Another round of crappy journalism. It's not obscure, it's not a CPU feature but a platform feature, and there are plenty of out-of-band communication channels out there, this isn't the only one. On top of that, this was already published two DEF CONs ago.
You can exfil data and even do practical bi-directional communication over: SOL, IPMI, ASF, MT's ARC CPU via injected firmware and then via TCP/IP. Any of them will work. Add vendor-specific firmware addons on top of that (i.e. Broadcom tends to have exploitable firmware in their NIC controllers)
Most of them are in a vulnerable state by default because the technology was supposed to be 'easy' and 'user friendly', but 'users' don't even know what they are, and most deployments are done by the WinTel horde that doesn't actually know anything outside the Microsoft framework. (and thus leave the defaults as-is)
Aaaand I think this is the first public disclosure of malware using the Intel Management Engine / AMT's network connection (that uses SMBus, I talked about it here https://news.ycombinator.com/item?id=14309557 and gave links to appropriate datasheets). Welp.
AMT/ME being used by malware created by well-resourced adversaries is no surprise, and is why Intel needed to give an irreversible and verifiable way of completely disabling it.
> When contacted by Microsoft, Intel said the PLATINUM group wasn't using any vulnerability in the Intel AMT SOL interface, but this was another classic case of bad guys using a technology developed for legitimate purposes to do bad things.
Worst excuse ever. "Look guys, at least it's not a backdoor we left on purpose!!!"
It's surprising that everyone is up in arms about AMT and ME while not complaining in the slightest about SGX. SGX allows third parties to run code on your processor that is outside of your control. We're losing our computers to corporate interests. You are buying a device they can remotely manage, exert control with a higher privilege than yours, hide secrets inside your machine, and make all the decisions for you. To be even more dramatic, you are purchasing your own enslavement.
The reason is that SGX doesn't do remotely the same thing that AMT and ME do. Code that uses SGX doesn't gain privileges it didn't have (in fact, it loses privileges even compared to normal usermode code). It can be scheduled/killed by the OS the same as any other user code, and the feature can be disabled wholesale via firmware (the processor will not shut down after 30 minutes like it does when ME is prevented from running). The code running in the enclave is also not encrypted; only data it generates at runtime is, so you can inspect it and decide whether you want to run it just fine. Kernels can't even use it directly, so I'm not sure how SGX helps anybody "make all the decisions for you".
In fact, SGX is probably the only way to get some semblance of a defense against compromised ME and SMM code. There's even a number of open source projects that use it (e.g. [0]). To be even more dramatic, not every acronym Intel comes up with is Pure Evil.
SGX, if they allow arbitrary code to be signed, is amazing. It enables remote trust. You could execute jobs "in the cloud" without anyone being able to see your data. You could write a known-correct coin tumbler or trading platform.
If it does only get locked to a few code authors, that would be a tremendous shame.
SGX is the ultimate DRM. Once SGX programs talk directly to monitors that support some HDCP-like protocol, it will be the end of ad/tracker blockers. Web pages will run in SGX land.
It's funny that the image of the CPU in the article is a P4-era socket 478 model, which AFAIK comes from a time when Intel ME didn't exist in its current form yet... somewhat like showing a late 80s vehicle in an article about hacking self-driving cars.
"Intel AMT SOL technology" - a most ironic acronym for this situation...
> Intel ME runs even when the main processor is powered off, and while this feature looks pretty shady, Intel built ME to provide remote administration capabilities to companies that manage large networks of thousands of computers.
So they exposed millions of consumer and business computers in order to satisfy a niche enterprise use case? Why is this not something that has to be manually turned on?
Intel ME has always sounded like a glaring security risk. Another operating system running in the background that can run its own network stack? This is 100% being exploited by intel agencies.
Maybe because everyone who had any clue knew since the beginning what ME was intended for. The only news here is that "wrong" guys used this backdoor (again, nothing unexpected).
An ARM CPU is just a core. SoCs probably do have this, pretty often. I know the Raspberry Pi's got a separate processor core running closed-source Broadcom software, and which has access to the system's memory.
I suspect that one can partially mitigate this risk by removing the network card from a laptop motherboard and using a USB network device that requires a software driver.
Intel AMT strikes again. I imagine this problem will only increase in the future, now that more malware creators know they can try to use this CPU backdoor (okay, this "totally-not-intended-for-bad-things and super-useful remote connection enterprise feature").
Exploiting vPro / AMT / any remote access mechanism from any chip maker is hardly a new idea.
AMT and AMD's equivalent (don't remember the name) have been a holy grail for security researchers and malware authors alike for many years. People have been begging Intel for a very long time to make business-tier chips without remote access capabilities.
For personal computing, at least we have enthusiast chips. For example, my i7 K model lacks the technology.
EDIT: AMD's remote tech is called Platform Security Processor (PSP). Thank you, jacquesm!
Is it a free proxy? Some asshole may have been using the proxy to scrape or DDoS the website perhaps? Or perhaps someone did various other nefarious things such as spam comments or harass people.
[+] [-] oneplane|8 years ago|reply
I probably posted something similar on https://news.ycombinator.com/item?id=11913379
Is it bad? Yes. Is it new? No. Is it ever reported on correctly? Also no.
[+] [-] julian_1|8 years ago|reply
[+] [-] mycall|8 years ago|reply
[+] [-] zkms|8 years ago|reply
[+] [-] rufugee|8 years ago|reply
The article said it comes disabled by default. Isn't this a verifiable way, or is the article incorrect?
[+] [-] endymi0n|8 years ago|reply
m(
[+] [-] annnnd|8 years ago|reply
Does anyone know about similar AMD vulnerabilities?
[+] [-] hellbanner|8 years ago|reply
How can the consumer stop someone from exploiting this hack?
[+] [-] ccrush|8 years ago|reply
[+] [-] johncolanduoni|8 years ago|reply
[0]: https://github.com/ayeks/TresorSGX
[+] [-] MichaelGG|8 years ago|reply
[+] [-] noja|8 years ago|reply
[+] [-] Paul-ish|8 years ago|reply
[+] [-] dom0|8 years ago|reply
[+] [-] siegecraft|8 years ago|reply
[+] [-] userbinator|8 years ago|reply
[+] [-] dmix|8 years ago|reply
[+] [-] JordanFrankfurt|8 years ago|reply
[+] [-] darksim905|8 years ago|reply
[+] [-] mental_|8 years ago|reply
[+] [-] kbart|8 years ago|reply
[+] [-] godmodus|8 years ago|reply
[+] [-] userbinator|8 years ago|reply
The former, probably not.
The latter probably have something similar --- and they're even less publicly documented than Intel ME/AMT or AMD's equivalent.
[+] [-] khedoros1|8 years ago|reply
[+] [-] Cieplak|8 years ago|reply
[+] [-] mtgx|8 years ago|reply
[+] [-] kakarot|8 years ago|reply
[+] [-] ComodoHacker|8 years ago|reply
[+] [-] krylon|8 years ago|reply
[+] [-] opportune|8 years ago|reply
[+] [-] goosh453|8 years ago|reply