Stories
Slash Boxes
Comments

SoylentNews is people

posted by martyb on Monday June 20 2016, @10:12AM   Printer-friendly
from the One-ring-to-bring-them-all-and-in-the-darkness-bind-them... dept.

From Damien Zammit, we have this fun little tidbit:

Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly un-killable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.

The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an extra general purpose computer running a firmware blob that is sold as a management system for big enterprise deployments.

When you purchase your system with a mainboard and Intel x86 CPU, you are also buying this hardware add-on: an extra computer that controls the main CPU. This extra computer runs completely out-of-band with the main x86 CPU meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend).

On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU.

The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system.

Yeah, and I'm sure they pinky-swear never to allow the NSA access to any computer via it. I'll be using AMD from now on, slower or not, thanks.


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by WizardFusion on Monday June 20 2016, @10:32AM

    by WizardFusion (498) Subscriber Badge on Monday June 20 2016, @10:32AM (#362809) Journal

    Isn't this just the same a an IP iLO or DELL iDRAC.? Fair enough, these aren't directly on the CPU, but they offer the same functionality. These both run closed source firmware blobs too.

    Starting Score:    1  point
    Karma-Bonus Modifier   +1  

    Total Score:   2  
  • (Score: 1) by pTamok on Monday June 20 2016, @10:54AM

    by pTamok (3042) on Monday June 20 2016, @10:54AM (#362817)

    When it is on the CPU die, there are fewer opportunities for hacking your way around it. It is not so easy to put a logic probe on the traces.

    What is at issue here is that the person who buys the PC is not given the option of only allowing firmware they THEY approve of to run. You are in fact prevented from loading your own firmware.

    As many point out, it is easily possible for a hardware switch to be built in that only allows firmware to be written if you have physical access to the PC. Both Intel and AMD have explicitly chosen NOT to implement this. By allowing the firmware to be written at any time, but requiring authentication against a key controlled only by them, it locks the person who bought the PC out from being able to run other firmware. If Intel or AMD have access to that PC via the Internet (or other means), they can write whatever firmware they like.

    This is built in to the die.

    Some may see some parallels with the printer driver issue that started RMS on his journey...http://www.oreilly.com/openbook/freedom/ch01.html

    • (Score: 2) by theluggage on Monday June 20 2016, @03:14PM

      by theluggage (1797) on Monday June 20 2016, @03:14PM (#362918)

      What is at issue here is that the person who buys the PC is not given the option of only allowing firmware they THEY approve of to run.

      If Intel wanted to include a secret feature that let the NSA in to your computer, they'd put a secret feature in. Yeah the "lights out management" system (an idea which has been around for years) might be a good place to hide it, but there's 101 other proprietary firmware blobs to choose from.

      • (Score: 2) by sjames on Tuesday June 21 2016, @09:10AM

        by sjames (2882) on Tuesday June 21 2016, @09:10AM (#363214) Journal

        Most of those blobs are more restricted now than they used to be. At one time, a processor on a PCI card had the run of the system. Now, it is more or less firewalled to access only the memory the OS grants them access to.

    • (Score: 1, Funny) by Anonymous Coward on Monday June 20 2016, @06:42PM

      by Anonymous Coward on Monday June 20 2016, @06:42PM (#362999)

      Yeah, but can't I just jab a screwdriver in there and pop the chip out? I'm going to try it on my work computer - let you know how it goes tomorrow.

  • (Score: 2, Informative) by gnampff on Monday June 20 2016, @11:09AM

    by gnampff (5658) on Monday June 20 2016, @11:09AM (#362823)

    There is one big difference between them.
    I can buy boards from other vendors than Dell or HP to not have that feature. I can choose not to install an additional card delivering this feature.
    But I _cannot_ choose to buy an Intel CPU without that feature. And AMD has something comparable so more or less all x86 is infected with it.
    And to make things worse lots of software is not usable on other architectures.
    So for the short to medium term those of us that cannot live without the power and/or compatibility of x86 are pretty much fucked.

    There is one thing left for the security conscious though. We can watch this thing closely with Wireshark and block it with pedantic firewall rules.

    • (Score: 4, Interesting) by The Mighty Buzzard on Monday June 20 2016, @11:37AM

      We can watch this thing closely with Wireshark and block it with pedantic firewall rules.

      Yeah but you gotta do that with a separate firewall box. Its traffic doesn't go through the networking stack of your OS, so you can't block it there; has to be an upstream firewall. Guess that's one good use for outdated machines.

      --
      My rights don't end where your fear begins.
      • (Score: 2) by RamiK on Monday June 20 2016, @03:17PM

        by RamiK (1813) on Monday June 20 2016, @03:17PM (#362920)

        Don't trust a firewall. Without the source of the firmware, you can't tell which protocols or packets to block. Either use a peripheral NIC to avoid the on-board one completely, or setup a VPN server and block everything else in the firewall.

        Personally I like using the under 10$ USB3 gigabit dongles. Most have good linux support and the new ones even come with extra USB3 ports so you're not losing a port. Haven't noticed any overhead either.

        --
        compiling...
      • (Score: 2) by dingus on Tuesday June 21 2016, @09:27AM

        by dingus (5224) on Tuesday June 21 2016, @09:27AM (#363217)

        The hard part would be getting access to the enterprise software that controls these things, so you can get it to send out some packets. Then you can intercept them via the controller machine and analyze them.

  • (Score: 0) by Anonymous Coward on Monday June 20 2016, @01:13PM

    by Anonymous Coward on Monday June 20 2016, @01:13PM (#362870)

    This is in the chipset, not the CPU itself. Very similar to iLO/IMM/DRAC/etc.

    It does seem to be a lot of hyperventilating over features which have been integrated for a decade in some form or another, with a good portion of the features listed available since around ICH8 or 9 (2007ish?).

    While it's excellent to be aware of an attack surface and explore ways to guard them, many of us already are, and you'll get nothing but eye rolling with this kind of media drama.

  • (Score: 2) by sjames on Tuesday June 21 2016, @09:05AM

    by sjames (2882) on Tuesday June 21 2016, @09:05AM (#363212) Journal

    The old school BMCs have much less ability to violate your system. At one time, they had a serial interface, a virtual USB hub, a virtiual reset and power button, and an independent network interface. If someone hacked it, they could get a serial interface or even a KVM like access to the console but they would still have to log in and have no more privilege that was assigned to the user they logged in as. They couldn't examine or modify RAM or in any way override OS controls on access.

    The newer devices can read and write to main memory bypassing the CPU's page tables and can snoop on a physical keyboard.