Am I right in understanding that ALL Intel based computers are now a huge security risk?
It's really puzzling that Intel would risk the entire company to include features like this. Even if the NSA said "we demand it", surely this is possibly the end of Intel being a trustable computing platform?
The deeper question being, how can any cloud based program know that it is running on a computer safe from such snooping? Is there any possible way or do we just need to give up on that idea forever and assume that what runs on someone elses computer might be monitored and nothing can be done about it.
My experience with JTAG (and it's been a little while since I've used it) is that the device clock must be stopped before you can read the instrumented flip-flops. This is because they're serialized together, meaning you shift them out of the device one at a time using a special JTAG clock signal. You can use JTAG to essentially get a view of the device's state at the moment you stop the clock, but if you keep the clock running you get a trashed device state as you shift the flop values through the serialized chain. (You can also shift values back in and restart the clock, but this may or may not work depending on how many flops you can access via the JTAG chain.)
In other words, I'm not sure how you can use this to modify running devices without being able to stop the clock first. Is this something that JTAG supports now?
I expect a message from Intel that it was bad idea to place ME in the CPU and that in the future Intel would not do such things ... but that would be only a PR bullshit.
First thing Intel would do is to implement/create new ME-like thing, maybe on other arch like ARK before and hide it little more.
Then finally someone would find it anyway in a few years and let others know about it ...
I hope somebody dumps all the code from CSME and reverse engineers it to a higher level language next. I'm sure few more surprises can be expected to be found.
It's a very common way for such "hacking" events. Finally getting through PlayStation X, iPhone Y or whatever security is often shown through a screen shot like this. Proper explanation and details come later.
Regarding Intel ME/AMT: how does it work when the computer is powered off? On a wired network, I imagine some system which stores the nearest switch's port connected to that machine, and you could send some sort of signal which powers things up. But even that seems, impossible? I guess it's not unlike hitting the power button; you're just sending an electrical signal to the computer which makes it start. The path of that signal is unimportant.
Regardless of AMT there is standard protocol to remotely wake computers over ethernet (since mid-90's or so). NIC that supports it can be powered from 5Vsb and in that mode listens for specially formatted ethernet frame (format is somewhat configurable, but by default it consists of several repetitions of NIC's MAC in payload, actual destination MAC is unimportant as long as the frame passes through configured receive filters) which causes it to pull down wire going into motherboard's power management logic (and thus causing the same thing as pressing power button). This usually has to be enabled by BIOS and thus does not work in S0 (as is the case for almost all wakeup sources except physical power button, which is usually wired such that it unconditionally shorts PSU's PS_ON wire to ground and does not need any software configuration to cause wakeup). Probably all onboard NICs support this and for PCI cards this requires additional cable between NIC and motherboard, PCIe includes required wires as pins B10 and B11 (with 3.3V instead of 5V and with active detection that inserted card is actually capable of generating wakeup events).
If I correctly understand how AMT works then it implements it's own mechanism with similar purpose inside ME firmware, which with AMT enabled remains active even in S5.
which acces does it have? is it a tty to minix with root login? or did intel at least protected it for whichever is the agency that requested that with a "zero day" local privileged escalation? ;)
We see full read access to the hidden and protected 0xf008 pages, so you can dump the kernel and all running minix processes. The kernel is not interesting, but the processes are.
[+] [-] hoodoof|8 years ago|reply
It's really puzzling that Intel would risk the entire company to include features like this. Even if the NSA said "we demand it", surely this is possibly the end of Intel being a trustable computing platform?
The deeper question being, how can any cloud based program know that it is running on a computer safe from such snooping? Is there any possible way or do we just need to give up on that idea forever and assume that what runs on someone elses computer might be monitored and nothing can be done about it.
[+] [-] _pmf_|8 years ago|reply
Intel's large scale customers wanted this feature. To Intel, it has been a net asset instead of a liability, and maybe this will still hold up.
[+] [-] brians|8 years ago|reply
[+] [-] spchampion2|8 years ago|reply
In other words, I'm not sure how you can use this to modify running devices without being able to stop the clock first. Is this something that JTAG supports now?
[+] [-] ericseppanen|8 years ago|reply
Even though it's run over the same wires, it's a separate protocol from the hardware JTAG probe you describe.
[+] [-] vermaden|8 years ago|reply
First thing Intel would do is to implement/create new ME-like thing, maybe on other arch like ARK before and hide it little more.
Then finally someone would find it anyway in a few years and let others know about it ...
"History does not repeat itself, but it rhymes."
[+] [-] tux1968|8 years ago|reply
https://www.digitaltrends.com/computing/intel-kaby-lake-skyl...
[+] [-] anitil|8 years ago|reply
[+] [-] hoodoof|8 years ago|reply
[+] [-] tty7|8 years ago|reply
[+] [-] rasz|8 years ago|reply
http://www.tomshardware.com/news/mantistek-gk2-collects-type...
but invisible and undetectable
[+] [-] kbart|8 years ago|reply
[+] [-] m0d0nne11|8 years ago|reply
[+] [-] nolok|8 years ago|reply
[+] [-] snake_plissken|8 years ago|reply
[+] [-] dfox|8 years ago|reply
If I correctly understand how AMT works then it implements it's own mechanism with similar purpose inside ME firmware, which with AMT enabled remains active even in S5.
[+] [-] wmf|8 years ago|reply
[+] [-] myself248|8 years ago|reply
[+] [-] codedokode|8 years ago|reply
The article doesn't have many details though.
[+] [-] pedro84|8 years ago|reply
[+] [-] frabbit|8 years ago|reply
[+] [-] vsviridov|8 years ago|reply
[+] [-] exikyut|8 years ago|reply
I can see use-cases for it, but good luck convincing the W3C.
[+] [-] amiga-workbench|8 years ago|reply
[+] [-] zeep|8 years ago|reply
[+] [-] mkempe|8 years ago|reply
Intel has put CSME and DCI in all (?) their chips since 2015. Skylake was announced in 2014, launched in 2015.
[+] [-] monochromatic|8 years ago|reply
[+] [-] yo-code-sucks|8 years ago|reply
[deleted]
[+] [-] gcb0|8 years ago|reply
[+] [-] rurban|8 years ago|reply
[+] [-] 69yeeboi69|8 years ago|reply
[deleted]