Researchers promise demo of 'God-mode' pwnage of Intel mobos Security researchers say they've found a way to exploit Intel's accident-prone Management Engine, and will reveal the problem at Black Hat Europe in December. Positive Technologies researchers say the exploit “allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard via Skylake …
How is this an x86 problem? Corporate users demand this sort of "lights off" remote management capability, and if they were using ARM PCs that provided the same features there's nothing special about ARM that would prevent the same problems.
It is down to poorly written software, but even well written and highly audited software sometimes has security issues found in it. Programmers only have to screw up once to leave a hole open.
Complain to your vendor if they don't offer a way to disable the functionality in EFI.
It becomes an x86 problem because the two x86 vendors:
* Made its use mandatory (i.e. it can't be completely turned off or even have its firmware replaced outside of an official update from Intel/AMD).
* Gave it the highest possible privilege level in the system.
Furthermore, in a more general sense, both of these vendors misled consumers about "Disable" (hint: it's integral to both the platform and various DRM schemes). "Disabled" in the EFI interface just means "running in the background without advertising itself to the OS". There is no way to disable it on x86 platforms, whereas e.g. ARM allows an individual with proper access to disable / replace the TrustZone firmware and platforms like OpenPOWER keep the BMC as a separate, open-source compatible component without an elevated system privilege level.
Like it or not, this is an x86 specific problem, and it all comes down to both sides of the duopoly deciding that DRM was more important than your security. This probably won't even make a dent in their consumer sales, so from a business POV it's a smart move.
"it all comes down to both sides of the duopoly deciding that DRM was more important than your security. "
Yep. That's what "trusted computing" has meant in recent years. It didn't mean that the apparent 'owners' and 'users' of the system could trust it to not misbehave. It did mean that the DRM-dependent 'high value content rights owners' and their friends/puppets, whose interests are diametrically opposite to those of the the people who *thought* they owned and controlled their own computer systems, thought they could trust that their high value content was safe.
Exactly! What really surprises me though is people that should know better that just keep on going for the most convenient thing, even though it means loss of privacy and more expense later on to buy new "fixed" hardware that'll even then only be reasonably secure for another year or two.
Then again, the number of people that apparently don't care about W10's maximum telemetry setting enough to actually change it is quite unsettling....
For my server board (Asus Z10PA-D8) this note is published on AMT.
They say "ASUS server product is not featured with Intel Active Management Technology(AMT)."
Does this mean that Asus have already disabled/blocked it in Firmware - or is their statement not strictly correct?
Para. 3 rendered thus ...
Intel Management Engine (ME), a microcontroller that handles much of the communication between the processor and external devices, hit the headlines in May 2017 due to a target="_blank" rel="nofollow" href="https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/">security concerns regarding the Active Management Technology (AMT) that runs on top of the engine.
or maybe that's just /my/ internet connection playing down again ...
Independent from the OS and present in different forms for AMD and Intel.
So even the Magic Penguin (other anthropomorphic OS icons are available, just not here) cannot save us!
Hang on, the bad stuff on the bad processor is being run by Penguins (or close relatives). Woes!
Does your firewall have known backdoors (cisco, et al)? Does it, perchance, use an x86 processor with a vulnerable ME (i.e. more firewalls than you might think)? Do you use Windows (especially W10)?
If you can answer no to all of those questions, you might have a chance so long as no other box on the internal network is ever hacked. In all honesty though, if this is as big as it could be, it's time to get new hardware. Think long and hard as to whether you need x86 (or modern x86) when replacing it...
> when Intel switched Management Engine to a modified Minix operating system, it introduced a vulnerability in an unspecified subsystem.
This is where it goes seriously pear-shaped. They are treating the ME like yet another general purpose computer, running a general-purpose OS, with general-purpose bugs... Pretty soon it will have a sub-ME of its own (it's ME's all the the way down).
Whereas it should have had a minimal OS, with minimal applications, reviewed, tested and static-analyzed to hell and back, like some space probe controller software.
"This is where it goes seriously pear-shaped. They are treating the ME like yet another general purpose computer, running a general-purpose OS, with general-purpose bugs..."
The 'console' being a fully fledged machine running it's own OS has been a thing for many decades now (common on big iron), sometimes it was a very handy thing to have. IMO it went pair shaped when that 'console' widget got hooked up to cables carrying random traffic.
It would be nice if Intel had all the bootstrap for that console widget on a physically replaceable flash device - so customers could actually have control over their own machines for a change. :)
Well, technically it is on a replaceable Flash device, the problem is that the CPU / PCH requires the firmware stored on that Flash device to carry a valid Intel cryptographic signature. Furthermore, you can't just delete the firmware since it's integral to system boot (the x86 CPU literally won't come out of reset without it).
If you want this level of control, the new POWER9 systems that are being released this year use essentially the proposed scheme. There might be a couple of ARM systems too, not sure. If you need x86 though, you're kind of stuck just living with the security problems -- rumor has it that even Google couldn't get Intel to provide chips without mandatory signed ME firmware....
"Well, technically it is on a replaceable Flash device, the problem is that the CPU / PCH requires the firmware stored on that Flash device to carry a valid Intel cryptographic signature"
That rather misses the point, the point is to reduce the complexity and return full control of what boots back to the customer. It's about having a choice - and not having to put blind faith in a very complex setup that is known to be vulnerable until the day you decide to re-purpose that box as a boat anchor.
Ideally all the bootstrap would do is load a few bytes off the flash and execute them. The customer, if they chose, could then put some signature verification code in for bootstrapping the main CPU.
There is nothing stopping Intel et al from providing a flash drive with their current crapware installed gratis. That would give the folks who give a toss a chance to fix the hardware - and of course for Intel it gives them an easy out should they ship broken by design bootstraps in the future.
Yeah, I was being pedantic on purpose. Agree pretty much 100% with the rest of this. Intel and AMD will never allow it though since by the design of their systems allowing this level of control would make their DRM basically ineffective.
I assume you've seen Talos II? That machine does all of this but it's not x86...
"I assume you've seen Talos II? That machine does all of this but it's not x86..."
That's news to me, but as fun as POWER boxes are ... I just want vendors to wind back the clock to the 70s and give us machines that don't have a billion lines of crapware baked into the bootstrap. :)
THIS IS WHY my company and ME! runs our custom-designed and burned hardware!
We do ALL the chipbuilding OURSELVES! including custom CPU/GPU/DSP/MCU hardware!
Our own motherboards, our own network chips and IP4/IP6/Ethernet/ATM/SONET stacks,
our own driver controller chips, own drivers, own BIOSes, own comms protocols,
own firewall/gateway/router hardware/software systems and custom built
anti-virus/anti-malware hardware and software own NON-LINUX-based
operating systems and custom file systems that are high-bit-length
Shor's Algorithm resistant encrypted! We even have our own SQL
engines and JAVA/HTML/PYTHON interpreters and Assemblers
and Compilers ! There is NOTHING that is third party! We even
make our OWN power supplies, small and large capacitors and
other micro-circuitry! YES! we are NOT a normal company and
NO ONE ELSE could do what we do because they DO NOT HAVE
our COMPLETE AND ALL IN-HOUSE expertise in LOW-LEVEL
hardware and software design and manufacturing!
...BUT... we aren't normal people to begin with! We are BEYOND paranoid!
Sucks to be You!
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
