because, like nearly everybody, my home network is not open to the internet.
      If somebody has cracked the PC then they don't need to attack the remote management functionality.

      • (Score: 1, Insightful) by Anonymous Coward on Tuesday May 02 2017, @02:28AM

        by Anonymous Coward on Tuesday May 02 2017, @02:28AM (#502619)

        If the PC serving as your router/firewall has one of these modern hardware backdoors via the remote management functionality, then attackers still have a wide-open door straight into your home network.

      • (Score: 4, Informative) by The Mighty Buzzard on Tuesday May 02 2017, @02:39AM (8 children)

        Oh please. NAT is not a firewall. NAT traversal for exploitation was easy decades ago.

        --
        My rights don't end where your fear begins.
        • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @02:58AM (7 children)

          by Anonymous Coward on Tuesday May 02 2017, @02:58AM (#502635)

          Yes, which is why systems behind NAT are constantly getting owned.
          Keep on pulling that supercilious shit out of your mighty butt.

          • (Score: 2) by The Mighty Buzzard on Tuesday May 02 2017, @03:30AM (6 children)

            Wow. You really know fuck-all and yet spew with great enthusiasm. NAT hasn't stopped anything but script-kiddies in twenty years.

            --
            My rights don't end where your fear begins.
            • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @06:51AM (1 child)

              by Anonymous Coward on Tuesday May 02 2017, @06:51AM (#502709)

              NAT and firewall are innately linked for many people, since most people's routers run Linux, and the Linux network stack has the firewall and NAT support inextricably linked. I am not sure about other parties' solutions, but that could certainly make many think NAT and firewalls are the same thing.

              Having said that, for a NAT to keep you secure you cannot have port-punched any holes with insecure apps that have network facing security exploits, and you additionally need outbound filtering to keep exploits on a system inside the nat from being able to 'phone home' out of it, thus rendering NAT obscuration of the devices addresses moot.

              • (Score: 1) by Scrutinizer on Tuesday May 02 2017, @07:26AM

                by Scrutinizer (6534) on Tuesday May 02 2017, @07:26AM (#502717)

                A bigger problem is Man-in-the-Middle attacks, which, per information provided by Ed Snowden, were used by the NSA to attack Tor users [schneier.com]. If the NSA is able to use these sorts of attacks against mesh-like darknets, you can bet your britches that similar MITM attacks are common on the surface web.

            • (Score: 1) by shrewdsheep on Tuesday May 02 2017, @08:44AM (3 children)

              by shrewdsheep (5215) on Tuesday May 02 2017, @08:44AM (#502731)

              I am honestly wondering how you would go about it. I am setting up an idle machine behind a NAT, giving you the root password (with root login enabled). I would not tell you the local network configuration. How would you get in?

              • (Score: 2) by The Mighty Buzzard on Tuesday May 02 2017, @10:28AM (2 children)

                Start reading here [samy.pl] then let google lead you onwards [google.com]. I had to learn all this by listening and asking questions on IRC then figuring it out for myself back in the day. I was not always the fine, upstanding, security conscious admin that I am nowadays.

                --
                My rights don't end where your fear begins.
                • (Score: 1) by shrewdsheep on Tuesday May 02 2017, @11:00AM (1 child)

                  by shrewdsheep (5215) on Tuesday May 02 2017, @11:00AM (#502748)

                  Thank you for the links. They do confirm to me though that NAT *does* provide an additional level of security. I do recommend NAT as an additional level of security and I believe that we will see NATed networks in the IPv6 age for good reasons. The most amazing piece of NAT-hacking to me is https://samy.pl/pwnat/ [samy.pl] BTW.

                  • (Score: 2) by The Mighty Buzzard on Tuesday May 02 2017, @11:53AM

                    It does, just not an especially effective one against a knowledgeable attacker. Relying on it instead of an actual firewall is foolish in the extreme but it doesn't do any harm and does leave you at least protected from casual scans.

                    --
                    My rights don't end where your fear begins.
  • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @02:37AM

    by Anonymous Coward on Tuesday May 02 2017, @02:37AM (#502624)

    Why couldn't you just attach to Netflix/Browser's process as a debugger? Wouldn't that be more straight-forward?

    Though I suppose your suggestion might be necessary if widevine gets pulled from Linux.

  • (Score: 2) by kaszz on Wednesday May 03 2017, @12:05AM

    by kaszz (4211) on Wednesday May 03 2017, @12:05AM (#503316) Journal

    The management engine system code is located in a SPI memory chip not accessible by the operating system, where it is likely encrypted and is for sure signed [github.io]. So to get anywhere you would have to break at least one of these mechanisms to either test the code by decryption in a simulator or run your own code in the management engine.

    Debugging the browser or modules will not help as the critical processing steps are likely to happen inside the protected management engine.