Intel finds critical holes in secret Management Engine hidden in tons of desktop, server chipsets

Intel today admitted its Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) are vulnerable to multiple worrying security flaws, based on the findings of external security experts. The firmware-level bugs allow logged-in administrators, and malicious or hijacked high-privilege processes, …

  1. Anonymous Coward

    "Today's news will no doubt"...

    ....."Fuel demands for Intel to ship components free of its Management Engine – or provide a way to fully disable it – so people can use their PCs without worrying about security bugs in secluded computers.".....

    How will 'Trusted Computing' Model 2.0 vested interests take this news???

    http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html

    ==========

    ....."The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility," (EFF)...

    1. Yet Another Anonymous coward Silver badge

      Re: "Today's news will no doubt"...

      " ...an act of extreme irresponsibility,"

      Or just obeying orders.

      1. Sir Runcible Spoon Silver badge

        Re: "Today's news will no doubt"...

        Hopefully someone (reputable) will develop a hack that exploits this chip to prevent others from doing so.

    2. Nick Ryan Silver badge

      Re: "Today's news will no doubt"...

      Who'd have thought? A system, that was so ineptly coded that all one needed to bypass "security" was to give it an empty password, had lots and lots of other critical issues.

      /sarcasm

  2. Adrian 4 Silver badge

    So how do we know this isn't NSA trickery to get their backdoor updated?

    1. bazza Silver badge

      Who knows. Perhaps NSA saw what Intel was up to and simply decided to let them get on with it, knowing that they'd fsck it up badly to NSA's advantage.

      Why bother coercing / cajoling Intel into slipping in a hidden backdoor when you know they'll build in aircraft hangar sized doors through sheer incompetence... So long as Intel stick to this idea of an ME, there's code there that will likely have flaws.

      Raptor Engineering are up to something interesting with OpenPower. Basically with the Power9 CPU from IBM being "open source", they're in a movement to do a completely open source computer (all the way down to the silicon design, board schematics, firmware, and of course the OS + software stack on top). It's all there for one's inspection.

      No magic closed source firmware / ME there.

      1. Anonymous Coward

        Basically with the Power9 CPU from IBM being "open source", they're in a movement to do a completely open source computer (all the way down to the silicon design, board schematics, firmware, and of course the OS + software stack on top). It's all there for one's inspection.

        SPARC is also open source.

        1. Loud Speaker

          Sparc may be Open Source, but Sun/Oracle's SC (System Controller - essentially the same as Intel's ME) is not. However, it is not "on-chip", but a separate plug-in so you can unplug the whole board if you want peace of mind. I have not tried it, and can't promise your machine will still boot without an SC.

          Older Sun kit did lights out by serial line - which you connected to your own terminal server - completely avoiding the need for a tin hat.

          Personally, I think the relevant APIs should be documented and Arduinos from third parties used as SC/ME devices with Open Source code.

          Mine is the one with the tin-foil hat in the pocket.

          1. Anonymous Coward

            Sparc may be Open Source, but Sun/Oracle's SC (System Controller - essentially the same as Intel's ME) is not.

            Not really relevant, though. An SC is a system controller, you can use a SPARC processor without any need for one, that will depend on your system design. Just as with Power, you can design a SPARC system to make no use of any additional controller if you don't need one. Intel's ME is a core that is integrated into the processor, you have it whether you want it or not, and since the processor is not open source you can't even fab one that doesn't have it, which is the problem.

        2. tim292stro

          "...SPARC is also open source..."

          Yes, but SPARC is also now owned by Oracle, and if you've watched what they did with the open source Java library, you'd understand that making changes and including other functionality is at risk of being later litigated. Oracle knows how to kill any standard. Even as "open source" as SPARC or POWER is, I personally think the way forward will be based on RISC-V, and it'll probably even kill off ARM eventually. The whole RISC-V ISA was written by researchers and academia and is all in the public domain. Essentially anyone can take the ISA and push it into their own ASIC or FPGA, and they are wrapping their ISA commits into Linux kernel 4.15. There are already 3rd party vendors like SiFive and lowRISC who are packaging up 4+1 core configurations to work on modern fabs for turnkey stuff running between 16-64bit instructions, with a pre-planned path to 128 bit instructions.

          1. Anonymous Coward

            Yes, but SPARC is also now owned by Oracle,

            No, SPARC is open source. There are two companies that make SPARC chips, Oracle and Fujitsu.

            1. tim292stro

              RE: No, SPARC is open source. There are two companies that make SPARC chips, Oracle and Fujitsu.

              You... may want to take another look at that partnership - Fujitsu is not totally independently producing SPARC processors, or modifying the ISA the way they feel like it. It's more like Fujitsu is a glove and Oracle is the hand inside it - and the tool the gloved hand picks up is more or less Oracle-only software... Kind of makes my point actually - like the MySQL fiasco, and the ongoing Java saga. Because Oracle own the copyright to SPARC, MySQL, and Java - they can and in actuality have the right to do whatever they want with the license at any time, which gives them an enormous amount of power over the users of those items. Just look at how hard Oracle has been going after Google for Java, it's a valid risk having that hanging over one's head.

      2. Yet Another Anonymous coward Silver badge

        Why bother coercing / cajoling Intel into slipping in a hidden backdoor when you know they'll build in aircraft hangar sized doors through sheer incompetence.

        You might, as an organisation tasked with securing the nation, consider that leaving your own economy and infrastructure vastly more vulnerable to a foreign attack wasn't a good price to pay to be able to read the emails of a few minority protest groups

        1. N13L5

          "Securing the Nation"

          Globalist banksters have no concern for your nation - it's a throw-away tool to them at most.

          You appear to be caught in their maze of mirrors, if you believe in the politics show on TV.

      3. Old Coot

        Open-source chipsets

        Aren't those Chinese Yeelong laptops using a MIPS open-source CPU? I recall Richard Stallman using one of those for just that reason. They come with Debian, or at least used to.

      4. tim292stro

        "...Who knows. Perhaps NSA saw what Intel was up to and simply decided to let them get on with it, knowing that they'd fsck it up badly to NSA's advantage.

        Why bother coercing / cajoling Intel into slipping in a hidden backdoor when you know they'll build in aircraft hangar sized doors through sheer incompetence... So long as Intel stick to this idea of an ME, there's code there that will likely have flaws..."

        I think this is exactly it, and that's why the NSA asked for a "High Assurance" firmware option be made available that is part of all secure system orders - which disables the whole suite of Intel ME functionality. The same guys who found these bugs have been following the breadcrumbs left by the NSA for this research.

  3. Jon Smit

    This isn't news

    This built-in bug has been known about for some time, plenty long enough for every state security agency in the world to have found ways to make use of it. Even if Intel provides a method of disabling the Management Engine, who's to say it can't be reversed or will just continue to work ignoring whatever updates are provided by Intel?

  4. ThatOne Silver badge
    Trollface

    If Apple hardware ships without this erm, feature, the solution is to buy Apple computers to run your copy of Windows or Linux...

    1. whitepines Silver badge

      No, Apple computers have the same problem. Every modern x86 CPU / platform has an equivalent to the ME, ostensibly to allow remote administration (in one of the most insecure ways possible), but when you dig into it a bit more and look at things like PAVP the real reason appears to be implementing unbreakable DRM on all consumer platforms. The kind of DRM that means you are only a less-privileged user of "your" computer, sadly....

      1. Anonymous Coward

        The real reason...

        As prophesied by Cory Doctorow? The coming war on general-purpose computing?

      2. Dan 55 Silver badge

        Apple computers don't have AMT, as reported by this esteemed organ in May this year.

        The hidden web server test (http://localhost:16992 or http://other.lan.ip:16992) fails on my Mac, whereas if you were to try that on e.g. a Dell Wintel aimed at business it'll probably work.

        Not that the web server is the only way to exploit it.
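
As an added example that is not from Dan 55's comment or from The Register, a small Python checker that automates the loopback test described above: it connects to the AMT web ports and inspects the HTTP Server header. The banner format ("Intel(R) Active Management Technology <version>") and the sample replies are assumptions constructed for this example.

```python
import re
import socket

# Ports where the Intel AMT web interface listens: 16992 (HTTP) and 16993 (HTTPS).
AMT_PORTS = (16992, 16993)

# Assumption (not taken from the comment): the AMT web UI announces itself in
# the HTTP "Server" header as "Intel(R) Active Management Technology <version>".
AMT_MARKER = "Active Management Technology"
_SERVER_RE = re.compile(r"^Server:\s*(.+?)\r?$", re.IGNORECASE | re.MULTILINE)

# Constructed sample replies for offline testing; these are not captured traffic.
SAMPLE_AMT_REPLY = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50\r\n"
    b"Content-Type: text/html\r\n\r\n<html></html>"
)
SAMPLE_OTHER_REPLY = b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\n\r\n"


def parse_amt_banner(response: bytes):
    """Classify a raw HTTP response.

    Returns (is_amt, server_header): is_amt is True when the Server header
    names Intel AMT; server_header is the header value, or None if absent."""
    text = response.decode("latin-1", errors="replace")
    match = _SERVER_RE.search(text)
    if not match:
        return (False, None)
    server = match.group(1).strip()
    return (AMT_MARKER in server, server)


def probe_amt(host: str = "127.0.0.1", port: int = 16992, timeout: float = 2.0):
    """Connect to host:port, send a minimal HTTP/1.0 request and classify the
    reply: 'closed' (nothing accepted the connection), 'amt' (AMT banner seen)
    or 'other' (something answered, but not with an AMT banner).

    Note: 16993 expects TLS, so a plain-text probe there only shows whether
    a listener exists; it will not see the banner."""
    request = b"GET / HTTP/1.0\r\nHost: " + host.encode("ascii") + b"\r\n\r\n"
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            # HTTP/1.0: the server closes the connection after its reply.
            while len(data) < 4096:
                try:
                    chunk = sock.recv(1024)
                except socket.timeout:
                    break  # keep whatever partial reply we already have
                if not chunk:
                    break
                data += chunk
    except OSError:
        return "closed"
    is_amt, _ = parse_amt_banner(data)
    return "amt" if is_amt else "other"


if __name__ == "__main__":
    # Checks only the local machine, as in the comment's loopback test.
    for amt_port in AMT_PORTS:
        print(f"port {amt_port}: {probe_amt(port=amt_port)}")
```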

      3. ThatOne Silver badge

        > No, Apple computers have the same problem.

        Yes, I know. It was a joke based on what the article says. I thought the troll icon might be a giveaway.

      4. rmullen0

        Well, I just ran the checker app on my MacBook Air and it said it wasn't vulnerable.

  5. Schultz
    Holmes

    Niche Market

    So when are companies going to fill the niche market of backdoor-less computing? Low end computers without black-box Management Engine / Secure Boot /... might start to look attractive for more security-sensitive applications. It looks like the hardware can be easily custom manufactured (e.g., simple ARM development platforms such as the new Arduinos, or bigger ones like the Samsung Artik). Something like MINIX might be enough to create a functional (and transparent) platform. Create an audit trail to certify the software and sell it under a Swiss brand name.

    1. whitepines Silver badge
      Linux

      Re: Niche Market

      Here you go! Backdoor-free, powerful, and completely under your control....

      https://raptorcs.com/content/TL2DS1/intro.html

      (No, this isn't possible with any modern x86 processor. If you need x86 you don't get privacy, or security, sorry!)

      1. bazza Silver badge

        Re: Niche Market

        Whitepines beat me to it.

        Yes, OpenPower seems to me to be a very viable way to go. The CPU is genuinely the Central Processing Unit,

        1. Sir Runcible Spoon Silver badge

          Re: Niche Market

          F$ck me, that ain't cheap is it?

          Still, if it's totally secure then it's probably worth it.

          1. Dan 55 Silver badge

            Re: Niche Market

            If that's above your budget you could try a Beowulf cluster of Raspberry Pis.

            1. tim292stro

              Re: Niche Market

              "...If that's above your budget you could try a Beowulf cluster of Raspberry Pis..."

              All ARM have Trustzone (even RPi). It's not the system space level that is being attacked, it's the lower debug/management level that's being attacked. If you look at the graphic at: https://www.arm.com/products/security-on-arm/trustzone you'll see there is a secure software stack, a non-secure software stack - and debug going outside of both stacks. Though Trustzone hasn't been broken YET (that I'm aware of), I fathom once people actually start looking very critically at it (like researchers did this year with AMT and ME), it will not be long before critical and embarrassing failures of security are discovered there too. This model of having a "secret" system doing work below the known system is pure and simple security by obscurity. It's much better to just document that dang thing, get the problems found and fixed within a generation or two of silicon, rather than put a decade's worth of silicon in the field and find out the plan was a bad one. Unless Intel's "fix" is to blow a physical fuse on the die as part of a software update to disable the entire block of hardware, I cannot in good faith trust their fix is permanent. Since the current security failure allows analysis of the whole ME system, that means even the fix can be observed already, analyzed and picked apart, then scrutinized for more weaknesses.

              Securing a system is hard enough without the ME engine in there, regardless that Intel marketing and public relations doesn't want the ME system called a back door. When you show the world your goatse, all you want people to do is stop looking at it - but trust me, it's hard to un-see from back there. ;-)

  6. Adrian Midgley 1

    Not very surprising ... Now

    Track back who caused it please.

    1. Anonymous Coward

      Re: Not very surprising ... Now

      Everyone seems to want to assign blame.

      Me, I just want it to STOP. Can we the people please just get a CPU that is actually a CPU, and not some system-on-chip that we (at best) borrow from the Great Powers?

      Can dream, can't I?

      1. elDog

        Re: Not very surprising ... Now

        Not if you want all the bells and whistles that are built into modern CPUs.

        Do you want various levels of cache on-chip? How about microcode to pipeline instructions to available cores/processors? I think there are a lot of added enhancements to support extended and virtualization of memory, peripherals, interrupt handling.

        My hardware days are many years in the past but the pattern was to move more and more peripheral processing closer to the CPU - along with the need to be able to update the underlying processor chip instruction sets.

        I think the end goal would be for every user to see where every bit comes and goes in all cases. Probably several orders of magnitude more than all of the currently configured processors could compute - if you believed them.

  7. Anonymous Coward

    I wonder how many admins are now demanding AMD inside?

    1. whitepines Silver badge
      FAIL

      AMD, the one with the ME equivalent called the PSP? Isn't that like jumping from one sinking ship to another?

      1. Anonymous Coward

        Depends, does it have the same features as Intel? i.e. pwned from day 0, can you actually disable it...just because it's AMD it shouldn't be dismissed out of hand.

        1. whitepines Silver badge

          Unable to be disabled....check!

          Cryptographically locked to prevent machine owners from altering it...check!

          Super secretive about true capabilities.....check!

          Used for DRM purposes (thus making vendor true owner)....check!

          Mandatory in all of the vendor's CPU lineup....check!

          The ME and PSP are really two sides of the same coin, unfortunately.

          1. Anonymous Coward

            Yeah, the funny thing is Intel isn't too loud on talking about it or how it works when it comes to their system, but AMD is pretty open about it and goes into quite a deal of detail discussing it, even using it in marketing as a promotional point for EPYC. Makes me wonder why they are so much more open about their chip, what it is and what it can do, than Intel.

            1. whitepines Silver badge

              Eh, AMD isn't all that great here either. Whenever you get close to figuring out how to interact with the PSP at anything other than a consumer level you run into a "burn after reading" NDA requirement, which makes it not a whole lot different than Intel. Remember, Intel's also been fairly public about AMT itself, and I'd say that AMD's marketing is just that -- marketing, focusing on how the PSP can be used to "secure" machines instead of what the PSP really is (a backdoor waiting to be activated).

              At the end of the day it makes no difference that you know how a backdoor works if you can't deactivate or disable it....

      2. kain preacher Silver badge

        how do we know that AMD has the same issues?

        1. whitepines Silver badge

          Because, fundamentally, it's the same basic design. A vendor-provided, vendor-locked binary running on a chunk of the processor's silicon that is more privileged than anything running on the CPU itself. It's the exact same setup and will eventually cause the same kind of problems we see today with the ME.

          Remember, it is possible to simply have two bad choices in front of you given the conditions one sets forth. Where there is a duopoly involved (in this case, Intel and AMD for x86 processors) simply using "the other one" doesn't always fix the problem you were wanting fixed...

          Moving away from x86 entirely, on the other hand, allows these problems to be fixed. Can't do that? Then learn to live with the bugs and security problems. Might want to lawyer up too and start proactively filing patents on anything you consider valuable....

  8. Anonymous Coward
    Terminator

    Intel finds critical holes in secret Management Engine

    They would, wouldn't they, as Intel put them there in the first place and wouldn't be currently reporting on this except Intel got found out by some third party who leaked that Intel had set the IME to log in anyone with a zero length password and inserted a kill switch at the behest of the NSA.

  9. something_or_another

    What is, Not New News?

    We were warned.

    https://www.theregister.co.uk/2015/12/31/rutkowska_talks_on_intel_x86_security_issues/

  10. Christian Berger Silver badge

    If this wasn't meant as a deliberate backdoor...

    ... why does Intel have it running on all their systems? Given their track record, they would have made it an optional feature costing quite some money.

    1. bazza Silver badge

      Re: If this wasn't meant as a deliberate backdoor...

      I suspect it started off as a platform on which all the power management code could be run. The idea was that with the CPU looking after itself (power settings, cooling, voltages, clock frequencies, etc), you then wouldn't have to put all that code into the main operating system.

      This was sensible, given that getting all that hardware management wrong could fry the silicon to a crisp. Offloading it to a separate microcontroller with a fixed binary blob meant that Microsoft, the Linux community, Apple, and every OS developer didn't have to do it themselves and get it right.

      Then the feature creep started.

      I'm sure that Intel's intentions were perfectly harmless. Being able to manage a server like you can (mount ISO images, see the console, all sorts of useful admin things can be done from afar) is incredibly useful. Just a shame they made a complete mess of it.

      To be honest I can't see a way of implementing remote management of that sort without having an ME CPU bolted on the side with quite a lot of low level access. Though I don't see why that should need the ability to access all physical RAM, all Ethernet traffic, etc.

      1. Christian Berger Silver badge

        Re: If this wasn't meant as a deliberate backdoor...

        Well yes, it can be a useful feature, however given that Intel has a history of locking out features on cheaper CPUs, why didn't they do that with ME? I mean surely there would be people paying for that feature.

      2. Hans 1 Silver badge
        Facepalm

        Re: If this wasn't meant as a deliberate backdoor...

        Though I don't see why that should need the ability to access all physical RAM, all Ethernet traffic, etc.

        How else do you want the NSA to be able to intercept all network traffic from a box? They need access to RAM to get the encryption keys to decrypt the Ethernet traffic ... d'oh!

        1. Anonymous Coward

          Re: If this wasn't meant as a deliberate backdoor...

          Via the network controllers, which in the name of performance would likely have DMA access. This has the added advantage of being CPU-agnostic so should work with Intel, AMD, or whatever CPU is running the thing. It would also have the advantage of working with otherwise-open-source hardware since the technology behind high-speed low-latency networking is still patent-protected last I checked, making open-source network chips of any serious performance nigh-impossible to obtain.

      3. DainB Bronze badge

        Re: If this wasn't meant as a deliberate backdoor...

        "Being able to manage a server like you can (mount ISO images, see the console, all sorts of useful admin things can be done from afar) is incredibly useful."

        First of all you're talking about desktop version of Intel CPUs that have ME, not server ones.

        Second - what you're describing on servers is called BMC/ILOM and works at a totally different level and is usually a separate processor running its own embedded OS, i.e. Emulex Pilot, which is now owned by Chinese ASPEED, so you should not be worrying about the NSA anymore and start worrying about whatever their Chinese peer is called.

  11. John Smith 19 Gold badge
    WTF?

    It's 2017 and buffer o/flows & security by obscurity is still thought a brilliant plan.

    And note that word "trusted"

    Not in "we" can be trusted to run your applications safely, no.

    You can be trusted to run only the content you have purchased.

    This is at least as much about the hardware realization of Microsoft "Palladium" AKA "Trusted Computing Initiative" as anything else.

    The computer hardware equivalent of "The Manchurian Candidate."

  12. Anonymous Coward

    Following today's triple whammy

    I have my wife dusting off her trusty abacus; I am fairly certain it cannot be hacked, although it WAS made in China.

    1. Anonymous Coward

      Re: Following today's triple whammy

      Yes, check the beads with a magnet. If they respond it can be controlled from a distance. A small distance to be sure, but none the less. :)

  13. Anonymous Coward

    What a mess

    1 - insert a backdoor and don't tell anyone about it

    2 - because nobody knows, quality of that backdoor is not really important.

    3 - someone finds out

    4 - major embarrassment and exposure of most of the online world

    5 - as a practical monopoly, people still buy the stuff

    6 - firmware fixes promise to fix things - are we going to trust that without independent confirmation?

    No wonder Intel and Microsoft got on so well.

    Sadly there are no victims known of this yet, but now it's out I am willing to bet that both NSA as well as criminals are flogging their staff to use it. That said, the NSA may have actually been involved in these "bugs", in which case the person who discovered it should look around for dark panelled vans showing up near his house..

    1. Sir Runcible Spoon Silver badge

      Re: What a mess

      Sadly there are no victims known of this yet

      I'm not quite sure how anyone would ever know either.

  14. unwarranted triumphalism

    Another failure from crApple

    One wonders why they bother.

    1. Kane Silver badge
      Trollface

      Re: Another failure from crApple

      "One wonders why they bother."

      Back! Back, I say! Back under your bridge!!

  15. HmmmYes

    Trusted computing eh?

    Only if it's SPARC, PowerPC or ARM by the looks of it.

    Fucktards.

    1. Dave Pickles

      "Only if it's SPARC, PowerPC or ARM by the looks of it."

      IIRC Sun Fire servers had a similar management engine, though I think you could only talk to it via a dedicated ethernet connector.

      1. Anonymous Coward

        Sun Fire servers had a similar management engine

        That's in the server, not the processor. Intel's ME is actually inside the chip.

    2. Anonymous Coward

      Only if it's SPARC, PowerPC or ARM by the looks of it.

      I recall years ago warning our management who liked to use the "interop demo" room for meetings that that was a bad idea with all the machines (our real motive was that we had to be in and out there often and them meeting there got in the way). When they didn't listen, we routed the mic of a SPARC pizza box with SunOS to a file and played back their meeting afterwards - problem solved :)

  16. John Smith 19 Gold badge
    Gimp

    "In response to issues identified by external researchers, " So no Intel did not find these.

    It had to have them pointed out to it.

    Because it clearly did not go looking for them in the stuff the code monkeys who wrote this handed over to them.

    Let's be clear here.

    Intel insisted on giving users a second processor they can't ordinarily access that has very deep control of their systems' security and they wrote the software to run on it with the most cursory (if any?) checks on its fitness for use.

    If Intel really want to differentiate "home" from "data centre" processors this would seem to be an area they should do so.

    How many home users need this? How many home users even know it exists?

    If you want all this high end sysadmin functionality then by all means have it, at the price.

    But how many really need it? It looks like "Because we can."

    And that's the motto of data fetishists everywhere.

    1. Anonymous Coward

      Re: "In response to issues identified by external researchers, " So no Intel did not find these.

      Interestingly, AMD have done exactly this. While the chips physically exist in the Ryzen and Threadripper dies, they are only activated in the EPYC and RyzenPro lines for businesses.

  17. steelpillow Silver badge
    Boffin

    Open Management Engine?

    I don't know what these management processors are supposed to do, but presumably it is useful when you have another half dozen or so processors clamouring for attention and all mixed up with some proprietary tweaks. For example I can imagine an ARM chip having say seven 64-bit cores and a 16-bit ARM ME.

    Rather than make a management-free multi-core chip, it might be better to open up the management subsystem with a published specification and accessible UI/utilities in its own right. One obvious feature would be to patch its firmware with code you trust. You are then back in control.

    I don't see how else Intel can put the genie back in the bottle. But hey, do they care?

  18. Doctor Syntax Silver badge

    It has been assailed as a "backdoor" – a term Intel emphatically rejects

    Are they still rejecting that? It must be a fairly hard job to argue that line now.

    1. Anonymous Coward
      FAIL

      It has been assailed as a "backdoor" – a term Intel emphatically rejects

      More of an open patio window really, leading right into the heart of the house where all the best stuff is, and nice and wide so everyone can get in at once.

      1. John Smith 19 Gold badge
        Thumb Up

        "More of an open patio window really,"

        Nice.

        And while accepting blank login credentials that makes it a patio window without glass either.

    2. Spud

      All UR ME,TXE,SPS,MINIX,AMT,PTT,PSP,WTF R BELONG TO US !!!

      But it's still not a backdoor ... more like a front door where the key is under the mat.

    3. tim292stro

      "...Are they still rejecting that? It must be a fairly hard job to argue that line now..."

      Well, no - there is no "door" just a framed hole in the wall. We meant to put a door there at one time... It's not a back door, it's rear hallway that whistles. Enter Goatse. ;-)

  19. Anonymous South African Coward Silver badge

    how jolly (and all things ending in olly)

    I suppose a downgrade to Pentium2 CPUs and OS/2 Warp LAN Server is in order then...

    1. Hans 1 Silver badge
      WTF?

      I suppose a downgrade to Pentium2 CPUs and OS/2 Warp LAN Server is in order then...

      Core 2 Duos and Core 2 Quads did not have these ... ;-)

      1. Charles 9 Silver badge

        I could've sworn there were some Core 2s that carried the vPro label, though.

      2. 404 Silver badge
        Devil

        Yeah and I easily have 25-30 of them laying around too...

  20. Anonymous Coward

    The Hidden Cyberwar On The Motherboard

    Similar Chinese/Korean mechanisms are resident on all chipsets which is one of the reasons this has been embedded: to report, combat and neutralise.

  21. imanidiot Silver badge

    Surprised

    Surprised is not what I am right now. Anybody who knows anything about the Intel ME could have seen this coming a mile off. And it won't be the last hole found either. I suspect the ME is FULL of holes. Plugging one or two holes in a sieve doesn't fix much.

    1. Anonymous Coward

      How far back does this go?

      "Anybody who knows anything about the Intel ME could have seen this coming a mile off."

      I bought an HPQ DC7700 (desktop minitower) as a cheap refurb machine for home use many years ago. The product family involved came out over a decade ago; there may have been others similar before it.

      Then I bought a vPro -enabled laptop (from a similar era) for similar reasons.

      One of the reasons I bought the specific variants I chose was to see what the management engine malarkey enabled, in particular for OS-less remote management, having played the remote management game in the 1980s and 1990s on now allegedly obsolete non-Windows non-x86 stuff.

      Please don't assume this is in any way a 'recent' issue.

  22. Anonymous Coward

    Is it just me...

    ... or the tool that Intel requires me to run on servers for a security assessment is only provided with an obsolete MD5 hash, not an SHA256 one or a proper PGP signature?

    *sigh*

    1. Norman Nescio

      Re: Is it just me...

      I echo your sigh.

      The licence for the (Linux) tool is also not exactly helpful - I quote the "SINGLE USER LICENSE"

      note item 3:

      "3. You may not reverse engineer, decompile, or disassemble the Software."

      I have not downloaded it, but I assume this means it is not open source. So Intel wish me to trust some closed source software that I should run on my PC? Without checking, I don't know if it requests root privileges, but it doesn't exactly inspire me with confidence.

      (The full licence pops up if you attempt to download the linux tool)

      SINGLE USER LICENSE. You may copy the Software onto a single computer for your personal, noncommercial use, and you may make one back-up copy of the Software, subject to these conditions:

      1. This Software is licensed for use only in conjunction with Intel component products. Use of the Software in conjunction with non-Intel component products is not licensed hereunder.

      2. You may not copy, modify, rent, sell, distribute or transfer any part of the Software except as provided in this Agreement, and you agree to prevent unauthorized copying of the Software.

      3. You may not reverse engineer, decompile, or disassemble the Software.

      4. You may not sublicense or permit simultaneous use of the Software by more than one user.

      5. The Software may include portions offered on terms in addition to those set out here, as set out in a license accompanying those portions.

  23. Anonymous Coward
    Anonymous Coward

    Saved by Windows 7!

    Sheez that was close... one of the reasons why I opted for the i7 4790 is because it was the fastest generally available Intel which could run Windows 7... 5th gen... Mind you, Minix is inside that too.

  24. mark l 2 Silver badge

    I knew there was a reason why I kept my 10 year old Dell laptop, perhaps I can now sell it on eBay for more than it is worth as a backdoor-free machine.

  25. Updraft102 Silver badge

    Mitigation

    In order for this exploit feature to work, you have to be using a compatible Intel NIC as well as one of the vulnerable CPUs. I don't know about anyone else's gear, but my desktop PC motherboards all come with dual NICs onboard as standard equipment (Intel via the PCH/chipset and an additional Realtek). Of course, they're also Sandy Bridge, so they're not on the vulnerable list anyway, but it suggests to me that dual ethernet NICs are (or at least were) fairly common.

    Are such setups still common? I'd guess they are, given that the reasons to include the second NIC onboard are as valid now as they were when my gear was new. I have to admit to not keeping up to date with what is available in anything newer than Ivy Bridge, as I haven't yet seen anything I'd really want to upgrade to. Crappy CPU integrated heat spreaders using thermal grease don't hold much appeal, given what I've seen about how well the stuff holds up after 5+ years. It seems to me to be yet another planned-obsolescence time bomb designed to shorten the life of equipment whose useful service life is the longest it's ever been (to the chagrin of Microsoft, Intel, and others who have a vested interest in keeping us all on the upgrade treadmill).

    None of the performance gains from generation to generation have been significant enough to make me want to take the chance with the crappy TIM, and while delidding is an option (speaking as a consumer; I can't imagine businesses doing it), it's an unnecessary risk that shouldn't be necessary in the first place. Now that Microsoft has embargoed the latest CPUs on their last usable OSes, it only makes new gear even less appealing, though I am gradually transitioning to Linux anyway in the wake of the Win 10 disaster.

    Everyone says Realtek ethernet is crappy and Intel is great, but which one of them has a built-in backdoor? Kinda changes the perspective a bit, I think. In the end, you pays your money and you takes your chances...

  26. Anonymous Coward
    Anonymous Coward

    Intel will be pleased that they have finally unlocked the key to continued processor sales despite the mere 10-20% performance improvement per generation since Sandy Bridge - when the security updates to the CPU or the chipset finish, it is time to upgrade.

    Oh yeah, Intel Management Engine 10 and earlier do not have these flaws. Sure.

    But what to upgrade to from the good old i7-2600K?

    1. 404 Silver badge

      You don't.

      You pimp it out with maximum memory and a Samsung PRO(! that's important !) SSD.

      ;)

  27. Norman Nescio

    CVE number?

    I wonder if the person who assigned the CVE number CVE-2017-5705 was a City Boy fan? Will that question be answered?

  28. Anonymous Coward
    Anonymous Coward

    not a back door?

    Hidden from OS - check

    No security - check

    Total denial it is a backdoor - check

    It's a backdoor.

  29. Aodhhan

    Settle...

    When it comes down to it, this is an injection attack via web services.

    Something we penetration testers see all the time. Fuzz the web application to grab information, and then craft or intercept/edit HTML packets from information we gather.

    Don't over think the problem and develop conspiracy theories about this. I doubt the NSA or anyone else purposely coded in weak routines which can be exploited in many of the applications I've tested in the past year with similar vulnerabilities.

    This is just a common problem which needs to be addressed through better coding practices and better testing.

    Don't be too rough on developers. You'd be amazed at the turnover rate at some companies. This means you have new developers getting placed into large development projects which have been alive for years. Pretty soon, nobody is an expert on the entire mess of coded inhumanity.

  30. Anonymous Coward
    Anonymous Coward

    Yet?

    No one seems to be concerned that many power supply chips have a 10+GHz dipole antenna that seems to use a FET to short out critical bits if the antenna gets the right serial stream. Someone who can put a transmitter in orbit can shut down lots of equipment.

    1. DainB Bronze badge

      Re: Yet?

      There is a very good reason why you need a satellite dish with direct line of sight to the satellite to receive a 10GHz+ TV signal.

      1. Anonymous Coward
        Anonymous Coward

        Re: Yet?

        Yet your GPS doesn't need a huge dish and those signals work very much like the 10GHz. The circuit appears to work by feeding pulses into a pulse shift much like the 50 baud stuff off a GPS sat without the frequency hopping stuff. Send the right pattern and make the chip and devices turn into a brick.

    2. Vendicar Decarian1

      Re: Yet?

      Link.

      1. Anonymous Coward
        Anonymous Coward

        Re: Yet?

        It is part of the reason behind this:

        https://asia.nikkei.com/Business/Companies/Apple-to-design-power-chips-in-house-as-early-as-2018-Sources

  31. JeffyPoooh Silver badge
    Pint

    e.g. ESP32's ULP Coprocessor

    Coprocessors lurk everywhere.

  32. Jerrycan

    What about the compilers ?

    I'm sure I read an essay from either Brian Kernighan or Dennis Ritchie, where they speculated that you could insert bad code into the compiler source, then compile the compiler, then drop the old compiler. Now all you have is a compiler that even with just a 'Hello World' will create a binary that might not be what you think it is..

    How would we know if this has already happened ?

    1. Anonymous Coward
      Anonymous Coward

      Re: What about the compilers ?

      "I'm sure I read an essay from either Brian Kernighan or Dennis Ritchie,"

      Ken Thompson's Reflections on Trusting Trust which got him the ACM Turing Award in 1984 (!), perhaps? He's from the same mould even if he's not K+R.

      Reposted at e.g.

      https://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html

      and discussed in various places of varying quality e.g.

      https://www.schneier.com/blog/archives/2006/01/countering_trus.html

      1. Charles 9 Silver badge

        Re: What about the compilers ?

        Didn't someone write a counterpoint to that same paper, saying there's a way to detect if a compiler is bad? David Wheeler's "Countering Trusting Trust," IIRC?

        http://www.acsa-admin.org/2005/abstracts/47.html
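        The Trusting Trust attack and Wheeler's diverse double-compiling (DDC) defence that the last two replies mention, modelled in Python as an added example (not from the thread or from Wheeler's paper): compilers are plain objects, source files are strings, and the trojaned compiler, the "login" program and the independent trusted compiler are all constructed for the model.

```python
from dataclasses import dataclass

# Constructed "source files" for the model: plain strings stand in for code.
COMPILER_SRC = "compiler v1 source"
LOGIN_SRC = "login source"
TROJAN = "self-propagating trojan"


@dataclass(frozen=True)
class Binary:
    """A compiled artefact. `payload` is whatever a trojaned compiler planted
    beyond what the source says; a clean build has payload == ''."""
    code: str
    payload: str = ""

    def compile(self, src: str) -> "Binary":
        """Compile `src`, with this binary acting as the compiler."""
        if self.payload == TROJAN:
            if src == LOGIN_SRC:
                # Clean login source still yields a backdoored login binary.
                return Binary(f"bin({src})", payload="backdoor")
            if src == COMPILER_SRC:
                # The trojan re-inserts itself whenever the compiler is rebuilt.
                return Binary(f"bin({src})", payload=TROJAN)
        return Binary(f"bin({src})")


def diverse_double_compile(suspect: Binary, src: str, trusted: Binary) -> bool:
    """DDC: build the suspect compiler's source with an independent trusted
    compiler, then build it again with that result. With deterministic builds
    stage2 must equal the suspect; any difference means the suspect binary
    carries something its source does not."""
    stage1 = trusted.compile(src)   # functionally the suspect, built by T
    stage2 = stage1.compile(src)    # the suspect built by a clean self
    return stage2 == suspect


# Constructed actors: trusted second compiler, clean v1, trojaned v1.
TRUSTED = Binary("bin(other compiler)")
CLEAN_V1 = TRUSTED.compile(COMPILER_SRC)
TROJANED_V1 = Binary(f"bin({COMPILER_SRC})", payload=TROJAN)


def trojan_survives_rebuild() -> bool:
    """Rebuilding from clean source with the trojaned binary keeps the trojan
    and still backdoors login, so source review alone cannot catch it."""
    rebuilt = TROJANED_V1.compile(COMPILER_SRC)
    return rebuilt.payload == TROJAN and rebuilt.compile(LOGIN_SRC).payload == "backdoor"


if __name__ == "__main__":
    print("trojan survives rebuild:", trojan_survives_rebuild())
    print("DDC accepts clean v1:", diverse_double_compile(CLEAN_V1, COMPILER_SRC, TRUSTED))
    print("DDC accepts trojaned v1:", diverse_double_compile(TROJANED_V1, COMPILER_SRC, TRUSTED))
```

        The check only works when the trusted compiler really is independent of the suspect and the build is reproducible; the model assumes both.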

  33. TheNotSoEvilEngineer

    Not a flaw... its a feature

    The ME was developed by Intel in conjunction with the intelligence agencies. There have been plenty of Intel Anons who've complained about this over the past few years. How you have to have security clearance even to work in the ME group. How you can't disable the ME and it's always on providing access well beyond what it should. The ME was designed to give these agencies a backdoor into every server that carries an Intel chip... it's not a mistake that these backdoors exist, they were designed that way.

  34. Vendicar Decarian1

    Retards are using C

    The OS is obviously written in C, and since C doesn't manage pointers properly and the C standard library is chock full of buffer overflows, they obviously couldn't manage to produce correct working code because the errors were too deep in the OS.

    C is by far the worst programming language ever created, and its authors should have been strung up and publicly hanged for their incompetence.

    1. Anonymous Coward
      Anonymous Coward

      Re: Retards are using C

      But there's a triangle involved here, isn't there? Tight, Fast, Safe: pick any two? What would your proposal be to defy the triangle and produce safe and fast code that can nonetheless work with a small memory footprint (since some people code for IoT and/or embedded devices with limited memory)?

  35. Keith_Rhodes

    Did Intel know about this back in July 2016?

    The tool supplied by Intel has a PDF "user's guide".

    The PDF's title field has a value of "Kaby Lake Platform Message of the Week WW30, 2016".

    This makes me think that either the people at Intel are just bad at creating PDF documents, or else Intel knew about this and prepared the tool in the final week of July 2016. And then sat on it until it felt forced to come clean(ish).


Biting the hand that feeds IT © 1998–2019