posted by janrinok on Wednesday December 06 2017, @06:49PM   Printer-friendly
from the what-people-want dept.

Submitted via IRC for TheMightyBuzzard

Linux computer vendor System76 announced this week that it will roll out a firmware update to disable Intel Management Engine on laptops sold in the past few years. Purism will also disable Intel Management Engine on computers it sells moving forward. Those two computer companies are pretty small players in the multi-billion dollar PC industry. …

... Intel's Management Engine is a hardware and software system designed to provide some remote management features. But it's come under criticism from privacy advocates, security researchers, and the free and open source software community.

That's because Intel Management Engine is basically a mystery. It's software that runs independently of a computer's operating system, which means that even if you wipe the OS, the Management Engine is still there. And there's no good way to know what it's doing.

The risks aren't just theoretical – Intel recently acknowledged a security vulnerability affecting nearly every PC that shipped with a 6th, 7th, or 8th-gen Intel Core processor. While the company is working with PC makers to roll out updates to patch that vulnerability, it wouldn't even exist if Intel hadn't bundled a feature many users don't need and won't use with its latest chips.

System76 are making a similar move:

System76 is one of a handful of companies that sells computers that run Linux software out of the box. But like most PCs that have shipped with Intel’s Core processors in the past few years, System76 laptops include Intel’s Management Engine firmware. Intel recently confirmed a major security vulnerability affecting those chips and it’s working with …

Source: https://liliputing.com/2017/12/dell-also-sells-laptops-intel-management-engine-disabled.html

Source: https://liliputing.com/2017/11/system76-will-disable-intel-management-engine-linux-laptops.html


  • (Score: 2) by The Mighty Buzzard on Wednesday December 06 2017, @07:34PM (17 children)

    by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@soylentnews.org> on Wednesday December 06 2017, @07:34PM (#606321) Homepage Journal

    You're misinformed. The software being disabled can't be rewritten from within the operating system, barring bugs. Disabling every bit of it that takes outside input goes a long, long way towards making it impossible to alter it again without physical access to the machine and special hardware.

    --
    My favorite Trump protest sign: All in all you're just another prick with no wall
  • (Score: 2) by Justin Case on Wednesday December 06 2017, @07:43PM (14 children)

    by Justin Case (4239) Subscriber Badge on Wednesday December 06 2017, @07:43PM (#606328) Journal

    Interesting. Please inform me. (I've been trying to get facts about IME for years, but mostly I hear hand-wavy stuff.)

    How is the firmware update applied? With special hardware and physical access?

    barring bugs

    I find your faith disturbing. :)

    • (Score: 2) by Runaway1956 on Wednesday December 06 2017, @07:55PM (9 children)

      by Runaway1956 (2926) Subscriber Badge on Wednesday December 06 2017, @07:55PM (#606346) Journal

      Let me take what at least amounts to a semi-educated guess as to how it is disabled. They're flashing the BIOS. That is generally how all firmwares have been updated. You have to boot to something - Windows or DrDos or something - and initiate a flash sequence. It would be rather hard to disguise a flash. I'm sure it can be done, but at some point, a savvy user should realize that something unusual is happening. Until informed otherwise, I'll presume that few if any of us are going to click through a malware bios installation. But, the unwashed masses? Yeah, I can see that happening. (Yeah, I realize that new computers don't use the same kind of BIOS that I still use, but basically, same-o-same-o, right?)

      --
      On the plus side, I am completely immune to flash-bang grenades. - Helen Keller
      • (Score: 1, Informative) by Anonymous Coward on Wednesday December 06 2017, @08:31PM (5 children)

        by Anonymous Coward on Wednesday December 06 2017, @08:31PM (#606372)

        Windows or DrDos or something

        Sigh. It was DR-DOS, not Dr DOS. DR: Digital Research. No medical degrees were involved.

        • (Score: 2) by Runaway1956 on Wednesday December 06 2017, @09:02PM (4 children)

          by Runaway1956 (2926) Subscriber Badge on Wednesday December 06 2017, @09:02PM (#606399) Journal

          Hey, I didn't STUDY the boot screens. I like DrDos - it looks cool. And, it's close enough that you knew what I meant.

          --
          On the plus side, I am completely immune to flash-bang grenades. - Helen Keller
          • (Score: 0) by Anonymous Coward on Wednesday December 06 2017, @09:56PM (3 children)

            by Anonymous Coward on Wednesday December 06 2017, @09:56PM (#606430)

            Hey, I didn't STUDY the boot screens. I like DrDos

            I liked it, too, enough to buy it to use instead of Microsoft's then-inferior DOS. (Seriously. A fair number of MS-DOS "innovations" were direct feature-copying from DR-DOS.) I'm pretty sure the box, manual and diskette labels all clearly read "Digital Research". No boot-screen studying needed.

            Now you've got me wondering about the boot screens... DR-DOS 7.03 reads "Caldera DR-DOS", but that dates from after Novell and then Caldera owned it. I'll have to dig out my DR-DOS 5 and 6 disks to see what it read back when it was still owned by Digital Research.

            • (Score: 0) by Anonymous Coward on Thursday December 07 2017, @01:18AM (2 children)

              by Anonymous Coward on Thursday December 07 2017, @01:18AM (#606513)

              I'll follow you down that rabbit hole. I've got a set of DR DOS 6.0 disks here (note: no hyphen) that are clearly labelled Digital Research. When you boot it up, the copyright notice shown is for DR DOS Release 6.0 and it's copyright Digital Research, Inc.

              • (Score: 2) by Runaway1956 on Thursday December 07 2017, @02:32AM (1 child)

                by Runaway1956 (2926) Subscriber Badge on Thursday December 07 2017, @02:32AM (#606572) Journal

                Thank you. I didn't remember the hyphen noted by AC. I did misremember the Dr vs DR. Most DOSes ran their names together, such as TRSDOS and MSDOS, but it seemed to me that DR DOS had a space.

                Looking back, I can't remember how many DOSes there were, or how many of them were just licensed versions of DR DOS, or any other version.

                --
                On the plus side, I am completely immune to flash-bang grenades. - Helen Keller
                • (Score: 0) by Anonymous Coward on Thursday December 07 2017, @04:07AM

                  by Anonymous Coward on Thursday December 07 2017, @04:07AM (#606632)

                  You're not alone. I had a couple of friends at the time who would refer to it in speech as Doctor DOS. They were subject to numerous eye-rolls. I remember someone else referring to Microsoft's product as Ms. DOS ("Miz DOS") when Doctor DOS was mentioned.

      • (Score: 5, Informative) by sjames on Wednesday December 06 2017, @10:06PM (2 children)

        by sjames (2882) on Wednesday December 06 2017, @10:06PM (#606436) Journal

        Actually, re-flashing can easily be done silently in the background. It's just that vendors are much too lazy to update their flasher to anything newer than DOS.

        All that is actually necessary is the right pattern of reads and writes to the flash chip. In Windows, that requires kernel level access, so a hacked driver will be involved, but if you can get admin level access, you're in, and even after the system is "cleaned up", you're still in.

        • (Score: 2) by FatPhil on Thursday December 07 2017, @03:16PM (1 child)

          by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Thursday December 07 2017, @03:16PM (#606812) Homepage
          The IME should be able to block the writes to the flash (it should act as a gatekeeper for all peripheral accesses, which is why it can happily talk on the ethernet without the processor knowing about it). Best of all, it will lie to the OS about such writes, making it think they've worked. If you're paranoid enough to read what you've written back, you'll realise nothing will have changed. At least, that's how the ARM equivalent works, Intel may have designed something less functional than ARM.
          --
          Life is a precious commodity. A wise investor would get rid of it when it has the highest value.
          • (Score: 2) by sjames on Thursday December 07 2017, @07:20PM

            by sjames (2882) on Thursday December 07 2017, @07:20PM (#606951) Journal

            So the "disabled" ME will prevent the firmware update?

            You would definitely notice if the writes are shot down since the flash chip's state engine won't respond appropriately when you read status.

    • (Score: 3, Informative) by The Mighty Buzzard on Wednesday December 06 2017, @09:54PM (3 children)

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@soylentnews.org> on Wednesday December 06 2017, @09:54PM (#606428) Homepage Journal

      It can be done through a USB device (not through the OS, the USB device is essentially a JTAG programmer exploiting a bug in the existing firmware) or via physically clipping on to the chip to program it.

      Not faith, really. Disable the bits that are being disabled and it's stuck with some very narrow attack surfaces that it's genuinely possible there actually are no exploitable bugs in.

      --
      My favorite Trump protest sign: All in all you're just another prick with no wall
      • (Score: 2) by sjames on Thursday December 07 2017, @01:23AM (2 children)

        by sjames (2882) on Thursday December 07 2017, @01:23AM (#606519) Journal

        That is, as far as we know, needed to modify the firmware without having the signing key. If you have the signing key, you can just flash the BIOS to load the signed image on boot. Presumably, you can load the already signed official firmware with the known security flaws without having the signing key.

        For all we know, the signing key has already leaked. Considering how tight lipped Intel has been, I doubt they'd tell us about such a leak even if they knew.

        Meanwhile, didn't Intel claim the chipset couldn't boot with the ME disabled at one time?

        • (Score: 2) by The Mighty Buzzard on Thursday December 07 2017, @01:59AM (1 child)

          They're not entirely disabling it or it wouldn't boot at all. They're likely combining both approaches used so far. Setting the CIA's "fuck you, Intel" bit and disabling or removing all the modules that would activate after the ones to allow the system to simply boot are run.

          --
          My favorite Trump protest sign: All in all you're just another prick with no wall
          • (Score: 2) by sjames on Thursday December 07 2017, @03:08AM

            by sjames (2882) on Thursday December 07 2017, @03:08AM (#606594) Journal

            That sounds like a somewhat fragile disabling. I wouldn't bet on it being that hard to turn back on.
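The "bit" the exchange above refers to is the HAP strap in the flash descriptor, which me_cleaner-style tools set before neutralising ME modules. The following is an added example, not code from the article, from System76, Purism or Dell, nor from the me_cleaner project: it parses a flash image's descriptor, locates the ME region and the PCH strap table, reports whether the HAP strap is set, and returns a copy with it set. The field offsets follow the publicly documented descriptor layout for ME 11+ (Skylake and later) platforms; the sample image is constructed inline so the script runs offline. Module removal is not shown, and the strap only asks the ME's own firmware to halt early, which is the "fragile" quality sjames points at. Writing the descriptor also needs it to be unlocked, which on a production machine usually means an external programmer rather than an OS-level flasher.

```python
"""Inspect and set the HAP strap in an Intel flash descriptor image.

Added example for the discussion above; not the article's or any vendor's code.
Offsets: descriptor signature at 0x10, FLMAP0/FLMAP1 at 0x14, FLREG2 (ME region)
at FRBA+0x8, HAP = bit 16 of PCHSTRP0 at FPSBA (ME 11+ layout). Verify against
your own image before writing anything to real flash.
"""
import struct

DESC_SIGNATURE = 0x0FF0A55A   # flash descriptor signature, little-endian dword
HAP_BIT = 1 << 16             # "High Assurance Platform" strap in PCHSTRP0


class DescriptorError(ValueError):
    """Raised when the image does not carry a usable flash descriptor."""


def parse_descriptor(img: bytes) -> dict:
    """Return the region-table base, strap-table base and ME region bounds."""
    if len(img) < 0x1000:
        raise DescriptorError("image too short to hold a flash descriptor")
    (sig,) = struct.unpack_from("<I", img, 0x10)
    if sig != DESC_SIGNATURE:
        raise DescriptorError("no flash descriptor signature at offset 0x10")
    flmap0, flmap1 = struct.unpack_from("<II", img, 0x14)
    frba = ((flmap0 >> 16) & 0xFF) << 4    # flash region base address
    fpsba = ((flmap1 >> 16) & 0xFF) << 4   # PCH strap base address
    (flreg2,) = struct.unpack_from("<I", img, frba + 0x8)  # region 2 is ME
    me_start = (flreg2 & 0x1FFF) << 12               # base in 4 KiB units
    me_end = (((flreg2 >> 16) & 0x1FFF) << 12) | 0xFFF  # limit in 4 KiB units
    if me_start >= me_end:
        raise DescriptorError("ME region is absent or disabled in descriptor")
    return {"frba": frba, "fpsba": fpsba, "me_start": me_start, "me_end": me_end}


def hap_bit_set(img: bytes) -> bool:
    """True when PCHSTRP0 already carries the HAP strap."""
    info = parse_descriptor(img)
    (pchstrp0,) = struct.unpack_from("<I", img, info["fpsba"])
    return bool(pchstrp0 & HAP_BIT)


def set_hap_bit(img: bytes) -> bytes:
    """Return a copy of img with HAP set; every other byte is left untouched."""
    info = parse_descriptor(img)
    out = bytearray(img)
    (pchstrp0,) = struct.unpack_from("<I", out, info["fpsba"])
    struct.pack_into("<I", out, info["fpsba"], pchstrp0 | HAP_BIT)
    return bytes(out)


def build_sample_image() -> bytes:
    """Constructed 12 KiB stand-in for a flash dump (values invented for the demo).

    Descriptor at 0, FRBA at 0x40, FPSBA at 0x100, ME region 0x1000..0x2FFF.
    """
    img = bytearray(0x3000)
    struct.pack_into("<I", img, 0x10, DESC_SIGNATURE)
    frba, fpsba = 0x40, 0x100
    struct.pack_into("<II", img, 0x14,
                     (frba >> 4) << 16,    # FLMAP0 bits 23:16 = FRBA >> 4
                     (fpsba >> 4) << 16)   # FLMAP1 bits 23:16 = FPSBA >> 4
    struct.pack_into("<I", img, frba + 0x8, (0x2 << 16) | 0x1)  # FLREG2
    struct.pack_into("<I", img, fpsba, 0)  # PCHSTRP0 with HAP clear
    return bytes(img)


if __name__ == "__main__":
    sample = build_sample_image()
    info = parse_descriptor(sample)
    print("ME region: 0x%06x-0x%06x" % (info["me_start"], info["me_end"]))
    print("HAP set before:", hap_bit_set(sample))
    print("HAP set after: ", hap_bit_set(set_hap_bit(sample)))
```

Run it against a real dump by replacing `build_sample_image()` with the bytes of a full SPI image read by an external programmer; if `parse_descriptor` raises, the dump does not start with the descriptor and should not be written back.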

  • (Score: 2) by sjames on Wednesday December 06 2017, @09:59PM (1 child)

    by sjames (2882) on Wednesday December 06 2017, @09:59PM (#606433) Journal

    barring bugs

    That ship has sailed.

    • (Score: 2) by The Mighty Buzzard on Thursday December 07 2017, @02:04AM

      They'd have to be much more fundamental bugs than currently are known if you've disabled the ability of the second processor to interact with the outside world. Still possible but it's more akin to finding and exploiting a kernel driver flaw than a Wordpress bug.

      --
      My favorite Trump protest sign: All in all you're just another prick with no wall