posted by cmn32480 on Friday June 09 2017, @05:27PM
from the swallow-the-red-pill dept.

Malware uses Intel AMT feature to steal data, avoid firewalls

Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.

Because of the way the Intel AMT SOL technology works, SOL traffic bypasses the local computer's networking stack, so local firewalls or security products won't be able to detect or block the malware while it's exfiltrating data from infected hosts.

and . . .

Intel AMT SOL exposes hidden networking interface

This is because Intel AMT SOL is part of the Intel ME (Management Engine), a separate processor embedded with Intel CPUs, which runs its own operating system.

Intel ME runs even when the main processor is powered off, and while this feature looks pretty shady, Intel built ME to provide remote administration capabilities to companies that manage large networks of thousands of computers.

I always believed the Intel Management Engine was a bad idea and a huge target for sophisticated hackers. Your hardware. Pre-compromised from the factory. A processor baked into your microprocessor with full access to the hardware. It runs a secret binary blob -- and the primary microprocessor won't run without it.

This probably isn't the last time that this will be exploited. Probably not even the first, given the difficulty of detecting it. The wonderful thing is that your OS isn't aware of the compromise and is unable to interfere with it.
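The summary says host firewalls cannot see SOL traffic; the practical consequence for a defender is that detection has to move off the host, onto flow records taken from the network itself. What follows is an added example and not code from the Bleeping Computer article, Microsoft or Intel: a small Python detector that scans flow records for the TCP ports the AMT firmware listens on and raises the severity when a Serial-over-LAN port shows up on a host where AMT is supposed to be off. The port list is taken from Intel's public AMT documentation and is an assumption here; the record format, addresses and inventory are constructed.

```python
"""Added example (not from the article, Microsoft or Intel): a network-side
detector for Intel AMT / Serial-over-LAN sessions.

AMT SOL terminates in the Management Engine, not in the host OS network
stack, so a host firewall never sees those packets.  The only place left to
watch is the network: flow records from a switch SPAN port, a NetFlow
collector or a Zeek sensor.  The record format parsed here is a constructed
whitespace-separated toy format, not a real sensor's output.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# TCP ports the AMT firmware listens on.  These come from Intel's public AMT
# documentation, not from the article, so treat them as an assumption:
# 16992/16993 = AMT web/WS-Management (plain/TLS),
# 16994/16995 = redirection service carrying SOL and IDE-R (plain/TLS),
# 623/664     = ASF-RMCP and its secure variant.
AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}
SOL_PORTS = {16994, 16995}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    nbytes: int


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one record: 'ts src sport dst dport proto bytes'; None if malformed."""
    parts = line.split()
    if len(parts) != 7:
        return None
    try:
        return Flow(parts[0], parts[1], int(parts[2]), parts[3],
                    int(parts[4]), parts[5].lower(), int(parts[6]))
    except ValueError:
        return None


def classify(flow: Flow, inventory: Dict[str, bool]) -> Optional[dict]:
    """Return an alert if either end of the flow is an AMT port.

    inventory maps host IP -> True when AMT is provisioned on purpose.
    Hosts missing from the inventory are treated as "AMT should be off".
    A SOL session to such a host is the high-severity case from the article;
    AMT traffic to a provisioned host is reported as informational so the
    legitimate baseline stays visible.
    """
    if flow.proto != "tcp":
        return None
    if flow.dport in AMT_PORTS:
        host, peer, port = flow.dst, flow.src, flow.dport
    elif flow.sport in AMT_PORTS:
        host, peer, port = flow.src, flow.dst, flow.sport
    else:
        return None
    expected = inventory.get(host, False)
    if expected:
        severity = "info"
    elif port in SOL_PORTS:
        severity = "high"
    else:
        severity = "medium"
    return {"ts": flow.ts, "host": host, "peer": peer, "port": port,
            "severity": severity, "bytes": flow.nbytes}


def detect(lines: List[str], inventory: Dict[str, bool]) -> List[dict]:
    """Run classify() over raw records, skipping malformed lines."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            alert = classify(flow, inventory)
            if alert is not None:
                alerts.append(alert)
    return alerts


# Constructed sample records (no real capture).  10.0.5.23 is a workstation
# where AMT should be disabled; 10.0.5.40 is a deliberately provisioned server.
SAMPLE_LOG = [
    "2017-06-09T17:30:01Z 10.0.5.23 51002 203.0.113.10 443 tcp 4120",
    "2017-06-09T17:30:07Z 10.0.7.9 40211 10.0.5.23 16994 tcp 2097152",
    "2017-06-09T17:31:15Z 10.0.9.2 40310 10.0.5.40 16992 tcp 1880",
    "2017-06-09T17:31:40Z 10.0.5.23 16994 10.0.7.9 40211 tcp 10240",
    "2017-06-09T17:32:02Z 10.0.5.23 5353 224.0.0.251 5353 udp 180",
    "malformed record",
]
INVENTORY = {"10.0.5.40": True}

if __name__ == "__main__":
    for a in detect(SAMPLE_LOG, INVENTORY):
        print(f"{a['ts']} [{a['severity']}] {a['host']}:{a['port']} "
              f"<-> {a['peer']} {a['bytes']}B")
```

Run as-is it reports two high-severity SOL flows involving the workstation and one informational AMT flow to the provisioned server; the multicast UDP flow and the malformed line are ignored. In a real deployment the records would come from a Zeek conn.log or a NetFlow export and the inventory from whatever provisions AMT, and the "high" case is the one worth paging on: a SOL session on a machine that was never meant to have AMT enabled is exactly the condition the article describes.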


  • (Score: 2, Insightful) by Anonymous Coward on Friday June 09 2017, @05:30PM (9 children)

    by Anonymous Coward on Friday June 09 2017, @05:30PM (#523164)

    Nobody cared. In fact, people who pointed it out were derided as tinfoil-hat nutcases.

    Go check the forums; there's always some "Intel" engineer who mysteriously appears, and defends the system as both secure and desirable.

    • (Score: 0) by Anonymous Coward on Friday June 09 2017, @08:06PM (5 children)

      by Anonymous Coward on Friday June 09 2017, @08:06PM (#523237)

      Virtually every x86 Server since the mid to late 1990's has a Baseboard Management Controller (BMC) that is a separate processor that runs when the system is off, runs a binary blob, can bypass all firewalls on the host operating system, is network connected, and controls and is hooked into all parts of the system (including BIOS flash, TPMs, chipsets, CPUs, Memory, etc). The computing apocalypse has not yet happened, so I think we are pretty safe.

      • (Score: 0) by Anonymous Coward on Friday June 09 2017, @08:40PM (3 children)

        by Anonymous Coward on Friday June 09 2017, @08:40PM (#523249)

        There are some big differences. First, BMC is more limited than AMT in terms of what it can actually do, as most sensitive interfaces are read-only (still bad but not as bad). Second, most BMC implementations require a dedicated interface, rather than sharing one with the OS on top. Third, the spec requires a private address for BMC, while AMT will happily answer to any packet it receives. The fourth big difference off the top of my head is that AMT can utilize all hardware on the machine, not just those built into the motherboard and connected to it with the proper bus.

        • (Score: 2, Funny) by Anonymous Coward on Friday June 09 2017, @08:49PM (2 children)

          by Anonymous Coward on Friday June 09 2017, @08:49PM (#523253)

          Seriously. AMT is both secure and desirable. Trust me; I'm an Intel engineer.

          • (Score: 2) by Azuma Hazuki on Friday June 09 2017, @09:17PM

            by Azuma Hazuki (5086) on Friday June 09 2017, @09:17PM (#523267) Journal

            Oh yeah? What's 2.0 / 1.0? If you give me something without about eleventy hojillion random numbers after the decimal point you liiiiiiiiiie :D

            --
            I am "that girl" your mother warned you about...
          • (Score: 0) by Anonymous Coward on Saturday June 10 2017, @02:32AM

            by Anonymous Coward on Saturday June 10 2017, @02:32AM (#523358)

            ayyy lemao babi

      • (Score: 3, Insightful) by Anonymous Coward on Friday June 09 2017, @10:03PM

        by Anonymous Coward on Friday June 09 2017, @10:03PM (#523300)

        There should be no proprietary blobs. All of it should be 100% free software, and anything else is intolerable and abusive.

    • (Score: 0) by Anonymous Coward on Friday June 09 2017, @08:28PM (2 children)

      by Anonymous Coward on Friday June 09 2017, @08:28PM (#523246)

      links or it didn't happen

      • (Score: 0) by Anonymous Coward on Friday June 09 2017, @08:54PM

        by Anonymous Coward on Friday June 09 2017, @08:54PM (#523256)

        Here. [soylentnews.org]

      • (Score: 2) by driverless on Saturday June 10 2017, @04:05AM

        by driverless (4770) on Saturday June 10 2017, @04:05AM (#523377)

        How's this lot [fish2.com] for a start? That's not just AMT, that's the entire class of management-engine type gunk all in one. Here's a start on attacking the things [rapid7.com]. The security community has been warning about this stuff for years.

  • (Score: 2, Funny) by Booga1 on Friday June 09 2017, @05:39PM (1 child)

    by Booga1 (6333) on Friday June 09 2017, @05:39PM (#523170)

    SOL? Nice acronym...

    • (Score: 2) by BK on Friday June 09 2017, @06:43PM

      by BK (4868) on Friday June 09 2017, @06:43PM (#523203)

      Was going to say just that. Never has a system had a more accurate acronym.

      --
      ...but you HAVE heard of me.
  • (Score: 4, Insightful) by jmorris on Friday June 09 2017, @05:41PM (9 children)

    by jmorris (4844) on Friday June 09 2017, @05:41PM (#523171)

    As the AC sez dismissively above, it IS a desirable feature. Since it generally replaces IPMI, which usually required a subboard and was expensive, and nobody would even think about racking up machines without it, it is a must have feature. That isn't the problem.

    A processor baked into your microprocessor with full access to the hardware. It runs a secret binary blob

    The first sentence isn't a problem, it is that second one that all the evil resides within. Like all blobs we should be insisting they be opened, the hardware interfaces documented, that the keys that validate them be changeable so open firmware can replace them. Who here would object to AMT if the thing were open and documented?

    OK, so if you want to bitch, bitch about the actual problem and push for an actual solution. And failing that insist on a "null blob" that triggers the primary OS load and then simply goes to sleep. For desktops that aren't corporate managed this would also solve the problem. If the big corps are too stupid to insist the darned thing not be a menace that is on them, they have the whip hand so they should use it.

    • (Score: 2) by DannyB on Friday June 09 2017, @06:00PM

      by DannyB (5839) Subscriber Badge on Friday June 09 2017, @06:00PM (#523179) Journal

      It sounds like you are suggesting the radical and subversive idea that if you own tons of rackable hardware that you should be able to fully control that hardware. Especially the keys used in the management of that hardware. Scandalous!

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 5, Insightful) by edIII on Friday June 09 2017, @06:37PM (6 children)

      by edIII (791) on Friday June 09 2017, @06:37PM (#523200)

      Ummmm, no. It is NOT desirable in any way, shape, or form.

      MANAGEMENT is the key fucking word here, yet AMT seems to be more about surreptitiously monitoring processes, memory, and being able to modify the OS without having the OS getting in the way of you. It's a HUGE fucking problem when a management hack exposes/installs apocalyptic security backdoors.

      What is desirable is a way to push inputs, receive outputs, and control power cycling. Last time I checked that could be done without AMT. Expensive? A single rackmount device with some cables attached to the inputs and outputs is something we already do.

      CONSOLE PORT + USB + POWER MANAGEMENT.

      That's the most you really need, and if anything should be developed, it's a more modern console port. Which is something that explicitly doesn't bypass operating systems, bios, firewalls, etc.

      No. Intel AMT was the worst and stupidest thing ever devised by them, with security being an afterthought. Again. If we wanted a security co-processor, then we can develop that, it would be binary/blob free, and we could completely control it. Then we would need to firewall it, secure it, etc. Which starts to sound like TPM, and you can't trust that for shit either. Has that become binary/blob free? Yeah, doubtful.

      Separate the two "features" into different hardware for different purposes, because AMT is a fucking train wreck, and always has been. The tin-foil-hatters were ignored pre-Snowden, but how many more fucking times do we need to be proved right?

      You can't entrust that much access to a corporation like that, certainly not with proprietary bullshit. Not anymore. The world has changed. Forever.

      Adapt or perish. AMT helps you do the latter, not the former.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 0, Interesting) by Anonymous Coward on Friday June 09 2017, @08:22PM (5 children)

        by Anonymous Coward on Friday June 09 2017, @08:22PM (#523241)

        You're off your meds again Ed. AMT and TPM were not designed for casual users like you. It was designed for enterprise level deployment and management. Where with the push of a button a fresh image of a tightly secured OS is downloaded, verified, and imaged complete with data migration to thousands of machines in multiple locations. Where a support rep can remotely troubleshoot and administer the host OS with a few key presses and a pass code. These features of orchestrated and centralized management ARE desirable to the large enough company. The only thing Intel might be accused of doing 'wrong' is bundling the technology into every product they offered. But that is a business decision of which we are not privy to the information that led up to it. Maybe they decided producing two lines of the same basic product but with this feature missing would have led to market confusion which would have been damaging to the overall brand power of the Intel name, decided not to worry about it too much right now, and (possibly mistakenly) decided leaving the technology in but unused was easier, cheaper, no one would notice, or whatever. What Intel does next will be the tell-all. If they don't at the very least release a method of effectively disabling the platform then we'll have a problem.

        Take the tin foil off please, it's really not helping the situation.

        • (Score: 0) by Anonymous Coward on Friday June 09 2017, @08:52PM (1 child)

          by Anonymous Coward on Friday June 09 2017, @08:52PM (#523254)

          Basically, Intel reduced the cost of offering AMT to enterprises by making Joe Terminal help pay for it. It also helped economies of scale, because now you can just build the same product for both Joe Terminal and Joe Cog.

          • (Score: 2) by julian on Friday June 09 2017, @10:36PM

            by julian (6003) Subscriber Badge on Friday June 09 2017, @10:36PM (#523310)

            That's fine, but give Joe an "off switch" wouldya? Or at least make it open and documented. Intel is a covetous, secretive, litigious, company hostile to open source/hardware and we are seeing the fruits of those character flaws play out with these exploits.

        • (Score: 2) by DannyB on Friday June 09 2017, @08:59PM

          by DannyB (5839) Subscriber Badge on Friday June 09 2017, @08:59PM (#523260) Journal

          AMT and TPM were not designed for casual users like you. It was designed for enterprise level deployment and management. Where with the push of a button a fresh image of a tightly secured OS is downloaded, verified, and imaged complete with data migration to thousands of machines in multiple locations. Where a support rep can remotely troubleshoot and administer the host OS with a few key presses and a pass code.

          I think you have drunk the Kool-Aid.

          What you describe sounds wonderful. And it is no doubt the selling point.

          What it was really designed for is far more sinister. And there is nothing wrong with proverbial tin foil hats if they are protecting you from something. I wonder if the NSA colluded, er collaborated with Intel in the design?

          --
          People today are educated enough to repeat what they are taught but not to question what they are taught.
        • (Score: 4, Insightful) by edIII on Friday June 09 2017, @09:20PM (1 child)

          by edIII (791) on Friday June 09 2017, @09:20PM (#523269)

          You're off your meds again Ed.

          Yeah, go fuck yourself.

          AMT and TPM were not designed for casual users like you. It was designed for enterprise level deployment and management.

          What the fuck do you think I'm fucking talking about? CONSOLE PORT + USB + POWER MANAGEMENT. Yeah, that statement just screams casual home user, and I SPECIFICALLY mentioned a rackmount device, implying that all of the hardware in the rack is being controlled by it.

          How do you not get data center activities from that context? You're a fucking dumbass.

          Where with the push of a button a fresh image of a tightly secured OS is downloaded, verified, and imaged complete with data migration to thousands of machines in multiple locations

          OOOOhhhh, so advanced and edgy.

          That can be accomplished without AMT. Intel created AMT to address the needs of techs trying to control a thousand servers efficiently. It's not like they were the only solution on the market, the only technology on the market, etc. Techs were already addressing the problem in different ways.

          Without AMT you can control USB devices connected to the machine to present whatever images you want, and you can image a machine over the network "complete with data migration" (which is meaningless--the whole thing is migrating data). Of course, there are plenty of other ways without the console port or AMT to image machines remotely.

          Without AMT you can use the console port to do whatever you need as if a tech was there typing on a keyboard and watching a display.

          Without AMT you can have rackmount power management. See what the load is on the circuit, turn off/on individual circuits, etc.

          Where a support rep can remotely troubleshoot and administer the host OS with a few key presses and a pass code. These features of orchestrated and centralized management ARE desirable to the large enough company.

          Uh huh. You can do the same thing with the CONSOLE PORT, or even remote management solutions that are rackmount too. You've never seen the display, keyboard, and USB hooked up to a rackmount controller before? AMT is just a different solution from a different vendor, not the final solution for remote management. At most, it's part of the ecosystem. Specifically, that part that is huffing paint.

          I guess you've never heard of Puppet or Chef either? Those people are just wasting their fucking time addressing the needs you outlined?

          The only thing Intel might be accused of doing 'wrong' is bundling the technology into every product they offered. But that is a business decision of which we are not privy to the information that led up to it. Maybe they decided producing two lines of the same basic product but with this feature missing would have led to market confusion which would have been damaging to the overall brand power of the Intel name, decided not to worry about it too much right now, and (possibly mistakenly) decided leaving the technology in but unused was easier, cheaper, no one would notice, or whatever. What Intel does next will be the tell-all. If they don't at the very least release a method of effectively disabling the platform then we'll have a problem.

          Yawn. Whatever. I don't give a fuck about the soap opera bullshit that led them to create AMT. All I care about as a technician are the glaring security catastrophes waiting to happen, and how it is more or less a security failure. Allowing AMT to access more than it needs to access, to perform the functions you said are so fucking desirable (that could be accomplished in another way), is fucking insane. It's a poorly implemented management product that can reduce all security on the machine to wet paper towels. How else do you describe something that can literally access all information on the machine, see processes and memory, and operate with the power "off"?

          Take the tin foil off please, it's really not helping the situation.

          You realize that is no longer effective to denigrate me right? The tin-foil-hatters were proved correct. Period. Snowden. NSA Vault. Multiple leaks. We were right mother fucker, and we're still right :)

          But keep trying to impress me with enterprise tech needs, and all the cool things AMT can do in a datacenter. I'm just some dumbass with a computer from BestBuy in a basement.... yeah that's a real effective technical rebuttal to the glaring, and now proven, problems with AMT.

          You can ride that bitch into the gutter with other ignorant and arrogant techs like yourself, but some of us are determined to have free computing, and we will get it.

          --
          Technically, lunchtime is at any moment. It's just a wave function.
          • (Score: 2) by kaszz on Saturday June 10 2017, @07:14AM

            by kaszz (4211) on Saturday June 10 2017, @07:14AM (#523425) Journal

            I can see a cost advantage of having a KVM solution in the CPU. The problem is all the secrecy and lack of trust. The interface is not documented and the software is not declared with source. And if the "KVM" processor is prevented from loading its code it will reset the main CPU every 30 minutes, which should not be a problem if the purpose were friendly.

    • (Score: 2) by sjames on Saturday June 10 2017, @12:36AM

      by sjames (2882) on Saturday June 10 2017, @12:36AM (#523338) Journal

      In recent years, IPMI has become something built into the motherboard because it's too inexpensive to justify a second SKU or the sub-board connections.

      The thinner connection the BMC has to the rest of the system is a feature! It limits the shenanigans should someone get control of it.

  • (Score: 2) by tangomargarine on Friday June 09 2017, @06:18PM (13 children)

    by tangomargarine (667) on Friday June 09 2017, @06:18PM (#523187)

    Why are the "This is because..." and "Intel ME runs even..." paragraphs quoted twice, word-for-word?

    Intel ME runs even when the main processor is powered off

    I'd like to see it try while plugged into a deactivated power strip.

    --
    "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
    • (Score: 2) by DannyB on Friday June 09 2017, @06:33PM (12 children)

      by DannyB (5839) Subscriber Badge on Friday June 09 2017, @06:33PM (#523197) Journal

      Sorry about that. Great catch. Even the editors mist it.

      Most people think if the computer is turned off, it must be completely safe. The green site used to have jokes about the only way for a computer to be safe was to unplug it. Some would assume that power off is safe enough.

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
      • (Score: 3, Informative) by kaszz on Friday June 09 2017, @06:37PM (3 children)

        by kaszz (4211) on Friday June 09 2017, @06:37PM (#523201) Journal

        The problem is this ACPI/APM "power off" which leaves +5V DC 1A standby power. Which means that parts of the computer are still on.

        • (Score: 2) by tangomargarine on Friday June 09 2017, @07:16PM (2 children)

          by tangomargarine (667) on Friday June 09 2017, @07:16PM (#523222)

          Where is that power coming from, the cell battery? Or there's some backup battery wired into the AMT chip?

          --
          "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
          • (Score: 2) by tangomargarine on Friday June 09 2017, @07:20PM

            by tangomargarine (667) on Friday June 09 2017, @07:20PM (#523224)

            Oh, you weren't replying to me. Whoops.

            --
            "Is that really true?" "I just spent the last hour telling you to think for yourself! Didn't you hear anything I said?"
          • (Score: 2) by kaszz on Friday June 09 2017, @08:29PM

            by kaszz (4211) on Friday June 09 2017, @08:29PM (#523247) Journal

            Here's the answer anyway:
            The power supply (ATX) has a main power conversion part that is switched on or off depending on the visible power button and LED. Then there's a separate power conversion with 5-watt capacity that is always on until it's physically unplugged. Some have a real switch on the back of the supply itself that does the same.

      • (Score: 3, Interesting) by nobu_the_bard on Friday June 09 2017, @07:15PM (6 children)

        by nobu_the_bard (6373) on Friday June 09 2017, @07:15PM (#523220)

        I discussed in college many years ago that the only way to be completely sure your computer was safe was to power it off, disconnect the cables, encase it in a lead shield, drop the shielded box into a vault with about 12-36 inch thick walls of cement buried roughly 100 feet into the ground in total darkness, then kill everyone who knew it was there. The thickness of the walls was debated a bit and I don't think we ever reached a consensus.

        Of course, now that I'm older and wiser, I know that you'd also have to ensure it was buried someplace that was unlikely to be sited for new construction in the next 20 years to ensure it stays buried a reasonably long time. Found an entire buried train (fuel tanker cars with leaking tanks!) at a site one time. Learned a lot about burying things, do's and don'ts.

        • (Score: 0) by Anonymous Coward on Friday June 09 2017, @07:40PM (1 child)

          by Anonymous Coward on Friday June 09 2017, @07:40PM (#523230)

          How did that train situation work? Was it a rail yard/factory with tracks running at/to difference elevations? Or was it simply somebody too cheap to pay the costs associated with transporting it offsite for disposal who chose instead to bury it, either below ground with established tracks, dumped below ground and covered, or aboveground and mounded over before other material was built around it?

          • (Score: 2) by nobu_the_bard on Friday June 09 2017, @09:43PM

            by nobu_the_bard (6373) on Friday June 09 2017, @09:43PM (#523287)

            Oh. It was at an old mill building that we were converting into a warehouse. The building is like 50+ years old, I'm not sure the exact age, it abuts an even older but slightly smaller one owned by another company. I live and work in the rust belt. The mill used to have a lot of trains going through; there's still live train tracks to the neighboring mills nearby. The previous owner was ... pretty shady. They did something with concrete and gravel. They had already made modifications to the building for modern trucks to pull in for loading which we needed.

            There were no paper records of the train that anyone could find; it was not a proper engine, some kind of short-range moving vehicle was buried with it (I don't know much about trains). It had two fuel tanks that had been buried along with it, about 10 feet underground parallel to where the tracks had been before we ripped them out. It was now the employee parking lot. Apparently someone had rigged the tanks up to serve as fuel pumps for trucks or trains, or that is what I think they tried to do. They just chopped off the pipes in the ground and covered them when they moved out. We found shoddy piping connected to the tanks pointing at the surface. I never learned why they thought this was a good idea, or if it ever worked.

            Environmental people we hired to check the site before we moved in, for insurance, missed it. Leaking fuel was detected by government inspectors and we hired a second company that located the fuel tankers. They were about 1/3 full still and an estimate of 1/3 of the volume of the tanks had leaked into the surrounding ground (I don't remember the exact amounts). Then we sued the first because we got in serious trouble for the environmental stuff, but the lawyers and money guys figured that bit out, I am the IT guy so wasn't directly involved.

        • (Score: 2) by edIII on Friday June 09 2017, @08:04PM (3 children)

          by edIII (791) on Friday June 09 2017, @08:04PM (#523235)

          Nah, it's simpler. Just make a Faraday Cage. Then you put in a Rottweiler, like I had as a kid :)

          You cannot bypass a Rott, no matter what you've seen in the movies. Not getting around mine, and he was trained as a guard dog. Somebody once thought they could turn him with some treats, or a steak. Ended up getting a real nice steak from the store to try it. I laughed my ass off when he hung over the fence with my boy jumping up trying to kill him, and dropped the steak. One bite, two bites, three bites, without even hitting the floor, and back to kill mode with no hesitation. I miss my boy. I would imagine Siegfried and Roy's computers were safe in the same way. A bunch of tigers roaming free through the house, and that was assuming you could Ocean's Eleven your way through casino security.

          If I ever needed to secure information, I would bury hundreds of flash drives over a large area like a squirrel with steganographically encoded information forcing people to endlessly sift through random [youtube.com] crap [youtube.com].

          --
          Technically, lunchtime is at any moment. It's just a wave function.
          • (Score: 2) by maxwell demon on Friday June 09 2017, @09:27PM

            by maxwell demon (1608) on Friday June 09 2017, @09:27PM (#523272) Journal

            You cannot bypass a Rott, no matter what you've seen in the movies.

            I'm pretty sure you can.

            I laughed my ass off when he hung over the fence with my boy jumping up trying to kill him, and dropped the steak. One bite, two bites, three bites, without even hitting the floor, and back to kill mode with no hesitation.

            And now imagine there had been some sedative put in that steak. What would have happened?

            --
            The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 2) by hendrikboom on Friday June 09 2017, @11:06PM (1 child)

            by hendrikboom (1125) Subscriber Badge on Friday June 09 2017, @11:06PM (#523316) Homepage Journal

            I'm pretty certain a loaded pistol could make a Rottweiler very bypassable.

            • (Score: 2) by edIII on Friday June 09 2017, @11:40PM

              by edIII (791) on Friday June 09 2017, @11:40PM (#523329)

              Well, I was halfway joking. In all seriousness, you better have more than one bullet, and you better catch the dog off guard. A really sincere pissed off Rott that is trained as a guard dog is a serious thing. He took guarding the property a lot more seriously than we wanted him to, but we had no doubt that it would take a gun and several bullets to come on property with malice.

              The new Giant Rotts (it's a real thing) are even bigger than my boy, and he was huge. I'm about 6'1" (closer to 6'2"), and he would stand on his hind legs and look down at my face.
              Even with a gun, I would be nervous. We're not talking about shooting from some place safe, like over a fence. You need to open a door and walk in first, hoping you don't get a face full of Rott.

              --
              Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 2) by edIII on Friday June 09 2017, @07:46PM

        by edIII (791) on Friday June 09 2017, @07:46PM (#523233)

        I'm not sure I would recommend misting SN. It may affect the shelf life :)

        --
        Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 0) by Anonymous Coward on Friday June 09 2017, @06:27PM (5 children)

    by Anonymous Coward on Friday June 09 2017, @06:27PM (#523191)

    "SOL traffic bypasses the local computer's networking stack, so local firewalls or security products won't be able to detect or block the malware"

    Sounds like a misconfigured firewall.
    You don't just blindly forward Ethernet packets if the encapsulation protocol isn't what's expected.

    • (Score: 2) by kaszz on Friday June 09 2017, @06:29PM

      by kaszz (4211) on Friday June 09 2017, @06:29PM (#523195) Journal

      IP packets containing TCP tend to get through. If Ethernet MACs are locked down and specific TCP ports are blocked, it would be harder, however.

    • (Score: 2) by DannyB on Friday June 09 2017, @06:30PM

      by DannyB (5839) Subscriber Badge on Friday June 09 2017, @06:30PM (#523196) Journal

      You don't just blindly forward Ethernet packets if the encapsulation protocol isn't what's expected.

      Ahhhhh!!! Maybe that's what I'm doing wrong!

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 5, Informative) by bob_super on Friday June 09 2017, @07:14PM (2 children)

      by bob_super (1357) on Friday June 09 2017, @07:14PM (#523218)

      Gotta RTFA sometimes (or read the Ars version). A firewall running on the same processor will simply not see those packets, as they get diverted to SOL.

      Missing from TFS is the fact that this is all disabled by default. You need another malware, or a questionable configuration to enable it first, before you're vulnerable.

      • (Score: 0) by Anonymous Coward on Friday June 09 2017, @08:57PM (1 child)

        by Anonymous Coward on Friday June 09 2017, @08:57PM (#523259)

        Need another malware....
        Does this imply Windows?
        Is Linux safe, or is this Intel "feature" its own thing and your OS choice does not even matter?
        Does AMD have some equivalent of this malevolent bakeware?
        What recourse do we have against Intel ... a worldwide class action lawsuit?

        • (Score: 2) by MrGuy on Friday June 09 2017, @09:32PM

          by MrGuy (1007) on Friday June 09 2017, @09:32PM (#523278)

          Does this imply Windows?

          Nope.

          Is Linux safe, or is this Intel "feature" its own thing and your OS choice does not even matter

          The latter. This runs upstream of/in parallel with your installed OS.

          Does AMD have some equivalent of this malevolent bakeware?

          Yep. [amd.com] It's called TrustZone.

          What recourse do we have against Intel ... a worldwide class action lawsuit?

          Good luck with that.

  • (Score: 2, Interesting) by Anonymous Coward on Friday June 09 2017, @07:16PM (8 children)

    by Anonymous Coward on Friday June 09 2017, @07:16PM (#523223)

    OK, so on a standalone box you can supposedly disable AMT completely in UEFI bios settings. Anyone know if that actually kills the bugger?

    • (Score: 2) by kaszz on Friday June 09 2017, @08:33PM (2 children)

      by kaszz (4211) on Friday June 09 2017, @08:33PM (#523248) Journal

      Supposedly yes.
      Another alternative is to zero out the relevant binary modules present in the BIOS memory using the correct checksums. Otherwise it will reset every 30 minutes, if the AMT doesn't get the correct code loaded to mitigate the watchdog alarm.

      • (Score: 0) by Anonymous Coward on Friday June 09 2017, @10:01PM (1 child)

        by Anonymous Coward on Friday June 09 2017, @10:01PM (#523299)

        Hmmm...been running for 6+ hours with no resets or shutdowns, bios still shows "disabled". Still would like to confirm whether or not bios is lying or the config widget actually works before I go mucking about in bios files. But good info, thanks.

        • (Score: 2) by kaszz on Saturday June 10 2017, @07:19AM

          by kaszz (4211) on Saturday June 10 2017, @07:19AM (#523426) Journal

          The 30 minute reset only occurs if you force the issue by zeroing the sections that contain the essential code for the AMT sub-processor, because that will prevent it from working at all.

    • (Score: 2) by etherscythe on Friday June 09 2017, @09:13PM (3 children)

      by etherscythe (937) on Friday June 09 2017, @09:13PM (#523264) Journal

      You find a gun. Safety's on. Do you still pull the trigger to find out if it's loaded?

      --
      "Fake News: anything reported outside of my own personally chosen echo chamber"
      • (Score: 0) by Anonymous Coward on Friday June 09 2017, @09:56PM

        by Anonymous Coward on Friday June 09 2017, @09:56PM (#523293)

        If it's pointed safely down-range or at a smarmy little faggot, yes.

      • (Score: 2) by fliptop on Friday June 09 2017, @10:07PM

        by fliptop (1666) on Friday June 09 2017, @10:07PM (#523301) Journal

        You find a gun. Safety's on. Do you still pull the trigger to find out if it's loaded?

        No silly, you do that to see if the safety works.

        --
        Our Constitution was made only for a moral and religious people. It is wholly inadequate to the government of any other.
      • (Score: 0) by Anonymous Coward on Saturday June 10 2017, @07:05AM

        by Anonymous Coward on Saturday June 10 2017, @07:05AM (#523424)

        Because, like guns, computers are simple, time-proven mechanical contraptions anybody can build at home...

    • (Score: 0) by Anonymous Coward on Saturday June 10 2017, @04:33PM

      by Anonymous Coward on Saturday June 10 2017, @04:33PM (#523509)

      There's an ethernet chip on the motherboard, and the UEFI BIOS has a driver for it. So: use the BIOS to disable the online ethernet port, and buy a separate ethernet card that doesn't use the same chip. So how would AMT talk to the separate card? Where's the hole in this plan?

  • (Score: 2) by hendrikboom on Friday June 09 2017, @11:03PM (1 child)

    by hendrikboom (1125) Subscriber Badge on Friday June 09 2017, @11:03PM (#523315) Homepage Journal

    I'm considering buying a second-hand server for home use.

    How can I tell if any part of the management engine is activated?
    Can I do this *before* I buy it? And how should I deactivate it?

    What ports do I have to block in case it isn't and can't be? Those ports will of course have to be blocked with a separate firewall that does not use Intel hardware.

    -- hendrik

    • (Score: 0) by Anonymous Coward on Saturday June 10 2017, @10:00PM

      by Anonymous Coward on Saturday June 10 2017, @10:00PM (#523608)

      I can tell you it is possible to find modded bioses. People have disabled undesirable features and of course have introduced ones more to their liking.

      I have done this on much of my personal inventory of older computers, and some of the new ones.

      If you don't want the ME engine, you are going to be hard pressed to find something that is any good with a motherboard that has features you want. You may find something cheap, but you'd likely need to add more components to it that otherwise could be integrated (SAS controllers, SATA controllers, integrated video [servers benefit from cheap integrated video; even if it's just to power a hypervisor console, it's better to have it integrated than to have to find a GPU for it], etc.).

      It's not impossible, but finding good older server hardware might be challenging due to the ages involved. It could be that older desktops like LGA 775 socketed motherboards (and LGA 771 servers) are a good bet, along with AMDs of the same era.

      LGA 775s can be hardware modified to accept LGA 771 Xeon chips, which are very nice for the cost/performance ratio. I'd recommend checking that out if you are not against using an X-Acto knife on your computer.

      You can't use an X-Acto knife to disable the management engine, unfortunately, but you can sometimes upgrade old hardware, via hardware modification, to have the potential to be good enough to hold its own against modern small-business-oriented servers.
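The question earlier in the thread of whether the firmware's "disabled" setting can be trusted, and hendrikboom's question of how to tell whether any part of the management engine is active, can be partly answered from the OS side. The following is an added example, not code from the thread: a POSIX shell check over `lspci -nn` output that reports whether the ME host interface and the AMT Serial-over-LAN PCI function are exposed to the operating system; the class and name patterns are heuristics, and the sample lspci lines are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: heuristic check of whether the Intel ME
# host interface (MEI/HECI) and the AMT Serial-over-LAN port (the "KT"/SOL PCI
# function) are exposed to the OS, judged from `lspci -nn` output.
# Background used here: Intel's PCI vendor id is 8086; the ME host interface is
# a class 0780 (communication controller) function named HECI/MEI/CSME; AMT SOL
# is a class 0700 (serial controller) function named "KT ..." or "... SOL".
# When AMT is disabled in firmware the SOL function is normally not enumerated,
# so seeing "sol-exposed" after setting AMT to disabled deserves a second look.
# Name matching is a heuristic; it can miss differently named parts.

# amt_sol_status: reads `lspci -nn` lines on stdin, prints exactly one of
#   sol-exposed  (AMT SOL serial function visible: the SOL path is live)
#   mei-only     (ME host interface visible, no SOL function)
#   none         (neither seen)
amt_sol_status() {
    mei=0
    kt=0
    while IFS= read -r line; do
        case "$line" in
            *"[0780]"*HECI*"[8086:"*|*"[0780]"*MEI*"[8086:"*|*"[0780]"*CSME*"[8086:"*)
                mei=1 ;;
            *"[0700]"*KT*"[8086:"*|*"[0700]"*SOL*"[8086:"*)
                kt=1 ;;
        esac
    done
    if [ "$kt" -eq 1 ]; then echo sol-exposed
    elif [ "$mei" -eq 1 ]; then echo mei-only
    else echo none
    fi
}

# sample_lspci: constructed `lspci -nn` excerpt for offline demonstration
# (device ids replaced with xxxx; not captured from a real machine).
sample_lspci() {
    cat <<'EOF'
00:00.0 Host bridge [0600]: Intel Corporation Host Bridge [8086:xxxx] (rev 08)
00:16.0 Communication controller [0780]: Intel Corporation CSME HECI #1 [8086:xxxx] (rev 21)
00:16.3 Serial controller [0700]: Intel Corporation Active Management Technology - SOL [8086:xxxx] (rev 21)
00:1f.3 Audio device [0403]: Intel Corporation HD Audio [8086:xxxx] (rev 21)
EOF
}

# Live run when lspci is available, otherwise the constructed sample.
if command -v lspci >/dev/null 2>&1; then
    echo "this host: $(lspci -nn 2>/dev/null | amt_sol_status)"
else
    echo "sample:    $(sample_lspci | amt_sol_status)"
fi
```

A result of "mei-only" or "none" does not prove the ME is inert, only that the OS is not being offered the SOL serial port; a result of "sol-exposed" on a box whose setup screen says AMT is disabled is the mismatch worth investigating.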

  • (Score: 0) by Anonymous Coward on Saturday June 10 2017, @01:05AM (1 child)

    by Anonymous Coward on Saturday June 10 2017, @01:05AM (#523342)

    Purism has been making major strides in completely disabling this. See https://puri.sm/. [puri.sm]

    • (Score: 2) by kaszz on Saturday June 10 2017, @07:35AM

      by kaszz (4211) on Saturday June 10 2017, @07:35AM (#523428) Journal

      CPU: Intel i7-6500U (Skylake) @ 3.10 GHz
      RAM: 16 GB DDR4
      Storage: SATA3 2.5" 7.0 mm
      Graphics: Intel HD Graphics 520
      Screen: 13.3" 1920×1080p Matte IPS @ 60 Hz

      Price: 1400 US$

  • (Score: 0) by Anonymous Coward on Saturday July 01 2017, @10:27AM

    by Anonymous Coward on Saturday July 01 2017, @10:27AM (#533876)

    This is like the textbook definition of a backdoor.

    Because it's hardware, it's ok?
