from the swallow-the-red-pill dept.
Malware uses Intel AMT feature to steal data, avoid firewalls
Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.
Because of the way the Intel AMT SOL technology works, SOL traffic bypasses the local computer's networking stack, so local firewalls or security products won't be able to detect or block the malware while it's exfiltrating data from infected hosts.
This is because Intel AMT SOL is part of the Intel ME (Management Engine), a separate processor embedded with Intel CPUs, which runs its own operating system.
Intel ME runs even when the main processor is powered off, and while this feature looks pretty shady, Intel built ME to provide remote administration capabilities to companies that manage large networks of thousands of computers.
and . . .
Intel AMT SOL exposes hidden networking interface
This is because Intel AMT SOL is part of the Intel ME (Management Engine), a separate processor embedded with Intel CPUs, which runs its own operating system.
Intel ME runs even when the main processor is powered off, and while this feature looks pretty shady, Intel built ME to provide remote administration capabilities to companies that manage large networks of thousands of computers.
I always believed the Intel Management Engine was a bad idea and a huge target for sophisticated hackers. Your hardware. Pre-compromised from the factory. A processor baked into your microprocessor with full access to the hardware. It runs a secret binary blob -- and the primary microprocessor won't run without it.
This probably isn't the last time that this will be exploited. Probably not even the first, given the difficulty of detecting it. The wonderful thing is that your OS isn't aware of the compromise and is unable to interfere with it.
(Score: 1, Insightful) by Anonymous Coward on Friday June 09, @05:30PM
Nobody cared. In fact, people who pointed it out were derided as tinfoil-hat nutcases.
Go check the forums; there's always some "Intel" engineer who mysteriously appears, and defends the system as both secure and desirable.
(Score: 1) by Booga1 on Friday June 09, @05:39PM (1 child)
SOL? Nice acronym...
(Score: 2) by BK on Friday June 09, @06:43PM
Was going to say just that. Never has a system had a more accurate acronym.
4 out of 5 dentists choose Brand X. The other is just a denier.
(Score: 3, Insightful) by jmorris on Friday June 09, @05:41PM (2 children)
As the AC sez dismissively above, it IS a desirable feature. Since it generally replaces IPMI, which usually required a subboard and was expensive, and nobody would even think about racking up machines without it, it is a must-have feature. That isn't the problem.
The first sentence isn't a problem, it is that second one that all the evil resides within. Like all blobs we should be insisting they be opened, the hardware interfaces documented, and the keys that validate them be changeable so open firmware can replace them. Who here would object to AMT if the thing were open and documented?
OK, so if you want to bitch, bitch about the actual problem and push for an actual solution. And failing that insist on a "null blob" that triggers the primary OS load and then simply goes to sleep. For desktops that aren't corporate managed this would also solve the problem. If the big corps are too stupid to insist the darned thing not be a menace that is on them, they have the whip hand so they should use it.
(Score: 2) by DannyB on Friday June 09, @06:00PM
It sounds like you are suggesting the radical and subversive idea that if you own tons of rackable hardware that you should be able to fully control that hardware. Especially the keys used in the management of that hardware. Scandalous!
(Score: 2) by edIII on Friday June 09, @06:37PM
Ummmm, no. It is NOT desirable in any way, shape, or form.
MANAGEMENT is the key fucking word here, yet AMT seems to be more about surreptitiously monitoring processes, memory, and being able to modify the OS without having the OS get in your way. It's a HUGE fucking problem when a management hack exposes/installs apocalyptic security backdoors.
What is desirable is a way to push inputs, receive outputs, and control power cycling. Last time I checked that could be done without AMT. Expensive? A single rackmount device with some cables attached to the inputs and outputs is something we already do.
CONSOLE PORT + USB + POWER MANAGEMENT.
That's the most you really need, and if anything should be developed, it's a more modern console port. Which is something that explicitly doesn't bypass operating systems, bios, firewalls, etc.
No. Intel AMT was the worst and stupidest thing ever devised by them, with security being an afterthought. Again. If we wanted a security co-processor, then we could develop that; it would be binary/blob free, and we could completely control it. Then we would need to firewall it, secure it, etc. Which starts to sound like TPM, and you can't trust that for shit either. Has that become binary/blob free? Yeah, doubtful.
Separate the two "features" into different hardware for different purposes, because AMT is a fucking train wreck, and always has been. The tin-foil-hatters were ignored pre-Snowden, but how many more fucking times do we need to be proved right?
You can't entrust that much access to a corporation like that, certainly not with proprietary bullshit. Not anymore. The world has changed. Forever.
Adapt or perish. AMT helps you do the latter, not the former.
(Score: 2) by tangomargarine on Friday June 09, @06:18PM (2 children)
Why are the "This is because..." and "Intel ME runs even..." paragraphs quoted twice, word-for-word?
I'd like to see it try while plugged into a deactivated power strip.
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2) by DannyB on Friday June 09, @06:33PM (1 child)
Sorry about that. Great catch. Even the editors missed it.
Most people think if the computer is turned off, it must be completely safe. The green site used to have jokes about the only way for a computer to be safe was to unplug it. Some would assume that power off is safe enough.
(Score: 2) by kaszz on Friday June 09, @06:37PM
The problem is this ACPI/APM "power off" which leaves +5V DC 1A standby power. Which means that parts of the computer are still on.
(Score: 0) by Anonymous Coward on Friday June 09, @06:27PM (2 children)
"SOL traffic bypasses the local computer's networking stack, so local firewalls or security products won't be able to detect or block the malware"
Sounds like a misconfigured firewall.
You don't just blindly forward Ethernet packets if the encapsulation protocol isn't what's expected.
(Score: 2) by kaszz on Friday June 09, @06:29PM
IP packets containing TCP tend to get through. If Ethernet MACs are locked down and specific TCP ports are blocked, it would be harder, however.
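The summary's point (SOL is answered by the Management Engine below the host's network stack) and the AC/kaszz exchange just above (block the specific ports, but only a firewall that actually sees the packets can do it) come down to one practical consequence: the check has to be made on the network, not on the host. The script below is an added example, not code from the article, from Microsoft, or from anyone in this thread. It walks constructed NetFlow-style records, flags connections to the ports Intel AMT listens on by default (16992/16993 for WS-Management, 16994/16995 for the SOL/IDE-R redirection service, 623/664 for RMCP), treats a SOL session that moves a large volume of data as the file-transfer pattern described in the summary, and emits iptables rules for an upstream router. The management subnet, the flow records and the 1 MB threshold are assumptions for the example.

```python
"""Network-side detection of Intel AMT / Serial-over-LAN (SOL) traffic.

Added example, not code from the article or from the thread. The host OS
cannot see SOL traffic because the Management Engine answers it below the
operating system, so the only place a defender can observe or block it is
on the network: a SPAN port, a NetFlow/IPFIX collector, or an upstream
firewall. This script walks constructed flow records, flags connections to
the ports Intel AMT listens on by default, and prints matching upstream
firewall rules.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Intel AMT default listening ports (Intel's documented defaults):
#   16992/16993  WS-Management over HTTP / HTTPS
#   16994/16995  redirection service: SOL and IDE-R, plain / TLS
#   623/664      RMCP / secure RMCP (ASF-style discovery and control)
AMT_TCP_PORTS = {
    16992: "AMT WS-Man (HTTP)",
    16993: "AMT WS-Man (HTTPS)",
    16994: "AMT redirection: SOL/IDE-R",
    16995: "AMT redirection: SOL/IDE-R over TLS",
    623: "RMCP",
    664: "RMCP secure",
}
AMT_UDP_PORTS = {623, 664}   # RMCP ping/discovery also runs over UDP
SOL_PORTS = {16994, 16995}

# Subnet(s) the AMT management consoles live on. Assumption for this
# example; adjust to your environment. Anything else reaching an AMT port
# is unexpected.
MGMT_NETS = [ip_network("10.0.250.0/24")]
BULK_BYTES = 1_000_000       # assumed threshold for "this console is moving files"


@dataclass(frozen=True)
class Flow:
    """One flow record as a NetFlow/IPFIX exporter would summarise it."""
    src: str
    dst: str
    proto: str        # "tcp" or "udp"
    dport: int
    bytes_in: int     # bytes from src to dst
    bytes_out: int    # bytes from dst back to src


def is_management_host(addr: str) -> bool:
    ip = ip_address(addr)
    return any(ip in net for net in MGMT_NETS)


def classify(flow: Flow) -> Optional[str]:
    """Return a finding for an AMT-related flow from a non-management
    source, or None if the flow is not interesting."""
    if flow.proto == "tcp":
        label = AMT_TCP_PORTS.get(flow.dport)
    elif flow.proto == "udp" and flow.dport in AMT_UDP_PORTS:
        label = AMT_TCP_PORTS[flow.dport] + " (UDP)"
    else:
        label = None
    if label is None or is_management_host(flow.src):
        return None
    finding = f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto} {label}"
    # SOL is a serial console. A console moving a lot of bytes in one
    # direction looks like a file transfer, which is what the reported
    # malware used the channel for.
    if flow.dport in SOL_PORTS and max(flow.bytes_in, flow.bytes_out) > BULK_BYTES:
        finding += " [HIGH: bulk transfer over SOL]"
    return finding


def scan(flows) -> list[str]:
    return [f for f in (classify(x) for x in flows) if f]


def upstream_rules(nets=MGMT_NETS) -> list[str]:
    """iptables rules for a router/firewall *in front of* the hosts.
    The same rules on the host itself would never match: the ME answers
    the packet before the host's stack sees it."""
    rules = []
    for net in nets:
        for port in AMT_TCP_PORTS:
            rules.append(f"iptables -A FORWARD -p tcp --dport {port} -s {net} -j ACCEPT")
        for port in AMT_UDP_PORTS:
            rules.append(f"iptables -A FORWARD -p udp --dport {port} -s {net} -j ACCEPT")
    for port in AMT_TCP_PORTS:
        rules.append(f"iptables -A FORWARD -p tcp --dport {port} -j DROP")
    for port in AMT_UDP_PORTS:
        rules.append(f"iptables -A FORWARD -p udp --dport {port} -j DROP")
    return rules


# Constructed sample flows for the example (not real traffic).
SAMPLE_FLOWS = [
    Flow("10.0.250.7", "10.1.4.20", "tcp", 16994, 4_096, 60_000),     # console from mgmt net: fine
    Flow("10.1.4.33", "10.1.4.20", "tcp", 16994, 8_192, 52_000_000),  # peer workstation pulling 52 MB over SOL
    Flow("10.1.4.33", "10.1.4.21", "udp", 623, 56, 56),               # RMCP ping from a workstation
    Flow("10.1.4.20", "198.51.100.10", "tcp", 443, 9_000, 120_000),   # ordinary HTTPS: ignored
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(finding)
    print("\n".join(upstream_rules()))
```

Two caveats a practitioner would want. First, 16995 is the TLS variant of the redirection port, so nothing on the wire is inspectable; source address and byte volume are the only signals a flow collector has, which is why the example keys on those. Second, an AMT-provisioned host answers on the same IP address as the OS, so to a host firewall the session never existed, and to a network firewall it looks like any other TCP connection to that machine: the block has to be explicit, per port, on a device upstream of the host.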
(Score: 2) by DannyB on Friday June 09, @06:30PM
Ahhhhh!!! Maybe that's what I'm doing wrong!