HN Gopher Feed (2017-12-27) - page 1 of 10 ___________________________________________________________________
How to hack a turned-off computer, or running unsigned code in
Intel ME [pdf]
320 points by danjoc
https://www.blackhat.com/docs/eu-17/materials/eu-17-Goryachy-How...___________________________________________________________________
saulrh - 5 hours ago
Money quote, though this may be slightly old news and this is just
a summary of known information: One of the most common questions
regards the possibility of remote exploitation. We think that
remote exploitation is possible if the following conditions are
true: 1. The target platform has AMT activated. 2. The
attacker knows the AMT administrator password or can use a
vulnerability to bypass authorization. 3. The BIOS is
not password-protected (or the attacker knows the password).
4. The BIOS can be configured to open up write access to the
ME region. If all these conditions are met, there is no reason
why an attacker would not be able to obtain access to the ME
region remotely. Also note that during startup, the ROM does
not check the version of firmware, leaving the possibility that
an attacker targeting an up-to-date system could maliciously
downgrade ME to a vulnerable version. That list of conditions
does not seem incredibly unusual to me. Consumer hardware should
have AMT disabled and be safe, but on business machines the highest
bar is an AMT vuln, and given the huge size and apparently terrible
code quality of the AMT I expect to be seeing auth bypasses for it
on a regular basis.
ksk - 4 hours ago
Could you elaborate on why you think its apparent that AMT has
'terrible code quality'? Specifically, versus other high profile
products that continue to have multiple security bugs being
introduced every release cycle - Windows, iOS, Android, Linux,
etc.
Animats - 2 hours ago
It has a classic C buffer overflow - there's a read where the
amount read can exceed the buffer size. This is a consequence
of C's biggest design flaw - the language doesn't know the size
of arrays. That's the root cause of most buffer overflow
vulnerabilities. It also means that Intel didn't do much code
review. There are automated tools which recognize that specific
class of bug.
feelin_googley - moments ago
Intel code quality, or lack thereof, is a red herring.The true
issue with ME is that for non-corporate users it is not needed
and should not exist. But yet these users, no matter what
Intel chip they are using, have this "feature" anyway. Why?The
notion that all Intel-based computers must be ready for being
remote-controlled, that this is being implmented at the chip-
level and that the settings are outside of the purview of most
users, is something that rational people will question.There is
no option to say "No, thank you. I do not need that feature
given the use case for which I am purchasing this computer."
saulrh - 3 hours ago
Every description I've heard of it has language like this: AMT
is a large module with a huge number of different network
protocols of various levels integrated into it. This module
contains a great deal of legacy code but can only be found in
business systems. In absolute terms it's probably not as bad
as a desktop operating system, which is laboring under
sisyphean compatibility constraints on top of huge attention
from researchers and a nearly totally intractable threat model.
Relatively speaking, though, those same things must be taken
into account - their attack surfaces are thousands of times
bigger and they attract thousands of times more attention.
Seeing about as many critical vulns in the AMT as in, say, the
entire Linux kernel... yeah, I'd call that "awful code
quality".Plus there's the fact that the original vulnerability
was literally "you can get in by sending an empty password". A
culture that lets a bug like that through cannot be conducive
to good code.
ksk - 3 hours ago
>Seeing about as many critical vulns in the AMT as in, say,
the entire Linux kernel... yeah, I'd call that "awful code
quality".But that is not the case. Linux has had 400+
security bugs this year (as you point out, in part due to its
greater attack surface) versus the 2 from AMT. I'm trying to
reconcile this idea that "ME = BAD" in a practical way by
comparing it to software that's in mass use and already being
exploited. The tech press over time has needlessly over-hyped
such security issues making it harder to put things in
perspective. So far, I'm not seeing anything special about ME
that would also not apply to many many other
products.https://www.cvedetails.com/vulnerability-
list/vendor_id-238/...https://www.cvedetails.com
/vulnerability-list/vendor_id-33/p...>Plus there's the fact
that the original vulnerability was literally "you can get in
by sending an empty password". A culture that lets a bug like
that through cannot be conducive to good code.I don't see the
tech press not recommended OSX anymore !https://www.theregist
er.co.uk/2017/11/28/root_access_bypass_...
saulrh - 2 hours ago
Filter Linux's list to "scores > 8" to take the sampling
bias into account - the only way to observe an AMT
vulnerability in the first place is to gain remote super-
root on a widely-deployed core system that may be a PITA to
patch. That takes linux down to 27 for 2017. Of those, only
about ten are for the kernel itself rather than for binary
drivers for nvidia, broadcom, qualcomm, or htc hardware.
About half of the total are marked "android"; given that my
understanding is that the android kernel has significant
changes I wouldn't be surprised if those are android-only
exploits. The intersection leaves a grand total of 6
vulnerabilities that are in the actual linux kernel and
comparable in severity to the two AMT compromises we've
seen.> I don't see the tech press not recommended OSX
anymore !I certainly don't rec apple. Never have, though
previously for non-security reasons, and unless they do a
lot of changing, never will.
ksk - 26 minutes ago
Sure but as a user of Linux, I don't particularly care
why the bugs are present in Linux. My view is if you ship
it, you should own it. Assigning blame to Nvidia or
whoever can go both ways. They might point the blame back
at the interfaces inside Linux for being unclear or less
than adequately documented, or whatever. Or they might
blame some other aspect. Nobody knows unless you're the
person who actually wrote the code or has intimate
knowledge specific to the bug. In any case, my point
wasn't to compare Linux vs AMT. I'm considering deploying
ME/AMT to manage systems inside our office. After all
this news having come out, I'm waiting till the dust
settles. I have to unfortunately wade through a lot of
hype to get to the meat of the issue. So far I haven't
seen anything that would dissuade me from deploying ME
internally.
thisacctforreal - 46 minutes ago
The problem is the location of the vulnerablities: on the
CPU itself.Get pwned in linux? Nuke and pave can usually
solve it. The exceptions being BIOSes and hdds/usbs with
vulnerable firmwares which can be exploited to restore the
malware. However in that case an actor has to target your
hardware combination specifically, and there are a plethora
of different hdd/usb manufacturers.Get pwned in ME? No
longer your hardware. On top of that it applies to all
Intel CPUs, and potentially remotely to Intel AMT CPUs.
derefr - 4 hours ago
I would presume that in large corporations where AMT isn't
actively used for configuration management, corporate IT will
almost always have disabled AMT in the BIOS. Am I wrong about
this?
gumby - 4 hours ago
I agree, and where AMT is in use the passwords presumably will
be managed. So the attack surface doesn?t seem particularly
large.
stusmall - 3 hours ago
Some IT shops aren't very on top of BIOS configs. They should
be, but just because they should be doesn't mean it matches
reality. It doesn't occur to everyone to go into BIOS for any
reason other than boot problems, let alone to audit for
reducing attack surface area. I can see that falling through
the cracks in policy and practice.
ams6110 - 1 hours ago
My experience backs this up, in fact I've never worked
anywhere that ever updated BIOS from what came with the
machine.
brndnmtthws - 5 hours ago
Intel ME is frequently featured here on HN, but the general
population is completely clueless.This is quite possibly the worst
and most widespread computing vulnerability that has ever existed,
and it's likely that Intel will just maintain the status quo until
there's some sort of black swan event.
benevol - 4 hours ago
> Intel will just maintain the status quo until there's some sort
of black swan event.I absolutely hate Intel and AMD for
sabotaging their customers like that. Please people, get to that
black swan event ASAP.
Filligree - 4 hours ago
If we're unlucky, the 'black swan event' will be something
along the likes of Pluto's Kiss. Imagine a Morris worm
equivalent, but which bricks the computers it infects after
destroying the filesystem.Even if everyone has backups of
everything, offline, it'll be years before all the destroyed
computers can actually be replaced. This isn't a scenario I
want to happen for real.
abecedarius - 2 hours ago
You could do some much more interesting things with a hack
than wiping and bricking a bunch of computers, even if the
bricking part is doable.
LeoPanthera - 3 hours ago
On the plus side, you can probably guarantee it would only
ever happen once.
Zopieux - 2 hours ago
Haha, no, you can't. Since when do humans learn from their
mistakes?
eightysixfour - 3 hours ago
As a note, the latest AGESA for Ryzen seems to have the ability
to turn off the PSP, it is showing up in some of the latest
beta bios releases.No official statement yet, but some info can
be had here:
https://www.phoronix.com/scan.php?page=news_item&px=AMD-PSP-...
madez - 3 hours ago
I also hate Intel and AMD for that, but I think they'd prefer
we didn't hate them. I conclude that there are big reasons to
still do what we hate them for. I'm afraid even a black swan
event wouldn't make those reasons go away.What I think needs to
happen is for other countries to realize this issue is a matter
of national security, and to fund development of alternatives.
na85 - 3 hours ago
They don't care at all if we hate them, because we're still
buying their chips en masse.
madez - 3 hours ago
Well, I will not buy an Intel CPU anymore. I also try to
avoid Intel in all other chip classes like networking chips
where Intel is suspiciously active. Sometimes I wonder if
their name is giveaway that people just don't realize. Soon
I intend to move to an Intel-free single board computer for
my day-to-day computer usage. Now, for other people I can't
speak.
[deleted]
joe_the_user - 4 hours ago
"This is quite possibly the worst and most widespread computing
vulnerability that has ever existed."The problem is to make that
true, you have to carefully phrase the situation as "this has the
potential to give rise to the worst, bad .... etc".And that's the
thing. Ignoring this ranks along attitudes like "that cement pool
of mining tails right above town is quite sturdy", "we just need
a little time to reduce our carbon emissions..." and "we
shouldn't kill the IoT with too much regulation..." etcIf X isn't
a problem right now!, then it seems like X is going to get about
zero attention from a world swimming in things that are a problem
right now.And that too is going to give rise to further problems
down the road, to say the least.
eggoa - 4 hours ago
Yes, but I don't think it's a black swan if you're waiting for
it.
brndnmtthws - 4 hours ago
True, but I meant for all of those who aren't prepared for or
aware of this issue.
Crontab - 1 hours ago
> Intel ME is frequently featured here on HN, but the general
population is completely clueless.That's what they want: a
backdoor advertised as a feature.
yread - 4 hours ago
Worst vulnerability ever? AMT has to be enabled, attacker has to
know AMT password, BIOS password and BIOS has to be
misconfigured. I understand clickbait hyperbole and appeal to
emotions are good for getting eyeballs but lets keep some
perspective. Remember heartbleed, conflicker or blaster?
jstanley - 4 hours ago
ME is running regardless of those things.
ajross - 4 hours ago
But not vulnerable. This is like saying a local root exploit
is the Worst Vulnerability Ever in a system that was
correctly firewalled from its earliest
implementations."Worst" implies harm, not just potential. It
doesn't get to be The Worst until something happens, no
matter how much it offends your personal design sensibilities
or confirms your conspiracy priors.
ptero - 4 hours ago
Sorry, but "running but not vulnerable" is not nearly good
enough nowadays. This means that a real exploit (e.g., via
yet another insert-your-favorite-spooky-agency tool leak)
can be quickly scaled to a large fraction of computers
worldwide.If you are saying that when assessing the
vulnerabilities, potential harm is not important, only
actual is, would you feel that putting remotely activated
bombs on all planes is not a major vulnerability as long as
no one has a password?
ksk - 4 hours ago
>Sorry, but "running but not vulnerable" is not nearly
good enough nowadays.What does that mean practically?
What you said applies to every networked device and tech.
All routers, all computers, all OSs, all voip phones,
etc, etc are 'one vulnerability away'. from total
compromise.
jstanley - 3 hours ago
Normally you only run things if you think they are
useful, and you are cognizant of the risk.It's very hard
to avoid running ME even if you believe it's actively
harmful.
ksk - 3 hours ago
That is a good point. I suppose you could mitigate that
if you were building new systems and used AMD products.
brndnmtthws - 3 hours ago
AMD has its own equivalent of ME also.
xkarga00 - 3 hours ago
How do you know that AMD does not run its own version of
ME?The only viable solution I see is open hardware.
kbenson - 2 hours ago
Mitigation does not necessarily mean to entirely protect.
Having less of a homogeneous ecosystem mitigates the risk
of any one vulnerability, as it's unlikely to affect as
many systems. It's not a solution, but it may help.
ksk - 3 hours ago
What does viable mean? Where can I go out and purchase
it? Yes, hypothetically, anything is possible.
ajross - 4 hours ago
You're talking past me. It's an important flaw. It
should be fixed where possible. It should be mitigated
where not possible.It's not remotely The Worst
Vulnerability Ever and any attempt to hyperbolize in that
direction is hurting the efforts of the people actually
trying to protect you.
kbenson - 2 hours ago
I think you're right it's not remotely The Worst
Vulnerability Ever. Personally I'm a bit worried that
we're just one exploit away from it being that in the
future though. :/I usually like to include a metaphor to
explain the equivalence as I see it, but I'm struggling
to come up with any other thing where we've built in a
problem like this that's waiting for a single event that
could effect nearly everyone. The closest I can come up
with is Snow Crash, and having to reach that far into
science fiction leads me to think we likely have a poor
grasp on how to assess this risk (since we as a species
are fairly bad at assessing and mitigating risk for
events we haven't encountered before). Hopefully it's
just an extreme failure of imagination on my part.
bo1024 - 1 hours ago
1. You have no idea if it's vulnerable or not. For
starters, you don't have the source code and nobody you
trust has seen it. You would have to take Intel's word that
"disabling" it actually works, and hope that there is no
other vulnerability Intel doesn't know about.2. It doesn't
have to be "vulnerable" to be used in an attack; it's
essentially designed to be an attack. So any government
agency or leaked Intel info may be sufficient to abuse.3.
You can't reliably check/audit if it is being exploited or
not since it runs at a higher privilege than any
diagnostics you might try to run on your own
computer.Disclaimer: I am not an expert in computer
security.
jjawssd - 5 hours ago
What is harmed most directly by publicizing Intel ME
vulnerabilities?Is it in the interest of this entity to restrict
the publication of Intel ME vulnerabilities to the general
public?How does the general public obtain information on a day to
day basis?Who runs the mass media?Is the mass media affected by
this entity?Is the mass media narrative influenced by this
particular entity?
gtcode - 5 hours ago
In the meantime, a high level of technical proficiency is needed to
defend against monolithic personal computing environments that are
hostile by design.* Assume personal computing environment is
hostile* Use an external firewall and have a whitelist-only policy*
Use an external NIDS* Physically disable all hard-connected non-
wired interconnectivityMonitors and keyboards ("I leave message
here on service but you do not call") still leak, of course, but
this is a good start, and most people need to be concerned with
practical attacks that could be carried out over the internet.New
Year's 2018 resolutions: 1) Review backup policy including backup
testing procedures 2) Implement personal digital security
measuresI've often thought that the current mentality of a
"convenient" monolithic personal computing environment (whether an
iPhone, laptop, or PC) doesn't properly assess threats.When
broadband internet first became popular in my area growing up, it
was acceptable practice (and recommended by ISP's) to simply plug
your non-firewall'ed DSL modem ethernet directly into your
computer. It truly was unprotected sex in the worst possible way.
Perhaps the next evolution will fundamentally reconsider personal
computing design from a security-first perspective.
marcosdumay - 4 hours ago
> Use an external firewall and have a whitelist-only policyHow
much do you trust that firewall?> ...it was acceptable practice
(and recommended by ISP's) to simply plug your non-firewall'ed
DSL modem ethernet directly into your computerYou have to plug
that modem into some non-firewalled computer. Honestly I trust a
well kept PC much more than a firewall appliance.
guelo - 4 hours ago
The only firewall I trust is a hardened openbsd running pf.
squarefoot - 3 hours ago
Hopefully on a non ME plagued platform.
mulmen - 1 hours ago
You can just disable ME in the BIOS to mitigate this right?
Houshalter - 1 hours ago
How?
mulmen - 47 minutes ago
Hmm, looks like I conflated the AMT and ME. This does
make it significantly worse.
gtcode - 4 hours ago
Your reasoning has merit, of course. And, that's a sad
commentary on the current state of affairs, in which one cannot
trust a firewall appliance to do its job.Perhaps the movement
for open source hardware should focus on minimal security
appliances.
1001101 - 4 hours ago
> How much do you trust that firewall?Not very much after
seeing some of the Shadow Brokers revelations.
based2 - 4 hours ago
https://www.reddit.com/r/IntelME/
JoshMnem - 2 hours ago
Why aren't companies pressuring Intel to remove or disable the ME?
It seems like a huge security risk for entire organizations. It's
especially difficult to fix when running Linux, and many
organizations/servers use Linux.
trendia - 1 hours ago
IIRC, Google has been flashing the code portion of the ME
(rendering it useless)
krylon - 1 hours ago
I ask myself that question every time I read something about
ME.Possible answers, in ascending order of paranoia, are: * A
lot of people just don't care. "It's not gonna happen to me"
* Some customers like the remote management capabilities without
having to spend money on licenses for vendor-specific remote
management systems such as HP iLO. If you have to manage hundreds
or thousands of machines, it can make your life a lot easier.
* The NSA tells Intel (and AMD) to put it in there or else. I
assume some customers talk to Intel about this. I vaguely recall
reading that the NSA gets servers with ME disabled. So "They" are
most certainly aware of the risks.FWIW, a while ago someone
posted a video of a talk on HN given by a Google employee who
talked about replacing stuff like UEFI firmware in their servers
with their own code. If that person keeps going down that road,
it's just a matter of time before he runs into the Management
Engine.I really hope that this issue generates enough pressure on
Intel/AMD to provide a way to disable or replace their
proprietary ultra-privileged code. But it is not easy to explain
this to people without sounding like a paranoiac.
snowpanda - 37 minutes ago
>The NSA tells Intel (and AMD) to put it in there or
else.Exactly. And this is where mass surveillance comes in to
play: having dirt on anyone and being able to use it as
leverage.ie. Intel is forced to put it in there or the NSA will
'leak' how they
in that will put them out of business if published.>
niceperson - 6 hours ago
The talk was kind of disappointing honestlySORRY
MichailP - 5 hours ago
What can an ordinary person do? Plugging out the network cable?
What about laptops? Can this vulnerability hack into Wi-Fi and
allow itself to the internet? But then again the moment you plug
internet back in you're done.
jacek - 5 hours ago
I removed Intel ME from my Thinkpad x230 last weekend. I highly
recommend this machine. Still quite powerful, very serviceable,
upgradeable, Linux friendly and cheap (you can get one in good
condition for ~$150 USD in USA).I used the following guide (very
easy to follow): https://steemit.com/tutorial/@joeyd/run-don-t
-walk-from-the-...EDIT: You can also get a laptop with Intel ME
disabled. As far as I know you can get a modern laptop without ME
from System76, Purism. For a while Dell offered such machines,
but that might no longer be the case.
zanny - 5 hours ago
The me-cleaner is getting more and more bugfixes over time. For
the average person simply sanitizing a firmware image to disable
the ME will be enough. The question is more at what point are you
confident you won't brick the system doing it.I have not done any
research recently in the success rate of ME cleaner, but it isn't
that low, it usually works to the best of my knowledge, and once
we have good documented statistics saying "this works most of the
time" it becomes more feasible for those not directly involved in
its development to start using it more proactively to get rid of
this vulnerability.
userbinator - 5 hours ago
The irony is that AFAIK the ME cleaner itself depends on
exploiting some vulnerability in ME in order to disable it...
so it may get more difficult in the long term.
CapacitorSet - 1 hours ago
As far as I know it's not exploiting vulnerabilities, just
the fact that it won't mind if most modules are not present.
kogepathic - 5 hours ago
> What can an ordinary person do?Use non-x86 platforms such as an
ARM based Chromebook, or potentially an x86 with the ME partially
disabled (coreboot or similar, but it's not a 100% guarantee).>
Plugging out the network cable?It depends on the vulnerability
scope. If it's over HECI (virtual PCI device between host OS and
ME) then removing the network cable won't save you from local
malware owning the ME via HECI.> But then again the moment you
plug internet back in you're done.Well considering how few people
ever update the firmware of their devices, it's unlikely a
majority of computers would ever be patched against an ME
vulnerability anyway.Starting with ME12 Intel is going to start
checking the ME firmware version number in the ME's silicon
(read-only) boot ROM to prevent firmware downgrade attacks. [1]
This version number is stored in single use eFuses which can only
be incremented, and are during an ME update.But it depends on
your threat model. As stated in the PDF, there are only 3 known
exploits against the ME, and only one results in unsigned code
execution. Until someone weaponizes such an exploit, which at the
moment it seems physical access is needed, then Intel x86 owners
are safe.If your adversary is a three letter agency or nation
state attacker, then you've got bigger concerns than someone
hacking your ME (starting with, say, your OS).[1]
https://github.com/corna/me_cleaner/issues/111#issuecomment-...
userbinator - 5 hours ago
an x86 with the ME partially disabled (coreboot or similar, but
it's not a 100% guarantee)Or even x86 before it had ME at all,
which means anything before ~Core 2 or so. AFAIK the Thinkpad
x60 is one of those.
MisterTea - 4 hours ago
> Use non-x86 platforms such as an ARM based ChromebookCareful
there. Microsoft has been slipping PC bits into their Windows
Arm systems because Windows is so hopelessly tied to the PC
platform that they had to PCify their Arm with EFI, ACPI and
other PC legacy junk. Just be sure your Arm does not have any
of this anti-consumer crap and you should be good to go.
criddell - 5 hours ago
An ordinary person can buy a PC with it disabled. Dell has
started offering to disable the management engine for $30. Choose
"Intel vPro - ME Inoperable, Custom Order" when ordering.
ploggingdev - 5 hours ago
It's not possible to disable ME completely. See :
https://twitter.com/rootkovska/status/939058475933544448
criddell - 5 hours ago
I think people are mostly worried about the persistent,
highly privileged processes that it starts (especially the
remote-access features when they don't need them).The
initialization stuff (in the BUP module) are necessary and
AFAIK, nobody is suggesting that be removed.
userbinator - 5 hours ago
Note that this document is dated 2017-12-05, so it's not anything
new to those who have seen the previous items about ME on
HN.According to page 12, one of the conditions for remotely
exploiting this is that AMT has to be activated, something which
probably isn't going to be true for PCs used at home and not part
of a corporate network.Such a vulnerability has the potential to
jeopardize a number of technologies, including Intel Protected
Audio Video Path (PAVP),Good. Fuck DRM.
anonymousDan - 4 hours ago
How does this affect SGX?