back to article Intel's super-secret Management Engine firmware now glimpsed, fingered via USB

Positive Technologies, which in September said it has a way to drill into Intel's secretive Management Engine technology buried deep in its chipsets, has dropped more details on how it pulled off the infiltration. The biz has already promised to demonstrate a so-called God-mode hack this December, saying they've found a way …

Page:

  1. Louis Schreurs BEng

    First

    Let's go hack the x86 world.

    1. Dan 55 Silver badge
      Black Helicopters

      Re: First

      Start here:

      http://localhost:16992/

      http://another.ip.on.your.lan:16992/

      Yep, it's got a web server too. With bugs.

  2. Anonymous Coward
    Anonymous Coward

    Hello: 'Trusted Computing' Model 2.0?

    ....."The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility," (EFF)...

    http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

  3. Anonymous Coward
    Anonymous Coward

    Embedding an all-powerful backdoor remote management OS on the chips: what could go wrong?

    1. Mark 65

      In years past it would be tin-foil hat territory and it can be equally well assigned to incompetence, but it would seem to be awfully convenient for the various 3 letter agencies out there. More-so if it had been kept under wraps. Will this spell the end of such dual controls or will the World just quietly ignore it whilst updating their status?

  4. Anonymous South African Coward Silver badge

    Quick! Everybody switch over to AMD chop-chop!

    ...as if. Doh.

    1. phuzz Silver badge

      Too late, they have their own version.

      That said, AMD are only putting it in some chips, and aiming it at the enterprise market where it's actually wanted.

      1. whitepines Silver badge
        Facepalm

        Nope. It's in every single chip and increasingly vital to the boot process (well, technically, even now *no* AMD chips will boot without it, it's just that now DRAM setup and other functions are also being moved into the PSP. Can you say "exploits everywhere"?)

    2. Ken Hagan Gold badge

      Re: Everybody switch over to AMD

      I imagine that there *are* people (say, in Russia or China) who *are* now asking whether there is a trusted source of x86-compatible CPUs. And if not, whether there ought to be.

      If these people *aren't* asking that question, they aren't doing their job properly.

      1. elip

        Re: Everybody switch over to AMD

        Actually, Russian government asked this question several years back, passed protectionist legislation, and is now turning to its own CPU designers and fabricators for their systems.

        I can only imagine, China being China, it has already done this several years back.

    3. Mark 65

      The rise of ARM or are they headed that way too?

      1. jbuk1

        I don’t know about all arm platforms but certainly the rpi relies on closed source binary blob for the powervr gpu which is responsible for the actual boot process.

        Yes I did say the gpu.

  5. tony2heads
    Happy

    The year of..

    Minix on the desktop?

    1. Peter2 Silver badge

      Re: The year of..

      It would appear that Intel appreciated the Minix Microkernal design over the monolothic kernal design.

      I look forwards to seeing the next round of the infamous flame war with great dread.

      1. Mpeler
        Black Helicopters

        Re: The year of.. the magic word

        WOMIX won't work anymore, you have to throw the battery at the dwarf with the hatchet and then type in MINIX or XINIM.

        You are in a maze of twisty passages that all look alike.....

  6. Christian Berger

    Increasingly security is about not doing stupid things...

    ... and having a separate system designed to circumvent security boundaries which is enabled by default.

    Seriously, if you make any system more complex, it'll be less secure.

    1. Christian Berger

      damn posted to early, it should be

      ..having a separate system designed to circumvent security boundaries which is enabled by default is certainly a stupid thing.

      1. Ole Juul

        Re: damn posted to early, it should be

        I do use a separate computer for my privacy needs. It's built with an Intel Pentium 4 511 2.80GHz 533 and a 915GEV motherboard. Actually it's surprisingly fast for what is 12 year old technology. It makes me think that for most use cases, there's not much gain in running the latest CPUs.

        1. AJ MacLeod

          @Ole Juul

          And as a bonus, you don't need your central heating on while the P4 is running...

          1. Ole Juul

            Re: @Ole Juul

            That is indeed a bonus in an area where it's below freezing for more than half the year. A few hundred watts in computer usage gives me better value than the other electric heaters around here.

        2. Alan Brown Silver badge

          Re: damn posted to early, it should be

          You know the I915 chipset has this too, don't you?

  7. DougS Silver badge
    FAIL

    Minix? Seriously??

    Apple's secure enclave runs the L4 microkernel, which has been formally verified. Intel's supposedly-secure management engine runs a 30 year old OS used for teaching that has never had any sort of security evaluation.

    Yeah, that makes sense. I would have assumed it ran some sort of microkernel that's at least been designed for embedded use!

    1. This post has been deleted by its author

  8. Dan 55 Silver badge

    Read the open letter righr till the end

    The bit at the end is the important part. It says earlier versions of MINIX were designed for education, later versions for availability, and none were designed for "military grade security".

    Intel took a copy of an earlier version. The creator of MINIX hopes that Intel did security hardening on it in addition to the changes that Intel asked him to make to the source code.

    1. Charles 9 Silver badge

      Re: Read the open letter righr till the end

      Interesting they used this and didn't consider switching to say seL4 which is also a microkernel but also formally proven. Might it be because of DMA needs?

      1. elip

        Re: Read the open letter righr till the end

        What is the fascination with formally verified software all of a sudden? It means nothing in the real world. Many commercial TCP/IP stacks have been formally verified, almost all have suffered serious security issues (many found by Michal Zalewski). WPA2 was also formally verified, and we now see how that worked out in the real world. Lots of software also happens to fully pass their test suites, before we start exploiting it. ;-) Save your money, skip the formal verification, and focus on simplicity.

        1. Mark 65

          Re: Read the open letter righr till the end

          The fascination with formally verified software is likely that it is at least one step better than not verified in any way shape or form software. Sure the former could have flaws and the latter none but I know which way around I'd bet.

  9. Anonymous Coward
    Anonymous Coward

    Intel - the hardware retail arm of the NSA

    Trust is broken

    1. bombastic bob Silver badge
      Big Brother

      Re: Intel - the hardware retail arm of the NSA

      well, there's now a linux version that disables it [so they say].

      I expect that requiring physical access to the machine is enough, for the moment, but I'm still concerned about any on-board network adaptor being connected in ANY way to the outside world.

      Keep in mind, IPv6 exposes EVERYONE to the intarwebs, because (virtually) all IPv6 addresses are *PUBLIC* and therefore any unfirewalled listening ports are also PUBLIC. If your NIC can be cracked using an exposed port, in ANY way, because of the "management engine", we are all in one huge sorry state as far as security goes...

      I am not aware as to whether Intel's "management protocol" can withstand intarweb routing. Most likely it can withstand WIFI routing, and possibly a spoof of some layered protocol if you're using a VPN. Sniffing any kind of SSL would be extremely difficult, but not impossible, especially if your network is being monitored. The odds of this crack being successful WITHOUT physical machine access is PROBABLY small. HOWEVER, I wouldn't trust it anyway, so maybe I should stick with "the earlier architecture".

      1. Norman Nescio

        Claim: all IPv6 addresses are *PUBLIC*

        ...all IPv6 addresses are *PUBLIC* and therefore any unfirewalled listening ports are also PUBLIC

        Ahem. You might want to look into IPv6 link-local and IPv6 unique-local addresses (not the deprecated site-local as I originally wrote).

        Firewalling networks is also (as you imply) generally a good idea. IPv6 capable IoT devices directly connected to the Internet need to handle things differently, which is a whole other story.

        Note that all IPv4 addresses are public, that is, they are all known, it's just that some are defined by the rules as unroutable on the public Internet, and most ISPs enforce that by filtering. IPv6 local addresses are similarly defined as unroutable on the public Internet, but unlike IPv4 non-routable addresses, IPv6 local addresses have the capability of having good chance of being globally unique, unlike, say 192.168.1.1 or 169.254.1.1.

        1. Anonymous Coward
          Anonymous Coward

          Re: Claim: all IPv6 addresses are *PUBLIC*

          > Note that all IPv4 addresses are public ...

          Bombastic Bob is probably talking about home routers generally using NAT for IPv4, which didn't originally have an equivalent for IPv6. Most home routers offering IPv6 still seem to just expose the plain IPv6 address directly anyway. Not fantastic.

          1. Charles 9 Silver badge

            Re: Claim: all IPv6 addresses are *PUBLIC*

            You don't need NAT for IPv6. Heck, it's generally not needed given the address space. You just need the firewall, and I don't recall firewalls going away with IPv6, not even on home routers, unless you can prove otherwise.

            1. Justin Clift

              Re: Claim: all IPv6 addresses are *PUBLIC*

              > You just need the firewall, and I don't recall firewalls going away with IPv6, not even on home routers, unless you can prove otherwise.

              It would be great if it was that simple. :)

              Home routers are often used by people with no real knowledge of computers/IT. They have no understanding of TCP, let alone what the heck a "port" is. So getting them to (correctly) configure a firewall for their new something-they-just-plugged-into-the-network isn't really practical.

              Some home routers have a GUI which lets people select a protocol (eg HTTPS) for a device, and can build a basic firewall based on that. That definitely helps. But it's not a real solution to the problem, as many devices use non-standard ports, and the end user won't have a clue what to do.

              NAT in the IPv4 world was a "good enough" solution to that problem. Not because it expanded the address space, but instead because it (incidentally) hid users end devices from external things being able to reach them. That seems to be what Bombastic Bob is talking about.

              1. Charles 9 Silver badge

                Re: Claim: all IPv6 addresses are *PUBLIC*

                Home router issues don't go away with IPv6. That's why uPnP exists for better or worse because the computer illiterate want to use their stuff, the Internet is not built around hand-holding, and the security/ease-of-use dichotomy prevents a happy medium. You simply can't fix Stupid, but Stupid outvotes you, so you can't tell them to stay off the Internet.

                1. Anonymous Coward
                  Anonymous Coward

                  Re: Claim: all IPv6 addresses are *PUBLIC*

                  I still don't understand why, when IPv6 is eventually the norm that I wouldn't still sit my LAN as IPv4 sat behind an outwardly facing IPv6 NATed router/modem? Just because IPv6 will be everywhere does not mean it needs to be used on a home LAN.

                  1. Charles 9 Silver badge

                    Re: Claim: all IPv6 addresses are *PUBLIC*

                    Simple. To talk to an IPv6 Internet, you need an IPv6 stack, period. There's just no physical way to cram 128 bits into 32 bits of space without something giving. Since you'll already have the IPV6 stack...

                    1. Anonymous Coward
                      Anonymous Coward

                      Re: Claim: all IPv6 addresses are *PUBLIC*

                      Simple. To talk to an IPv6 Internet, you need an IPv6 stack, period. There's just no physical way to cram 128 bits into 32 bits of space without something giving. Since you'll already have the IPV6 stack...

                      You have heard of tunneling IPv6 over IPv4, haven't you? ;)

                      Around these parts, we've already had to deal with blocking that as muppets discovered it and were using it to get around blocks, rules and regulations.

              2. waldo kitty
                Boffin

                Re: Claim: all IPv6 addresses are *PUBLIC*

                NAT in the IPv4 world was a "good enough" solution to that problem. Not because it expanded the address space, but instead because it (incidentally) hid users end devices from external things being able to reach them. That seems to be what Bombastic Bob is talking about.

                this! i wish i could give you more thumbs-ups but...

            2. Anonymous Coward
              Anonymous Coward

              Re: Claim: all IPv6 addresses are *PUBLIC*

              You don't need NAT for IPv6. Heck, it's generally not needed given the address space.

              It isn't a matter of needing NAT. It is a matter of being no one's business how many systems we have connected to our networks and using services on/over the Internet. NAT allows for multiple systems to use the connection of one system without exposing their private parts to the world+dog. IPv6, by design, leaves your privates exposed for any dog to come sniffing about.

          2. bombastic bob Silver badge

            Re: Claim: all IPv6 addresses are *PUBLIC*

            "generally using NAT for IPv4"

            yes (and the rest, mostly yes).

            Sure, there's a spec for IPv6 NAT somewhere, but I'm not aware of it actually being used. I rely on a firewall blocking 'incoming' traffic from "teh intarwebs" on specific ports that are well known, like 139, 445, 6000, yotta yotta and those ports that Winders machines INSIST on listening on "*" to... [because the coders were TOO LAZY to bind it to localhost]

          3. Alan Brown Silver badge

            Re: Claim: all IPv6 addresses are *PUBLIC*

            "Most home routers offering IPv6 still seem to just expose the plain IPv6 address directly anyway. Not fantastic."

            As long as they apply the _same_ firewalling rules on IPv6 as on IPv4 (ie, all incoming blocked by default, etc) then there's no major issue.

            There are of home routers which mirror the IPv4 rules to IPv6 by default.

        2. bombastic bob Silver badge
          Meh

          Re: Claim: all IPv6 addresses are *PUBLIC*

          "You might want to look into IPv6 link-local and IPv6 unique-local addresses (not the deprecated site-local as I originally wrote)."

          thanks for the nit-pickiness. Of course, not THOSE. Duh.

      2. Anonymous Coward
        Anonymous Coward

        Re: Intel - the hardware retail arm of the NSA

        It always makes me laugh the amount of downvotes for questioning the default security implications of IPv6, it's like going into a group of knife jugglers and saying "it's a bit dangerous" and getting "of course it's not dangerous we are all professionals!!".

        IPv6 for the average user is less secure than 4 for the simple reason very few people had their PC on a public v4 IP or relied solely on the internal firewall, in fact must internet users couldn't tell you if they are running a correctly configured firewall or have ever allowed software to drill through that.

        I like a router with a firewall, blacklist, whitelist, maybe a bit of traffic shaping, logging etc and you bunch of knife jugglers can do as you please, blindfolded.

        Ooh I mentioned the downvote, we know what comes next! frankly I couldn't give a shit and have just about forgotten what I used to come to this site for...

        1. Jamie Jones Silver badge

          Re: Intel - the hardware retail arm of the NSA

          uPnp?

          If a home users setup is less secure by default under IPv6 than IPv4, the problem is with their router, not IPv6.

        2. JLV Silver badge

          Re: Intel - the hardware retail arm of the NSA

          what's a good consumer-grade router than comes, or can take, the better open source router OSs?*

          * skipping on DD-WRT - DD-WRT itself is really nice, but their website is utterly confusing as to what build might be expected not to be brick your particular router. I'll confess a lack of comfort at playing around blindly with something that controls your internet access - even if it's not permanently damaged, googling how to fix your corrupted router can be problematic.

          1. Anonymous Coward
            Anonymous Coward

            Re: Intel - the hardware retail arm of the NSA

            I wasn't sure either; so, I did a Google search on "openbsd 6.2 PF on routers" and there are many sources there. Google also has some suggestions with that search that might be more specific to your question.

  10. Phil O'Sophical Silver badge
    FAIL

    PCH – Intel's Platform Controller Hub, which manages chip-level communications – has offered USB access to JTAG interfaces

    Permanent, non-airgappable access to an internal chip-level hardware debug interface via an external port. What a monumentally stupid idea.

    1. Anonymous Coward
      Anonymous Coward

      Genius move by our Overlords

      Loads of great reasons for this little beauty to exist... some extinction level event the Overlords didn't want anyone to know about like an impending asteroid strike, discovery of a real alien invasion, to stop rogue AIs using CPUs like neurons to take over the world, or to rewrite history to their liking...

    2. Dan 55 Silver badge
      Facepalm

      I just read Wikipedia's entry on the ME.

      The thing can execute Java as well.

      1. Ken Hagan Gold badge

        At least Java was designed to be sandbox-able.

Page:

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020