Can Intel's 'Management Engine' Be Repurposed? 139
Long-time Slashdot reader iamacat writes:
Not a day goes by without a story about another Intel Management Engine vulnerability. What I get is that a lot of consumer PCs can access network and run x86 code on top of UNIX-like OS such as Minix even when powered off.
This sounds pretty useful for tasks such as running an occasional use Plex server. Like I can have a box that draws very little power when idle. But when an incoming connection is detected, it can power itself and the media drive on and serve the requested content.
The original submission ends with an interesting question. "if Intel ME is so insecure, how do I exploit it for practically useful purposes?"
This sounds pretty useful for tasks such as running an occasional use Plex server. Like I can have a box that draws very little power when idle. But when an incoming connection is detected, it can power itself and the media drive on and serve the requested content.
The original submission ends with an interesting question. "if Intel ME is so insecure, how do I exploit it for practically useful purposes?"
Repurposed... (Score:4, Interesting)
Re: (Score:2)
Re: (Score:3)
Quite right, however if it's not your own machine you're using to mine BTC, then you have neither the cost of hardware nor power to contend with.
And since we're talking about a separate computing system on the mainboard, 99.9% of the users probably wouldn't notice anything strange.
Imagine a botnet of a few dozen thousands of these mining for you.
Re: (Score:2)
Exactly. Mining by web browser hidden javascript is about the worst way to mine ths side of an old Basic interpreter. But if it isn't your electricicity and you have millions of people inadvertently doing it for you, it's very doable.
Re: (Score:2)
It'd still suck balls, just an FYI.
It's lower spec than the lowest end Atom, and I *think* lower spec than the Edison module.
You'd think I'd actually know the specs for the damn thing with how much code I wrote for it... but I don't. I only remember it never felt like it had enough always live RAM and it was just fast enough to get done what needed to be done.
No, if you want to make money off a compromised ME mining BTC or any other crypto currency is *not* it. Vastly more valuable in a botnet as a distri
I have a repurpose for ME. (Score:1)
Since it renders ANY computer vulnerable to being hijacked, even if shut off, the ME can now be used as a shield against any claims of copyright infringement.
Re: (Score:2)
Re: (Score:2)
Re:Repurposed... (Score:5, Funny)
Better yet, repurposed to send the following email to Intel's CEO every 10 minutes.
"Hi, this is an automated message sent from a hijacked Intel Management Engine to remind you of what you enabled by adding me to the design of your chips. The owner of the computer is unable to stop this, and in fact is completely unaware that it's happening! Currently the computer is turned [on/off]. I strongly recommend you rethink adding this to the next line of cpu chips as a botnet is currently being formed to send these reminders to you!"
I think I'm mostly joking.
Re: (Score:2)
Stop tempting me!
Re: (Score:2)
I like it!
Can you also add something about treating people like humans and not making your dev team feel like a bunch of chumps by ignoring them then shipping all the dev out of country because you didn't like what your devs were saying? (Hint, there were a lot of us against parts of this).
Also, as long as you're in the ME you can tell him it's:
* on
* in suspend
* in hibernate
* off
and
* connected via wired LAN
* connected via WiFi
Re: (Score:2)
Better yet, repurposed to send the following email to Intel's CEO every 10 minutes.
"Hi, this is an automated message sent from a hijacked Intel Management Engine to remind you of what you enabled by adding me to the design of your chips. The owner of the computer is unable to stop this, and in fact is completely unaware that it's happening! Currently the computer is turned [on/off]. I strongly recommend you rethink adding this to the next line of cpu chips as a botnet is currently being formed to send these reminders to you!"
I think I'm mostly joking.
I'd help Kickstart that project.
Linux won (Score:1)
It seems that Linux is better designed than Minix after all.
Re: (Score:1)
Slackware was far from the first linux distro, if that was what you were (trying to) get at. Slackware was based on SLS.
Re: (Score:2)
Re: (Score:2)
With no added systemd
Re: (Score:1)
Yggdrasil tried to call their first release 'LGX' which I assume is something they had copyrighted. The release with the manual on white paper with just green and white printing on the cover.
Re: (Score:1)
'green and black', obviously.
Re: Linux IS MINIX! (Score:2)
Repurposed? That's exactly what it is intended for (Score:5, Interesting)
The submission is confusing because the author proposes "repurposing" the ME, but the example is something that it what it is intended for in the first place. Back when it was first introduced, I worked for a company that created a program that would wake a remote computer on demand and run a few sundry tasks: a defrag and a backup. Intel partnered with various software vendors to create demos of what ME could do. And heck, even without ME, most network cards have a wake-on-LAN feature anyway.
Intel clearly didn't do a good job marketing the feature if nobody thought of how to use it until a vulnerability was found in it.
Unless someone discloses the signing key... (Score:1)
Much like Xbox mods and others, it is of limited to no use, since it loses code on poweroff and due to signing, any attempt at exploits which carry over across power cycles will either cause the system to crash or simply not work.
What is needed is some corporate espionage to find/leak these signing keys, or documentation explaining what key update/replacemet mechanism was build into the southbridges in case the key DID leak, then either assigning a new key there, or fusing it open so the signing check is al
Re:Unless someone discloses the signing key... (Score:4, Interesting)
since it loses code on poweroff
Yeah, but then when power is restored, the OS boots, and the application just re-registers itself with AMT again. There's a public API to do it. It doesn't have to be burned into the firmware to work. It just needs to wake the OS when a request is made.
Re: (Score:2)
You can bet every intelligence organization on the planet is after Intel's ME keys. Sooner or later someone will get them.
You're making the assumption that they don't already have them.
Re: (Score:2)
Yeah, in the US the NSA would just send a National Security Letter to Intel
https://www.newyorker.com/tech/elements/what-its-like-to-get-a-national-security-letter [newyorker.com]
Actually I bet the NSA has people working at companies like Intel and Microsoft who get briefed on things like the ME and have some input into how they work.
Re: (Score:3)
documentation explaining what key update/replacemet mechanism was build into the southbridges in case the key DID leak
There is no documentation on update/replacemet because it's not possible. If they leaked, chips using those keys would be compromised.
From the only authoritative book on the subject; 'Platform Embedded Security Technology Revealed' by Xiaoyu Ruan:
The Boot Guard configurations set by the OEM slightly vary among different products. In general and at a minimum, the OEM is responsible for configuring its public key hash for a verified boot, and the boot policies via the security and management engine.
The security of a verified boot is rooted to the OEM's asymmetric keypair. The OEM generates a 2048-bit RSA keypair as its root key for signing manifests for the initial boot blocks. The private portion of the root keypair must be kept securely, and signing manifests for initial boot blocks shall be its sole usage. On the other hand, the SHA-256 hash of the public key is programmed to the field programmable fuses during the manufacturing process. The public key hash consumes 256 fuses that belong to the multiple-bit one-time programming category, which cannot be updated once written. Because of the one-time programming limitation, the OEM will not be able to renew the root key or update the hash, even if the private key is compromised. Therefore, the OEM must protect its root private key in a signing server with strong protection from attacks or leakage.
Xiaoyu Ruan is responsible for designing cryptography infrastructure and security applications for Intel's security and management engine.
FREE BOOK about the Intel Management Engine (Score:3)
Chapters:
Front Matter
Cyber Security in the Mobile Age
Intel's Embedded Solutions: from Management to Security
Building Blocks of the Security and Management Engine
The Engine: Safeguarding Itself before Safeguarding Others
Privacy at the Next Level: Intel's Enhanced Privacy Identification (EPID) Technology
Boot wit
Articles (Score:2)
I agree. It seems to me that Intel ME could be a good idea. What is extremely self-destructive to Intel is that customers have insufficient understanding and insufficient control.
Intel news stories [slashdot.org] (April 17, 2017 )
Articles about spyware in CPUs [slashdot.org] (June 18, 2017)
"ME is turning into a colossal dumpster fire." [slashdot.org] (December 10, 2017 )
Re: (Score:3)
NO, it can never be a good idea. It can only go from a terrible idea to a terrible idea with some upside. Having a BMC with limited access to the main system was a good idea, but we've had those for over a decade now.
Why "can never be a good idea"? (Score:2)
Suppose the same functions were implemented in a separate chip?
Could you explain why "... it can never be a good idea." I'm guessing I know less than you about the situation. Also, I don't know the meaning of "BMC".
The main question is, it seems to me: How can Intel arrange its hardware in a way that assures customers that there are no back doors? At present that seems FAR from an easy goal.
Re: (Score:3)
BMC = baseboard management computer. A small embedded system built in to the main system. The difference is that it does not share memory access or the PCI bus. Instead, it is connected to one of the serial ports, the power and reset lines, and often the USB controller. The latter allows it to emulate a DVD drive to support virtual boot media. The serial connection allows for console over LAN (if the OS has a serial console configured). Newer ones also can snoop the video chip to support a built in KVM (for
Re: (Score:3)
And this is what a lot of us wanted when working on the ME, but there were other forces at play.
Part is that there is/was a grand plan that streaming services could use the ME to lock content to a given machine, allowing download and play offline capability, but IDK if that ever came to fruition, I think Netflix went another way with that.
Re: (Score:2)
And of course, now that ME is cracked, no media company will trust it, no user ever had reason to trust it, and the gigantic security holes are baked in. The question now is will Intel admit they screwed up or will they double down.
Re: (Score:2)
your guess is as good as mine, I haven't been there for well over a year, and not on the ME team for over 2.
Thanks! Bad management at Intel is a tragedy. (Score:2)
BMC sounds excellent. I like this: "The BMC often has it's own private LAN connection so management can be over a physically separate network."
In more than 11 years, I haven't seen anything like full awareness by other people of the fact that Intel is badly managed. To me, the fact that Intel has provided forced secret access to its hardware, later found to have vulnerabilities, is a tragedy for Intel, the United States, and the world.
I mentioned that in another comm
Re: Idiots (Score:2)
iamacat writes:
Not a day goes by without a story about another Intel Management Engine vulnerability.
I've missed at least the last 60 of these. Being generous.
Submission is real confused.
Re: (Score:1)
Re: (Score:2)
If there is off the shelf software that does what I want (on demand services on a box that uses very little power when not in use), I would be happy to purchase it for reasonable price. If not, I can only gain the functionality by hacking and repurposing it.
Re: (Score:1)
The problem is ME is like a colander designed to be a boat for large companies. In the end, large companies were already planning to line the bottom of their boat with a hard seal, so no real problem for them. The rest of us, though, aren't willing to seal off the boat because that fundamentally defeats the purpose. So, I'd argue that in effect Inte
Re: (Score:2)
Re: (Score:2)
Rather, the ME has been *purposefully* kept secret, which forces one to ask why? The obviousness is that
Re: (Score:2)
lulz, no.
It's been publicized and pushed in every 'Q' sku chipset.
It is effectively a RILO card embedded into every workstation, on steroids.
The sales pitch to enterprise was:
Your IT dept can remote wake, apply patch, and shut back down overnight, thus not bothering your staff, or consuming work hours to accomplish patching network wide.
Re: (Score:2)
the capabilities, even the existence, of the ME has just come out recently... why has it gone undocumented and unrealized for so long?
No, they released an SDK for it in 2008. Companies like Lenovo and Dell use it for anti-theft software. Corporate IT departments use it to deploy scripts to monitor antivirus and firewall settings. I wrote code for it in 2008 for a product called "Spare Backup." It used AMT to wake at either a specific time, or in response to a specific packet, to initiate a backup.
It depends on your risk-management philosphy (Score:3, Informative)
Many many years ago there was an exploit called "Back Orifice" which was more properly named "Cult of the Dead Cow". It was quite ingenious and had a very small surface area. I knew a few fellow admins that blocked the exploit at their firewall but then used it for remote management because it was memory/network efficient and supported all of their needs better than any third-party company could.
Risk v.s. Reward is always prevalent. Good luck on your efforts.
Re: It depends on your risk-management philosphy (Score:5, Informative)
Many many years ago there was an exploit called "Back Orifice" which was more properly named "Cult of the Dead Cow".
Just for the record, Cult of the Dead Cow was the name of the group which created it; Back Orifice was the name of a program which they released.
And yes, it was tiny enough to be easily attached to even something as small as a keygen, turning it into an easy trojan, while also being a great remote administration tool for more legitimate use.
Re: (Score:2)
And then BO2K was horribly bloated with all the plugins that seldom played nice with one another and, at least according to this humble scribe, failed to deliver on most of its promises because it was overly ambitious and took too many steps forward all at once.
But the release party for it was quite an affair..
Re: (Score:2)
Wait....uh, different suite?
Re: (Score:2)
This is what happens when people use joke names for things/companies all day. The exploit was assumed to be the real software [wikipedia.org].
Re: (Score:2)
Good times at school with that and netbus.
Ask the NSA (Score:2)
..
What's what WOL is for (Score:1)
That's exactly what WOL is for, as I run mine on a pre-IME processor...as my Plex box doesn't require that much horsepower to do what it does.
Re:What's what WOL is for (Score:5, Insightful)
Yes and no. WOL can wake a sleeping computer, but not reboot it if it hangs, nor provide any other sort of remote administration beyond what the OS gives you once it comes up. And if it doesn't come up, WOL just left you in the lurch. You need remote-hands to recover.
I've gone so far as to repurpose a WOL-capable network card as a reset-on-lan device, because my always-on machine doesn't need waking, but inevitably if I'm on the other side of the country, it somehow manages to need rebooting.
IME sounds like it could serve this purpose and more, perhaps providing a useful subset of iLO/DRAC functionality, but not just for server boards.
Re: (Score:2)
I've gone so far as to repurpose a WOL-capable network card as a reset-on-lan device, because my always-on machine doesn't need waking, but inevitably if I'm on the other side of the country, it somehow manages to need rebooting.
How? That would be a god-send for cheap servers!
Re: (Score:2)
I mean, you could probably rig up something with a raspberry pi to short the actual reset jumper on the motherboard. I all you need to do is reset the power then you could rig something up for a pretty low price.
Re: (Score:2)
Here's my implementation [i3detroit.org], which uses a bit of circuitry to work around the NIC's behavior.
Here's some prior work that I found out about after I'd made mine [utah.edu], which is much simpler because their NIC apparently deasserts the wake output after some time.
Admin network (Score:2)
If someone knew about this setup and was on your LAN they could wreak havoc with your server.
A well designed server farm would use a separate, segregated network for administration.
(That's actually part of the criticism against Intel ME/AMT : it listens on the same physical network connection, meaning potential exploits from an internet facing port)
Nope (Score:3)
Nope, the NSA have it completely secured to prevent anyone from stopping it mining Bitcoins.
Re: (Score:2)
Indeed, it only likes to run signed code.
For any kind of low power application there are better options. Like a Raspberry Pi.
Re: (Score:1)
This week it's the Latvians.
The baddies rotate in and out and take turns being the baddies.
Next week is Singapore's turn, I heard.
Re: (Score:1)
Dilutes the spam and crapflooding, I think you meant to type.
Watch for the security services? (Score:2)
Unexpected gov/law enforcement/mil staging servers reaching around for the port?
If only a big pool of users globally had some software installed that could be updated to keep watch for strange port and hardware request activity?
Re: (Score:2)
IF the NSA is behind this you can bet they have a rootkit and backdoor in all the routers and switches too which will prevent you from blocking the port even if Cisco IOS says it's blocked. There is no way to know
Re: (Score:2)
Lights Out Management Engine (Score:5, Interesting)
The Intel ME (I think) was a combination Light Out mangement management engine and a VNC server, basically IPMI over IP with a remote console.
It wasn't that secret as I recall it started with something like the P68 chipset on Intel motherboards and was ubiquitous, the weird path to obscurity was when they tried to monetize and license it..
The best thing Intel could do today would be to fully document and open it up. People would probably choose to either disable it, or more probably add-on a seperate ethernet card for secure traffic, and reserve the built-in NIC for management activities like on HP servers with its iLO interface.. they also had a "shared" mode stealing interstitial ethernet CDMA intervals to virtualize two seperate Ethernet MAC addresses on the same physical hardware.. duty cycle something like 80/20 but they had the lesson learned to also make it disabled and use (only) a seperate add-on interface connected to different pins on the motherboard, for 100/100 across two different NIC interfaces for practical reasons. Ironically it all started with the Gas and Oil industry, Exxon back in the days when they wanted remote mangement on their servers.. in pre-HP Compaq days.. Intel saw that and wanted some of that business.. so it crept into the base designs later.. without a lot of thought.. which has come home to roost
Q35 (Score:1)
The Q35/Q45 chipsets each had bugs that allowed them to be exploited (Q35) and disabled (Q45).
The X58, I forget if due to bugs or some other needs, didn't have an Intel ME available in it, utilizing a regular southbridge plus a limited chipset hub.
Sandy Bridge was the first to have it, and as a result of buggy XAPIC2 support on the Nehalem/Westmere boards was the first to have reliable IOMMU/VTd support, but also had mandatory intel me firmware (until me_cleaner figured out how it operated and that it could
Re: (Score:1)
Funny. In 2000 I did this with two modems, two computers and two Ethernet cards to guaranty 99.999 up time for data collect at client sites. The Ethernet cards queried each other every half minute and if one was down the other would reboot the downed server and become the primary. It was a fun project.
I used Compaq Alpha computer as they came with a monitor card with a modem; your concept of a ME. The boxes came with two Ethernet cable so it was just the obvious to use a cross over cable to each other and o
Re: (Score:2)
So which LOM on a server does *NOT* use some bastardization of VNC wrapped up in some god dam awful Java plugin, that if you are lucky and the vendor has update will run in a modern web browser with a modern version of Java.
Basically though the easiest way to defeat the Intel ME is stick a PCI/PCIe network card in the machine that it knows nothing about and ignore the onboard ethernet.
It would however be cool to hack the ME with a vanilla Minix :-)
Re: (Score:2)
So which LOM on a server does *NOT* use some bastardization of VNC wrapped up in some god dam awful Java plugin, that if you are lucky and the vendor has update will run in a modern web browser with a modern version of Java.
iDrac in the Rx30 series (idrac 8?) has an HTML5 version in addition to the java applet. IIRC you can get to the vnc protocol with a standard vnc client too.
Not worth it. (Score:2)
While it's possible to bend the IME to your own will, it's far more trouble than it's worth. For one, you can get an entire dedicated NAS [crowdsupply.com] that uses less power and space for less money than any comparable Intel setup. This approach requires magnitudes less time, effort and expertise. The design of the IME is such that it is suited to be an invisible backdoor that cannot be removed. It is for this reason that the most reasonable course of action is to disable and shutdown the IME after it has finished the
Leaked signing key... (Score:1)
Would take care of that. Given your own code in the ME and assurances that no one can remotely unlock/reprogram the SPI flash, the ME would actually make an excellent secondary processor for a number of purposes, including working with an modified keyboard with encryption over the line to decode keystrokes intended to be sent to the OS, while providing local services unavailable to the OS when needed for unlocking/decoding/passing through keys from secure key storage.
The possibilities for a user controlled
Re: (Score:1)
Nobody wants to work that hard to steal your WoW account, so you probably should just settle down and admit nobody cares about what you do on your PC enough that they will break in.
'Real System Integrity' is complicated. Have you audited the firmware on the embedded controller inside your hard drive? How about the embedded controller in your keyboard?
Re: (Score:2)
Embedded NAS boxes don't have much CPU/GPU power though. The way Intel ME is marketed, it sounds like you can have powered off desktop that costs pennies/month in electric use, doesn't make noise, doesn't wear out fans and so on. And then it can wake up and transcode 4K video for Plex or stream Steam games seconds later. It's not that easy to approximate this even using a secondary embedded device that powers the main PC on and off. If same ethernet card is used, one could imagine main CPU cores taking over
Re: (Score:1)
Embedded NAS boxes don't have much CPU/GPU power though.
If that's what you need from a NAS then you are doing it wrong for sure.
Not safely (Score:4, Interesting)
For years now, servers have had a Baseboard Management Computer (BMC) that was always on and could control power, press reset, and provide serial console over LAN. Newer ones provide virtual media and built-in KVM capabilities. At first it was an add-on card that cost an extra $50-$100, then it got so cheap it was simply built in. They spoke IPMI and in some cases also provided http and ssh interfaces. Often they have the option of a physically seperate LAN interface so you can put them on a private LAN. Those are really great for remote management.
Since they had no access to the flash, main memory, or PCI bus, they had little of the nefarious capability of the ME. They couldn't read data off the drive or snoop the keyboard, for example.
The ME, on the other hand, is loaded with nefarious potential, so much so that exploiting the ME means game over for the main computer. It already has all of the capabilities TFA suggests, it's just that the chintzy bastards are holding out for more money to turn it on. You can have all the bad parts for free though.
Re: (Score:2)
For years now, servers have had a Baseboard Management Computer (BMC) that was always on and could control power, press reset, and provide serial console over LAN
It's worth nothing that BMC's are notoriously buggy as well, often requiring unplugging the server in order to get the BMC out of a "stuck" state.
At least with a BMC, however, there wasn't much damage that a hard power cycle wouldn't fix.
Re: (Score:2)
Yeah, some are better than others. No design is so good that a crappy implementation can't mess everything up, but at least the various issues with the BMC didn't create security holes that couldn't be fixed.
Re: (Score:2)
There were a couple of years where the network bridge would lock up and take the main computer off the net unless you used the dedicated management connection. Other than that, around the same era, some BMCs would crash so that no management functions worked, but the main computer would keep going.
What were your experiences?
overkill (Score:1)
How is that "repurposed"? (Score:2)
Replace the OS (Score:2)
Open Source Hypervisor (Score:1)
Re: (Score:1)
Re: (Score:2)
What would a hypervisor running on a really low performance cpu be any good for?
Seems like (Score:2)
The name of the game these days is to dress up a vuln/backdoor to make it appear as, "Oh, but it does xyz useful thing!" IMHO it's kind of dangerous to portray something pretty fucking insecure appear to be useful in any way. ME just needs to go away (or open sourced, which it appears legally it should be [slashdot.org]) so it can be fixed properly.
Re: (Score:2)
IMHO it's kind of dangerous to portray something pretty fucking insecure appear to be useful in any way
Well, that's pretty much what happens for everything that uses "crypto".
Vanishingly few people know how to implement any given crypto algorithm securely, but that doesn't stop companies from handing the spec to an intern and tell them to implement it in hardware.
I quite liked the cryptanalysis of Infineon's TPM's chip being along the lines of "The mistake is too stupid to have been malicious." I wish I could find the link...
Re: (Score:2)
Re: (Score:2)
Ah, but Enterprise IT wants to be certain their more technically-inclined lusers can't disable the enterprise's ability to "manage" and "audit" the systems they manage. It's literally one of the selling points touted by Intel (and AMD for their equivalent of ME) until recently.
It's not like the machines Enterprise IT buys are any different from the ones I can buy as a consumer, and bulk buyers have a hell of a lot more sway than individual consumers.
Honestly, if you want secure, you gotta use ARM these days
Flip the power switch off (Score:2)
Easy Security Fix for ME (Score:1)
Can I mine Bitcoin in ME? (Score:2)
Re: (Score:1)
Re: (Score:1)
Hey, it ain't like you have to tell us to ignore a post signed with APK...
Re: (Score:3)
Re: (Score:2)
It's economics 101 and completely obvious to any 5 year old with a long enough attention span to have learned how to read and type. I really can't believe I had to explain it.