Slash Boxes

SoylentNews is people

posted by martyb on Monday June 20 2016, @10:12AM   Printer-friendly
from the One-ring-to-bring-them-all-and-in-the-darkness-bind-them... dept.

From Damien Zammit, we have this fun little tidbit:

Recent Intel x86 processors implement a secret, powerful control mechanism that runs on a separate chip that no one is allowed to audit or examine. When these are eventually compromised, they'll expose all affected systems to nearly un-killable, undetectable rootkit attacks. I've made it my mission to open up this system and make free, open replacements, before it's too late.

The Intel Management Engine (ME) is a subsystem composed of a special 32-bit ARC microprocessor that's physically located inside the chipset. It is an extra general purpose computer running a firmware blob that is sold as a management system for big enterprise deployments.

When you purchase your system with a mainboard and Intel x86 CPU, you are also buying this hardware add-on: an extra computer that controls the main CPU. This extra computer runs completely out-of-band with the main x86 CPU meaning that it can function totally independently even when your main CPU is in a low power state like S3 (suspend).

On some chipsets, the firmware running on the ME implements a system called Intel's Active Management Technology (AMT). This is entirely transparent to the operating system, which means that this extra computer can do its job regardless of which operating system is installed and running on the main CPU.

The purpose of AMT is to provide a way to manage computers remotely (this is similar to an older system called "Intelligent Platform Management Interface" or IPMI, but more powerful). To achieve this task, the ME is capable of accessing any memory region without the main x86 CPU knowing about the existence of these accesses. It also runs a TCP/IP server on your network interface and packets entering and leaving your machine on certain ports bypass any firewall running on your system.

Yeah, and I'm sure they pinky-swear never to allow the NSA access to any computer via it. I'll be using AMD from now on, slower or not, thanks.

Original Submission

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Interesting) by DannyB on Monday June 20 2016, @03:14PM

    by DannyB (5839) Subscriber Badge on Monday June 20 2016, @03:14PM (#362917) Journal
    Please consider. The people who pulled this on us are not stupid.

    Do you suppose they might have very well considered how to exfiltrate data to the mother ship, and also to receive new instructions from the overlords? Do you really think your firewall will stop them?

    Maybe you can communicate very slowly by manipulating unusual features of ordinary TCP/IP packets that flow in and out through your firewall? TCP/IP seems to allow for 'extensions' as I recall. And has various option bits.

    Incoming TCP/IP packet sequence numbers within a single connection could be manipulated. There are probably other ways to talk to these hidden computers within your processor without your firewall being aware of it. Especially if the one communicating with this hidden processor has vast resources and the ability to control your network connection from just outside your firewall, like maybe at your ISP.

    If they can manipulate your very microprocessor like this, how do you know that they don't already have control of your firewall? Or at least, most people's firewall.

    Here's another plan. Suppose this hidden processor notices that you connect to Soylent every day. So at times when you're not using your computer, it also initiates what looks like an ordinary HTTPS connection to Soylent, let's say, while you're asleep. Your custom made, carefully controlled firewall, probably has Soylent whitelisted. So it passes this connection normally. But suppose there is something recognizable about the connection, indicating it should be intercepted before it ever reaches Soylent? Now this hidden processor can secretly communicate with the mother ship at night.

    But my HTTPS connection to Soylent is over SSL you protest!

    We've already heard about horrible compromises of the Certificate Authority systems for MitM attacks in recent years. DigiNotar. TrustWave. Root signing certificates being issued to supposed 'firewall' companies so that their firewall could intercept and successfully MitM all SSL traffic at the border?

    Well, now the microprocessor is compromised! In every SSL server! Could it recognize that you're running a particular implementation of SSL? (How many are there?) Recognize it by a unique sequence of x86 instructions it executes? Steal the private signing key for the domain certificate. Exfiltrate it to the mother ship. Now all traffic to that server can be MitM'ed without anyone being the wiser. No more need to compromise the CA system.

    If you had control of a secret microprocessor within everyone's processor, what could you do? Let your imagination run wild? And the fact that this all runs secret firmware should tell you plenty.
    Islamic Fatwas = BAD; MAGA Fatwas for FBI and Judges = GOOD ?
    Starting Score:    1  point
    Moderation   +1  
       Interesting=1, Total=1
    Extra 'Interesting' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3