Misleading information about Intel ME (your ME probably can't access the network and probably doesn't contain a Web server) filtered through black-and-white thinking instead of risk analysis.
Also, this topic has been rehashed to death on HN already.
I agree that the article doesn't add anything, but accessing the network is a standard function of ME, via its AMT component. One of the leading features and selling points of ME is remote management independent of the OS (i.e., even if there is no functioning OS) - useful for support and for deploying OS, BIOS, and other updates.
Open a resume.
Browse from a coffee shop.
Click on a link from your bank.
Use your phone while on the subway.
Play music that you paid for.
Cross an international border.
Intel ME is a processor that runs the MINIX operating system. It's the operating system that connects to the network. AMT is a module that is run in the operating system, that uses the network functionality. Although no one really knows for sure, as it's completely closed source and very little "technical" documentation is provided about it.
Does the 'base' ME not have a number of network functions aside from AMT, eg anti-theft, system defense (packet filter), serial over LAN? From what I have read, the ME has the dynamic application loader that can load applets. It would be difficult, but not impossible to re-flash an ME. Are we sure that not having AMT is 'enough?' I can imagine the power of the ME would prove very tempting to talented state-sponsored groups.
In the semi-authoritative book on ME, Platform Embedded Security Technology Revealed by Xiaoyu Ruan of Intel, it says that only AMT can access the network (if I remember it correctly).
The book is three years old, so maybe that's changed. Or maybe the functions you describe are part of AMT. I'd be interested in knowing more.
> system defense (packet filter)
At least that doesn't sound like it needs to transmit.
"Some of the other modules include ... a system for location tracking and remote wiping of laptops for anti-theft purposes." [1] (link to Igor Skochinsky slides).
> AMT is not included in every ME and your computer probably doesn't have AMT.
As far as I know, AMT is on almost every ME implementation, but I'd love to learn more about it. When is it included? What is that based on?
Here's what I know:
1. Every system with the VPro branding includes AMT with remote access (I'm 90% sure of that). Considering the audience here at HN, most of their computers probably are VPro models.
2. Non-VPro models also include AMT, and possibly some have remote access. I recently was working with a non-VPro system that certainly had AMT, but had the Small Business Technology implementation, which purposefully omits remote access.
There's also Standard Manageability, which "appears only on Intel Desktop Boards that support Intel AMT but that do not have a vPro-compatible processor installed"; AFAICT it's a implementation of AMT, and I think it includes remote access. (There are not enough days in the week to sort out Intel's product line, and that was one thing I didn't need to know.)
Your ME can trivially pwn your OS and can therefore access the network. Moreover, I'd be shocked if the ME couldn't reflash your full firmware. How? By subverting early boot or by subverting SMM. This means that an ME code execution exploit can very likely become persistent. I bet it can also fairly bypass Boot Guard. Secure Boot doesn't help at all.
The upshot being that it's very likely that a malicious USB stick can persistently compromise any modern Intel box in a fairly generic way.
To turn the tinfoil hat the other way though... until recently it would have been trivial for a nation-state to intercept and add a hardware implant to a motherboard.
So on the one hand SecureBoot & ME are terrible, but on the other hand the pre-existing security regime was also terrible.
The ideal would of course be for Intel to be more open about the ME, but who knows if that will ever happen.
SecureBoot is fine actually as long as you can replace the root keys. (It is about add trustworthy as TPM hardware and Intel's SINIT blob, which does not say much.)
Even though it has been rehashed to death you don't seem to have gotten the message: yes it can access the network or else it couldn't Wake on LAN and yes it does have a full minix operating system including a webserver but you just go ahead and spew apparently completely uninformed bs - it is your job after all.
> your ME probably can't access the network and probably doesn't contain a Web server
> probably
Therein lies the issue. The real objection with ME isn't that it's "proprietary" or "non-libre" or whatever other ideological objections, it's that it's an opaque embuggerance that makes any analysis or reasoning about the system's security/trustworthiness/reliability completely impossible and specious.
It's 10PM. Do you know if your ME has been provisioned by evil malware?
I don't care about whether its source code is public or not, I care about the fact that I have no verifiable and irreversible way to disable that little implant's function. It's not an innocent housekeeping microcontroller, it's one hell of a remote-access-tool, plain and simple. That intelligence agencies have demanded that Intel provide a bit to neuter the ME after its bringup is testament to that.
My personal computer isn't part of an enterprise/corporate network, and I don't want any RAT (nor an auxiliary CPU with network access that is waiting to be provisioned to act like a RAT) installed on it, the same way my house-lock isn't keyed with a master key that the police holds.
The list, which is only 6 links and a small part of the blog post, is only a tiny, unrepresentative part of the ME research corpus.
The real title of the blog post is "The Bad Thing"; I'm glad that's not the HN title, but our current one is unrepresentative of the content. Perhaps, "Intel ME: The Bad Thing".
I wonder if anyone has given thought to the possible dangers (some of) the engineers at Intel could be in. Intel has created, from my understanding, the ultimate backdoor.
This is something that governments worldwide, large criminal organizations and others would be interested in.
I can't believe I'm even typing something like this! It reads like something from a bad dystopian film. To even have something like Intel ME considered would have been mind-blowing enough. To have implemented it... there are no words.
I have had pretty good luck running me_cleaner on various computers - the main difficulty is the hardware access to the SPI flash, but once you have that it's not too difficult, and low risk because you can always flash a backup of the original back on.
It is a bit unfortunate that all we can do is disable some modules or set the HAP bit without knowing exactly what has been neutralized, but it's certainly far better than the extremely limited control Intel provides the user over the ME.
It will be interesting to see if Intel tries to make this more difficult with future iterations (it will certainly be even more suspicious if they do).
23 comments
[ 5.9 ms ] story [ 54.1 ms ] threadAlso, this topic has been rehashed to death on HN already.
The book is three years old, so maybe that's changed. Or maybe the functions you describe are part of AMT. I'd be interested in knowing more.
> system defense (packet filter)
At least that doesn't sound like it needs to transmit.
> anti-theft
What anti-theft service does ME provide?
"Some of the other modules include ... a system for location tracking and remote wiping of laptops for anti-theft purposes." [1] (link to Igor Skochinsky slides).
[1] https://www.eff.org/deeplinks/2017/05/intels-management-engi...
As far as I know, AMT is on almost every ME implementation, but I'd love to learn more about it. When is it included? What is that based on?
Here's what I know:
1. Every system with the VPro branding includes AMT with remote access (I'm 90% sure of that). Considering the audience here at HN, most of their computers probably are VPro models.
2. Non-VPro models also include AMT, and possibly some have remote access. I recently was working with a non-VPro system that certainly had AMT, but had the Small Business Technology implementation, which purposefully omits remote access.
There's also Standard Manageability, which "appears only on Intel Desktop Boards that support Intel AMT but that do not have a vPro-compatible processor installed"; AFAICT it's a implementation of AMT, and I think it includes remote access. (There are not enough days in the week to sort out Intel's product line, and that was one thing I didn't need to know.)
Your ME can trivially pwn your OS and can therefore access the network. Moreover, I'd be shocked if the ME couldn't reflash your full firmware. How? By subverting early boot or by subverting SMM. This means that an ME code execution exploit can very likely become persistent. I bet it can also fairly bypass Boot Guard. Secure Boot doesn't help at all.
The upshot being that it's very likely that a malicious USB stick can persistently compromise any modern Intel box in a fairly generic way.
This is bad.
So on the one hand SecureBoot & ME are terrible, but on the other hand the pre-existing security regime was also terrible.
The ideal would of course be for Intel to be more open about the ME, but who knows if that will ever happen.
> probably
Therein lies the issue. The real objection with ME isn't that it's "proprietary" or "non-libre" or whatever other ideological objections, it's that it's an opaque embuggerance that makes any analysis or reasoning about the system's security/trustworthiness/reliability completely impossible and specious.
It's 10PM. Do you know if your ME has been provisioned by evil malware?
I don't care about whether its source code is public or not, I care about the fact that I have no verifiable and irreversible way to disable that little implant's function. It's not an innocent housekeeping microcontroller, it's one hell of a remote-access-tool, plain and simple. That intelligence agencies have demanded that Intel provide a bit to neuter the ME after its bringup is testament to that.
My personal computer isn't part of an enterprise/corporate network, and I don't want any RAT (nor an auxiliary CPU with network access that is waiting to be provisioned to act like a RAT) installed on it, the same way my house-lock isn't keyed with a master key that the police holds.
The real title of the blog post is "The Bad Thing"; I'm glad that's not the HN title, but our current one is unrepresentative of the content. Perhaps, "Intel ME: The Bad Thing".
This is something that governments worldwide, large criminal organizations and others would be interested in.
I can't believe I'm even typing something like this! It reads like something from a bad dystopian film. To even have something like Intel ME considered would have been mind-blowing enough. To have implemented it... there are no words.
It is a bit unfortunate that all we can do is disable some modules or set the HAP bit without knowing exactly what has been neutralized, but it's certainly far better than the extremely limited control Intel provides the user over the ME.
It will be interesting to see if Intel tries to make this more difficult with future iterations (it will certainly be even more suspicious if they do).
It's no replacement for a system with a trustworthy firmware, but right now the available choices aren't good.