Intel Management Engine JTAG flaw proof-of-concept published The security researchers who found a way to compromise Intel's Management Engine last year have just released proof-of-concept exploit code for the now-patched vulnerability. Mark Ermolov and Maxim Goryachy at Positive Technologies have published a detailed walkthrough for accessing an Intel's Management Engine (IME) feature …
USB host-to-host cables can be bought on Amazon for a few quid, or can be made using nothing more technical than two normal USB cables and a pair of scissors.
The software is easily acquired should one desire it.
Yes, you need physical access, but once you have that it's a privilege escalation right up to Ring Minus One - permanent, ongoing and irrevocable access to everything in the machine - simply by plugging your Raspberry Pi into an open USB port.
That's why it matters.
The reason it's no longer very serious is that a patch is available.
No, it isn't. All the motherboards I've seen with USB debugging support have a USB port soldered vertically to the motherboard (it's a port, not a header). If you want to do USB debugging you need to open up the case.
I have in the past exposed a USB debug port to the case USB ports, as I was short of USB ports from the motherboard headers, but I needed to solder it myself as it didn't seem like the cables were otherwise available.
This post has been deleted by its author
The issue here is it's supposed to be a USB port, not a debug port. The software has the *option* of doing debugging-over-USB-port, which - when enabled - would make it a debug port. But that shouldn't be enabled in production! And if it's turned off, it shouldn't be possible for an attacker to turn it back on.
There are plenty of systems shipped with a fully functional JTAG port, since its an integral part of the chip
Often the drive to reduce cost is the thing that removes the components on the PCB for it. Security doesn't factor into the discussion, since someone who wants an active JTAG will just solder in the missing components and make up the required cable - as can be seen by the variety of recovery or modification procedures for many of the home grade devices - routers, PC's, consoles, etc.
In many way, providing a hidden interface is a combination of security by obscurity; providing a support method to perform initial programming; a method to recover corrupted kit and to provide in the field upgrades.
This is no different to the routers that hide their serial console in one of the RJ45 connectors by placing extra traces on the PCB under the connector, so a suitably modified RJ45 gives both Ethernet and console access - ideal for manufacturing simplicity
The only way they would have found this is by examination of the PCB, so its the same old "with physical access, security is lost" mantra.
The very same.
The PoC code doesn't represent a significant security threat to Intel systems, given that there's a patch and the requirements for exploitation include physical access via USB
If the JTAG lines are present in the standard externally accessible ports, it's a problem. Plenty of smartarse dweebs out there in corporateland with user level accounts would love to get local admin on their desktops, especially if someone started sellling boxes to do it for 20 quid.
And then there are evil cleaner attacks...
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
