The short version is that every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware.
We knew this would happen. We knew that the Management Engine was a backdoor, and we knew it was only a matter of time before someone would figure out how to exploit it. This is exactly the reason why Libreboot exists (https://libreboot.org/faq.html#intel). And now, far from being the tinfoil hat distro that is often portrayed, it will become a bare necessity.
Let's hope one of the other CPU manufacturers (e.g. AMD) starts supporting LibreBoot and allows to officially disable the ME-equivalent hardware feature, so that Intel get's forced by market-pressur to follow.
Intel needs more competition - thanks to AMD latest new 8-core CPU Intel got forced to release a new CPU the had in their basement for years - suddently it's possible for them to release i7 notebook CPUs with more then two cores!! Even back in 2010 it would have been viable to produce 4 core notebook CPUs - but the went away because the had no competition.
I'm having fun, I finally have an excuse to dust off my Libreboot X200 (refurbished and modded Thinkpad with Libreboot firmware).
However, I strongly disrecommend buying from Leah Rowe unless you enjoy waiting months for payment confirmation and delivery. The worst webshop experience I've ever had.
I recommend you build/flash your own, contract it out or look for a different vendor.
> For obvious reasons we couldn’t publish what we found
It's not obvious to me why anyone not under an NSL or NDA would sit on this vulnerability for 5 years and wait until it's actively being exploited in the wild before public disclosure.
It's extremely negligent to global security for SemiAccurate to not immediately publicly disclose the vulnerability 5 years ago after Intel refused to fix it. Of course this is ignoring the root of the problem, which is that the US government has deeply compromised Intel since the very first security management interfaces were added to Intel chips in the early 90s.
The real solution to the root issue is legislation that forces security disclose timelines of 90 days or less for government-found vulnerabilities, and prevents the stockpiling of vulnerability exploit kits.
That seems strange. Since it's a security hole you can exploit on your very own Intel computer, there's no issue about "hacking" into someone else's system. Researching this is legally safe. There should have been a Defcon talk and a CERT advisory years ago.
This was my thought too as I read it. If they didn't feel they could handle the disclosure, Google Project Zero could have been a good recipient to report to Intel.
One wonders if they knew of this particular vulnerability 5 years ago or they just knew that there must be vulnerabilities lurking in the ME somewhere.
Is there a better source for this than SemiAccurate? The article doesn't really have much beyond self-aggrandizement and "we can't tell you any details, but you're screwed". For something that could be anything from "Charlie Demerjian heard a rumor about a ME patch and wanted some pageviews" to the actual security apocalypse, I'd like credible sources.
>>every Intel platform with AMT, ISM, and SBT from Nehalem in 2008 to Kaby Lake in 2017 has a remotely exploitable security hole in the ME (Management Engine) not CPU firmware.
>>there is literally no Intel box made in the last 9+ years that isn’t at risk
>>SemiAccurate has been begging Intel to fix this issue for literally years
Am I the only one who is so cynical to think it must have been deliberate? Intel dragging their feet for YEARS -- what could justify such a delay? The paranoid side of me asks "Were they waiting to patch this hole, until they found a different one that could be utilized?"
Which begs the next quesion: Where is the NSA in all of this? It's the sort of thing that would be mighty handy to a group wishing to snoop on everyone and everything?
Last question: Why would anyone trust the encrypted management engine after this? (Why would anyone trust it before?)
>> What about embedded devices that are increasingly PC based? Digital signage perhaps? Industrial controls. HVAC. Security systems. Flight controls. Air traffic controls. Medical devices.
What, indeed? Is this the method used to interfere with Iran's nuclear program centrifuges?
Extending the attack surface in the name of alleged convenience seems more a plan to enable hacking than a reasonable design and marketing approach for microprocessors. IoT fanboys with an urge to make home appliances remotely exploitable might be in good faith, but Intel is smarter than them.
As a sysadmin at a Windows shop, I don't know what to make of this. Has Intel commented on this, yet? Any OEM?
Joanna Rutkowska, who is a renowned security researcher, warned of something like this happening sooner or later[1], so I don't think I can afford to just ignore this.
But without something more specific to act on, there is nothing I can do, except wait firmware updates to be released by various vendors. If that happens.
And what if Intel does make a statement that essentially says, "This is all total BS"? I wouldn't know whether to believe them or not.
The only scenario where I could have any degree of certainty would be if Intel came out and said, "Yeah there's an exploitable security hole in ME, here's a patch to disable it".
It confirms much of the SemiAccurate report, but also includes this:
"This vulnerability does not exist on Intel-based consumer PCs."
Which seems to differ from what SemiAccurate was saying. I'm not sure if it's SemiAccurate being... er... not completely accurate :D, or if it's Intel trying to downplay things.
I guess we'll find out more over the next few days/weeks.
Believe it in proportion to the supporting evidence presented. At the moment, that's nothing except an appeal to the widespread belief that an Intel ME security flaw is inevitable.
This thread (and the link for it) have some decent information, for those looking for it. It had a cross-link here, figured I might as well link back to it: https://news.ycombinator.com/item?id=14242508
Zero details and zero cross references, zero mentions on Google and zero mentions in any security list I'm on. Charlie blowing nonsensical steam yet again?
The article implies that they have been privately trying to get Intel to fix it, so there is no reason it would have been mentioned publicly anywhere.
Now a patch is coming out but Intel is still trying to keep it quiet, so he's trying to warn people disable AMT and be ready to apply patches ASAP.
Presumably he didn't even want to disclose the existence of the vulnerability publicly until there was some sort of fix, and he still won't want to disclose details before the fix is released.
Of course, you can doubt the veracity of this story, but I'm just pointing out that there would be no reason to expect details, cross references, or mentions on Google or security lists yet if it is true.
I think it is high time for companies who make hardware be financially fined for lapses like this. In this particular case, the manufacturer was warned and did nothing for years.
This is negligence especially considering these chips control critical devices that can cause damage or even loss of life if they are successfully exploited.
Can you imagine if car maker didn't fix a hardware defect they knew for years. Oh wait...
From the perspective of an everyday user these things came out of nowhere to evolve into this para-computer running along side me that I cannot see and have no control of. It is on literally ALL hardware
Why is it that any attempts to disable it knock your whole computer out?
And this is the world of technology that we want? I'm so sick of technology companies appearing to work for their customers but secretly working against them.
The functionality ME attempts to provide is lights out a.k.a. out-of-band management (like IPMI) to the desktop.
If, for example, an admin needed to add a dual-boot-to-Ubuntu option to every PC on a floor, he could, through ME, remotely reboot (force power reset if necessary) or power on every machine, have the machines boot to a (remote) OS install disk, run the install, and reboot.
ME allows one to do almost anything remotely to a PC, regardless of what the main processor is doing. That is both useful and frightening.
I think the problem is not that this technology exists but rather that the operation of this engine is not transparent, the user cannot examine or disable the software in this engine, cannot write his own software.
Security is a cost center and most OEMs run on margins too thin
to bother with security patches even if they cared. Most simply don’t care.
I think that sums up pretty well why downstream vendors are treating security casually. So the billion dollar question is, how do we fix this, as a tech community?
After learning about remote management capabilities I've always suspected it had holes. Large attack surface, any exploit would have a high value, and closed source.
Perhaps one day we'll be able to buy CPU's without this "feature".
I'm betting AMD and ARM are in the same boat.
"It is this last point that has been causing some political unrest in the US, and the rest of the Western world. As you undoubtedly know, China is very nearly the sole producer of all electronic goods. It would be very, very easy for the Chinese government to slip a hardware backdoor into the firmware of every iPad, smartphone, PC, and wireless router." 2012 https://www.extremetech.com/computing/133773-rakshasa-the-ha...
Made in China, designed in the USA. Everyone wants their own backdoor.
Patching is going to be a nightmare considering that many OEMs drop support for a motherboard after 3 years. There will be unpatched systems floating around for a very, very long time.
I've got a Lenovo T530 and a Lenovo T450s. I wonder if they've released a firmware update yet...?
I can't say I'm surprised, but I am surprised at the fact that finally, after all these years, someone finally got down to patching some vulnerabilities in this area.
Worrying about the ME and my dislike of secure boot is what has kept me from upgrading beyond the Core 2 Duo with BIOS. It's starting to feel slow now, but I still don't feel I can upgrade unless there is at least a way to disable the ME. So far, there don't seem to be any reliable methods of doing so.
Even without any newly discovered backdoor. The Intel ME was always a fuing security issue. A BACKDOOR. It is completely naive to think the NSA can't use the ME to get access to anything, but hey it needs another Snowden for people to listen again.
[+] [-] AdmiralAsshat|9 years ago|reply
We knew this would happen. We knew that the Management Engine was a backdoor, and we knew it was only a matter of time before someone would figure out how to exploit it. This is exactly the reason why Libreboot exists (https://libreboot.org/faq.html#intel). And now, far from being the tinfoil hat distro that is often portrayed, it will become a bare necessity.
[+] [-] SEJeff|9 years ago|reply
https://github.com/corna/me_cleaner
[+] [-] frik|9 years ago|reply
Intel needs more competition - thanks to AMD latest new 8-core CPU Intel got forced to release a new CPU the had in their basement for years - suddently it's possible for them to release i7 notebook CPUs with more then two cores!! Even back in 2010 it would have been viable to produce 4 core notebook CPUs - but the went away because the had no competition.
[+] [-] cryptarch|9 years ago|reply
However, I strongly disrecommend buying from Leah Rowe unless you enjoy waiting months for payment confirmation and delivery. The worst webshop experience I've ever had.
I recommend you build/flash your own, contract it out or look for a different vendor.
[+] [-] BrainInAJar|9 years ago|reply
[+] [-] Sephr|9 years ago|reply
It's not obvious to me why anyone not under an NSL or NDA would sit on this vulnerability for 5 years and wait until it's actively being exploited in the wild before public disclosure.
It's extremely negligent to global security for SemiAccurate to not immediately publicly disclose the vulnerability 5 years ago after Intel refused to fix it. Of course this is ignoring the root of the problem, which is that the US government has deeply compromised Intel since the very first security management interfaces were added to Intel chips in the early 90s.
The real solution to the root issue is legislation that forces security disclose timelines of 90 days or less for government-found vulnerabilities, and prevents the stockpiling of vulnerability exploit kits.
[+] [-] Animats|9 years ago|reply
[+] [-] gtirloni|9 years ago|reply
Intel would like to thank Maksim Malyutin from Embedi for reporting this issue and working with us on coordinated disclosure.
[+] [-] dantiberian|9 years ago|reply
[+] [-] wmf|9 years ago|reply
[+] [-] tomku|9 years ago|reply
[+] [-] milcron|9 years ago|reply
There's also an Intel advisory https://security-center.intel.com/advisory.aspx?intelid=INTE...
[+] [-] na85|9 years ago|reply
Maybe then we'll finally see hardware companies taking security seriously.
[+] [-] Natanael_L|9 years ago|reply
[+] [-] unknown|9 years ago|reply
[deleted]
[+] [-] codedokode|9 years ago|reply
[+] [-] davidgerard|9 years ago|reply
[+] [-] Jan_jw|9 years ago|reply
[+] [-] jackhack|9 years ago|reply
>>there is literally no Intel box made in the last 9+ years that isn’t at risk
>>SemiAccurate has been begging Intel to fix this issue for literally years
Am I the only one who is so cynical to think it must have been deliberate? Intel dragging their feet for YEARS -- what could justify such a delay? The paranoid side of me asks "Were they waiting to patch this hole, until they found a different one that could be utilized?" Which begs the next quesion: Where is the NSA in all of this? It's the sort of thing that would be mighty handy to a group wishing to snoop on everyone and everything?
Last question: Why would anyone trust the encrypted management engine after this? (Why would anyone trust it before?)
>> What about embedded devices that are increasingly PC based? Digital signage perhaps? Industrial controls. HVAC. Security systems. Flight controls. Air traffic controls. Medical devices.
What, indeed? Is this the method used to interfere with Iran's nuclear program centrifuges?
[+] [-] HelloNurse|9 years ago|reply
[+] [-] regularfry|9 years ago|reply
The discussion probably went something like:
Person 1: "Should we issue a recall and disable a feature which bought us a several billion dollar customer?"
Person 2: ...
[+] [-] unexistance|9 years ago|reply
https://www.cia.gov/news-information/featured-story-archive/...
[+] [-] krylon|9 years ago|reply
Joanna Rutkowska, who is a renowned security researcher, warned of something like this happening sooner or later[1], so I don't think I can afford to just ignore this.
But without something more specific to act on, there is nothing I can do, except wait firmware updates to be released by various vendors. If that happens.
And what if Intel does make a statement that essentially says, "This is all total BS"? I wouldn't know whether to believe them or not.
The only scenario where I could have any degree of certainty would be if Intel came out and said, "Yeah there's an exploitable security hole in ME, here's a patch to disable it".
[1] http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf
[+] [-] justinclift|9 years ago|reply
https://security-center.intel.com/advisory.aspx?intelid=INTE...
It confirms much of the SemiAccurate report, but also includes this:
"This vulnerability does not exist on Intel-based consumer PCs."
Which seems to differ from what SemiAccurate was saying. I'm not sure if it's SemiAccurate being... er... not completely accurate :D, or if it's Intel trying to downplay things.
I guess we'll find out more over the next few days/weeks.
[+] [-] tomku|9 years ago|reply
[+] [-] theossuary|9 years ago|reply
[+] [-] yxhuvud|9 years ago|reply
[+] [-] _wmd|9 years ago|reply
[+] [-] resoluteteeth|9 years ago|reply
Now a patch is coming out but Intel is still trying to keep it quiet, so he's trying to warn people disable AMT and be ready to apply patches ASAP.
Presumably he didn't even want to disclose the existence of the vulnerability publicly until there was some sort of fix, and he still won't want to disclose details before the fix is released.
Of course, you can doubt the veracity of this story, but I'm just pointing out that there would be no reason to expect details, cross references, or mentions on Google or security lists yet if it is true.
[+] [-] some1else|9 years ago|reply
[+] [-] yxhuvud|9 years ago|reply
Seems legit.
[+] [-] bnmathm|9 years ago|reply
[+] [-] electic|9 years ago|reply
This is negligence especially considering these chips control critical devices that can cause damage or even loss of life if they are successfully exploited.
Can you imagine if car maker didn't fix a hardware defect they knew for years. Oh wait...
[+] [-] tomc1985|9 years ago|reply
From the perspective of an everyday user these things came out of nowhere to evolve into this para-computer running along side me that I cannot see and have no control of. It is on literally ALL hardware
Why is it that any attempts to disable it knock your whole computer out?
And this is the world of technology that we want? I'm so sick of technology companies appearing to work for their customers but secretly working against them.
[+] [-] jnwatson|9 years ago|reply
If, for example, an admin needed to add a dual-boot-to-Ubuntu option to every PC on a floor, he could, through ME, remotely reboot (force power reset if necessary) or power on every machine, have the machines boot to a (remote) OS install disk, run the install, and reboot.
ME allows one to do almost anything remotely to a PC, regardless of what the main processor is doing. That is both useful and frightening.
[+] [-] codedokode|9 years ago|reply
[+] [-] thunder-ltu|9 years ago|reply
[+] [-] joatmon-snoo|9 years ago|reply
[+] [-] devy|9 years ago|reply
[+] [-] thraway2016|9 years ago|reply
[+] [-] lurker456|9 years ago|reply
After learning about remote management capabilities I've always suspected it had holes. Large attack surface, any exploit would have a high value, and closed source.
Perhaps one day we'll be able to buy CPU's without this "feature". I'm betting AMD and ARM are in the same boat.
[+] [-] kartan|9 years ago|reply
Made in China, designed in the USA. Everyone wants their own backdoor.
[+] [-] discreditable|9 years ago|reply
[+] [-] imode|9 years ago|reply
I can't say I'm surprised, but I am surprised at the fact that finally, after all these years, someone finally got down to patching some vulnerabilities in this area.
props to whomever forced Intel's hand.
[+] [-] PhantomGremlin|9 years ago|reply
So if you're running a desktop that has a physical Ethernet card in it, and the Intel Ethernet isn't connected, are you OK?
And if you're running on a laptop that uses Intel's Ethernet, (and most of them do?) then are you vulnerable?
[+] [-] shdon|9 years ago|reply
[+] [-] snackai|9 years ago|reply
[+] [-] akeck|9 years ago|reply
[+] [-] mtgx|9 years ago|reply
https://news.ycombinator.com/item?id=11913379
[+] [-] j_s|9 years ago|reply
> do the first three steps of thinking for them. Make it really easy for the other person to say yes or no
source: http://firstround.com/review/how-to-become-insanely-well-con... | https://news.ycombinator.com/item?id=14195664
I've agreed to include a bit of detail when spamming all my friends links via e-mail going forward.