I wonder if this will at all dissuade either Intel or AMD into continuing to make these super privileged processors whose functions are completely hidden. The cynic in me thinks that this will change absolutely nothing.
There is a great website called The Bad Thing [1] that has compiled the known information about Intel ME.
I just ran the detection tool on my laptop and I am running a vulnerable version of Intel ME, but I can't even do anything about it until my system manufacturer provides a patch for it. I feel like this is going to be one of those situations that ends up leaving millions of devices unpatched and vulnerable a few years down the road.
[0]: https://www.blackhat.com/eu-17/briefings/schedule/#how-to-ha... [1]: https://www.cs.cmu.edu/~davide/bad_thing.html
I think many discussions miss the nuance here. The problem is that the functionality is hidden, not necessarily that the function is there.
In corporate use, these tools can be incredibly useful. If they were more transparent, then they could be used by normal users for remote administration as well.
But it needs to be secure, and it needs to exist without secrecy. If this portion were free for the user to configure, or if they allowed complete disabling via motherboard jumper, or simply open sourced it, that would be a better step.
However, the NSA's activities have destroyed all trust in these sorts of features coming from an American company, so even if it were completely open sourced, there's no guarantee that there isn't other hardcoded ROM also executing in tandem with the open source components.
> If they were more transparent, then they could be used by normal users for remote administration as well.
The fundamental objection with ME isn't that it's "proprietary" or "non-libre" or whatever other ideological objections, it's that it's an opaque embuggerance that makes any analysis or reasoning about the system's security/trustworthiness/reliability completely impossible and specious. There aren't even any robust specifications for it (like those for ISAs); it's literally a black box -- and one granted terrifying access to both the system's internals and external network interfaces.
It's 10PM. Do you know if your ME has been provisioned by evil malware?
I don't care much about whether its source code is public or not, I care about the fact that I have no verifiable and irreversible way to disable that little implant's function. It's not an innocent housekeeping microcontroller, it's one hell of a remote-access-tool, plain and simple. That intelligence agencies have demanded that Intel provide a bit to neuter the ME after its bringup is testament to that.
My personal computer isn't part of an enterprise/corporate network, and I don't want any RAT (nor an auxiliary CPU with network access that is waiting to be provisioned to act like a RAT) installed on it, the same way my house-lock isn't keyed with a master key that the police holds.
I (and most other end-users) do not need any sort of remote-management capability. We need trustworthy and robust computers that are capable of not leaking secrets and losing control to adversaries -- and "remote management" hardware is a severe step backwards from that.
That wouldn't really work; the ME is essentially "the CPU" of the Platform Controller Hub. Disabling it would be disabling your computer (e.g. your IOMMU, your DRAM refresh, your ACPI command routing, etc.)
All the stuff that used to be done "manually" by the CPU itself back in the 8086 days—using configured IRQs and PITs and whatever else—is done autonomously by the PCH these days, with the CPU just asking the PCH to "get it done." And the logic that runs in the PCH to interpret those requests and decides when and how to apply them, is executed by the ME.
The ME only managed to not exist previously, because mainboards were previously both "simpler" (every bus spoke exactly one protocol and the controller chip for that bus did the protocol signalling) and more complex (tons of single-purpose controller chips.) The PCH boils all that down to one chip, and it needs a CPU to do it, and that CPU is the ME. Getting rid of it would mean going back ~15 years in computer capabilities.
(Another way to think of the PCH is that it's basically an SoC chip, with the "heavy lifting" of application execution moved out to a separate, upgradable CPU socket. But, like any SoC, it still does need some sort of internal CPU. The ME is that CPU.)
I would carefully analyse if patching is a good thing.
Those vulnerabilities might be used in good way to disable ME and all this intel crapware completely, while if patched, this again may be impossible without doing manual chip clip and reprogramming with external device. Of course YMMV.
Here, nice read of current way, using raspberry pi and clipping ME chip while motherboard is off: https://wiki.gentoo.org/wiki/Sakaki%27s_EFI_Install_Guide/Di...
No need to salivate over something that you paid for and that you already used for 8 years.
Post-Snowden if you believe the NSA has already broken into most things and has very often paid to facilitate this (like loss-making Skype US server routing, or inefficiently using valuable silicon space for IME), you are no longer a conspiracy theory lunatic - you are just a mere sane person applying Occam's razor.
I don't think it's necessary to pay when you can just threaten charges of treason (Melissa Mayer) or make an example out of the uncooperative (Joe Nacchio).
Our brightest hope for reform involves (a) a breach involving ME and (b) European regulators laying fines on Intel.
They clearly invested some serious money into this sort of thing and see it as a differentiator (or AMD wouldn't have followed suit). Chances that they'll throw it all away because of a few vulnerabilities are very, very thin.
[0] https://libreboot.org/faq.html#amd-platform-security-process...
Intel managed to make PCs as safe as Android.
Do we really think older systems are magically not vulnerable to any of these? It seems more likely that they're vulnerable but old enough that they're getting ignored... and so they'll never get fixes.
Intel sales slump solved? :-/
Of course as it becomes clear you can (and should) disable it, if you do that on a corporate laptop you might find that your IT team is both mad and proud of you at the same time. Quite the quandry.
Are you really suggesting the IME and AMD's similar component are not the fruit of a collaboration between these market dominating companies and the NSA?
Most annoying thing is that there isn’t even a real alternative. If I understand it right then AMD chips have pretty much the same thing?
I am really looking forward for either ARM to displace x64 or even better RISC-V. With ARM you have many more vendors so more chance for options, and RISC-V is the ultimate in openness.
https://puri.sm/posts/purism-librem-laptops-completely-disab...
ARM could be a affordable alternative to x86 if that works for you.
Even the open source friendly Raspberry Pi relies on proprietary blobs and proprietary firmware, with vast parts of the documentation only being available to system integrators (meaning: not you) under an NDA.
Theirs is a Broadcom chip, but my understanding is that the scenario is pretty much the same for other ARM vendors. If the chip is anything more complicated than your average 8-bit micro-controller, expect it to be running some kind of "system" which is, of course, closed source.
> "Potential Impact: An attacker could load and execute arbitrary code outside the visibility of the user, operating system, and hypervisor/virtualization platform; resulting in exfiltration of secrets, subtle manipulation of system operation, or denial of service."
[0]: https://support.lenovo.com/us/en/product_security/len-17297
[0]: https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulner...
# modprobe mei_me
# modprobe mei_txe
# modprobe mei
# lsmod | grep mei
mei_me 36864 0
mei_txe 20480 0
mei 86016 2 mei_me,mei_txe
# python2 ./intel_sa00086.py
INTEL-SA-00086 Detection Tool
Copyright(C) 2017, Intel Corporation, All rights reserved
Application Version: 1.0.0.128
Scan date: 2017-11-23 20:37:48 GMT
*** Host Computer Information ***
Name: mbair
Manufacturer: Apple Inc.
Model: MacBookAir5,2
Processor Name: Intel(R) Core(TM) i5-3427U CPU @ 1.80GHz
*** Intel(R) ME Information ***
Engine: Intel(R) Management Engine
Version: 8.0.4.1441
SVN: 0
*** Risk Assessment ***
Based on the analysis performed by this tool: This system is not vulnerable.
When the HW dies, I'll most probably go for a Chromebook with Coreboot - and install Debian on it. I've had it - enough with this idiocy from Intel and AMD ; if they can't see how these "signed black boxes" are harming them, they deserve what's coming (open, and powerful enough architectures - i.MX8, RISC-V, etc).
I'd rather have a more thorough ME test than just AMT I could run though, coupled with a statement from Apple that ME is or will be entirely neutered on Macs in the future.
Several HN users here (beefhash, jlgaddis, joe_the_user) have raised the possibility that applying the patch might make it impossible to get rid of the Intel ME entirely.
If you don't apply the patch, someone may come up with a nice new exploit (using the security bugs) to completely remove the Intel ME.
If you do apply the patch, it might close off possible exploits and you'll be left with an Intel ME that's impossible to remove.
Maybe there is a way to reprogram to disable ME without the flash programmer which these fixes may block. If my laptop weren't already ME disabled, I'd probably apply the fixes.
Isn't there an "eFUSE-like" counter that prevents firmware rollback?
Feel free to join.
The question is what the best IRC server would be to use; considerations include reputation and "unpopularity", ie certain overly busy networks may scare some people away.
There's also the possibility of using Discord.
The main issue is encryption; most won't have any opinions on the subject, but more vocal types who may be useful to have on board may insist on specific forms of security in order to participate.
Just my 2c
"Asking for a friend"
Customer. Or customers (plural)??
I ask, because I assume this amount of complexity wasn't created because it was cheap, or end-users were crying out for it. There may be other customers -- those with three-letter agency names, who would wish for code to run on the computer you possess (note, I did not say "own", so long as someone else has control).
It's getting too easy to be this paranoid. Besides, it was fun when I sounded crazy. Now it's alarming.
Now that doesn't mean that the TLAs haven't found and used a vulnerability but that's like everything in a computer.
It’s still not really clear to me why it needs to exist at all.
Serious question.
That _can_ include advanced power management, secure computing stuff, watchdog functions and stuff like that.
As I understand it, the ME subsystem is an overseer, and is running even if your main PC is powered off. It has control over the network, unobservable from the downstream CPU/OS. It could therefore receive commands/input from the network and update itself while "off", or transmit data outbound. So unless the system is unplugged from the wall, the ME subsystem could be doing God-knows-what.
I'm not familiar enough with the Intel ME to tell, but could this possibly be exploited with the arbitrary code execution in the ME being used to set the HAP bit without requiring hardware intervention?
Maybe I'll hold off on patching for a bit.
I think you're suggesting extremely interesting but I'm not totally clear on it. So someone[1] has come up with some code to either disable (kill switch) or remove the Intel ME. (Setting the HAP bit is the kill switch.)
Now Intel and its vendors are going to issue a patch for the Intel ME. Are you saying that as a result of applying this patch we might not be able disable or remove the Intel ME? In other words, we'll end up with a slightly more secure Intel ME, but be worse off since we can't exploit any bugs to get rid of it?
If I'm understanding you correctly, this sounds like the iPhone situation: upgrade to a newer iOS and lose the ability to jailbreak.
[1] https://github.com/corna/me_cleaner/wiki/HAP-AltMeDisable-bi...
However, Intel's own platform tools (MEInfo and MEManuf running in a UEFI shell) can't even communicate with the ME on my 2015 Macbook Pro, so I would be quite interested to know what exactly they have done differently with regard to configuring the platform.
People have been archiving every version of the ME firmware for each chipset, and it would appear there are some versions that may be specific to Apple hardware. I'm not sure what is different, if anything, but you can see (and download) the particular firmware versions here: https://www.win-raid.com/t596f39-Intel-Management-Engine-Dri...
[0]: https://www.macrumors.com/2017/11/19/imac-pro-a10-chip-hey-s...
A vulnerability where someone can remote control your machine even after you swap out all local storage and install a new OS is another thing entirely.
They will of course not let go because it's a backdoor. It's an overprivileged computer within your computer.
Plus, purchasing machines like that one not only sends a clear signal that we want backdoor-free computing, but also allows the further development of more libre computing options. Wouldn't you rather have Linux and BSD as first-class citizens on new hardware, instead of always needing to play catch-up from behind?
Q: Why preorders? Why can't I evaluate a production machine right now?
A: Although we have Talos™ II hardware in our labs, IBM has not yet released the POWER9 CPU to the general public. The POWER9 launch is scheduled for Q4 this year; we intend to make Talos™ II available to everyone shortly after POWER9 launch via our pre-order model. This model allows us to manage supply of the Talos™ II systems for Q4 shipment, and we intend to transition to a more standard ordering model once the POWER9 processor has reached general availablility (GA). Orders placed after our pre-order cutoff will not ship until 2018, and you would be missing out on the benefits of early market access to the POWER9 processor, so we strongly recommend that you place your pre-order as quickly as possible!
“Critical: A vulnerability, which if exploited, would allow remote execution of malicious code without user action.”
“Important: A vulnerability, which if exploited, would directly impact the confidentiality, integrity or availability of user’s data or processing resources.“
$ sudo ./intel_sa00086.py
...
*** Risk Assessment ***
Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).
...
If you have a Lenovo machine, check Lenovo's security advisory [0] to see if it is affected. Intel has the wrong URL in their link.
Edit: FWIW, the (Linux) tool creates a .log (and .xml) file in the current directory that was slightly more helpful:
$ tail -n 4 SA-00086-cluefire-2017-11-20-21-09-36.log
HECI error: No device with MKHI found[2]
Can't find SPS version in the tool output
Status: HECI_NOT_INSTALLED
Tool Stopped
Error 9460: Unknown or unsupported hardware platform
[0]: https://support.lenovo.com/us/en/product_security/len-17297
[1]: https://en.wikipedia.org/wiki/Host_Embedded_Controller_Inter...
The tool rightly points out that my desktop consumer system is vulnerable (from the list, no Intel CPU manufactured in the last 5 years isn't), then suggests I contact the manufacturer for an update. Here is what the tool says my system manufacturer is:
Manufacturer: To Be Filled By O.E.M.
Model: To Be Filled By O.E.M.
Some of the board vendors do a better job, but usually still not as good as "namebrand computers." There is a lot of engineering work that goes into integration. It's not readily visible to endusers/consumers and therefore difficult for us to appreciate it or evaluate it for completeness or accuracy.
I hope that someone does a survey of computer and board vendors' support for this problem. I would like to see who abandons products last.
Based on the analysis performed by this tool: Detection Error: This system may be vulnerable, please install the Intel(R) MEI/TXEI driver (available from your system manufacturer).
Does that mean that the Intel ME is disabled, so I don't have to worry about it? I certainly don't want to install anything that might enable the Intel ME if it's already disabled!
What a quandary. This reminds me of all the information I was asked to give to get a detailed credit report. If I didn't give it, they weren't going to give me the report. If I gave it, they would add to my credit file even if they never had it before.
If Intel actually cared about your security they would document that. It says so right in the security advisory that the external researchers are the reason for the security review, and not due to customer concerns.
The Intel dudes could have added "from future import print_function" and made it version-independent.
I'm just waiting for the ransomware that lives on AME, and is burned to the various dies instead of on hard-drives. Isn't that what this open door means?
I almost wish it covered 3rd-5th generation, just to help me push some folks to upgrade.
https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thomp...
Basically you have to trust the compiler because it compiles all code on your system, including itself. Not entirely the same, and I think the Intel trick is more nefarious.
Who knows what benefits this defect can give you down the line. Maybe it will be possible to take over the entire Management Engine. That would be neat.