Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Intel Linux Build

Can Intel's 'Management Engine' Be Repurposed? 139

Long-time Slashdot reader iamacat writes: Not a day goes by without a story about another Intel Management Engine vulnerability. What I get is that a lot of consumer PCs can access network and run x86 code on top of UNIX-like OS such as Minix even when powered off.

This sounds pretty useful for tasks such as running an occasional use Plex server. Like I can have a box that draws very little power when idle. But when an incoming connection is detected, it can power itself and the media drive on and serve the requested content.

The original submission ends with an interesting question. "if Intel ME is so insecure, how do I exploit it for practically useful purposes?"
This discussion has been archived. No new comments can be posted.

Can Intel's 'Management Engine' Be Repurposed?

Comments Filter:
  • Repurposed... (Score:4, Interesting)

    by Type44Q ( 1233630 ) on Sunday December 17, 2017 @09:42PM (#55758555)
    Repurposed... to mine bitcoins!
    • Comment removed based on user account deletion
      • by Kokuyo ( 549451 )

        Quite right, however if it's not your own machine you're using to mine BTC, then you have neither the cost of hardware nor power to contend with.

        And since we're talking about a separate computing system on the mainboard, 99.9% of the users probably wouldn't notice anything strange.

        Imagine a botnet of a few dozen thousands of these mining for you.

        • Exactly. Mining by web browser hidden javascript is about the worst way to mine ths side of an old Basic interpreter. But if it isn't your electricicity and you have millions of people inadvertently doing it for you, it's very doable.

        • It'd still suck balls, just an FYI.
          It's lower spec than the lowest end Atom, and I *think* lower spec than the Edison module.

          You'd think I'd actually know the specs for the damn thing with how much code I wrote for it... but I don't. I only remember it never felt like it had enough always live RAM and it was just fast enough to get done what needed to be done.

          No, if you want to make money off a compromised ME mining BTC or any other crypto currency is *not* it. Vastly more valuable in a botnet as a distri

      • by Anonymous Coward

        Since it renders ANY computer vulnerable to being hijacked, even if shut off, the ME can now be used as a shield against any claims of copyright infringement.

      • by Plugh ( 27537 )
        No sense mining BTC with them; ASIC farms have pretty much made it impossible to find blocks with anything but specialized hardware. There are cryptocurrencies whose mining function is specifically designed to be ASIC-resistant and therefore which are still profitable to CPU mine. Monero [getmonero.org] is probably the most popular of them (and has the benefit of an encrypted blockchain, so others can't see the wallet to which your botnet is sending its ill-mined coins)
    • It's a shitty bitcoin miner, even with several hundred thousand in the botnet. I'm making more money selling the ones located on .gov addresses to the FSB.
    • by Anonymous Coward on Monday December 18, 2017 @07:16AM (#55760037)

      Better yet, repurposed to send the following email to Intel's CEO every 10 minutes.

      "Hi, this is an automated message sent from a hijacked Intel Management Engine to remind you of what you enabled by adding me to the design of your chips. The owner of the computer is unable to stop this, and in fact is completely unaware that it's happening! Currently the computer is turned [on/off]. I strongly recommend you rethink adding this to the next line of cpu chips as a botnet is currently being formed to send these reminders to you!"

      I think I'm mostly joking.

      • Stop tempting me!

      • I like it!

        Can you also add something about treating people like humans and not making your dev team feel like a bunch of chumps by ignoring them then shipping all the dev out of country because you didn't like what your devs were saying? (Hint, there were a lot of us against parts of this).

        Also, as long as you're in the ME you can tell him it's:
        * on
        * in suspend
        * in hibernate
        * off
        and
        * connected via wired LAN
        * connected via WiFi

      • Better yet, repurposed to send the following email to Intel's CEO every 10 minutes.

        "Hi, this is an automated message sent from a hijacked Intel Management Engine to remind you of what you enabled by adding me to the design of your chips. The owner of the computer is unable to stop this, and in fact is completely unaware that it's happening! Currently the computer is turned [on/off]. I strongly recommend you rethink adding this to the next line of cpu chips as a botnet is currently being formed to send these reminders to you!"

        I think I'm mostly joking.

        I'd help Kickstart that project.

  • by Anonymous Coward

    It seems that Linux is better designed than Minix after all.

  • by MobyDisk ( 75490 ) on Sunday December 17, 2017 @09:47PM (#55758567) Homepage

    The submission is confusing because the author proposes "repurposing" the ME, but the example is something that it what it is intended for in the first place. Back when it was first introduced, I worked for a company that created a program that would wake a remote computer on demand and run a few sundry tasks: a defrag and a backup. Intel partnered with various software vendors to create demos of what ME could do. And heck, even without ME, most network cards have a wake-on-LAN feature anyway.

    Intel clearly didn't do a good job marketing the feature if nobody thought of how to use it until a vulnerability was found in it.

    • Much like Xbox mods and others, it is of limited to no use, since it loses code on poweroff and due to signing, any attempt at exploits which carry over across power cycles will either cause the system to crash or simply not work.

      What is needed is some corporate espionage to find/leak these signing keys, or documentation explaining what key update/replacemet mechanism was build into the southbridges in case the key DID leak, then either assigning a new key there, or fusing it open so the signing check is al

      • by MobyDisk ( 75490 ) on Sunday December 17, 2017 @10:30PM (#55758677) Homepage

        since it loses code on poweroff

        Yeah, but then when power is restored, the OS boots, and the application just re-registers itself with AMT again. There's a public API to do it. It doesn't have to be burned into the firmware to work. It just needs to wake the OS when a request is made.

      • documentation explaining what key update/replacemet mechanism was build into the southbridges in case the key DID leak

        There is no documentation on update/replacemet because it's not possible. If they leaked, chips using those keys would be compromised.

        From the only authoritative book on the subject; 'Platform Embedded Security Technology Revealed' by Xiaoyu Ruan:

        The Boot Guard configurations set by the OEM slightly vary among different products. In general and at a minimum, the OEM is responsible for configuring its public key hash for a verified boot, and the boot policies via the security and management engine.

        The security of a verified boot is rooted to the OEM's asymmetric keypair. The OEM generates a 2048-bit RSA keypair as its root key for signing manifests for the initial boot blocks. The private portion of the root keypair must be kept securely, and signing manifests for initial boot blocks shall be its sole usage. On the other hand, the SHA-256 hash of the public key is programmed to the field programmable fuses during the manufacturing process. The public key hash consumes 256 fuses that belong to the multiple-bit one-time programming category, which cannot be updated once written. Because of the one-time programming limitation, the OEM will not be able to renew the root key or update the hash, even if the private key is compromised. Therefore, the OEM must protect its root private key in a signing server with strong protection from attacks or leakage.

        Xiaoyu Ruan is responsible for designing cryptography infrastructure and security applications for Intel's security and management engine.

    • "Intel clearly didn't do a good job marketing the feature..."

      I agree. It seems to me that Intel ME could be a good idea. What is extremely self-destructive to Intel is that customers have insufficient understanding and insufficient control.

      Intel news stories [slashdot.org] (April 17, 2017 )

      Articles about spyware in CPUs [slashdot.org] (June 18, 2017)

      "ME is turning into a colossal dumpster fire." [slashdot.org] (December 10, 2017 )
      • by sjames ( 1099 )

        NO, it can never be a good idea. It can only go from a terrible idea to a terrible idea with some upside. Having a BMC with limited access to the main system was a good idea, but we've had those for over a decade now.

        • "BMC"?

          Suppose the same functions were implemented in a separate chip?

          Could you explain why "... it can never be a good idea." I'm guessing I know less than you about the situation. Also, I don't know the meaning of "BMC".

          The main question is, it seems to me: How can Intel arrange its hardware in a way that assures customers that there are no back doors? At present that seems FAR from an easy goal.
          • by sjames ( 1099 )

            BMC = baseboard management computer. A small embedded system built in to the main system. The difference is that it does not share memory access or the PCI bus. Instead, it is connected to one of the serial ports, the power and reset lines, and often the USB controller. The latter allows it to emulate a DVD drive to support virtual boot media. The serial connection allows for console over LAN (if the OS has a serial console configured). Newer ones also can snoop the video chip to support a built in KVM (for

            • And this is what a lot of us wanted when working on the ME, but there were other forces at play.

              Part is that there is/was a grand plan that streaming services could use the ME to lock content to a given machine, allowing download and play offline capability, but IDK if that ever came to fruition, I think Netflix went another way with that.

              • by sjames ( 1099 )

                And of course, now that ME is cracked, no media company will trust it, no user ever had reason to trust it, and the gigantic security holes are baked in. The question now is will Intel admit they screwed up or will they double down.

                • your guess is as good as mine, I haven't been there for well over a year, and not on the ME team for over 2.

            • Thanks VERY much for your reply.

              BMC sounds excellent. I like this: "The BMC often has it's own private LAN connection so management can be over a physically separate network."

              In more than 11 years, I haven't seen anything like full awareness by other people of the fact that Intel is badly managed. To me, the fact that Intel has provided forced secret access to its hardware, later found to have vulnerabilities, is a tragedy for Intel, the United States, and the world.

              I mentioned that in another comm
    • iamacat writes:
      Not a day goes by without a story about another Intel Management Engine vulnerability.

      I've missed at least the last 60 of these. Being generous.

      Submission is real confused.

    • Comment removed based on user account deletion
    • by iamacat ( 583406 )

      If there is off the shelf software that does what I want (on demand services on a box that uses very little power when not in use), I would be happy to purchase it for reasonable price. If not, I can only gain the functionality by hacking and repurposing it.

    • by Anonymous Coward

      The submission is confusing because the author proposes "repurposing" the ME, but the example is something that it what it is intended for in the first place.

      The problem is ME is like a colander designed to be a boat for large companies. In the end, large companies were already planning to line the bottom of their boat with a hard seal, so no real problem for them. The rest of us, though, aren't willing to seal off the boat because that fundamentally defeats the purpose. So, I'd argue that in effect Inte

    • Indeed. I feel like i'm the only person who's ever effectively utilized it in enterprise IT. And password protected it.
    • I think this ignores the secrecy behind the ME in the first place. Wake-on-LAN has been a common function for, seemingly, ever, and is well-known, whereas the capabilities, even the existence, of the ME has just come out recently. If it was meant for powering up for such sundry tasks as you mention, why has it gone undocumented and unrealized for so long? You can't blame that on shoddy marketing.

      Rather, the ME has been *purposefully* kept secret, which forces one to ask why? The obviousness is that
      • lulz, no.
        It's been publicized and pushed in every 'Q' sku chipset.

        It is effectively a RILO card embedded into every workstation, on steroids.

        The sales pitch to enterprise was:
        Your IT dept can remote wake, apply patch, and shut back down overnight, thus not bothering your staff, or consuming work hours to accomplish patching network wide.

      • by MobyDisk ( 75490 )

        the capabilities, even the existence, of the ME has just come out recently... why has it gone undocumented and unrealized for so long?

        No, they released an SDK for it in 2008. Companies like Lenovo and Dell use it for anti-theft software. Corporate IT departments use it to deploy scripts to monitor antivirus and firewall settings. I wrote code for it in 2008 for a product called "Spare Backup." It used AMT to wake at either a specific time, or in response to a specific packet, to initiate a backup.

  • by Anonymous Coward on Sunday December 17, 2017 @09:53PM (#55758587)

    Many many years ago there was an exploit called "Back Orifice" which was more properly named "Cult of the Dead Cow". It was quite ingenious and had a very small surface area. I knew a few fellow admins that blocked the exploit at their firewall but then used it for remote management because it was memory/network efficient and supported all of their needs better than any third-party company could.

    Risk v.s. Reward is always prevalent. Good luck on your efforts.

    • by c6gunner ( 950153 ) on Sunday December 17, 2017 @10:23PM (#55758669) Homepage

      Many many years ago there was an exploit called "Back Orifice" which was more properly named "Cult of the Dead Cow".

      Just for the record, Cult of the Dead Cow was the name of the group which created it; Back Orifice was the name of a program which they released.

      And yes, it was tiny enough to be easily attached to even something as small as a keygen, turning it into an easy trojan, while also being a great remote administration tool for more legitimate use.

      • by Myself ( 57572 )

        And then BO2K was horribly bloated with all the plugins that seldom played nice with one another and, at least according to this humble scribe, failed to deliver on most of its promises because it was overly ambitious and took too many steps forward all at once.

        But the release party for it was quite an affair..

    • Good times at school with that and netbus.

  • That's exactly what WOL is for, as I run mine on a pre-IME processor...as my Plex box doesn't require that much horsepower to do what it does.

    • by Myself ( 57572 ) on Sunday December 17, 2017 @10:54PM (#55758719) Journal

      Yes and no. WOL can wake a sleeping computer, but not reboot it if it hangs, nor provide any other sort of remote administration beyond what the OS gives you once it comes up. And if it doesn't come up, WOL just left you in the lurch. You need remote-hands to recover.

      I've gone so far as to repurpose a WOL-capable network card as a reset-on-lan device, because my always-on machine doesn't need waking, but inevitably if I'm on the other side of the country, it somehow manages to need rebooting.

      IME sounds like it could serve this purpose and more, perhaps providing a useful subset of iLO/DRAC functionality, but not just for server boards.

      • I've gone so far as to repurpose a WOL-capable network card as a reset-on-lan device, because my always-on machine doesn't need waking, but inevitably if I'm on the other side of the country, it somehow manages to need rebooting.

        How? That would be a god-send for cheap servers!

        • I mean, you could probably rig up something with a raspberry pi to short the actual reset jumper on the motherboard. I all you need to do is reset the power then you could rig something up for a pretty low price.

        • by Myself ( 57572 )

          Here's my implementation [i3detroit.org], which uses a bit of circuitry to work around the NIC's behavior.

          Here's some prior work that I found out about after I'd made mine [utah.edu], which is much simpler because their NIC apparently deasserts the wake output after some time.

  • by dohzer ( 867770 ) on Sunday December 17, 2017 @10:23PM (#55758667)

    Nope, the NSA have it completely secured to prevent anyone from stopping it mining Bitcoins.

    • by AmiMoJo ( 196126 )

      Indeed, it only likes to run signed code.

      For any kind of low power application there are better options. Like a Raspberry Pi.

  • That would be some interesting networking globally to watch for?
    Unexpected gov/law enforcement/mil staging servers reaching around for the port?
    If only a big pool of users globally had some software installed that could be updated to keep watch for strange port and hardware request activity?
    • IF the NSA is behind this you can bet they have a rootkit and backdoor in all the routers and switches too which will prevent you from blocking the port even if Cisco IOS says it's blocked. There is no way to know

      • by AHuxley ( 892839 )
        More that an AV or firewall could report on the ports and the number of times, type of requests?
  • by Anonymous Coward on Sunday December 17, 2017 @10:48PM (#55758703)

    The Intel ME (I think) was a combination Light Out mangement management engine and a VNC server, basically IPMI over IP with a remote console.

    It wasn't that secret as I recall it started with something like the P68 chipset on Intel motherboards and was ubiquitous, the weird path to obscurity was when they tried to monetize and license it..

    The best thing Intel could do today would be to fully document and open it up. People would probably choose to either disable it, or more probably add-on a seperate ethernet card for secure traffic, and reserve the built-in NIC for management activities like on HP servers with its iLO interface.. they also had a "shared" mode stealing interstitial ethernet CDMA intervals to virtualize two seperate Ethernet MAC addresses on the same physical hardware.. duty cycle something like 80/20 but they had the lesson learned to also make it disabled and use (only) a seperate add-on interface connected to different pins on the motherboard, for 100/100 across two different NIC interfaces for practical reasons. Ironically it all started with the Gas and Oil industry, Exxon back in the days when they wanted remote mangement on their servers.. in pre-HP Compaq days.. Intel saw that and wanted some of that business.. so it crept into the base designs later.. without a lot of thought.. which has come home to roost

    • by Anonymous Coward

      The Q35/Q45 chipsets each had bugs that allowed them to be exploited (Q35) and disabled (Q45).

      The X58, I forget if due to bugs or some other needs, didn't have an Intel ME available in it, utilizing a regular southbridge plus a limited chipset hub.

      Sandy Bridge was the first to have it, and as a result of buggy XAPIC2 support on the Nehalem/Westmere boards was the first to have reliable IOMMU/VTd support, but also had mandatory intel me firmware (until me_cleaner figured out how it operated and that it could

    • by Anonymous Coward

      Funny. In 2000 I did this with two modems, two computers and two Ethernet cards to guaranty 99.999 up time for data collect at client sites. The Ethernet cards queried each other every half minute and if one was down the other would reboot the downed server and become the primary. It was a fun project.
      I used Compaq Alpha computer as they came with a monitor card with a modem; your concept of a ME. The boxes came with two Ethernet cable so it was just the obvious to use a cross over cable to each other and o

    • by jabuzz ( 182671 )

      So which LOM on a server does *NOT* use some bastardization of VNC wrapped up in some god dam awful Java plugin, that if you are lucky and the vendor has update will run in a modern web browser with a modern version of Java.

      Basically though the easiest way to defeat the Intel ME is stick a PCI/PCIe network card in the machine that it knows nothing about and ignore the onboard ethernet.

      It would however be cool to hack the ME with a vanilla Minix :-)

      • by tbuskey ( 135499 )

        So which LOM on a server does *NOT* use some bastardization of VNC wrapped up in some god dam awful Java plugin, that if you are lucky and the vendor has update will run in a modern web browser with a modern version of Java.

        iDrac in the Rx30 series (idrac 8?) has an HTML5 version in addition to the java applet. IIRC you can get to the vnc protocol with a standard vnc client too.

  • While it's possible to bend the IME to your own will, it's far more trouble than it's worth. For one, you can get an entire dedicated NAS [crowdsupply.com] that uses less power and space for less money than any comparable Intel setup. This approach requires magnitudes less time, effort and expertise. The design of the IME is such that it is suited to be an invisible backdoor that cannot be removed. It is for this reason that the most reasonable course of action is to disable and shutdown the IME after it has finished the

    • by Anonymous Coward

      Would take care of that. Given your own code in the ME and assurances that no one can remotely unlock/reprogram the SPI flash, the ME would actually make an excellent secondary processor for a number of purposes, including working with an modified keyboard with encryption over the line to decode keystrokes intended to be sent to the OS, while providing local services unavailable to the OS when needed for unlocking/decoding/passing through keys from secure key storage.

      The possibilities for a user controlled

    • by iamacat ( 583406 )

      Embedded NAS boxes don't have much CPU/GPU power though. The way Intel ME is marketed, it sounds like you can have powered off desktop that costs pennies/month in electric use, doesn't make noise, doesn't wear out fans and so on. And then it can wake up and transcode 4K video for Plex or stream Steam games seconds later. It's not that easy to approximate this even using a secondary embedded device that powers the main PC on and off. If same ethernet card is used, one could imagine main CPU cores taking over

      • Embedded NAS boxes don't have much CPU/GPU power though.

        If that's what you need from a NAS then you are doing it wrong for sure.

  • Not safely (Score:4, Interesting)

    by sjames ( 1099 ) on Sunday December 17, 2017 @11:17PM (#55758795) Homepage Journal

    For years now, servers have had a Baseboard Management Computer (BMC) that was always on and could control power, press reset, and provide serial console over LAN. Newer ones provide virtual media and built-in KVM capabilities. At first it was an add-on card that cost an extra $50-$100, then it got so cheap it was simply built in. They spoke IPMI and in some cases also provided http and ssh interfaces. Often they have the option of a physically seperate LAN interface so you can put them on a private LAN. Those are really great for remote management.

    Since they had no access to the flash, main memory, or PCI bus, they had little of the nefarious capability of the ME. They couldn't read data off the drive or snoop the keyboard, for example.

    The ME, on the other hand, is loaded with nefarious potential, so much so that exploiting the ME means game over for the main computer. It already has all of the capabilities TFA suggests, it's just that the chintzy bastards are holding out for more money to turn it on. You can have all the bad parts for free though.

    • by sl3xd ( 111641 )

      For years now, servers have had a Baseboard Management Computer (BMC) that was always on and could control power, press reset, and provide serial console over LAN

      It's worth nothing that BMC's are notoriously buggy as well, often requiring unplugging the server in order to get the BMC out of a "stuck" state.

      At least with a BMC, however, there wasn't much damage that a hard power cycle wouldn't fix.

      • by sjames ( 1099 )

        Yeah, some are better than others. No design is so good that a crappy implementation can't mess everything up, but at least the various issues with the BMC didn't create security holes that couldn't be fixed.

  • This is kind of like saying a bandsaw is a useful tool to shred cheese. You realize that any single vulnerability immediately will run at ring -3 and can over-write anything, I mean any part of your system. I also really doubt you would get any type of speed up over just normal OS.
  • If you're using it to wake up your computer on LAN activity - that is what it was designed to do, it is an option that can be configured in the BIOS of the "nettop" that I have with an Atom processor. If the computer originally came with Win 8 or later (the UEFI-based boot system never show a BIOS screen) then I'm not sure how you'd set this option - but that is exactly what the IME was intended for.
  • Since security problems have been found in the Intel ME, it is probably better to replace the whole operating system. Consider installing Windows. Not having a video adapter connected to the ME engine will fix some annoyances like those BSOD that once in a while appear when running Windows in the user space.
  • Exactly what I was thinking. Could be used for an Open Source hypervisor at the base of the very system. Maybe it could even make Qemu/KVM details more efficient, ... Could be a auxiliary, deep sleep co-processor for your Un*x OS, ... ;_)
  • The name of the game these days is to dress up a vuln/backdoor to make it appear as, "Oh, but it does xyz useful thing!" IMHO it's kind of dangerous to portray something pretty fucking insecure appear to be useful in any way. ME just needs to go away (or open sourced, which it appears legally it should be [slashdot.org]) so it can be fixed properly.

    • by sl3xd ( 111641 )

      IMHO it's kind of dangerous to portray something pretty fucking insecure appear to be useful in any way

      Well, that's pretty much what happens for everything that uses "crypto".

      Vanishingly few people know how to implement any given crypto algorithm securely, but that doesn't stop companies from handing the spec to an intern and tell them to implement it in hardware.

      I quite liked the cryptanalysis of Infineon's TPM's chip being along the lines of "The mistake is too stupid to have been malicious." I wish I could find the link...

  • Comment removed based on user account deletion
    • by sl3xd ( 111641 )

      Ah, but Enterprise IT wants to be certain their more technically-inclined lusers can't disable the enterprise's ability to "manage" and "audit" the systems they manage. It's literally one of the selling points touted by Intel (and AMD for their equivalent of ME) until recently.

      It's not like the machines Enterprise IT buys are any different from the ones I can buy as a consumer, and bulk buyers have a hell of a lot more sway than individual consumers.

      Honestly, if you want secure, you gotta use ARM these days

  • If the Intel ME bothers you, turn off the power switch on the back of your power supply after shutting down your computer for the day, or if it doesn't have one, disconnect the power cord. Can't be accessed remotely if there's no power connected to the box. :-) If you've got a laptop, take the battery out. If you've got a tablet with an Intel processor in it, I guess you're screwed. Get or make small Faraday cage to store it in when you're not using it, or turn off your WAP.
  • There is an easy fix for the potential ( and perhaps already existing ) security breaches that the ME enables. Just start or propogate the rumor that the Chinese have already cracked the ME and are planning to influence the next round of elections. Given how easily politians can get worked up about their job security by nonsensical rumors of Russian interference, they would be sure to force the NSA to allow Intel ( and AMD ) to disable, or verifyably make optional, such customer un-friendly nonsence.
  • Can I mine Bitcoin in ME?

We are Microsoft. Unix is irrelevant. Openness is futile. Prepare to be assimilated.

Working...