Stories
Slash Boxes
Comments

SoylentNews is people

EFF: Intel's Management Engine is a Security Hazard

posted by n1 on Monday May 15 2017, @07:04AM   Printer-friendly
from the phme dept.

MrPlow writes:

Submitted via IRC for TheMightyBuzzard

Since 2008, most of Intel's chipsets have contained a tiny homunculus computer called the "Management Engine" (ME). The ME is a largely undocumented master controller for your CPU: it works with system firmware during boot and has direct access to system memory, the screen, keyboard, and network. All of the code inside the ME is secret, signed, and tightly controlled by Intel. Last week, vulnerabilities in the Active Management (AMT) module in some Management Engines have caused lots of machines with Intel CPUs to be disastrously vulnerable to remote and local attackers. While AMT can be disabled, there is presently no way to disable or limit the Management Engine in general. Intel urgently needs to provide one.

[...] EFF believes that Intel needs to provide a minimum level of transparency and user control of the Management Engines inside our computers, in order to prevent this cybersecurity disaster from recurring. Unless that happens, we are concerned that it may not be appropriate to use Intel CPUs in many kinds of critical infrastructure systems.

It's a crying shame the what the EFF says doesn't hold a whole lot of weight.

Source: The Electronic Frontier Foundation

Original Submission

 
This discussion has been archived. No new comments can be posted.
EFF: Intel's Management Engine is a Security Hazard | Log In/Create an Account | Top | 50 comments | Search Discussion
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

  • (Score: 0) by Anonymous Coward on Monday May 15 2017, @08:03PM

    by Anonymous Coward on Monday May 15 2017, @08:03PM (#510204)

    A few earlier chipsets had an lm32 in the SBxx0 southbridge offering the features of the PSP. Don't remember if those were signed or unsigned.

    ALL current chips that were produced after sockets G34, C32, AM3+, and I believe the original FM2 have ARM TrustZone based PSPs baked into them, with manufacturer only signed firmware.

    Clipper/Palladium/etc is real and has been rolled out into all processors since 2008 or so (When did trustzone first roll out? Earlier if TZ was earlier.)

    Having said that: There is a PicoRV32 project that has a a RISC-V core in under 2100 6LUTs, and should be sythesizable in under 4k 4LUTs (IE an iCE40 FPGA). It won't replace an x86/arm for mobile or high performance desktop purposes, but it could be the first step in freeing our systems and ensuring possession plus ownership gives control of the hardware and firmware, even if doing so requires wiping a signing key (this should have always been a write protect jumper feature, just like with flash prior to SPI. Hint: Go read the datasheets on many SPI flash chips (like used in modern computers) many of them implement write protect in software and require software ENABLE of the Write Protect pin on initialization in order for write protection to be active... Kind of defeats the point, doesn't it?