It looks like it's nearly game over for the Intel Management Engine:
Positive Technologies, which in September said it has a way to attack the Intel Management Engine, has dropped more details on how its exploit works.
The firm has already promised to demonstrate [a] God-mode hack in December 2017, saying the bug "allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard".
For some details, we'll have to wait, but what's known is bad enough: Intel Management Engine (IME) talks to standard Joint Test Action Group (JTAG) debugging ports. As [does] USB, so Positive Technologies researchers put the two together and crafted a way to access IME from the USB port.
[...] The latest attack came to Vulture South's attention via a couple of Tweets:
Game over! We (I and @_markel___ ) have obtained fully functional JTAG for Intel CSME via USB DCI. #intelme #jtag #inteldci pic.twitter.com/cRPuO8J0oG
— Maxim Goryachy (@h0t_max) November 8, 2017
Full access the Intel ME( >=Skylake) by JTAG debugging via USB DCI https://t.co/TMvOirXOVI @ptsecurity @h0t_max @_markel___
— Hardened-GNU/Linux (@hardenedlinux) November 8, 2017
The linked blog post [in Russian] explains that since Skylake, the PCH – Intel's Platform Controller Hub, which manages chip-level communications – has offered USB access to JTAG interfaces that used to need specialised equipment. The new capability is DCI, Direct Connect Interface.
Reddit discussion linked by LoRdTAW in a journal.
Previously: Intel Management Engine Partially Defeated
Disabling Intel ME 11 Via Undocumented Mode
How-To: Disabling the Intel Management Engine
Andrew Tanenbaum's Open Letter to Intel About MINIX 3
Related Stories
In some shiny good news to us of the tinfoil hat crew, Phoronix is reporting:
Many free software advocates have been concerned by Intel's binary-only Management Engine (ME) built into the motherboards on newer generations of Intel motherboards. The good news is there is now a working, third-party approach for disabling the ME and reducing the risk of its binary blobs.
Via an open-source, third-party tool called me_cleaner it's possible to partially deblob Intel's ME firmware images by removing any unnecessary partitions from the firmware, reducing its ability to interface with the system. The me_cleaner works not only with free software firmware images like Coreboot/Libreboot but can also work with factory-blobbed images. I was able to confirm with a Coreboot developer that this program can disable the ME on older boards or devices with BootGuard and disable Secure Boot. This is all done with a Python script.
Those unfamiliar with the implications on Intel's ME for those wanting a fully-open system can read about it on Libreboot.org.
Looks like I may not have to go ARM on my next desktop build after all.
Positive Technologies has posted an interesting article about disabling the Intel Management Engine 11 via an undocumented mode.
Our team of Positive Technologies researchers has delved deep into the internal architecture of Intel Management Engine (ME) 11, revealing a mechanism that can disable Intel ME after hardware is initialized and the main processor starts. In this article, we describe how we discovered this undocumented mode and how it is connected with the U.S. government's High Assurance Platform (HAP) program.
[...] Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) chip and a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer. The ability to execute third-party code on Intel ME would allow for a complete compromise of the platform.
[...] Unfortunately, analysis of Intel ME 11 was previously impossible because the executable modules are compressed by Huffman codes with unknown tables. Nonetheless, our research team (Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy) managed to recover these tables and created a utility for unpacking images. The utility is available on our GitHub page.
Hey, the government isn't the only one who wants "high assurance" for their computers. We trolls and average peons would like to think our systems are secure as well.
But it gets better.
We've covered that it was possible and in theory how to do so before but I think having a proper How-To written up will save even us nerd types some hair pulling. Here's what you'll need to start:
- an Intel-CPU-based target PC — that does not have Boot Guard enabled — on which you wish to disable the IME;
- the target PC may be running an OEM BIOS (such as AMI, Dell etc.), or coreboot;
- a Raspberry Pi 3 Model B single board computer ('RPi3'), for use as an external flash programmer;
- a spare >= 8GB microSD card (to hold the 64-bit Gentoo O/S image we will use for the RPi3);
- an appropriate IC clip for your target PC's flash chip, e.g.:
- a Pomona 5250 for SOIC-8 chips;
- a Pomona 5208 for unsocketed DIP-8 chips, or
- a Pomona 5252 for SOIC-16 chips;
- 8 female-female connector wires (to attach the appropriate clip to the RPi3's GPIO header);
- a maintenance manual for your target PC, where available, to assist in safe disassembly / reassembly; and
- whatever tools are stipulated in the above.
Given the above list, you'll obviously need to be comfortable identifying and connecting an IC clip to your flash chip. So, it's not a procedure for most grandmothers but neither is especially complex or difficult for the vast majority of desktop machines (laptop/other difficulty will vary widely). Also, the guide explicitly does not cover PLCC or WSON flash chips, so you're out of luck here if your board has such.
Happy hacking, folks.
Professor Andrew S. Tanenbaum from the Department of Computer Science at Vrije Universiteit Amsterdam wrote "An Open Letter to Intel" regarding Intel's use of MINIX 3 to run the Intel Management Engine (video) built into their processors:
Thanks for putting a version of MINIX 3 inside the ME-11 management engine chip used on almost all recent desktop and laptop computers in the world. I guess that makes MINIX the most widely used computer operating system in the world, even more than Windows, Linux, or MacOS. And I didn't even know until I read a press report about it. Also here and here and here and here and here (in Dutch), and a bunch of other places.
[...] Note added later: Some people have pointed out online that if MINIX had a GPL license, Intel might not have used it since then it would have had to publish the modifications to the code. Maybe yes, maybe no, but the modifications were no doubt technical issues involving which mode processes run in, etc. My understanding, however, is that the small size and modular microkernel structure were the primary attractions. Many people (including me) don't like the idea of an all-powerful management engine in there at all (since it is a possible security hole and a dangerous idea in the first place), but that is Intel's business decision and a separate issue from the code it runs. A company as big as Intel could obviously write its own OS if it had to. My point is that big companies with lots of resources and expertise sometimes use microkernels, especially in embedded systems. The L4 microkernel has been running inside smartphone chips for years.
Professor Tanenbaum did the initial design and development of MINIX, a microkernel used primarily for teaching. He has helped guide it through the years as a small community around it has grown. Lately it has adopted much of the NetBSD userspace. The IME is a full operating system system running inside x86 computers. It gets run before whatever system on the actual hard disk even starts booting.
(Score: 3, Insightful) by Ethanol-fueled on Friday November 10 2017, @02:18AM (1 child)
There were previous efforts to disable the ME engine, partially or in full enabled by Soylent News. [soylentnews.org]
You can never trust anybody, even the fine fellows at SN, but at least they keep you ahead of the curve.
(Score: 0, Offtopic) by Ethanol-fueled on Friday November 10 2017, @03:45AM
https://www.youtube.com/watch?v=gNvmo1fjvH8 [youtube.com]
(Score: 2) by c0lo on Friday November 10 2017, @02:45AM
Do do correct it (or do do put throw in a [sic])
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by DrkShadow on Friday November 10 2017, @02:46AM (3 children)
This is SO old news it was posted in January:
https://www.bleepingcomputer.com/news/hardware/intel-cpus-can-be-pwned-via-usb-port-and-debugging-interface/ [bleepingcomputer.com]
The JTAG interface is disabled on shipping systems. At least, it's supposed to be. Did they find a system where the manufacturer forgot to do this? or did they find a way to reenable it via external USB?
(Score: 4, Informative) by The Mighty Buzzard on Friday November 10 2017, @02:52AM
Not quite the same thing. Same attack vector, different target.
My rights don't end where your fear begins.
(Score: 2) by jmorris on Friday November 10 2017, @04:41AM (1 child)
This new attack seems to involve discovering a way to wiggle bits in UEFI to get debug turned back on and a couple other tricks beyond that. Most of this stuff is fixable with a firmware update, which Intel will probably ship as soon as this hits the FakeNews media scare machine, so will mostly be useful to let researchers build vulnernable machines they can use to get into the ME of a running machine and explore for more exploits.
(Score: 0) by Anonymous Coward on Friday November 10 2017, @01:59PM
jmorris, this isn't fakenews.
your attack of the media for doing the right thing, to force a corporation to act in the benefit of its 'customers', can hardly be interpreted as a gay agenda.
you're part of the problem if you can't see without your blinders on
(Score: -1, Offtopic) by Anonymous Coward on Friday November 10 2017, @03:09AM (1 child)
(Score: 0) by Anonymous Coward on Friday November 10 2017, @04:02AM
You are one thin-skinned geezer. I mean, everyone knows Linus is an asshole, but you come across even worse than him. Of course, your baby Minix, unlike Linux, didn't get nowhere, except as a broken backdoor for Intel's chips.
What a loser.
(Score: 2) by drussell on Friday November 10 2017, @03:44AM (3 children)
So when will people wise up to the fact that obfuscated garbage like this is less secure, not a magical panacea of cyber security and everything-under-the-sun management goodness?!
Oh, wait... "They're" already trying to claw back the allowance of decent encryption... I'd be willing to bet that in the current environment we wouldn't even have been allowed to use 128 bit DES back in the day, even in North America...
:facepalm:
Certainly Microsoft would have at least got smacked down for making it too "easy" tp encrypt things "securely" by including the 128-bit update with IE, where it would be far too easy to accidentally be exported to rogue nations when people tried to update their browser version....
Half of the people reading this probably weren't even alive when we had to deal with 56-bit vs 128-bit encryption in our OS and the fledgling "browser" market?
I ran Mosaic on a 286 on a serial Lantastic LAN, for fuck's sake.... GET OFF MY LAWN!!!
Grrrrrrrrrrr!!!
(Score: 5, Touché) by takyon on Friday November 10 2017, @04:16AM (1 child)
Sometime after they realize that every processor on the market has these backdoors.
So, never.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 3, Interesting) by Anonymous Coward on Friday November 10 2017, @12:46PM
I have had this EXACT discussion with people on Tor and I2P over the past 5ish years.
Few of them were concerned with this, even among the actual developers of the software.
'Is it safe to allow nodes running on virtual hosting in data centers'? Is it safe to run this software on Windows 10 (7,8,8.1 after telemetry). Is it safe to run this software on a cell phone where the baseband might have full access to main memory?
All of these privacy networks have been running on blind faith for the past 5-10 years. At this point in time it is only safe to assume the capability for enough nodes to be compromised to provide keys off quite a few relays, which means even if they don't have access to your communications they may have enough information to infer which nodes traffic is passing between, at which point finding say a server node for an 'illegal' darknet website, whether Silk Road (or modern equivalent) or a site protesting against government censorship and abuse.
And when those networks run out and the majority of nodes are compromised, and reporting session keys back, the whole peer to peer anonymity mesh breaks down, and there is neither the developers nor hardware left to recreate it.
We are close to that point today, and unless both secure hardware and developers with the wherewithal to create the necessary secure and anonymous software take up the torch from their forebears, we are heading for the sort of nightmarish dystopia we will have a hard time if ever escaping from.
Think about what you can do if privacy, data security, anonymity and freedom are more important to you than groupthink and physical safety and security, because the time is fast approaching where you will have to choose one or the other and you will be saddled with the consequences of that choice.
(Score: 2, Insightful) by Anonymous Coward on Friday November 10 2017, @07:02AM
>So when will people wise up to the fact that obfuscated garbage like this is less secure, not a magical panacea of cyber security and everything-under-the-sun management goodness?!
Nobody ever thought IME was a feature built for consumers.
It is a backdoor, or when breached it is a wonderful way of enforcing obsolescence.
(Score: 3, Insightful) by frojack on Friday November 10 2017, @09:04AM (4 children)
Gawd I'm sick of articles that quote tweets. Usually verbatim, usually twice, once in plain text, next in a little box like that makes it more official.
Entire news articles are based on nothing but tweets, from unknown and un-provable sources, even tv news programming will flop a tweet on the screen, then read it out loud to you, then oooh and ahhh over it as if there was substance there.
The entire industry of journalism has decided to phone it in. #Journalism: #Gameover.
No, you are mistaken. I've always had this sig.
(Score: 3, Disagree) by takyon on Friday November 10 2017, @09:10AM (2 children)
It's literally a primary source. They are embedding little primary sources in the articles.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 0) by Anonymous Coward on Friday November 10 2017, @02:03PM (1 child)
great, then they can perhaps put a little footnote next to a quite and then attribute such citations in the footer that only people that want to see the full 140/280 characters that they didn't already read because it was too textual.
its so bad that i've started mentally filtering out complete parts of articles that put in screen shots of the tweet after they had just referenced it and quoted it.
it's like what I do when reading the lord of the rings or something--all those poems and songs get mentally skipped and its like they are not even on the page. doing that makes lotr, and modern news, a lot more readable.
i guess they can't embed twitter trackers and benefit from the ad profile if they just reference it without linking it, even it if is mostly invalid because just displaying it doesnt mean most readers wanted to see the same message twice. if they are going track they can at least use a 1x1 pixel instead of repeating themselves.
(Score: 3, Informative) by tibman on Friday November 10 2017, @07:56PM
The text and image are both the same to you but they are very different to other people (like blind people and robots). If it was only text then they would be excluding the proof (source material). If it was only images then the page wouldn't be as searchable, indexable, and it would be junk for screen readers. Including both is okay middle ground. They could hide the images behind links or pop-ups but i think far fewer people would see the content. Maybe that's okay?
SN won't survive on lurkers alone. Write comments.
(Score: 3, Touché) by tangomargarine on Friday November 10 2017, @04:32PM
You're complaining about Twitter, then you end your post with hashtags? Is this supposed to be ironic?
"Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
(Score: 2, Interesting) by Anonymous Coward on Friday November 10 2017, @01:34PM (2 children)
Intel designed much of their crappy security with ME in mind. Turning it off might reduce the attack surface in theory. But it could also leave you exposed to a great many backdoors Intel left open for debugging purposes that ME was meant to close in production.
It's like killing off part of your immune system to avoid auto-immune diseases. There are times it's necessary. But most times it's stupid.
(Score: 0) by Anonymous Coward on Friday November 10 2017, @02:00PM (1 child)
That's quite the conjecture.
(Score: 3, Interesting) by RamiK on Friday November 10 2017, @08:32PM
Not as much as you'd think. We have these exact same problems with Intel's microcode updates. Whereby, by avoiding them, you're denying yourself from patches addressing serious functionality and security problems.
Similarly, since we don't know what's on-the-die when it comes to ME, we might be facing a situation where Intel keeps releasing flaws (in either functionality or security) PCH versions of ME and are instructing board manufacturers to update ME with patched version. Moreover, when we disable ME, we're actually politely asking it to enter stand-by mode. It's why Google's NERF focused on depriving ME from the blobs necessary to write the flash and access the networking and graphics.
compiling...
(Score: 4, Insightful) by DannyB on Friday November 10 2017, @03:24PM
Once it becomes generally known how to hack ME, I think it is not "game over" but it is "game on". The hackers and malware purveyors will have a field day. You can expect popular malware distribution channels (aka "advertisements") to be getting lots of new material (eg, "advertisements") to, um, "distribute".
The lower I set my standards the more accomplishments I have.
(Score: 4, Funny) by crafoo on Friday November 10 2017, @07:43PM
Gentleman and Ladies, this is it. This is the Golden Age of hacking. We are living in it. Massive connectivity. Universal embedded OS & processor-in-a-processor, complete with NIC access. Revel in it. Toast the super-geniuses at Intel and the NSA. Thank you, we couldn't have had this without them.