back to article Researchers promise demo of 'God-mode' pwnage of Intel mobos

Security researchers say they've found a way to exploit Intel's accident-prone Management Engine, and will reveal the problem at Black Hat Europe in December. Positive Technologies researchers say the exploit “allows an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard via Skylake …

  1. whitepines
    FAIL

    Keep hearing more and more of this. AMD likely has similar issues waiting in the wings once the PSP (AMD's ME analogue) comes under scrutiny.

    Wonder what it'll take before people not stuck using Windows finally switch to something other than the x86 duopoly?

    1. Anonymous Coward
      Anonymous Coward

      How is this an x86 problem? Corporate users demand this sort of "lights off" remote management capability, and if they were using ARM PCs that provided the same features there's nothing special about ARM that would prevent the same problems.

      It is down to poorly written software, but even well written and highly audited software sometimes has security issues found in it. Programmers only have to screw up once to leave a hole open.

      Complain to your vendor if they don't offer a way to disable the functionality in EFI.

      1. whitepines
        Flame

        It becomes an x86 problem because the two x86 vendors:

        * Made its use mandatory (i.e. it can't be completely turned off or even have its firmware replaced outside of an official update from Intel/AMD).

        * Gave it the highest possible privilege level in the system.

        Furthermore, in a more general sense, both of these vendors misled consumers about "Disable" (hint: it's integral to both the platform and various DRM schemes). "Disabled" in the EFI interface just means "running in the background without advertising itself to the OS". There is no way to disable it on x86 platforms, whereas e.g. ARM allows an individual with proper access to disable / replace the TrustZone firmware and platforms like OpenPOWER keep the BMC as a separate, open-source compatible component without an elevated system privilege level.

        Like it or not, this is an x86 specific problem, and it all comes down to both sides of the duopoly deciding that DRM was more important than your security. This probably won't even make a dent in their consumer sales, so from a business POV it's a smart move.

        1. Anonymous Coward
          Anonymous Coward

          trusted computing platform

          "it all comes down to both sides of the duopoly deciding that DRM was more important than your security. "

          Yep. That's what "trusted computing" has meant in recent years. It didn't mean that the apparent 'owners' and 'users' of the system could trust it to not misbehave. It did mean that the DRM-dependent 'high value content rights owners' and their friends/puppets, whose interests are diametrically opposite to those of the the people who *thought* they owned and controlled their own computer systems, thought they could trust that their high value content was safe.

          1. whitepines

            Re: trusted computing platform

            Exactly! What really surprises me though is people that should know better that just keep on going for the most convenient thing, even though it means loss of privacy and more expense later on to buy new "fixed" hardware that'll even then only be reasonably secure for another year or two.

            Then again, the number of people that apparently don't care about W10's maximum telemetry setting enough to actually change it is quite unsettling....

        2. Steve K Silver badge

          Asus?

          For my server board (Asus Z10PA-D8) this note is published on AMT.

          They say "ASUS server product is not featured with Intel Active Management Technology(AMT)."

          Does this mean that Asus have already disabled/blocked it in Firmware - or is their statement not strictly correct?

          1. whitepines

            Re: Asus?

            Intel AMT is an optional module that runs on the ME. You still have the ME, but dodged a bullet with your current hardware because it's an older ME version that doesn't (yet) have a public "God-mode" exploit.

            1. Steve K Silver badge

              Re: Asus?

              Thanks

        3. Phil Endecott

          > ARM allows an individual with proper access to disable / replace the

          > TrustZone firmwar

          Could you give a practical exmple of that? I have numerous ARM systems, and all of the modern ones seem to include some signed binary blobs in the boot process.

          1. whitepines

            Applied Micro X-Gene, NXP QoriQ, Raspberry Pi 3, etc. Not everything is a phone...

            The difference is that, unlike x86, you can choose to purchase hardware where you are actually in control. It's not a magic guarantee that all ARM hardware puts you in control, just that options exist.

            1. Phil Endecott

              > Applied Micro X-Gene

              I have one of those in a Gigabyte motherboard, and it has at least three poorly-documented auxilliary processors running code that I don't have source for.

              I don't have a QoriQ or a RPi3 so I can't comment on those.

              1. whitepines

                Good to know. The X-Gene was recommended by a colleague but I've never actually tested one. The Qoriq I can vouch for though; built the firmware for it from source (i.e. with the proprietary network controller disabled).

    2. whitepines

      Why all the downvotes? Lots of Intel employees / shareholders on this forum? :-S

      Before downvoting, why don't you take a deeper look into the ME and the PSP. You might not like what you see (even the "disable switch" linked earlier doesn't prevent this new attack, BTW)...

  2. MrDamage

    Cue the DMCA gag order/lawsuit

    In 5, 4, 3, 2, 1....

  3. Anonymous Coward
    Anonymous Coward

    well, it does look pretty serious ...

    Para. 3 rendered thus ...

    Intel Management Engine (ME), a microcontroller that handles much of the communication between the processor and external devices, hit the headlines in May 2017 due to a target="_blank" rel="nofollow" href="https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/">security concerns regarding the Active Management Technology (AMT) that runs on top of the engine.

    or maybe that's just /my/ internet connection playing down again ...

  4. Anonymous Coward
    Big Brother

    Attacker could login with an empty password field

    "It later emerged that AMT had a simple authentication error: an attacker could login with an empty password field."

    By any chance, did the NSA help them write the code?

    1. Anonymous Coward
      Anonymous Coward

      Re: Attacker could login with an empty password field

      nope, even they wouldn't make it that bloody obvious and easy.

  5. TrumpSlurp the Troll
    Linux

    On the motherboard

    Independent from the OS and present in different forms for AMD and Intel.

    So even the Magic Penguin (other anthropomorphic OS icons are available, just not here) cannot save us!

    Hang on, the bad stuff on the bad processor is being run by Penguins (or close relatives). Woes!

  6. Anonymous South African Coward Silver badge

    Am I naive to think that if you stick said (vulnerable) server behind a firewall, you should be OK until the ne'er-do-well gain physical access to your LAN and start gefingerpoken your servers then?

    1. whitepines

      Does your firewall have known backdoors (cisco, et al)? Does it, perchance, use an x86 processor with a vulnerable ME (i.e. more firewalls than you might think)? Do you use Windows (especially W10)?

      If you can answer no to all of those questions, you might have a chance so long as no other box on the internal network is ever hacked. In all honesty though, if this is as big as it could be, it's time to get new hardware. Think long and hard as to whether you need x86 (or modern x86) when replacing it...

  7. MacroRodent Silver badge

    Actually, it is standing on a turtle

    > when Intel switched Management Engine to a modified Minix operating system, it introduced a vulnerability in an unspecified subsystem.

    This is where it goes seriously pear-shaped. They are treating the ME like yet another general purpose computer, running a general-purpose OS, with general-purpose bugs... Pretty soon it will have a sub-ME of its own (it's ME's all the the way down).

    Whereas it should have had a minimal OS, with minimal applications, reviewed, tested and static-analyzed to hell and back, like some space probe controller software.

    1. Roo
      Windows

      Re: Actually, it is standing on a turtle

      "This is where it goes seriously pear-shaped. They are treating the ME like yet another general purpose computer, running a general-purpose OS, with general-purpose bugs..."

      The 'console' being a fully fledged machine running it's own OS has been a thing for many decades now (common on big iron), sometimes it was a very handy thing to have. IMO it went pair shaped when that 'console' widget got hooked up to cables carrying random traffic.

      It would be nice if Intel had all the bootstrap for that console widget on a physically replaceable flash device - so customers could actually have control over their own machines for a change. :)

      1. whitepines

        Re: Actually, it is standing on a turtle

        Well, technically it is on a replaceable Flash device, the problem is that the CPU / PCH requires the firmware stored on that Flash device to carry a valid Intel cryptographic signature. Furthermore, you can't just delete the firmware since it's integral to system boot (the x86 CPU literally won't come out of reset without it).

        If you want this level of control, the new POWER9 systems that are being released this year use essentially the proposed scheme. There might be a couple of ARM systems too, not sure. If you need x86 though, you're kind of stuck just living with the security problems -- rumor has it that even Google couldn't get Intel to provide chips without mandatory signed ME firmware....

        1. Roo
          Windows

          Re: Actually, it is standing on a turtle

          "Well, technically it is on a replaceable Flash device, the problem is that the CPU / PCH requires the firmware stored on that Flash device to carry a valid Intel cryptographic signature"

          That rather misses the point, the point is to reduce the complexity and return full control of what boots back to the customer. It's about having a choice - and not having to put blind faith in a very complex setup that is known to be vulnerable until the day you decide to re-purpose that box as a boat anchor.

          Ideally all the bootstrap would do is load a few bytes off the flash and execute them. The customer, if they chose, could then put some signature verification code in for bootstrapping the main CPU.

          There is nothing stopping Intel et al from providing a flash drive with their current crapware installed gratis. That would give the folks who give a toss a chance to fix the hardware - and of course for Intel it gives them an easy out should they ship broken by design bootstraps in the future.

          1. whitepines

            Re: Actually, it is standing on a turtle

            Yeah, I was being pedantic on purpose. Agree pretty much 100% with the rest of this. Intel and AMD will never allow it though since by the design of their systems allowing this level of control would make their DRM basically ineffective.

            I assume you've seen Talos II? That machine does all of this but it's not x86...

            1. Roo
              Windows

              Re: Actually, it is standing on a turtle

              "I assume you've seen Talos II? That machine does all of this but it's not x86..."

              That's news to me, but as fun as POWER boxes are ... I just want vendors to wind back the clock to the 70s and give us machines that don't have a billion lines of crapware baked into the bootstrap. :)

  8. StargateSg7

    THIS IS WHY my company and ME! runs our custom-designed and burned hardware!

    We do ALL the chipbuilding OURSELVES! including custom CPU/GPU/DSP/MCU hardware!

    Our own motherboards, our own network chips and IP4/IP6/Ethernet/ATM/SONET stacks,

    our own driver controller chips, own drivers, own BIOSes, own comms protocols,

    own firewall/gateway/router hardware/software systems and custom built

    anti-virus/anti-malware hardware and software own NON-LINUX-based

    operating systems and custom file systems that are high-bit-length

    Shor's Algorithm resistant encrypted! We even have our own SQL

    engines and JAVA/HTML/PYTHON interpreters and Assemblers

    and Compilers ! There is NOTHING that is third party! We even

    make our OWN power supplies, small and large capacitors and

    other micro-circuitry! YES! we are NOT a normal company and

    NO ONE ELSE could do what we do because they DO NOT HAVE

    our COMPLETE AND ALL IN-HOUSE expertise in LOW-LEVEL

    hardware and software design and manufacturing!

    ...BUT... we aren't normal people to begin with! We are BEYOND paranoid!

    Sucks to be You!

    1. Mindfart

      Bet you always knew you were special, with all those people telling you.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021