
posted by n1 on Monday May 15 2017, @07:04AM
from the phme dept.

Submitted via IRC for TheMightyBuzzard

Since 2008, most of Intel's chipsets have contained a tiny homunculus computer called the "Management Engine" (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. Last week, vulnerabilities in the Active Management (AMT) module in some Management Engines have caused lots of machines with Intel CPUs to be disastrously vulnerable to remote and local attackers. While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one.

[...] EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.

It's a crying shame that what the EFF says doesn't hold a whole lot of weight.

Source: The Electronic Frontier Foundation

  • (Score: 3, Interesting) by TheRaven on Monday May 15 2017, @07:46AM (14 children)

    by TheRaven (270) on Monday May 15 2017, @07:46AM (#509829) Journal
    The alternative is not to turn on the LOM facilities of whatever you buy. They're off by default on most systems. If you do need to enable them, only do so for machines plugged into a managed switch and severely restrict access to the management addresses.

    We had a similar wake-up call from a Dell (I think) remote management system that shipped with an ancient (and known insecure) version of OpenSSH. We discovered this when Facebook contacted us to ask why we were attacking them - apparently someone had compromised the management system and was using it to attack Facebook. This is perhaps more of a problem than the Intel hack, because the owner of the compromised system has far less of an incentive to fix it if it's being used to attack computers off their network.

    --
    sudo mod me up
  • (Score: 3, Informative) by kaszz on Monday May 15 2017, @08:13AM (8 children)

    by kaszz (4211) on Monday May 15 2017, @08:13AM (#509835) Journal

    The point is that with Intel Management Engine you don't have the option to turn off the LOM facilities.

    • (Score: 2) by TheRaven on Monday May 15 2017, @09:05AM (3 children)

      by TheRaven (270) on Monday May 15 2017, @09:05AM (#509873) Journal
      Are you sure? All of the systems we've looked at can at least turn off its ability to talk to the network (and this is off by default). Technically the code is still there, but if it never runs then it's not meaningfully different from being not there.
      --
      sudo mod me up
      • (Score: 2) by kaszz on Monday May 15 2017, @09:16AM (2 children)

        by kaszz (4211) on Monday May 15 2017, @09:16AM (#509878) Journal

        Not from what I have read. But then how can one be sure anyway?

        • (Score: 1) by fustakrakich on Monday May 15 2017, @12:24PM (1 child)

          by fustakrakich (6150) on Monday May 15 2017, @12:24PM (#509965) Journal

          Um, network sniffer between the machine and the outside world?

          --
Politics and criminals are the same thing.
          • (Score: 3, Insightful) by kaszz on Monday May 15 2017, @05:00PM

            by kaszz (4211) on Monday May 15 2017, @05:00PM (#510114) Journal

Then you've got to be sure what to look for among the gazillion bits passing over the network. And that the sniffer platform doesn't fool you either.

            Then there's the RF backdoor. Connect to your neighbor and establish a system prompt.
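As an added example (not code from this thread or from Intel), a defender's filter that follows up TheRaven's advice to restrict access to the management addresses and kaszz's question of what to look for on the wire: it runs over constructed flow records and flags any connection to Intel AMT's listening ports whose peer is outside an assumed management subnet. The port list is Intel's documented AMT set; the subnet, the flow-record format and the sample flows are assumptions.

```python
import ipaddress
from collections import namedtuple

# TCP ports Intel AMT listens on: 16992/16993 (HTTP/HTTPS web and SOAP/WS-Man),
# 16994/16995 (redirection: SOL and IDE-R), 623/664 (ASF/RMCP), 5900 (AMT KVM;
# shared with plain VNC, so expect some false positives on that one).
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664, 5900}

# Assumption: the only subnet from which AMT traffic should ever be seen.
MGMT_NET = ipaddress.ip_network("10.200.0.0/24")

# Constructed flow records, "src_ip src_port dst_ip dst_port proto" (not real traffic).
SAMPLE_FLOWS = """\
10.200.0.5 51234 10.10.1.20 16992 tcp
203.0.113.7 40001 10.10.1.20 16992 tcp
10.10.1.21 44555 10.10.1.20 22 tcp
198.51.100.9 33333 10.10.1.22 5900 tcp
10.10.1.22 16993 10.200.0.5 50000 tcp
"""

Flow = namedtuple("Flow", "src sport dst dport proto")


def parse_flow(line):
    """Parse one whitespace-separated flow record into a Flow of typed fields."""
    src, sport, dst, dport, proto = line.split()
    return Flow(ipaddress.ip_address(src), int(sport),
                ipaddress.ip_address(dst), int(dport), proto)


def is_amt_flow(f):
    """True when either end of a TCP flow is an AMT service port."""
    return f.proto == "tcp" and (f.dport in AMT_PORTS or f.sport in AMT_PORTS)


def find_unexpected_amt(flows_text, mgmt_net=MGMT_NET):
    """Return (peer, amt_host, port) for AMT flows whose peer is outside mgmt_net."""
    alerts = []
    for line in flows_text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if not is_amt_flow(f):
            continue
        # Work out which end is the AMT service and which is the peer talking to it;
        # the ME answers from the AMT port, so a reply flow has the port as sport.
        if f.dport in AMT_PORTS:
            peer, host, port = f.src, f.dst, f.dport
        else:
            peer, host, port = f.dst, f.src, f.sport
        if peer not in mgmt_net:
            alerts.append((str(peer), str(host), port))
    return alerts
```

Because the ME answers on the NIC below the operating system, host-side tools will not see these flows; feed the filter from a switch span port or flow collector, as the thread's sniffer suggestion implies.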

    • (Score: 1, Informative) by Anonymous Coward on Monday May 15 2017, @10:32AM (3 children)

      by Anonymous Coward on Monday May 15 2017, @10:32AM (#509927)

      You can minimize the attack surface by using a pci(-e) network card instead of the untrusted on-board NIC.

      • (Score: 1, Insightful) by Anonymous Coward on Monday May 15 2017, @02:10PM (1 child)

        by Anonymous Coward on Monday May 15 2017, @02:10PM (#510019)

        On a laptop?

      • (Score: 3, Insightful) by kaszz on Monday May 15 2017, @04:54PM

        by kaszz (4211) on Monday May 15 2017, @04:54PM (#510108) Journal

        And you think that little spy engine of Intel won't find your wired network card? ;)

  • (Score: 1, Touché) by Anonymous Coward on Monday May 15 2017, @08:14AM

    by Anonymous Coward on Monday May 15 2017, @08:14AM (#509837)

    Facebook contacted us to ask why we were attacking them

    I don't need a reason!

    Hells bells, no matter what you're doing, some pissant somewhere wants you to stop. Fuck the world!

  • (Score: 2) by butthurt on Monday May 15 2017, @08:15AM (1 child)

    by butthurt (6141) on Monday May 15 2017, @08:15AM (#509838) Journal
    • (Score: 4, Informative) by TheRaven on Monday May 15 2017, @09:03AM

      by TheRaven (270) on Monday May 15 2017, @09:03AM (#509869) Journal
      Most x86 server-class systems do too, because you most likely want them on entirely separate physical networks.
      --
      sudo mod me up
  • (Score: 0) by Anonymous Coward on Monday May 15 2017, @11:32AM (1 child)

    by Anonymous Coward on Monday May 15 2017, @11:32AM (#509942)

    We discovered this when Facebook contacted us to ask why we were attacking them - apparently someone had compromised the management system and was using it to attack Facebook.

    So you told them, it wasn't you attacking them but Dell enabling the compromise of your machine and allowing a 3rd party to use your network to attack them?

    Serious point being, could Intel's insurers take the hit from a bug in the ME that was exploited on the scale of the recent ransomware attack?

    • (Score: 2) by TheRaven on Monday May 15 2017, @01:37PM

      by TheRaven (270) on Monday May 15 2017, @01:37PM (#510000) Journal

      So you told them, it wasn't you attacking them but Dell enabling the compromise of your machine and allowing a 3rd party to use your network to attack them?

      [Disclaimer: I wasn't involved in the incident directly, so this is all from what people who were have told me:] They were actually very helpful in pinpointing the source and once the attacks were stopped didn't take it any further. I doubt that they had a case against Dell.

      Serious point being, could Intel's insurers take the hit from a bug in the ME that was exploited on the scale of the recent ransomware attack?

There isn't any precedent for associating liability with off-the-shelf software and it's not really a precedent that I'd be happy seeing set.

      --
      sudo mod me up