Intel Management Engine JTAG flaw proof-of-concept published

The security researchers who found a way to compromise Intel's Management Engine last year have just released proof-of-concept exploit code for the now-patched vulnerability. Mark Ermolov and Maxim Goryachy at Positive Technologies have published a detailed walkthrough for accessing an Intel Management Engine (IME) feature …

  1. Richard 12 Silver badge

    No, it's easy to exploit.

    USB host-to-host cables can be bought on Amazon for a few quid, or can be made using nothing more technical than two normal USB cables and a pair of scissors.

    The software is easily acquired should one desire it.

    Yes, you need physical access, but once you have that it's a privilege escalation right up to Ring Minus One - permanent, ongoing and irrevocable access to everything in the machine - simply by plugging your Raspberry Pi into an open USB port.

    That's why it matters.

    The reason it's no longer very serious is that a patch is available.

    1. Christian Berger Silver badge

      Re: No, it's easy to exploit.

      "The reason it's no longer very serious is that a patch is available."

      Wait, there is a patch available turning off debugging via USB?

    2. phuzz Silver badge

      Re: No, it's easy to exploit.

      If someone has physical access to your computer then there's half a dozen ways they can access it, this just happens to be one of the more tricky ones.

      1. Christian Berger Silver badge

        Re: No, it's easy to exploit.

        Well the point is you can put tamper evident seals on all the screws, putting a tamper evident seal on the USB-ports is much harder as you might have to use them.

    3. BinkyTheMagicPaperclip Silver badge

      Re: No, it's easy to exploit.

      No, it isn't. All the motherboards I've seen with USB debugging support have a USB port soldered vertically to the motherboard (it's a port, not a header). If you want to do USB debugging you need to open up the case.

      I have in the past exposed a USB debug port to the case USB ports, as I was short of USB ports from the motherboard headers, but I needed to solder it myself as it didn't seem like the cables were otherwise available.

      1. Christian Berger Silver badge

        Re: No, it's easy to exploit.

        "If you want to do USB debugging you need to open up the case."

        Well for stationary computers, you can easily have physical security, the problem is with laptops.

  2. Allan George Dyer Silver badge

    Now I'm going to have to tell the henchmen to search the air-conditioning ducts for Tom Cruise... AGAIN!

  3. This post has been deleted by its author

  4. Starace

    Shocking

    I'm shocked - shocked! - that physical access to a debug port lets me do stuff that might be privileged.

    1. Jon 37

      Re: Shocking

      The issue here is it's supposed to be a USB port, not a debug port. The software has the *option* of doing debugging-over-USB-port, which - when enabled - would make it a debug port. But that shouldn't be enabled in production! And if it's turned off, it shouldn't be possible for an attacker to turn it back on.

      1. Dwarf Silver badge

        Re: Shocking

        There are plenty of systems shipped with a fully functional JTAG port, since it's an integral part of the chip.

        Often the drive to reduce cost is the thing that removes the components on the PCB for it. Security doesn't factor into the discussion, since someone who wants an active JTAG will just solder in the missing components and make up the required cable - as can be seen by the variety of recovery or modification procedures for many of the home grade devices - routers, PCs, consoles, etc.

        In many ways, providing a hidden interface is a combination of security by obscurity; providing a support method to perform initial programming; a method to recover corrupted kit and to provide in the field upgrades.

        This is no different to the routers that hide their serial console in one of the RJ45 connectors by placing extra traces on the PCB under the connector, so a suitably modified RJ45 gives both Ethernet and console access - ideal for manufacturing simplicity.

        The only way they would have found this is by examination of the PCB, so it's the same old "with physical access, security is lost" mantra.

  5. HieronymusBloggs Silver badge

    Hmm...

    "The PoC incorporates the work of Dmitry Sklyarov"

    Familiar name. Same guy?

    https://en.wikipedia.org/wiki/United_States_v._Elcom_Ltd.

    1. Tom Paine Silver badge

      Re: Hmm...

      The very same.

      The PoC code doesn't represent a significant security threat to Intel systems, given that there's a patch and the requirements for exploitation include physical access via USB

      If the JTAG lines are present in the standard externally accessible ports, it's a problem. Plenty of smartarse dweebs out there in corporateland with user level accounts would love to get local admin on their desktops, especially if someone started selling boxes to do it for 20 quid.

      And then there are evil cleaner attacks...


Biting the hand that feeds IT © 1998–2019