It looks like it's nearly game over for the Intel Management Engine:
Positive Technologies, which in September said it has a way to attack the Intel Management Engine, has dropped more details on how its exploit works.
The firm has already promised to demonstrate [a] God-mode hack in December 2017, saying the bug "allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard".
For some details, we'll have to wait, but what's known is bad enough: Intel Management Engine (IME) talks to standard Joint Test Action Group (JTAG) debugging ports. As [does] USB, so Positive Technologies researchers put the two together and crafted a way to access IME from the USB port.
[...] The latest attack came to Vulture South's attention via a couple of Tweets:
Game over! We (I and @_markel___ ) have obtained fully functional JTAG for Intel CSME via USB DCI. #intelme #jtag #inteldci pic.twitter.com/cRPuO8J0oG
— Maxim Goryachy (@h0t_max) November 8, 2017
Full access the Intel ME( >=Skylake) by JTAG debugging via USB DCI https://t.co/TMvOirXOVI @ptsecurity @h0t_max @_markel___
— Hardened-GNU/Linux (@hardenedlinux) November 8, 2017
The linked blog post [in Russian] explains that since Skylake, the PCH – Intel's Platform Controller Hub, which manages chip-level communications – has offered USB access to JTAG interfaces that used to need specialised equipment. The new capability is DCI, Direct Connect Interface.
Reddit discussion linked by LoRdTAW in a journal.
Previously: Intel Management Engine Partially Defeated
Disabling Intel ME 11 Via Undocumented Mode
How-To: Disabling the Intel Management Engine
Andrew Tanenbaum's Open Letter to Intel About MINIX 3
(Score: 2) by DrkShadow on Friday November 10 2017, @02:46AM (3 children)
This is SO old news it was posted in January:
https://www.bleepingcomputer.com/news/hardware/intel-cpus-can-be-pwned-via-usb-port-and-debugging-interface/ [bleepingcomputer.com]
The JTAG interface is disabled on shipping systems. At least, it's supposed to be. Did they find a system where the manufacturer forgot to do this? or did they find a way to reenable it via external USB?
(Score: 4, Informative) by The Mighty Buzzard on Friday November 10 2017, @02:52AM
Not quite the same thing. Same attack vector, different target.
My rights don't end where your fear begins.
(Score: 2) by jmorris on Friday November 10 2017, @04:41AM (1 child)
This new attack seems to involve discovering a way to wiggle bits in UEFI to get debug turned back on and a couple other tricks beyond that. Most of this stuff is fixable with a firmware update, which Intel will probably ship as soon as this hits the FakeNews media scare machine, so will mostly be useful to let researchers build vulnernable machines they can use to get into the ME of a running machine and explore for more exploits.
(Score: 0) by Anonymous Coward on Friday November 10 2017, @01:59PM
jmorris, this isn't fakenews.
your attack of the media for doing the right thing, to force a corporation to act in the benefit of its 'customers', can hardly be interpreted as a gay agenda.
you're part of the problem if you can't see without your blinders on