Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
Bug Intel Security Hardware

Researchers Run Unsigned Code on Intel ME By Exploiting USB Ports (thenextweb.com) 171

Slashdot user bongey writes: A pair of security researchers in Russia are claiming to have compromised the Intel Management Engine just using one of the computer's USB ports. The researchers gained access to a fully functional JTAG connection to Intel CSME via USB DCI. The claim is different from previous USB DCI JTAG examples from earlier this year. Full JTAG access to the ME would allow making permanent hidden changes to the machine.
"Getting into and hijacking the Management Engine means you can take full control of a box," reports the Register, "underneath and out of sight of whatever OS, hypervisor or antivirus is installed."

They add that "This powerful God-mode technology is barely documented," while The Next Web points out that USB ports are "a common attack vector."

Researchers Run Unsigned Code on Intel ME By Exploiting USB Ports

Comments Filter:
  • by Anonymous Coward

    A couple of days ago, a story ran discussing many massive vulnerabilities in the Linux kernel USB drivers. Users laughed it off, saying that if someone has physical access, the computer is already compromised. When USB is then used to exploit a vulnerable IME, it's considered a serious issue. Why is it that Linux gets a free pass when other systems do not?

    • by Anonymous Coward

      IT doesn't.

      But Linux machines in a server farm are common. So all it takes is someone on the "inside", like someone who owns a machine next to yours in a shared cabinet to start compromising all the neighboring machines.

      With a laptop or desktop, you only need to compromise one machine to access the network. Like I need to express this point bluntly. IF YOU CAN UNPLUG THE MACHINE, YOU HAVE ACCESS TO THE NETWORK. Change the MAC address on your device to match the one you unplugged and then go nuts via the eth

    • Re:Please explain (Score:5, Insightful)

      by Anonymous Coward on Saturday November 11, 2017 @06:59PM (#55532797)

      even an AC on this site should be smart enough to know the difference. if you can't, perhaps you should go run along to reddit or some other site where the users and their submissions are down at your own comprehension level.

      vulnerabilities in linux kernel drivers for usb are relatively easy-to-fix *SOFTWARE* issues.

      the code is worked-on and reviewed by multiple, independent parties; and can also be examined and compiled by end users.

      vulnerabilities in intel management engine are not. they are flaws in the *HARDWARE*

      the feature is embedded in the silicon of every fucking processor they manufacture. a similar feature is also found inside the more recent amd processors as well. problems here would require swapping hardware (processors, processors and/or bios). these features and the firmware that controlls them are closed-source, proprietary, and not documented for the public. you have to give blind faith and trust to hardware vendors (intel, amd, bios producers, motherboard manufacturers, etc) to actually fix the vulnerabilities and/or allow the total and irreversible disabling of the features.

      • by Anonymous Coward

        The vulnerabilities in IME are software. The software is stored in the BIOS and can be upgraded.

        • You know this is Intel right? They didn’t even bother fixing scaling issue on some of their integrated graphics (over scanning or under scanning). Their solution was to load custom resolution which doesn’t work on some effected system because the drivers didn’t allow you to load custom resolutions. And you can’t add a graphics board because the system is a micro PC. Do you really think Intel will go back and fix ME for systems that are more than 3 years old?

      • vulnerabilities in intel management engine are not. they are flaws in the *HARDWARE*

        But you still need physical access to the machine.

        And I think its mostly firmware, not hardware, so it's probably patchable.

      • by Khyber ( 864651 )

        "vulnerabilities in linux kernel drivers for usb are relatively easy-to-fix *SOFTWARE* issues."

        And yet one sits there, still fucking untouched, and has been since 2003.

        Wake me up when Linus actually makes a WORKING fucking product and maintains the core components of it.

  • If they can get a JTAG connection to it directly, does this mean we could also just fry the thing to neutralize it without harming the rest of the computer then?

  • by jfdavis668 ( 1414919 ) on Saturday November 11, 2017 @06:53PM (#55532773)
    I here it runs a version of MINUX 3. Can we hack in and install the more nomenclaturely correct Windows ME?
  • by Anonymous Coward

    So all this is really saying is physical access is god mode. You don't need an ME for that to be true.

    • Re:God mode. (Score:4, Interesting)

      by duke_cheetah2003 ( 862933 ) on Saturday November 11, 2017 @07:51PM (#55532985) Homepage

      So all this is really saying is physical access is god mode. You don't need an ME for that to be true.

      Sadly, you're incorrect. This is a fairly viable remote attack vector. All you need to have is something to deliver the sploit to the host, infect any usb storage devices with your ME sploit and wait for some fool to boot one of those devices accidentally or intentionally. In the mean time, your malware continues to infect every USB device ever attached to the machine. You'll definitely hook a good number of targets, with that number always climbing as more machines get infected and infect more USB storage devices.

      • by Anonymous Coward

        You're still forgetting the "remote" part. There's nothing remote about saying physical access means root. And if someone has physical access there's a whole bunch of ways that don't require an ME to execute.

      • I don't think this exploit involves booting from a USB storage device, rather it's taking advantage of the fact a USB device can send malformed packets. To exploit this, you're going to need to do more than write data to a USB storage device, you're going to have to hack the USB device's firmware.

        That's a tall order - yeah, there's probably quite a few out there that have exploits that would allow you to overwrite the firmware, but what's the betting your virus is going to have the right exploit for the

        • Rewrite or replace the hardware. Many USB memory sticks have plenty of free space inside - you could easily stick a little CPLD chip in there to sit between the USB port and the flash memory. It'd even still work as a memory stick. You'd need one skilled hacker to design the CPLD, but once it's designed the actual construction is only a low-skill soldering job. Anyone who can buy a PCB and solder an SMD could do it, and you can buy custom-made PCBs on eBay. And CPLDs too.

          • Yep, that would do it too. The point is though it's not something you can (easily and effectively) do by creating a virus that'll target USB mass storage devices. If you were going the "untargeted virus" route, you'd have to write something that knows about a lot of exploits for a lot of different USB devices. Targeting cellphones, or just creating a custom USB stick the way you're suggesting for a specific target, is much easier.
      • infect any usb storage devices with your ME sploit and wait for some fool to boot one of those devices accidentally or intentionally

        USB DCI doesn't work like that. This would need to enumerate as a specific DCI device to the USB Host. It isn't some virus that sits on a storage controller and short of bricking every device that becomes attached to the system it won't spread. Furthermore it will be immediately obvious that something has gone wrong.

        Additionally DCI is highly system specific, and while it is possible that Intel's ME is configured identically in every system the odds of it are highly unlikely limiting any exploit, even if it

  • by Anonymous Coward on Saturday November 11, 2017 @07:04PM (#55532819)

    What I hate about all these stories? We have security researchers who decry the evil of Intel ME. How it can be used to fully control a system. How it allows remote access. You know, those are GOOD things. The only bad parts are (1) it's closed source, (2) it has security vulnerabilities, and (3) the owner (whether it's a corporation or a single person) doesn't have control over it. What I want to see is not the Intel ME disabled. I want to see it turned into a bare bones OS precisely for the average user to remotely log in, flash a new BIOS (or recover from a brick), and to maximize control over things like power settings, usb access, etc.

    There's nothing wrong with a God mode. They key is making sure the right person is God.

    • by duke_cheetah2003 ( 862933 ) on Saturday November 11, 2017 @07:38PM (#55532943) Homepage

      What I hate about all these stories? We have security researchers who decry the evil of Intel ME. How it can be used to fully control a system. How it allows remote access. You know, those are GOOD things. The only bad parts are (1) it's closed source, (2) it has security vulnerabilities, and (3) the owner (whether it's a corporation or a single person) doesn't have control over it. What I want to see is not the Intel ME disabled. I want to see it turned into a bare bones OS precisely for the average user to remotely log in, flash a new BIOS (or recover from a brick), and to maximize control over things like power settings, usb access, etc.

      There's nothing wrong with a God mode. They key is making sure the right person is God.

      The problem here is as the TFA points out, the Intel ME stuff is really poorly documented and it's very complicated what tools and documents I've come across. Certainly way more than an end user could wrap their head around if a refurbisher like me is still trying to understand ME and how it works, when it works, etc.

      The closed-source nature of it is a huge problem too, as obvious from this article. So yeah, sure, God-mode might be pretty cool, but it's a bit dangerous if others can exploit it just as easily as I can. This is a pretty viable attack vector too, since you know, a payload could deliver the ME sploit, infect any usb storage devices, and hope for the next fool who boots accidentally or intentionally from those devices. I imagine if an attacker took control of the ME subsystem, it'd be a real bitch to eject their crap, considering how poorly ME is documented and how arcane the tools are.

      In my experience as a refurbisher, it's a very rare sight to see any laptop or desktop computer that even mentions ME, or has an option to turn it off in the BIOS. Most of the ME implementations are completely transparent to the host computer, never mentioned in the BIOS, no way to turn it off, no indication it's even there.

      • Re: (Score:3, Interesting)

        by Anonymous Coward

        The problem here is as the TFA points out, the Intel ME stuff is really poorly documented and it's very complicated what tools and documents I've come across. Certainly way more than an end user could wrap their head around if a refurbisher like me is still trying to understand ME and how it works, when it works, etc.

        What you describe covers a lot of electronics that have been co-opted by hackers and turned into Linux running systems. I'm not saying it's a trivial task, and I don't think I'm personally up

        • by unrtst ( 777550 )

          So yeah, sure, God-mode might be pretty cool, but it's a bit dangerous if others can exploit it just as easily as I can.

          Compared to what? Exploiting the kernel? Exploiting the BIOS? We're talking about another level underneath that's fundamentally the same thing. Is getting rid of it any sort of answer? About as much as getting rid of the kernel or the BIOS. Obviously, the focus should be about documenting it and pushing for as many people as possible to replace it.

          WTF? It is not fundamentally the same thing! The BIOS is there to initialize the hardware so that the OS can boot. The boot manager handles passing on that to the OS, where the kernel takes over as the running/managing process. That entire time, the ME is still there, and provides no value to that process. (I'm not saying it has zero value, but its value is not in that series of events, but outside it)

          Is getting rid of it any sort of answer? About as much as getting rid of the kernel or the BIOS.

          So "yes", definitely. Is that way you meant to say? We've been working to get rid of the traditional BIOS f

    • There's nothing wrong with a God mode. They key is making sure the right person is God.

      Problem is that everyone thinks they're the one - or should be.

    • by MrKaos ( 858439 ) on Saturday November 11, 2017 @08:03PM (#55533027) Journal

      There's nothing wrong with a God mode. They key is making sure the right person is God.

      Yeah, I'm kinda thinking that if the management engine is on the machine and it is MINIX, I'd like to use it myself to, you know, manage the machine. I'm pretty sure I paid for it.

    • That's easy, Intel and no one else.
      However, during development a guy in a dark suit comes along, representing $TLA.
      "Thou shalt not..." he says, so now there 2 Gods.

      Said agency looks at the matter and insists on a kill switch for their own boxes - which is a wise move and everyone should have that. But then again, where is the fun in being God if everyone can lock you out?

      So it is kept top secret how to access the ME and only $ThirdParty with the appropriate clearing learn about it. Amongst them $Contractor

    • by Anonymous Coward

      There's nothing wrong with a God mode.

      There certainly is something wrong with a "God mode" management engine. Think about it--why do you need a second processor running MINIX and controling the main CPU? It's only because the present-day operating systems running on the main CPU are too handicapped to do the things you want. In principle, if things were designed elegantly, you could just have a single processor with a single operating system that actually did everything.

    • by Gravis Zero ( 934156 ) on Saturday November 11, 2017 @09:27PM (#55533275)

      We have security researchers who decry the evil of Intel ME.

      The part they decry more than anything else is that it cannot be disabled. Seriously, this is the biggest issue about IME is that it is designed to always run no matter what and if it's not running, the rest of the system is prevented from running.

      You may think it's cool but doing so is as stupid as thinking, "that's an awesome gun" when someone has one pointed at your head.

      • by Anonymous Coward

        The part they decry more than anything else is that it cannot be disabled. Seriously, this is the biggest issue about IME is that it is designed to always run no matter what and if it's not running, the rest of the system is prevented from running.

        No, people decry the level of authority (the God mode) that is granted to Intel along with the difficulty or inability to disable it. Although to that end, it's absurd precisely because Intel is the creator of the CPU and hence already has a lot of supreme power

        • by rastos1 ( 601318 )

          No, people decry the level of authority (the God mode) that is granted to Intel along with the difficulty or inability to disable it. Although to that end, it's absurd precisely because Intel is the creator of the CPU and hence already has a lot of supreme power over the system.

          Yes, Intel has supreme power over the system. And we trusted Intel to not abuse that power. Those that did not trust it were ridiculed for the tinfoil hat. And now we have found (*) out that they did abuse the power. Or prepared the

      • by Zumbs ( 1241138 )
        Indeed. The default should be disabled, so that it is possible for experts, e.g. the IT department, to enable the specific parts of it that they want to use.
      • by AmiMoJo ( 196126 )

        The problem is that they use it to boot the system, so you need it for at least the boot part before it can be disabled. There is that secret NSA disable bit, but you can't rely on it because at the very least the boot code has the execute first and that could be compromised.

        To overcome this either Intel would have to create a new boot system and somehow disable any capability to change/update it (unlikely), or it will have to be replaced by an open source system that we can at least audit. Well, I guess th

      • You may think it's cool but doing so is as stupid as thinking, "that's an awesome gun" when someone has one pointed at your head.

        I would think the same thing if I knew there were no bullets. Intel's ME runs all the time because it has system reasons for doing so. The thing that freaks out most people (remote administration) is controlled by the user. This can easily be verified by a network that doesn't respond to anything when it is disabled.

        At that point you are limited to physical attacks that require someone to already own your machine.

        "That's a pretty neat and loaded gun that you're about to shoot me with" I said as I lay bleedi

        • Intel's ME runs all the time because it has system reasons for doing so.

          It only has reason to run during the initial boot sequence. This has been verified and yet IME still runs even if you disable ATM.

          The thing that freaks out most people (remote administration) is controlled by the user. This can easily be verified by a network that doesn't respond to anything when it is disabled.

          IME monitors packets and only acts when it gets the proper packet sequence. The stars will burn out long before you're done enumerating every packet value.

          At that point you are limited to physical attacks that require someone to already own your machine.

          Permanently disconnecting your computers from all networks and external devices is the only real option here. A compromised installer, updater or USB device could easily result in a permanently owned box. At that point the

          • IME monitors packets and only acts when it gets the proper packet sequence.

            IME enumerates a separate interface for networking. When you disable the network interface IME is no longer listening.

            Unless you can show me a detailed description of where it says otherwise.

            • They've found at least in the case of laptops that have cellular enabled wireless, disabling your network interface does nothing because the IME has direct access and control over the wireless radio. Neither does yanking the power cord or removing the battery, because the newer ones have started coming with their own power supplies, sort of like the old CMOS batteries, only you can't access or remove those, either.

              • They've found at least in the case of laptops that have cellular enabled wireless, disabling your network interface does nothing because the IME has direct access and control over the wireless radio.

                And yet IME does not actually listen or respond to cellular interfaces. It does have control but that's about it. If you did have a point it was diminished by the fact that you believe a tiny battery will power fully functioning network interfaces / cellular modems.

      • by havana9 ( 101033 )
        What should be done for safety is to add a couple of pin on the chip, one that enables the BIOS flash an the one that enables the ME engine or not. So a couple of jumpers on the motherboard could make the buyer to control the behaviour. IF this is difficult because is a laptop or an embedded ssytem they could be changed with soldered blobs or even using a keyboard controller that remember the configuration set with a particular key combo on power on in an eeprom. Problem solved.
        • Intel won't even allow people to disable IME, let alone give them the option of how to do it. They could solve this problem a bunch different ways with ease but the point is that Intel does not want to allow you to disable IME.

    • The problem is you can't get rid of it by reformatting your hard drive. This isn't a root account, and it's not ring 0. Unless you know how to make it secure, it shouldn't exist, and Intel doesn't know how to make it secure.
    • by sjames ( 1099 )

      It's a dangerous as hell way to "solve" an already solved problem. The servers I work with have IPMI and a BMC on them rather than the ME. The BMC can emulate a USB DVD drive so I can do a fresh OS install. It also connects to an internal serial port so I can do serial console over LAN. It can simulate a press on the power and reset buttons. The newer ones can also act as a KVM for dealing with OSes that insist on GUI interaction. Using that, I can fully manage a server I have never actually seen that lives

  • dahlink (Score:2, Offtopic)

    by PopeRatzo ( 965947 )

    A pair of security researchers in Russia

    I've found a photo of this pair of "security researchers" in Russia:

    https://pre00.deviantart.net/f... [deviantart.net]

     

  • Beyond scary (Score:5, Interesting)

    by markdavis ( 642305 ) on Saturday November 11, 2017 @07:10PM (#55532847)

    This Management Engine stuff just gets scarier and scarier. Just like intentional backdoors in encryption WILL be found and exploited, these undocumented "systems" within our systems will be cracked and the result can and will be DEVASTATING. It is hard enough to keep operating systems updated and secure. Firmware-level security is not something that can be easily maintained on running machines, even if Intel and friends can put out patches fast enough. I want my machine to be MINE.

    These "infected" machines are making their way into our entire infrastructure- controlling everything from power generation, traffic, government operations, military, healthcare, just about everything. Imagine black-hatters, rogue nations, criminals, or terrorists simply bypassing all normal security and just taking control of the hardware and doing whatever they want.

    WE ALL NEED THE ABILITY TO ABSOLUTELY DISABLE ME AT THE BIOS AND/OR HARDWARE LEVEL. And we need it NOW!

    Oh, and AMD is doing the same thing as Intel, so don't look to them as some alternative.

    • No computer running a general purpose OS is secure. None. Security is the antithesis of general purpose computers.
      • >"No computer running a general purpose OS is secure. None. Security is the antithesis of general purpose computers."

        With that type of broad statement, you are correct- NOTHING is really "secure". Security is always matter of degrees. There is no safe that can't be broken into, eventually, with enough effort and resources. And once that method is found, it could quickly enable other safes to be broken. We shouldn't allow some company to have control over our safes and install a bunch of secret "locks

    • This Management Engine stuff just gets scarier and scarier. Just like intentional backdoors in encryption WILL be found and exploited, these undocumented "systems" within our systems will be cracked and the result can and will be DEVASTATING.

      You are now finally on the same page that computer scientists have been on for over a decade. It's been repeated many times that it's not a question of "if" it will be compromised but rather "when".

      The fact that you are only just started freaking out clearly exemplifies the problem: the general public doesn't care about security until it's too late and they won't listen to experts.

      • >"The fact that you are only just started freaking out clearly exemplifies the problem: the general public doesn't care about security until it's too late and they won't listen to experts."

        I have been freaking out about it ever since it was introduced, and really believed that it would have been stopped or undone by now. I am not the "general public" but I agree with what you are saying. Now that there are millions of such chips out there, we have lots of ticking time bombs just waiting for the right e

    • by jbn-o ( 555068 ) <mail@digitalcitizen.info> on Saturday November 11, 2017 @11:49PM (#55533701) Homepage

      WE ALL NEED THE ABILITY TO ABSOLUTELY DISABLE ME AT THE BIOS AND/OR HARDWARE LEVEL. And we need it NOW!

      What you're describing is software freedom. And you deserve software freedom for all of the computers you own. You should be allowed to run, inspect, share, and modify the BIOS, "Management Engine" (or workalike), and all of the other software on the computer including any encryption keys used. Fortunately for all of us people are working on different architectures and on freeing common architectures [slashdot.org], so I hope you'll help them.

      • Except the software is the smallest part of the ME.The ME comprises a series of CPUs (some ARM-based), low-level hardware access, and in some cases found so far, it's own power supplies and cellular data connection.

        The software side of it is only a small start to things that need remedied in this situation, especially a situation in which we find a system-within-a-system such as this that can entirely override the command functions of the UEFI/BIOS firmware, the OS, and last but not least, the end-users/sys

  • by Gravis Zero ( 934156 ) on Saturday November 11, 2017 @07:24PM (#55532895)

    This could potentially give people full access to the Intel Insider [wikipedia.org] core which is what all the 4K DRM relies on.

    I hope after IME is fully pwn3d that people will start taking a crack at AMD's PSP because I would like to have a fully open system but I refuse to financially support Intel due to their highly unethical and anti-competitive behavior.

    • How practical is it to execute code on ME?
    • How powerful is the ME processor compared to the real one? 100% the power? 10%? etc?
    • Is it possible to take advantage of this to not only stop the ME from spying, but to increase performance?
    • How practical is it to execute code on ME?

      For general applications, it's absolutely worthless. It doesn't even use the x86 architecture.

      Is it possible to take advantage of this to not only stop the ME from spying, but to increase performance?

      Realistically, no.

  • This isn't a bug (Score:2, Insightful)

    by Anonymous Coward

    This is not an exploitable bug, it is an NSA feature.

  • I knew there was a good reason to keep this VIA C3 Mini-ITX motherboard around!

  • Nerd: *tapa tapa tapa* Oh my god! The Intel Managament Engine... it's gone rogue! It's out of control!
    Man With Shades And Many Chevrons: Shut it down!
    Nerd: *tapa tapa tapa* I'm trying! But it's not responding to the shutdown code!
    Man With Shades And Many Chevrons: Just pull the plug or something!
    Nerd: It already has control over our systems! We'll need to do a manual override!
    Man With Shades And Many Chevrons: Dammit! Where's Bruce Willis when you need him?!

  • It helps to protect Intel's valuable intellectual property called ME from people like us. Don't listen to this barefoot Hippie Stallman from the FSF, he just wants the unwashed masses to have actual control over the machines they payed for.

  • I have no idea how powerful that engine is.

    I hope someone will come out with some neat idea to usefully exploit that ME in favour of the users.
    Maybe some femto-kernel or the likes...

    • by Anonymous Coward

      I have no idea how powerful that engine is.

      In raw number crunching "power"? Not very powerful.

      In complete access to your system "power"? Quite powerful.

"Maintain an awareness for contribution -- to your schedule, your project, our company." -- A Group of Employees

Working...