Personal computing discussed

Moderators: renee, Flying Fox, morphine

 
whm1974
Emperor Gerbilius I
Topic Author
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 5:41 am

I have been reading articles about the Intel Management Engine that has been embedded in Intel's CPU and chipsets during the last few days such as this:
http://www.networkworld.com/article/308 ... f-you.html

It's bad enough that OEMs are putting stuff like SuperFish on their systems, but this is even worse. I think it's very likely that this will end up being a vector for malware and PUPs, with end users not going to be able to do anything about it. Just a matter of time.

And It's my understanding that AMD also has something like this in their CPUs and chipsets as well.
 
ronch
Graphmaster Gerbil
Posts: 1142
Joined: Mon Apr 06, 2009 7:55 am

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 6:15 am

If you're afraid of Intel's security management, just get an AMD FX. AFAIK FX CPUs don't contain TrustZone™. :-D
NEC V20 > AMD Am386DX-40 > AMD Am486DX2-66 > Intel Pentium-200 > Cyrix 6x86MX-PR233 > AMD K6-2/450 > AMD Athlon 800 > Intel Pentium 4 2.8C > AMD Athlon 64 X2 4800 > AMD Phenom II X3 720 > AMD FX-8350 > RYZEN?
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 6:19 am

Interesting. It needs to be taken in context though; this is just the next step of something that's been going on for years.

Since the 486 days x86 systems have had something called SMM (System Management Mode); this is a special execution mode which is entered via a System Management Interrupt, which cannot be disabled by the OS. It is typically used by the BIOS to implement functions in firmware which are meant to be transparent to the OS (e.g. system monitoring, fan speed control, PS/2 keyboard emulation for USB keyboards, etc.)

Since Windows 8, Microsoft has included something called Windows Platform Binary Table, which allows the motherboard BIOS to silently inject an executable which is run during Windows startup. (Lenovo and others have already exploited this "feature" to automatically run installers for their own bloatware even on clean Windows installs from generic Windows installation media.)

If you are going to worry about the possibility of vendor booby-trapped (or malware infected) motherboard firmware, exploitable mechanisms have literally been in place for decades already.
Nostalgia isn't what it used to be.
 
whm1974
Emperor Gerbilius I
Topic Author
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 7:11 am

just brew it! wrote:
If you are going to worry about the possibility of vendor booby-trapped (or malware infected) motherboard firmware, exploitable mechanisms have literally been in place for decades already.

And now I'm wondering what can the end user can do to make it harder to get exploited.
 
blahsaysblah
Gerbil Elite
Posts: 581
Joined: Mon Oct 19, 2015 7:35 pm

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 7:16 am

No problem, they have full source for UEFI firmware.
 
Aranarth
Graphmaster Gerbil
Posts: 1435
Joined: Tue Jan 17, 2006 6:56 am
Location: Big Rapids, Mich. (Est Time Zone)
Contact:

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 7:18 am

whm1974 wrote:
And now I'm wondering what can the end user can do to make it harder to get exploited.


Nothing really except to practice safe computing.

This is the ultimate in security by obscurity.
Main machine: Core I7 -2600K @ 4.0Ghz / 16 gig ram / Radeon RX 580 8gb / 500gb toshiba ssd / 5tb hd
Old machine: Core 2 quad Q6600 @ 3ghz / 8 gig ram / Radeon 7870 / 240 gb PNY ssd / 1tb HD
 
just brew it!
Administrator
Posts: 54500
Joined: Tue Aug 20, 2002 10:51 pm
Location: Somewhere, having a beer

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 7:27 am

whm1974 wrote:
just brew it! wrote:
If you are going to worry about the possibility of vendor booby-trapped (or malware infected) motherboard firmware, exploitable mechanisms have literally been in place for decades already.

And now I'm wondering what can the end user can do to make it harder to get exploited.

Not much you can do about vendor-installed crap like the Lenovo stuff if you want to run Windows. Linux would obviously be immune to that specific type of shenanigans (since it requires cooperation from the OS to do its dirty work), but not necessarily to exploits of IME or SMI.

Beyond that, follow standard "safe computing" practices and cross your fingers.

If that's not good enough, then become a hermit and live in a cave, off the grid with no internet access. It's the only way to be sure. :wink:
Nostalgia isn't what it used to be.
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden
Contact:

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 8:47 am

^ jbi pretty much covered it.
or
Nuke the entire site from orbit -it’s the only way to be sure.


As for some seriousness though, not much you can do, but Intel is invested enough in it so while you can never be fully sure, they should have the expertise to implement something like this in a decent manner. But if a workable exploit is found, we would be in for a bad time.

These technologies rarely have much use outside the enterprise world though, although when working with thousands of workstations/servers/etc/appliances, etc having the ability to remote control certain features outside of the normal in-band technology is pretty darn useful, no matter if it's called LOM, IME, ILO or similar functions that can all tap into various features and functions of a machine. Some deeper, some of lesser capability. Now, while some examples have been available that are simply atrocious, I think intel might have better know how in many ways, not that we have any choice in the matter, but considering the features it has, if they don't we are screwed anyway.
 
Kretschmer
Gerbil XP
Posts: 462
Joined: Sun Oct 19, 2008 10:36 am

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 8:50 am

No. /Thread
 
Techgoudy
Gerbil First Class
Posts: 142
Joined: Tue Oct 02, 2012 5:01 pm

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 10:16 am

just brew it! wrote:
Since Windows 8, Microsoft has included something called Windows Platform Binary Table, which allows the motherboard BIOS to silently inject an executable which is run during Windows startup. (Lenovo and others have already exploited this "feature" to automatically run installers for their own bloatware even on clean Windows installs from generic Windows installation media.)


Do they use this technique for installing device drivers too? Or is it just annoying bloatware?
 
maxxcool
Gerbil Elite
Posts: 855
Joined: Thu Sep 12, 2002 8:40 am
Location: %^&*%$$
Contact:

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 10:22 am

whm1974 wrote:
I have been reading articles about the Intel Management Engine that has been embedded in Intel's CPU and chipsets during the last few days such as this:
http://www.networkworld.com/article/308 ... f-you.html

It's bad enough that OEMs are putting stuff like SuperFish on their systems, but this is even worse. I think it's very likely that this will end up being a vector for malware and PUPs, with end users not going to be able to do anything about it. Just a matter of time.

And It's my understanding that AMD also has something like this in their CPUs and chipsets as well.


About as much as AMD's version.
Cybert said: Capitlization and periods are hard for you, aren't they? I've given over $100 to techforums. I should have you banned for my money.
 
RAGEPRO
Gerbil
Posts: 58
Joined: Wed Mar 23, 2016 9:50 am
Location: Golden Triangle, Texas
Contact:

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 10:38 am

This isn't actually news; the Coreboot guys have been trying to warn everyone to stay away from Core i-series chips for a while now for this very reason. This page was created in 2014, and there have been alarmists and paranoids talking about it since well before then.

The thing is, even making use of Intel ME legitimately is difficult; there are no public tools for using it and the private tools are obscure at best and cryptic at worst. People might complain about the "security through obscurity" nature of the beast but if the Coreboot guys can't get around it, I don't think we have to worry too much about random malicious coder A from Slovakia. (No offense intended to Slovaks.)

There's always the concern about government-issued malware, of course, but at a certain point I have to wonder; to what lengths are you willing to go to prevent being spied on?

The only reason anyone is talking about this right now is that a couple of scaremongering articles hit the mainstream (or at least, the mainstream tech audience.) Intel ME isn't new and while I'd love to see it gone, I find it highly unlikely. Aside from fodder for fun conspiracy theorizing, I don't think it has a lot of relevance to the majority of users. Ultimately I think nothing will change in your life if you just ignore it.
 
meerkt
Gerbil Jedi
Posts: 1754
Joined: Sun Aug 25, 2013 2:55 am

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 11:00 am

blahsaysblah wrote:
No problem, they have full source for UEFI firmware.
Thanks for the pointer.

Re IME, this is interesting (linked from the coreboot page): https://github.com/skochinsky/papers/ra ... 0Later.pdf
 
biffzinker
Gerbil Jedi
Posts: 1998
Joined: Tue Mar 21, 2006 3:53 pm
Location: AK, USA

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 11:13 am

AMD Platform Security Processor (PSP) #amdpsp

This is basically AMD's own version of the Intel Management Engine. It has all of the same basic security and freedom issues, although the implementation is wildly different.

The Platform Security Processor (PSP) is built in on all Family 16h + systems (basically anything post-2013), and controls the main x86 core startup. PSP firmware is cryptographically signed with a strong key similar to the Intel ME. If the PSP firmware is not present, or if the AMD signing key is not present, the x86 cores will not be released from reset, rendering the system inoperable.

The PSP is an ARM core with TrustZone technology, built onto the main CPU die. As such, it has the ability to hide its own program code, scratch RAM, and any data it may have taken and stored from the lesser-privileged x86 system RAM (kernel encryption keys, login data, browsing history, keystrokes, who knows!). To make matters worse, the PSP theoretically has access to the entire system memory space (AMD either will not or cannot deny this, and it would seem to be required to allow the DRM "features" to work as intended), which means that it has at minimum MMIO-based access to the network controllers and any other PCI/PCIe peripherals installed on the system.

In theory any malicious entity with access to the AMD signing key would be able to install persistent malware that could not be eradicated without an external flasher and a known good PSP image. Furthermore, multiple security vulnerabilities have been demonstrated in AMD firmware in the past, and there is every reason to assume one or more zero day vulnerabilities are lurking in the PSP firmware. Given the extreme privilege level (ring -2 or ring -3) of the PSP, said vulnerabilities would have the ability to remotely monitor and control any PSP enabled machine. completely outside of the user's knowledge.

Much like with the Intel Boot Guard (an application of the Intel Management Engine), AMD's PSP can also act as a tyrant by checking signatures on any boot firmware that you flash, making replacement boot firmware (e.g. libreboot, coreboot) impossible on some boards. Early anecdotal reports indicate that AMD's boot guard counterpart will be used on most OEM hardware, disabled only on so-called "enthusiast" CPUs.


https://libreboot.org/faq/#amdpsp
It would take you 2,363 continuous hours or 98 days,11 hours, and 35 minutes of gameplay to complete your Steam library.
In this time you could travel to Venus one time.
 
whm1974
Emperor Gerbilius I
Topic Author
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 12:04 pm

OK maybe I'm making a mountain out of a molehill here. But like Microsoft's Windows Platform Binary Table I wouldn't be surprised if OEMs start abusing this.
 
Ryu Connor
Global Moderator
Posts: 4369
Joined: Thu Dec 27, 2001 7:00 pm
Location: Marietta, GA
Contact:

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 12:29 pm

Calling MEI or PSP security through obscurity is fairly misleading.

Sure the code can't be audited, but that's not exactly new in the computing industry. Nor does having code audited necessarily make it more secure. Shellshock took twenty-five years to find in freely available source.

Age does not make code more secure.
Availability does not make code more secure.
There's always another bug.

Both AMD and Intel implemented real security into the MEI and PSP. It has real security in the form of a required cryptographic digital signature. That's not security through obscurity, that is security.
All of my written content here on TR does not represent or reflect the views of my employer or any reasonable human being. All content and actions are my own.
 
whm1974
Emperor Gerbilius I
Topic Author
Posts: 6361
Joined: Fri Dec 05, 2014 5:29 am

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 1:16 pm

Ryu Connor wrote:
Calling MEI or PSP security through obscurity is fairly misleading.

Sure the code can't be audited, but that's not exactly new in the computing industry. Nor does having code audited necessarily make it more secure. Shellshock took twenty-five years to find in freely available source.

Age does not make code more secure.
Availability does not make code more secure.
There's always another bug.

Both AMD and Intel implemented real security into the MEI and PSP. It has real security in the form of a required cryptographic digital signature. That's not security through obscurity, that is security.

I'm well aware that there is no such thing as 100% security or hacker proof software. And any developers who claim otherwise is asking to get hacked.
 
Flying Fox
Gerbil God
Posts: 25690
Joined: Mon May 24, 2004 2:19 am
Contact:

Re: Intel Management Engine. Should we be worried?

Tue Jun 21, 2016 1:53 pm

whm1974 wrote:
OK maybe I'm making a mountain out of a molehill here.

That may apply to a lot of your threads. :P
The Model M is not for the faint of heart. You either like them or hate them.

Gerbils unite! Fold for UnitedGerbilNation, team 2630.

Who is online

Users browsing this forum: No registered users and 1 guest
GZIP: On