posted by n1 on Monday May 15 2017, @07:04AM
from the phme dept.

Submitted via IRC for TheMightyBuzzard

Since 2008, most of Intel's chipsets have contained a tiny homunculus computer called the "Management Engine" (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. Last week, vulnerabilities in the Active Management (AMT) module in some Management Engines have caused lots of machines with Intel CPUs to be disastrously vulnerable to remote and local attackers. While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one.

[...] EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.

It's a crying shame that what the EFF says doesn't hold a whole lot of weight.

Source: The Electronic Frontier Foundation


  • (Score: 4, Informative) by kaszz (4211) on Monday May 15 2017, @08:53AM (#509863)

    AMD has their own version called TrustZone using a Cortex-A5 processor.
    Smartphones usually have an ARM processor, which in many cases also has an ARM management processor besides the main one.

    Alternatives:
    IBM's Power8 [informationweek.com] ATX motherboard [raptorengineering.com]
    OpenSPARC [wikipedia.org]
    Cyrix/Centaur/Winchip CPUs, Eden
    Elbrus [extremetech.com]
    Raspberry Pi 3?
    EOMA68 [elinux.org]

    Routing counter strategies:
    Block TCP ports 16992 - 16995 and only allow 80, 8080 & 443
    Turn off UPnP
    Distrust your proprietary router to do the right thing
    Lock down permitted MAC addresses
    Defense in depth..
    Have a look in the BIOS setup if AMT is enabled

    Supposedly there is a special ME firmware installed on computers sold to certain government entities..
    What the OpenBSD [nabble.com] people have to say (only update via MS-Windows, exploit).

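As an added example (not part of kaszz's comment or of any project's code), this Python check applies the port advice above to constructed firewall log lines: it flags every connection to the AMT ports 16992-16995 and marks those arriving from outside an assumed trusted subnet, so an admin can confirm the block rule is actually dropping them. The log format is loosely modelled on iptables LOG output and is an assumption.

```python
import re
from ipaddress import ip_address, ip_network

# Intel AMT listens on 16992 (HTTP), 16993 (HTTPS) and 16994/16995 (redirection),
# the range the comment above recommends blocking at the router.
AMT_PORTS = range(16992, 16996)

# Assumed log format: loosely modelled on Linux iptables/nftables LOG output.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) "
    r"SPT=\d+ DPT=(?P<dpt>\d+)"
)

# Constructed sample lines; addresses come from RFC 5737 documentation ranges.
SAMPLE_LOG = """\
May 15 08:53:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51234 DPT=16992 SYN
May 15 08:53:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51235 DPT=443 SYN
May 15 08:53:03 gw kernel: IN=eth1 OUT= SRC=192.0.2.20 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=16993 SYN
May 15 08:53:04 gw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=192.0.2.11 LEN=40 PROTO=UDP SPT=5353 DPT=16995
May 15 08:53:05 gw kernel: IN=eth0 OUT= SRC=203.0.113.8 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51236 DPT=16996 SYN
"""


def is_amt_port(port):
    """True for the four ports used by AMT's web, TLS and redirection services."""
    return port in AMT_PORTS


def find_amt_connections(log_text, trusted_net="192.0.2.0/24"):
    """Return one dict per log line whose destination port is an AMT port.

    'external' is True when the source lies outside trusted_net (assumed LAN),
    i.e. traffic the router block rule above should have dropped.
    """
    trusted = ip_network(trusted_net)
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m is None:
            continue                      # not a firewall line we understand
        dpt = int(m.group("dpt"))
        if not is_amt_port(dpt):
            continue
        src = ip_address(m.group("src"))
        hits.append({
            "src": str(src), "dst": m.group("dst"),
            "proto": m.group("proto"), "dport": dpt,
            "external": src not in trusted,
        })
    return hits
```

Running `find_amt_connections(SAMPLE_LOG)` yields three hits (ports 16992, 16993 and 16995); the 443 line and the out-of-range 16996 line are ignored.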
  • (Score: 2) by Jeremiah Cornelius (2785) on Monday May 15 2017, @04:20PM (#510089)

    I run an old Indigo Iris Elan and an original Mac Pro Bondi Blue tower.

    When I want speed? There's a couple of Raspberry Pi boards on what used to be drive sleds. These are dedicated browser sandboxes. They xremote to the desktops.

    --
    You're betting on the pantomime horse...
  • (Score: 0) by Anonymous Coward on Monday May 15 2017, @08:40PM (#510221)

    Dead.

    SPARC itself is terminated (Both Fujitsu and Oracle/Sun have dropped it. Fujitsu moved the engineering resources to ARM for their next supercomputer, and Oracle/Sun have fired their entire cpu engineering staff.)

    The Elbrus chips got migrated to something else, and I think switched to some new arch.

    The only non-AMDWintel x86 chips still in production are the Via ones. The Cyrix IP had been licensed out by AMRISC I believe, and RDC was a primary seller of chips based on them (but their website appears dead, and the latest available parts don't appear to be for sale anywhere, unless you can maybe purchase them in Shenzhen or something).

    Pi3 is almost open, firmware-wise, but Broadcom is not an open company, and the chips support firmware signing even if the Pi3s have it disabled.

    EOMA68: Total junk. Also more expensive than just producing a PICMG compliant SBC. Much bigger, but actually allows a real peripheral bus instead of the multiple kludges the EOMA68 form factor has, many of which are tied to the Allwinner A20 onboard it.

    Having said all this, as I mentioned in another thread: there is the PicoRV32 core, the iCE40 FPGA, and PICMG backplane boards which could (given documentation on the PICMG standard, which is royalty free outside of PCIe bus patents for version 1.3) provide a complete and mostly libre systems platform for future systems, albeit limited to a 32 bit processor and addressing for now (unless someone wants to add 64 bit addressing extensions to the RV32 and just use fused registers for addressing and related math).

    If such a system gets produced, it could help drive demand for an ASIC implementation with far more transistors and higher clock rates, and from there a transistor optimized mask for whatever process technology users were willing to crowdfund engineering talent and manufacturing costs to produce successfully.