
posted by cmn32480 on Friday June 09 2017, @05:27PM
from the swallow-the-red-pill dept.

Malware uses Intel AMT feature to steal data, avoid firewalls

Microsoft's security team has come across a malware family that uses Intel's Active Management Technology (AMT) Serial-over-LAN (SOL) interface as a file transfer tool.

Because of the way the Intel AMT SOL technology works, SOL traffic bypasses the local computer's networking stack, so local firewalls or security products won't be able to detect or block the malware while it's exfiltrating data from infected hosts.

and . . .

Intel AMT SOL exposes hidden networking interface

This is because Intel AMT SOL is part of the Intel ME (Management Engine), a separate processor embedded with Intel CPUs, which runs its own operating system.

Intel ME runs even when the main processor is powered off, and while this feature looks pretty shady, Intel built ME to provide remote administration capabilities to companies that manage large networks of thousands of computers.

I always believed the Intel Management Engine was a bad idea and a huge target for sophisticated hackers. Your hardware. Pre-compromised from the factory. A processor baked into your microprocessor with full access to the hardware. It runs a secret binary blob -- and the primary microprocessor won't run without it.

This probably isn't the last time that this will be exploited. Probably not even the first, given the difficulty of detecting it. The wonderful thing is that your OS isn't aware of the compromise and is unable to interfere with it.
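The article's point is that a host-based firewall cannot see Serial-over-LAN traffic because the Management Engine terminates it below the operating system, so the only place left to look is the network itself. The following is an added example, not code from the article, from Microsoft's report or from the submitter: it correlates a constructed perimeter flow record against a constructed host firewall log and flags connections to the AMT service ports that the host's own networking stack never recorded. The port numbers 16992 to 16995 are Intel's documented AMT listeners; the two log formats and all addresses are invented for the example.

```python
"""Flag AMT-port flows that the host's own firewall never saw.

Added example. A perimeter sensor (switch span port, netflow, IDS) records
TCP flows; each host's firewall records the connections its network stack
handled. Traffic terminated by the Management Engine appears in the first
but never in the second, which is exactly the gap a network-side check
can close. Log formats and addresses below are constructed sample data.
"""
from collections import namedtuple

# Intel's documented AMT listeners; the redirection ports carry SOL/IDE-R.
AMT_PORTS = {
    16992: "AMT HTTP",
    16993: "AMT HTTPS",
    16994: "AMT redirection (SOL/IDE-R)",
    16995: "AMT redirection over TLS",
}

Flow = namedtuple("Flow", "src dst dport nbytes")


def parse_flow_line(line):
    """Parse one constructed perimeter record: '<src> -> <dst>:<port> <bytes>B'."""
    src, _, rest = line.split(maxsplit=2)
    dst_port, size = rest.split()
    dst, port = dst_port.rsplit(":", 1)
    return Flow(src, dst, int(port), int(size.rstrip("B")))


def parse_host_log(lines):
    """Collect (remote_ip, local_port) pairs from a constructed host firewall log.

    Format: 'ALLOW|DROP TCP <remote>:<rport> -> local:<lport>'. Both verdicts
    count as 'seen', since either proves the OS network stack handled it.
    """
    seen = set()
    for line in lines:
        parts = line.split()
        if len(parts) < 5 or parts[0] not in ("ALLOW", "DROP"):
            continue
        remote = parts[2].rsplit(":", 1)[0]
        lport = int(parts[4].rsplit(":", 1)[1])
        seen.add((remote, lport))
    return seen


def find_unseen_amt_flows(perimeter_lines, host_logs):
    """Return flows to AMT ports that the destination host's firewall did not log.

    host_logs maps a host address to the set produced by parse_host_log().
    A host with no log at all is treated as having seen nothing.
    """
    findings = []
    for line in perimeter_lines:
        f = parse_flow_line(line)
        if f.dport not in AMT_PORTS:
            continue
        if (f.src, f.dport) not in host_logs.get(f.dst, set()):
            findings.append((f.dst, f.src, f.dport, AMT_PORTS[f.dport], f.nbytes))
    return findings


# Constructed sample data: one ordinary HTTPS flow, two AMT flows to a host
# whose firewall never recorded them, and one AMT-port flow the host did log.
PERIMETER_FLOWS = [
    "10.0.0.5 -> 10.0.0.20:443 5120B",
    "10.0.0.5 -> 10.0.0.20:16994 88000B",
    "10.0.0.7 -> 10.0.0.20:16992 2048B",
    "10.0.0.9 -> 10.0.0.21:16993 512B",
]
HOST_LOGS = {
    "10.0.0.20": parse_host_log(["ALLOW TCP 10.0.0.5:51000 -> local:443"]),
    "10.0.0.21": parse_host_log(["ALLOW TCP 10.0.0.9:52000 -> local:16993"]),
}


def run_demo():
    """Run the correlation over the constructed data and return the findings."""
    return find_unseen_amt_flows(PERIMETER_FLOWS, HOST_LOGS)


if __name__ == "__main__":
    for dst, src, port, label, nbytes in run_demo():
        print(f"{dst}: {label} (tcp/{port}) from {src}, {nbytes} bytes, "
              "not present in host firewall log")
```

The 88 kB flow on tcp/16994 is the kind of record worth alerting on: a redirection session that moved real data while the host had no record of any such connection. In practice the host-side set would come from the endpoint's firewall or EDR telemetry and the perimeter set from flow export, but the join is the same.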


  • (Score: 5, Insightful) by edIII on Friday June 09 2017, @06:37PM (6 children)

    by edIII (791) on Friday June 09 2017, @06:37PM (#523200)

    Ummmm, no. It is NOT desirable in any way, shape, or form.

    MANAGEMENT is the key fucking word here, yet AMT seems to be more about surreptitiously monitoring processes, memory, and being able to modify the OS without having the OS getting in the way of you. It's a HUGE fucking problem when a management hack exposes/installs apocalyptic security backdoors.

    What is desirable is a way to push inputs, receive outputs, and control power cycling. Last time I checked that could be done without AMT. Expensive? A single rackmount device with some cables attached the inputs and outputs is something we already do.

    CONSOLE PORT + USB + POWER MANAGEMENT.

    That's the most you really need, and if anything should be developed, it's a more modern console port. Which is something that explicitly doesn't bypass operating systems, bios, firewalls, etc.

    No. Intel AMT was the worst and stupidest thing ever devised by them, with security being an afterthought. Again. If we wanted a security co-processor, then we can develop that, it would be binary/blob free, and we could completely control it. Then we would need to firewall it, secure it, etc. Which starts to sound like TPM, and you can't trust that for shit either. Has that become binary/blob free? Yeah, doubtful.

    Separate the two "features" into different hardware for different purposes, because AMT is a fucking train wreck, and always has been. The tin-foil-hatters were ignored pre-Snowden, but how many more fucking times do we need to be proved right?

    You can't entrust that much access to a corporation like that, certainly not with proprietary bullshit. Not anymore. The world has changed. Forever.

    Adapt or perish. AMT helps you do the latter, not the former.

    --
    Technically, lunchtime is at any moment. It's just a wave function.
  • (Score: 0, Interesting) by Anonymous Coward on Friday June 09 2017, @08:22PM (5 children)

    by Anonymous Coward on Friday June 09 2017, @08:22PM (#523241)

    You're off your meds again Ed. AMT and TPM were not designed for casual users like you. It was designed for enterprise level deployment and management. Where with the push of a button a fresh image of a tightly secured OS is downloaded, verified, and imaged complete with data migration to thousands of machines in multiple locations. Where a support rep can remotely troubleshoot and administer the host OS with a few key presses and a pass code. These features of orchestrated and centralized management ARE desirable to the large enough company. The only thing Intel might be accused of doing 'wrong' is bundling the technology into every product they offered. But that is a business decision of which we are not privy to the information that led up to it. Maybe they decided producing two lines of the same basic product but with this feature missing would have led to market confusion which would have been damaging to the overall brand power of the Intel name, decided not to worry about it too much right now, and (possibly mistakenly) decided leaving the technology in but unused was easier, cheaper, no one would notice, or what ever. What Intel does next will be the tell-all. If they don't at the very least release a method of effectively disabling the platform then we'll have a problem.

    Take the tin foil off please, it's really not helping the situation.

    • (Score: 0) by Anonymous Coward on Friday June 09 2017, @08:52PM (1 child)

      by Anonymous Coward on Friday June 09 2017, @08:52PM (#523254)

      Basically, Intel reduced the cost of offering AMT to enterprises by making Joe Terminal help pay for it. It also helped economies of scale, because now you can just build the same product for both Joe Terminal and Joe Cog.

      • (Score: 2) by julian on Friday June 09 2017, @10:36PM

        by julian (6003) Subscriber Badge on Friday June 09 2017, @10:36PM (#523310)

        That's fine, but give Joe an "off switch" wouldya? Or at least make it open and documented. Intel is a covetous, secretive, litigious company hostile to open source/hardware and we are seeing the fruits of those character flaws play out with these exploits.

    • (Score: 2) by DannyB on Friday June 09 2017, @08:59PM

      by DannyB (5839) Subscriber Badge on Friday June 09 2017, @08:59PM (#523260) Journal

      AMT and TPM were not designed for casual users like you. It was designed for enterprise level deployment and management. Where with the push of a button a fresh image of a tightly secured OS is downloaded, verified, and imaged complete with data migration to thousands of machines in multiple locations. Where a support rep can remotely troubleshoot and administer the host OS with a few key presses and a pass code.

      I think you have drunk the kool aid.

      What you describe sounds wonderful. And it is no doubt the selling point.

      What it was really designed for is far more sinister. And there is nothing wrong with proverbial tin foil hats if they are protecting you from something. I wonder if the NSA colluded, er collaborated with Intel in the design?

      --
      People today are educated enough to repeat what they are taught but not to question what they are taught.
    • (Score: 4, Insightful) by edIII on Friday June 09 2017, @09:20PM (1 child)

      by edIII (791) on Friday June 09 2017, @09:20PM (#523269)

      You're off your meds again Ed.

      Yeah, go fuck yourself.

      AMT and TPM were not designed for casual users like you. It was designed for enterprise level deployment and management.

      What the fuck do you think I'm fucking talking about? CONSOLE PORT + USB + POWER MANAGEMENT. Yeah, that statement just screams casual home user, and I SPECIFICALLY mentioned a rackmount device, implying that all of the hardware in the rack is being controlled by it.

      How do you not get data center activities from that context? You're a fucking dumbass.

      Where with the push of a button a fresh image of a tightly secured OS is downloaded, verified, and imaged complete with data migration to thousands of machines in multiple locations

      OOOOhhhh, so advanced and edgy.

      That can be accomplished without AMT. Intel created AMT to address the needs of techs trying to control a thousand servers efficiently. It's not like they were the only solution on the market, the only technology on the market, etc. Techs were already addressing the problem in different ways.

      Without AMT you can control USB devices connected to the machine to present whatever images you want, and you can image a machine over the network "complete with data migration" (which is meaningless--the whole thing is migrating data). Of course, there are plenty of other ways without the console port or AMT to image machines remotely.

      Without AMT you can use the console port to do whatever you need as if a tech was there typing on a keyboard and watching a display.

      Without AMT you can have rackmount power management. See what the load is on the circuit, turn off/on individual circuits, etc.

      Where a support rep can remotely troubleshoot and administer the host OS with a few key presses and a pass code. These features of orchestrated and centralized management ARE desirable to the large enough company.

      Uh huh. You can do the same thing with the CONSOLE PORT, or even remote management solutions that are rackmount too. You've never seen the display, keyboard, and USB hooked up to a rackmount controller before? AMT is just a different solution from a different vendor, not the final solution for remote management. At most, it's part of the ecosystem. Specifically, that part that is huffing paint.

      I guess you've never heard of Puppet or Chef either? Those people are just wasting their fucking time addressing the needs you outlined?

      The only thing Intel might be accused of doing 'wrong' is bundling the technology into every product they offered. But that is a business decision of which we are not privy to the information that led up to it. Maybe they decided producing two lines of the same basic product but with this feature missing would have led to market confusion which would have been damaging to the overall brand power of the Intel name, decided not to worry about it too much right now, and (possibly mistakenly) decided leaving the technology in but unused was easier, cheaper, no one would notice, or what ever. What Intel does next will be the tell-all. If they don't at the very least release a method of effectively disabling the platform then we'll have a problem.

      Yawn. Whatever. I don't give a fuck about the soap opera bullshit that led them to create AMT. All I care about as a technician are the glaring security catastrophes waiting to happen, and how it is more or less a security failure. Allowing AMT to access more than it needs to access, to perform the functions you said are so fucking desirable (that could be accomplished in another way), is fucking insane. It's a poorly implemented management product that can reduce all security on the machine to wet paper towels. How else do you describe something that can literally access all information on the machine, see processes and memory, and operate with the power "off"?

      Take the tin foil off please, it's really not helping the situation.

      You realize that is no longer effective to denigrate me right? The tin-foil-hatters were proved correct. Period. Snowden. NSA Vault. Multiple leaks. We were right mother fucker, and we're still right :)

      But keep trying to impress me with enterprise tech needs, and all the cool things AMT can do in a datacenter. I'm just some dumbass with a computer from BestBuy in a basement.... yeah that's a real effective technical rebuttal to the glaring, and now proven, problems with AMT.

      You can ride that bitch into the gutter with other ignorant and arrogant techs like yourself, but some of us are determined to have free computing, and we will get it.

      --
      Technically, lunchtime is at any moment. It's just a wave function.
      • (Score: 2) by kaszz on Saturday June 10 2017, @07:14AM

        by kaszz (4211) on Saturday June 10 2017, @07:14AM (#523425) Journal

        I can see a cost advantage of having a KVM solution in the CPU. The problem is all the secrecy and lack of trust. The interface is not documented and the software is not declared with source. And if the "KVM" processor is prevented from loading its code it will reset the main CPU every 30 minutes, which should not be a problem if the purpose were friendly.