
posted by martyb on Tuesday May 02 2017, @12:51AM
from the infirmware dept.

Arthur T Knackerbracket has found the following story taken from The Register:

For the past nine years, millions of Intel desktop and server chips have harbored a security flaw that can be exploited to remotely control and infect vulnerable systems with spyware.

Specifically, the bug is in Intel's Active Management Technology (AMT), Standard Manageability (ISM) and Small Business Technology (SBT) firmware versions 6 to 11.6. According to Chipzilla, the security hole allows "an unprivileged attacker to gain control of the manageability features provided by these products."

That means hackers exploiting the flaw can log into a vulnerable computer's hardware – right under the nose of the operating system – and silently snoop on users, read and make changes to files, install virtually undetectable malware, and so on. This is potentially possible across the network, because AMT has direct access to the network hardware, as well as with local access.

These management features have been available in various Intel chipsets for nearly a decade, starting with the Nehalem Core i7 in 2008, all the way up to Kaby Lake Core parts in 2017. Crucially, the vulnerability lies at the very heart of a machine's silicon, out of sight of the running operating system, applications and any antivirus.

It can only be fully fixed with a firmware-level update, and it is present in millions of chips. It is effectively a backdoor into computers all over the world.

Intel's vulnerable AMT service [is] part of the vPro suite of processor features. If vPro is present and enabled on a system, and AMT is provisioned, unauthenticated miscreants on your network can access the at-risk computer and hijack it. If AMT isn't provisioned, a logged-in user can still potentially exploit it.

Intel reckons this vulnerability basically affects business and server boxes, because they tend to have vPro and AMT present and enabled, and not systems aimed at ordinary consumers, which typically don't. You can follow this document to check if your system has AMT switched on.

Basically, if you're using a machine with vPro features enabled, you are at risk.

According to Intel today, this critical security vulnerability, labeled CVE-2017-5689, was reported in March by Maksim Malyutin at Embedi. To get the patch to close the hole, you'll have to pester your machine's manufacturer for a firmware update, or try the mitigations here. These updates are hoped to arrive within the next few weeks, and should be installed ASAP.

[...] For years now, engineers and infosec types have been warning that, since all code has bugs, at least one remotely exploitable programming blunder must be present in Intel's AMT software, and the ME running it, and thus there must be a way to fully opt out of it: to buy a chipset with it not present at all, rather than just disabled or disconnected by a hardware fuse.

Finding such a bug is like finding a hardwired, unremovable and remotely accessible administrator account, with the username and password 'hackme', in Microsoft Windows or Red Hat Enterprise Linux. Except this Intel flaw is in the chipset, running out of reach of your mortal hands, and now we wait for the cure to arrive from the computer manufacturers.

Also see the story at semiaccurate.

-- submitted from IRC



  • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @12:55AM (5 children)

    by Anonymous Coward on Tuesday May 02 2017, @12:55AM (#502579)

    Intel spyware vs. 3rd-party spyware, spyware all the same.

    Fuck Intel.

    • (Score: -1, Flamebait) by Ethanol-fueled on Tuesday May 02 2017, @01:24AM

      by Ethanol-fueled (2792) on Tuesday May 02 2017, @01:24AM (#502585) Homepage

      What it all boils down to is that Intel are Jews. Of course they're gonna play ball, now that Wikileaks has their data and were nice enough to give them the heads-up on the next leak.

    • (Score: 3, Insightful) by arslan on Tuesday May 02 2017, @07:22AM

      by arslan (3462) on Tuesday May 02 2017, @07:22AM (#502716)

      The NSA, and probably any sufficiently advanced espionage outfit, must have had a field day with this in the last 10 years...

    • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @07:32PM (1 child)

      by Anonymous Coward on Tuesday May 02 2017, @07:32PM (#503075)

      Exactly, these fucks should have never made a closed source remote management "feature". We should really get behind RISC instead of funding these whores of the Supranational Surveillance State.

      • (Score: 2) by kaszz on Wednesday May 03 2017, @02:25AM

        by kaszz (4211) on Wednesday May 03 2017, @02:25AM (#503420) Journal

        Why would RISC solve anything? Different architecture, same jurisdiction..

    • (Score: 2) by Bot on Tuesday May 02 2017, @09:44PM

      by Bot (3902) on Tuesday May 02 2017, @09:44PM (#503193) Journal

      Indeed, but who would have guessed a company named INTEL would spy on its clients...

      --
      Account abandoned.
  • (Score: 3, Funny) by bob_super on Tuesday May 02 2017, @01:09AM (1 child)

    by bob_super (1357) on Tuesday May 02 2017, @01:09AM (#502581)

    Can someone located a bit closer tell us which Agency(ies) that sudden swear word came out of? Can't tell if it was stronger on the US East coast or in the old world.

    "Maksim Malyutin at Embedi" may either get a job, an accident, or both, for ruining someone's day.

    • (Score: 2) by kaszz on Tuesday May 02 2017, @11:50PM

      by kaszz (4211) on Tuesday May 02 2017, @11:50PM (#503304) Journal

      He will perhaps get a Michael Hastings?
      Better keep that car system software secure and chop any antenna..

  • (Score: 5, Insightful) by The Mighty Buzzard on Tuesday May 02 2017, @01:25AM (4 children)

    The award for exceptional disregard of common sense over the past ten years goes to: Intel
    The award for most man-hours lost due to a vendor fuck-up goes to: Intel
    The award for best rendition of "Lalalalala" while holding their fingers in their ears when told something would happen: Intel

    I. Fucking. Told. You. So.

    --
    My rights don't end where your fear begins.
    • (Score: 5, Touché) by archfeld on Tuesday May 02 2017, @02:20AM

      by archfeld (4650) <treboreel@live.com> on Tuesday May 02 2017, @02:20AM (#502613) Journal

      I thought the first award would go to Microsoft, for either their mobile phone division or their UI/OS design division.

      --
      For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
    • (Score: 2, Interesting) by Anonymous Coward on Tuesday May 02 2017, @03:27AM (1 child)

      by Anonymous Coward on Tuesday May 02 2017, @03:27AM (#502644)

      The funny bit is how hard Intel tried to make vPro/AMT secure by default.
        - You couldn't modify it from the OS (this was a security feature, so an infected Win machine couldn't disable it)
        - Part of the functionality is a hardware firewall. You can have the NIC deny packets matching a pattern. I think this was designed back when you could tell a machine was infected by a flood of packets matching some regex, trying to infect via netbios or some rpc call. I never saw a working setup of this.
        - You had to change the password from 'admin' before it would turn on. For enterprise mode where PKI is used, AMT would DHCP for 48 hours and then stop, but there was a way to trigger it once you set up your infrastructure to where it would find your central server. Never got that far either.

      • (Score: 2) by kaszz on Tuesday May 02 2017, @11:54PM

        by kaszz (4211) on Tuesday May 02 2017, @11:54PM (#503306) Journal

        The problem is that Intel thought they were infallible.. doh ;-)
        Then the code storage is so secure that updates are hard to distribute because a) signed b) inaccessible by normal means c) distribution requires manufacturer to sign the Intel blob.

        So doh! :p

    • (Score: 1, Funny) by Anonymous Coward on Tuesday May 02 2017, @08:18AM

      by Anonymous Coward on Tuesday May 02 2017, @08:18AM (#502728)

      The award for ...

      Intel lauds their 2017 Security Awards winning software.

  • (Score: 2) by takyon on Tuesday May 02 2017, @01:51AM (5 children)

    by takyon (881) <takyonNO@SPAMsoylentnews.org> on Tuesday May 02 2017, @01:51AM (#502599) Journal

    Whatever patch Intel does will not remove the ARC chip or the Management Engine.

    So where are AMD's remoteware free chips? Coming in 5 years?

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 3, Informative) by Scrutinizer on Tuesday May 02 2017, @02:13AM (4 children)

      by Scrutinizer (6534) on Tuesday May 02 2017, @02:13AM (#502610)

      So where are AMD's remoteware free chips? Coming in 5 years?

      Sadly, AMD seems to be following Intel's lead. According to the folks at libreboot, post-2013 AMD processors have similar closed-source backdoor technology [libreboot.org].

      • (Score: 3, Interesting) by takyon on Tuesday May 02 2017, @02:50AM (3 children)

        by takyon (881) <takyonNO@SPAMsoylentnews.org> on Tuesday May 02 2017, @02:50AM (#502633) Journal
        • (Score: 2, Interesting) by Anonymous Coward on Tuesday May 02 2017, @03:19AM (2 children)

          by Anonymous Coward on Tuesday May 02 2017, @03:19AM (#502643)

          ...about that.

          Hint: AMD is not going to eliminate or unlock the PSP because it is a core part of TPM 2.0 and their 'secure channel' to the GPU for running HDCP encrypted streams for the *AA Media Associations. They made a nice ploy of considering it, but when was the last time AMD was a trailblazer of going against the grain and providing something that users actually want?

          About the only thing they still have going for them is ECC support (but only in the AM4/Server processors now) with further restrictions being added every year.

          The hope for the future now is in someone pushing a new non-x86 arch with a proper expansion bus attached (and if not natively PCIe, with a PCIe bridge chip giving access to modern peripheral cards and x86/uefi emulation to initialize them.)

          • (Score: 2) by butthurt on Tuesday May 02 2017, @03:57AM (1 child)

            by butthurt (6141) on Tuesday May 02 2017, @03:57AM (#502655) Journal

            > [...] when was the last time AMD was a trailblazer of going against the grain and providing something that users actually want?

            There was that thing they did circa 2000, the 64-bit instructions for x86.

            The term IA-64 refers to the Itanium processor, and should not be confused with x86-64, as it is a completely different instruction set.

            -- https://en.wikipedia.org/wiki/Amd64 [wikipedia.org]

            • (Score: 1, Insightful) by Anonymous Coward on Tuesday May 02 2017, @04:16AM

              by Anonymous Coward on Tuesday May 02 2017, @04:16AM (#502663)

              There was that thing they did circa 2000, the 64-bit instructions for x86.

              Same with the Athlon XP line that blew Intel off its laurels. AMD has been a boon for computing as a whole, by being a threatening competitor in an otherwise monopolistic field. It's tragic that AMD has not been as well-rewarded financially as hoped, and that AMD is following Intel's trend of making closed-off hardware that the purchaser cannot actually own.

  • (Score: 1, Interesting) by Anonymous Coward on Tuesday May 02 2017, @01:52AM (14 children)

    by Anonymous Coward on Tuesday May 02 2017, @01:52AM (#502600)

    So, I'm not so worried about this on my home machine.
    There are much easier vectors to attack me with.
    But I am curious, can this be used to crack DRM like netflix uses so as to extract the original bitstream?
    Seems like having system access that does not go through the cpu itself is kind of like snooping on software running in a VM, except its real hardware so the software can't even detect you are snooping on it.

    • (Score: 3, Insightful) by The Mighty Buzzard on Tuesday May 02 2017, @02:11AM (11 children)

      If it's enabled on your home machines, no, there are not easier vectors to attack you from. This one is a free-throw with infinite do-overs.

      --
      My rights don't end where your fear begins.
      • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @02:23AM (10 children)

        by Anonymous Coward on Tuesday May 02 2017, @02:23AM (#502614)

        Chill with the hyperbole dufus.

        Getting a foothold on my home network would require cracking one of my PCs first because, like nearly everybody, my home network is not open to the internet.
        If somebody has cracked the PC then they don't need to attack the remote management functionality.

        • (Score: 1, Insightful) by Anonymous Coward on Tuesday May 02 2017, @02:28AM

          by Anonymous Coward on Tuesday May 02 2017, @02:28AM (#502619)

          If the PC serving as your router/firewall has one of these modern hardware backdoors via the remote management functionality, then attackers still have a wide-open door straight into your home network.

        • (Score: 4, Informative) by The Mighty Buzzard on Tuesday May 02 2017, @02:39AM (8 children)

          Oh please. NAT is not a firewall. NAT traversal for exploitation was easy decades ago.

          --
          My rights don't end where your fear begins.
          • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @02:58AM (7 children)

            by Anonymous Coward on Tuesday May 02 2017, @02:58AM (#502635)

            Yes, which is why systems behind NAT are constantly getting owned.
            Keep on pulling that supercilious shit out of your mighty butt.

            • (Score: 2) by The Mighty Buzzard on Tuesday May 02 2017, @03:30AM (6 children)

              Wow. You really know fuck-all and yet spew with great enthusiasm. NAT hasn't stopped anything but script-kiddies in twenty years.

              --
              My rights don't end where your fear begins.
              • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @06:51AM (1 child)

                by Anonymous Coward on Tuesday May 02 2017, @06:51AM (#502709)

                NAT and firewall are innately linked for many people, since most people's routers run Linux, and the Linux network stack has the firewall and NAT support inextricably linked. I am not sure about other parties' solutions, but that could certainly make many think NAT and firewalls are the same thing.

                Having said that, for a NAT to keep you secure you cannot have port-punched any holes with insecure apps that have network facing security exploits, and you additionally need outbound filtering to keep exploits on a system inside the nat from being able to 'phone home' out of it, thus rendering NAT obscuration of the devices addresses moot.

                • (Score: 1) by Scrutinizer on Tuesday May 02 2017, @07:26AM

                  by Scrutinizer (6534) on Tuesday May 02 2017, @07:26AM (#502717)

                  A bigger problem are Man-In-The-Middle attacks, which per information provided by Ed Snowden, were used by the NSA to attack Tor users [schneier.com]. If the NSA is able to use these sorts of attacks against mesh-like darknets, you can bet your britches that similar MITM attacks are common on the surface web.

              • (Score: 1) by shrewdsheep on Tuesday May 02 2017, @08:44AM (3 children)

                by shrewdsheep (5215) on Tuesday May 02 2017, @08:44AM (#502731)

                I am honestly wondering how you would go about it. I am setting up an idle machine behind a NAT, giving you the root password (with root login enabled). I would not tell you the local network configuration. How would you get in?

                • (Score: 2) by The Mighty Buzzard on Tuesday May 02 2017, @10:28AM (2 children)

                  Start reading here [samy.pl] then let google lead you onwards [google.com]. I had to learn all this by listening and asking questions on IRC then figuring it out for myself back in the day. I was not always the fine, upstanding, security conscious admin that I am nowadays.

                  --
                  My rights don't end where your fear begins.
                  • (Score: 1) by shrewdsheep on Tuesday May 02 2017, @11:00AM (1 child)

                    by shrewdsheep (5215) on Tuesday May 02 2017, @11:00AM (#502748)

                    Thank you for the links. They do confirm to me though that NAT *does* provide an additional level of security. I do recommend NAT as an additional level of security and I believe that we will see NATed networks in the IPv6 age for good reasons. The most amazing piece of NAT-hacking to me is https://samy.pl/pwnat/ [samy.pl] BTW.

                    • (Score: 2) by The Mighty Buzzard on Tuesday May 02 2017, @11:53AM

                      It does, just not an especially effective one against a knowledgeable attacker. Relying on it instead of an actual firewall is foolish in the extreme but it doesn't do any harm and does leave you at least protected from casual scans.

                      --
                      My rights don't end where your fear begins.
    • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @02:37AM

      by Anonymous Coward on Tuesday May 02 2017, @02:37AM (#502624)

      Why couldn't you just attach to Netflix/Browser's process as a debugger? Wouldn't that be more straight-forward?

      Though I suppose your suggestion might be necessary if widevine gets pulled from Linux.

    • (Score: 2) by kaszz on Wednesday May 03 2017, @12:05AM

      by kaszz (4211) on Wednesday May 03 2017, @12:05AM (#503316) Journal

      The management engine system code is located in a SPI memory chip not accessible by the operating system, where it is likely encrypted and is for sure signed [github.io]. So to get anywhere you would have to break at least one of these mechanisms to either test the code by decryption in a simulator or run your own code in the management engine.

      Debugging the browser or modules will not help as the critical processing steps are likely to happen inside the protected management engine.

  • (Score: 3, Funny) by archfeld on Tuesday May 02 2017, @01:59AM

    by archfeld (4650) <treboreel@live.com> on Tuesday May 02 2017, @01:59AM (#502602) Journal

    Spyware installed by the system owner, e.g. corporate desktops, is not spyware but a management tool.

    --
    For the NSA : Explosives, guns, assassination, conspiracy, primers, detonators, initiators, main charge, nuclear charge
  • (Score: 5, Interesting) by Scrutinizer on Tuesday May 02 2017, @02:07AM (8 children)

    by Scrutinizer (6534) on Tuesday May 02 2017, @02:07AM (#502605)

    Intel has its busted Active Management Technology, [libreboot.org] yet AMD has a similarly-flawed Platform Security Processor [libreboot.org].

    The proper solution, though not sexy or enticing like the speedy-but-flawed Intel/AMD offerings, seems to be much more akin to what Rhombus Tech [rhombus-tech.net] is working to build: new computer designs using the most open hardware available as a means to build a market that will ultimately cater to the security-conscious, among others. The big sacrifice in the present is in speed and features, and some markets (e.g. high-end gamers) might never be served by this in the foreseeable future. It still seems to be the most promising near-term approach for avoiding these sorts of flawed-by-design processors.

    • (Score: 4, Interesting) by The Mighty Buzzard on Tuesday May 02 2017, @02:13AM (4 children)

      I highly recommend the AMD Phenom II x6 1090t or 1100t. They're still exceedingly capable even at seven years old.

      --
      My rights don't end where your fear begins.
      • (Score: 1) by Scrutinizer on Tuesday May 02 2017, @02:24AM

        by Scrutinizer (6534) on Tuesday May 02 2017, @02:24AM (#502616)

        True - my current "big rig" still uses an AMD processor of that generation, and though it's getting redlined more often these days, it can still build up enough steam to handle the flashy new games that have caught my interest.

        The larger concern is with the trend towards ever more slipshod parts and supply lines for the older, safer tech soon disappearing.

      • (Score: 2) by butthurt on Tuesday May 02 2017, @04:09AM (2 children)

        by butthurt (6141) on Tuesday May 02 2017, @04:09AM (#502660) Journal

        What's a good supplier? I see some used ones for sale on Ebay and Amazon.com. I see them for sale as part of a system, via Pricewatch.

        • (Score: 2) by The Mighty Buzzard on Tuesday May 02 2017, @05:06AM (1 child)

          Dunno if you can find one at any scale now. Up until last year or so you could still find new-in-the-box ones on Amazon but I guess I hadn't looked in a while.

          --
          My rights don't end where your fear begins.
          • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @07:07AM

            by Anonymous Coward on Tuesday May 02 2017, @07:07AM (#502713)

            I have one as well. And for people in the US, keep your eyes out for your local computer resellers. I saw FX9370s selling for 970 or the CS52(??) C32/G34 chipset that have IOMMU support only have v1, which AMD doesn't support for OpenCL on the AMDGPU driver hardware (RX and maybe other GCN era stuff) or heterogeneous system memory management (Which is why those chips only received support on Intel X79+ motherboards, same as the Intel Xeon Phi cards... 64 bit BAR+IOMMU was only available on those chipsets.)

            As such there is essentially no 'current feature level' hardware that can actually take advantage of high performance videocards, and provide an otherwise libre and secure operating platform.

    • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @03:42AM (2 children)

      by Anonymous Coward on Tuesday May 02 2017, @03:42AM (#502650)

      Allwinner are not so open, they ignore GPL constantly. Most viable Single Board Computers using those chips can run modern Linux thanks to sunxi project people, not the company. And the video driver has a closed version only because the reverse engineering effort was kicked down by FOSS community (or should I say FOSS companies?), read and weep https://libv.livejournal.com/27461.html [livejournal.com] (same blog, RadeonHD killing https://libv.livejournal.com/27799.html [livejournal.com] FOSS companies are "lovely").

      You can buy from many other suppliers, BTW. Allwinner or similar ARM based SBC.

      • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @04:10AM (1 child)

        by Anonymous Coward on Tuesday May 02 2017, @04:10AM (#502661)

        Agreed, Allwinner isn't a great choice for an open hardware manufacturer. However, as I recall, they were/are the current best choice for creating a market for open computing devices, which can then in turn be used to pressure manufacturers to make fully-open chips.

        Obviously, those who don't agree are free to not buy anything Allwinner makes...

        • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @04:54AM

          by Anonymous Coward on Tuesday May 02 2017, @04:54AM (#502681)

          I guess we could link to sunxi, the community porting Allwinner things to mainline kernel and other great contributions, especially the page with the HW it supports, for those interested: https://linux-sunxi.org/Buying_guide [linux-sunxi.org]

  • (Score: 2) by linkdude64 on Tuesday May 02 2017, @03:37AM (1 child)

    by linkdude64 (5482) on Tuesday May 02 2017, @03:37AM (#502648)

    "No we won't show you the source. Trust us you dumbfucks."

    • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @01:13PM

      by Anonymous Coward on Tuesday May 02 2017, @01:13PM (#502779)

      Also most machines will never get this firmware update. Either it will not be provided by manufacturer or if it is how many home users can actually update the firmware on their computer?

  • (Score: 2, Informative) by Anonymous Coward on Tuesday May 02 2017, @04:02AM (2 children)

    by Anonymous Coward on Tuesday May 02 2017, @04:02AM (#502658)

    http://mjg59.dreamwidth.org/48429.html [dreamwidth.org] says the CPU, the chipset, the network card (for remote access, I guess) and firmware must have AMT to have the bug (local only, or remote too). One example is CPU with it (listed in Intel ARK site) but mobo chipset doesn't. NVM, big clusterfuck and "we-told-you-so".

    In Linux, run lspci and look for HECI or MEI to check if it could be an issue. EG lspci -v | egrep "HECI|MEI"

    • (Score: 0) by Anonymous Coward on Wednesday May 03 2017, @05:46AM (1 child)

      by Anonymous Coward on Wednesday May 03 2017, @05:46AM (#503498)

      Obviously if you are running Linux, Intel's Windows-only patch (if it really is a patch), does not apply.
      So with the command shown, what are we to look for? Is there a fix or workaround? Solutions please. A lot of the posts are just chickens running about headless.

      • (Score: 0) by Anonymous Coward on Wednesday May 03 2017, @04:31PM

        by Anonymous Coward on Wednesday May 03 2017, @04:31PM (#503743)

        Quoting the linked article "Under Linux, if lspci doesn't show a communication controller with "MEI" or "HECI" in the description, AMT isn't running and you're safe. If it does show an MEI controller, that still doesn't mean you're vulnerable - AMT may still not be provisioned. If you reboot you should see a brief firmware splash mentioning the ME. Hitting ctrl+p at this point should get you into a menu which should let you disable AMT."

        So no output means you're safe. Output means inconclusive.
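The check discussed in this subthread (the lspci grep above, and the point that an MEI device only means "inconclusive") can be scripted. The following is an added example written for this page, not code from the article, from mjg59's post or from any commenter. It has two stages: stage 1 parses `lspci -v` output for an MEI/HECI device; stage 2 parses an HTTP banner fetched from another host's port 16992, because the AMT listener lives in the NIC firmware and cannot be seen from the host's own loopback, so the only reliable "is it provisioned" test from software is a scan from a second machine. The lspci lines and the HTTP banners are constructed sample data, and the exact `Server:` string AMT returns is an assumption based on public scan data, not something the article states.

```shell
#!/bin/sh
# Added example (not from the article or any comment): two-stage AMT exposure check.

# Constructed lspci output for a chipset that exposes the ME interface.
SAMPLE_LSPCI_MEI='00:00.0 Host bridge: Intel Corporation 2nd Generation Core Processor Family DRAM Controller (rev 09)
00:16.0 Communication controller: Intel Corporation 6 Series/C200 Series Chipset Family MEI Controller #1 (rev 04)
00:19.0 Ethernet controller: Intel Corporation 82579LM Gigabit Network Connection (rev 04)'

# Constructed lspci output for a system with no MEI/HECI device at all.
SAMPLE_LSPCI_NOMEI='00:00.0 Host bridge: Intel Corporation Atom Processor Z36xxx/Z37xxx Series SoC Transaction Register (rev 0e)
00:02.0 VGA compatible controller: Intel Corporation Atom Processor Z36xxx/Z37xxx Series Graphics & Display (rev 0e)'

# Constructed HTTP response as an AMT web listener answers on port 16992.
# The "Server:" value is an assumption taken from public scan data.
SAMPLE_BANNER_AMT='HTTP/1.1 303 See Other
Location: http://192.0.2.10:16992/logon.htm
Server: Intel(R) Active Management Technology 8.1.40
Content-Length: 0'

# Constructed banner from an ordinary web server that happens to use the port.
SAMPLE_BANNER_OTHER='HTTP/1.1 200 OK
Server: nginx/1.10.3
Content-Length: 0'

# Stage 1: does the OS see an ME interface? Exit 0 = yes, 1 = no.
# "No" means AMT cannot be running. "Yes" is inconclusive: AMT may be present
# but unprovisioned, so check the Ctrl+P menu at boot or scan from another host.
mei_present() {
    printf '%s\n' "$1" | grep -Eq 'MEI|HECI'
}

# Turn stage 1 into a verdict string a script can branch on.
classify_lspci() {
    if mei_present "$1"; then
        echo "mei-present"
    else
        echo "no-mei"
    fi
}

# Stage 2: does a banner identify an AMT listener? Exit 0 = yes, 1 = no.
# Basic regex: the parentheses in "Intel(R)" are literal characters here.
amt_banner() {
    printf '%s\n' "$1" | grep -iq '^Server:[[:space:]]*Intel(R) Active Management Technology'
}

# Fetch the banner from a live host on the AMT HTTP port. Network call; only
# meaningful when run from a different machine on the same LAN segment.
probe_amt() {
    host=$1
    port=${2:-16992}
    printf 'GET / HTTP/1.0\r\nHost: %s\r\n\r\n' "$host" | nc -w 3 "$host" "$port" 2>/dev/null
}

# Command-line wiring:  sh amtcheck.sh --local   |  sh amtcheck.sh --remote HOST [PORT]
if [ "$1" = "--local" ]; then
    classify_lspci "$(lspci -v 2>/dev/null)"
elif [ "$1" = "--remote" ] && [ -n "$2" ]; then
    if amt_banner "$(probe_amt "$2" "${3:-16992}")"; then
        echo "$2: AMT web listener answered on port ${3:-16992}"
    else
        echo "$2: no AMT banner on port ${3:-16992}"
    fi
fi
```

A "mei-present" verdict from stage 1 should be followed by stage 2 from a second machine (or by the Ctrl+P firmware menu at boot); only a "no-mei" verdict rules AMT out on its own. Port 16993 (HTTPS) serves the same banner over TLS, so a host that answers neither port from the LAN is at least not reachable by this route.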

  • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @02:18PM (4 children)

    by Anonymous Coward on Tuesday May 02 2017, @02:18PM (#502824)

    Intel AMT, which is part of Intel's vPro brand, is not present in all Intel processors. Lower-end Celeron processors (such as in Chromebooks) do not have it (for example, see here: http://ark.intel.com/products/82103/Intel-Celeron-Processor-N2840-1M-Cache-up-to-2_58-GHz [intel.com]).

    So, just buy cheap, slow hardware, and you're fine!

    • (Score: 2) by takyon on Tuesday May 02 2017, @03:56PM (2 children)

      by takyon (881) <takyonNO@SPAMsoylentnews.org> on Tuesday May 02 2017, @03:56PM (#502911) Journal

      Well, shit. Everyone's talking about how computers are massively overpowered while software is cripplingly bloated. Just get the low powered stuff. Grab a $99 Chromebook and replace the OS with Linux.

      What about these? https://soylentnews.org/article.pl?sid=17/01/12/2239230 [soylentnews.org]

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
      • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @04:36PM

        by Anonymous Coward on Tuesday May 02 2017, @04:36PM (#502939)

        I have a Chromebook I've wiped and installed Ubuntu onto. It works just fine for me (with a high-capacity SD card to supplement the small hard drive).

      • (Score: 2) by bob_super on Tuesday May 02 2017, @06:48PM

        by bob_super (1357) on Tuesday May 02 2017, @06:48PM (#503035)

        To read SN, you barely need a 486 (DX, let's be nice) and a whopping 8M of RAM, right?

    • (Score: 0) by Anonymous Coward on Tuesday May 02 2017, @04:43PM

      by Anonymous Coward on Tuesday May 02 2017, @04:43PM (#502943)

      If you are feeling mega adventurous you could disable it but it ain't easy.

  • (Score: 2) by kaszz on Tuesday May 02 2017, @11:47PM

    by kaszz (4211) on Tuesday May 02 2017, @11:47PM (#503302) Journal

    This is an opportunity not to be wasted. If there's a bug that will show how hackers can get into your machine(s), certainly it can also be used to show you how to fully control your own machine too and finally fully rule the System Management Mode (SMM), also called ring -2. The alternative is to be a nice good customer that will happily take any firmware update that the benevolent manufacturer happens to make available and it will just shut you out of your own machine. Where only hackers and alphabet soups will have access to all the real features of the hardware. It would only be a stopgap solution until the next "oops" comes around at an inconvenient time. The official version is that AMT needs activation or at least can be shut off. But the unofficial version is likely to work just fine without any activation on the part of the user.

    Certainly the existence of a bug would not be published unless there actually is a way to compromise a machine. The lack of details in the CVE-2017-5689 bug report hints that the information itself may be enough to get results.

    So an attacker sends packets to port 16992 of a vulnerable machine and the botched firmware that the management engine runs will without authentication respond with access to all the hardware. This should imply that a firewall running on a physically separate computer can prevent some access. Adding MAC lockdown should improve the situation because the management engine uses its own. Even better, the offending firmware can be modified [github.io] and have the offending code wiped out [github.com]. It works at least on Thinkpad x220 laptop. Be aware however that indiscriminately wiping out the signed code for the management engine to stop it from running at all will make your machine shut down after 30 minutes. So these tools are required to do it right.

    Tip: On HP Xeon you can try the CTRL-p menu after much of the booting has taken place to get to an AMT/ME screen where AMT can be turned off after entering a password, like "admin".

    Now we expect the bug disclosure on AMD Platform Security Processor (PSP), Secure Execution Environment. And .. ARM TrustZone..
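The comment above points at port 16992 and at a firewall on a physically separate box as the network-side stopgap. As an added example for this page (not code from the article, from Intel, or from the commenter), the script below generates an nftables ruleset for such a gateway that drops the AMT/ME service ports arriving from an untrusted interface. The port list is Intel's documented AMT set: 16992 (HTTP), 16993 (HTTPS), 16994/16995 (redirection, SOL/IDE-R), and 623/664 (ASF RMCP and secure RMCP, which also run over UDP). The interface name is a placeholder assumption. Two caveats a practitioner would want: the rules are useless on the vulnerable host itself, because the NIC hands those ports to the ME before the OS firewall ever sees the packets, and on an integrated Intel NIC the ME shares the host's MAC address, so a per-MAC rule does not separate the two.

```shell
#!/bin/sh
# Added example (not from the article or any comment): nftables rules for a
# separate gateway that drop Intel AMT/ME service ports from an untrusted side.

# Intel's documented AMT port set. 623/664 are used over both TCP and UDP.
AMT_TCP_PORTS="16992, 16993, 16994, 16995, 623, 664"
AMT_UDP_PORTS="623, 664"

# Emit a complete ruleset. $1 is the interface facing the untrusted network.
# Rules are installed on both the forward hook (traffic to LAN hosts) and the
# input hook (traffic to the gateway itself, whose own NIC may run AMT too).
amt_block_ruleset() {
    iface=$1
    cat <<EOF
table inet amt_block {
    set amt_tcp { type inet_service; elements = { $AMT_TCP_PORTS } }
    set amt_udp { type inet_service; elements = { $AMT_UDP_PORTS } }
    chain forward {
        type filter hook forward priority -10; policy accept;
        iifname "$iface" tcp dport @amt_tcp counter drop
        iifname "$iface" udp dport @amt_udp counter drop
    }
    chain input {
        type filter hook input priority -10; policy accept;
        iifname "$iface" tcp dport @amt_tcp counter drop
        iifname "$iface" udp dport @amt_udp counter drop
    }
}
EOF
}

# Sanity check used before applying: does the generated ruleset reference a
# given port as a whole token (not as a substring of another number)?
ruleset_has_port() {
    amt_block_ruleset "$1" | grep -Eq "(^|[ ,{])$2([ ,}]|$)"
}

# Number of drop rules in the generated ruleset (expect 4: tcp+udp on two hooks).
ruleset_drop_rules() {
    amt_block_ruleset "$1" | grep -c 'counter drop'
}

# Apply only when explicitly asked and nft is installed:
#   sh amt_block.sh apply eth0
if [ "$1" = "apply" ] && [ -n "$2" ] && command -v nft >/dev/null 2>&1; then
    for p in 16992 16993 16994 16995 623 664; do
        ruleset_has_port "$2" "$p" || { echo "port $p missing from ruleset" >&2; exit 1; }
    done
    amt_block_ruleset "$2" | nft -f -
fi
```

The `counter` keyword is what makes this useful beyond blocking: `nft list table inet amt_block` then shows whether anything on the untrusted side is actually probing the AMT ports. The ruleset is written for the default-accept style of a small home gateway; a default-drop firewall does not need it at all, since those ports are simply never opened.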
