74
Root
5y

I'm getting ridiculously pissed off at Intel's Management Engine (etc.), yet again. I'm learning new terrifying things it does, and about more exploits. Anything this nefarious and overreaching and untouchable is evil by its very nature.

(tl;dr at the bottom.)

I also learned that -- as I suspected -- AMD has their own version of the bloody thing. Apparently theirs is a bit less scary than Intel's since you can ostensibly disable it, but i don't believe that because spy agencies exist and people are power-hungry and corrupt as hell when they get it.

For those who don't know what the IME is, it's hardware godmode. It's a black box running obfuscated code on a coprocessor that's built into Intel cpus (all Intell cpus from 2008 on). It runs code continuously, even when the system is in S3 mode or powered off. As long as the psu is supplying current, it's running. It has its own mac and IP address, transmits out-of-band (so the OS can't see its traffic), some chips can even communicate via 3g, and it can accept remote commands, too. It has complete and unfettered access to everything, completely invisible to the OS. It can turn your computer on or off, use all hardware, access and change all data in ram and storage, etc. And all of this is completely transparent: when the IME interrupts, the cpu stores its state, pauses, runs the SMM (system management mode) code, restores the state, and resumes normal operation. Its memory always returns 0xff when read by the os, and all writes fail. So everything about it is completely hidden from the OS, though the OS can trigger the IME/SMM to run various functions through interrupts, too. But this system is also required for the CPU to even function, so killing it bricks your CPU. Which, ofc, you can do via exploits. Or install ring-2 keyloggers. or do fucking anything else you want to.

tl;dr IME is a hardware godmode, and if someone compromises this (and there have been many exploits), their code runs at ring-2 permissions (above kernel (0), above hypervisor (-1)). They can do anything and everything on/to your system, completely invisibly, and can even install persistent malware that lives inside your bloody cpu. And guess who has keys for this? Go on, guess. you're probably right. Are they completely trustworthy? No? You're probably right again.

There is absolutely no reason for this sort of thing to exist, and its existence can only makes things worse. It enables spying of literally all kinds, it enables cpu-resident malware, bricking your physical cpu, reading/modifying anything anywhere, taking control of your hardware, etc. Literal godmode. and some of it cannot be patched, meaning more than a few exploits require replacing your cpu to protect against.

And why does this exist?
Ostensibly to allow sysadmins to remote-manage fleets of computers, which it does. But it allows fucking everything else, too. and keys to it exist. and people are absolutely not trustworthy. especially those in power -- who are most likely to have access to said keys.

The only reason this exists is because fucking power-hungry doucherockets exist.

Comments
  • 8
    I knew about the exploits but what in the fuck!

    Got a source, Or you going to make me look for it?

    Never mind, I got that sick feeling just reading this.

    ---
    It is normally not possible for the user to disable the ME. Some undocumented methods to do so were discovered, however.[39] These methods are not supported by Intel. The ME's security architecture is designed to prevent disabling, and thus its possibility is considered by Intel to be a security vulnerability.

    Strictly speaking, none of the known methods disables the ME completely, since it is required for booting the main CPU.
    ---

    Can't turn it off even if I wanted too, the fucker won't boot without it on.
  • 5
    @C0D4 Just closed them out of disgust.

    But they're easy to find; it's even on wikipedia under "Intel Management Engine" and "Ring -3 keylogger." Other search terms include "Trust Zone" and "AMD Platform Security Processor"

    Also one from Phoenix technologies on uefi.org -- it talks about the SMM a little. I still have that one open: https://uefi.org/sites/default/...
  • 4
    @Root yea I went digging for an off switch... that ended quickly.
  • 9
    @C0D4 There's an "HAP bit" that enables a stealth mode for NSA agents, which turns off most of the IME features. It's supposed to only exist on chips for e.g. government orders, but it seems to exist on all chips, or did at least.

    Apparently the Libre line (and System76's laptops) have this enabled! Yay, some good news!
  • 4
    Also of interest:

    Description: https://it.slashdot.org/comments.pl...

    Disabling/'Removal': https://github.com/corna/...
  • 7
    @Root the more I read the more I want to throw my cpu in the bin.
  • 0
    @C0D4 Yep. 😕
  • 4
    @Root but then I can't go to AMD, it has the same problems 🤷‍♂️fuck this world some days.
  • 3
    It gets even funnier.
    1. There are more "engines": A "feature engine" exists on Intel processors as well, and nothing is known about it (besides it providing "features", duh!).
    2. The ME is well known compared to the AMD equivalent.
  • 3
    The new Pixel 4 phones have something very similar, too -- the Titan M "security chip." Running Google code, of course. It's the very reason I didnt buy the phone.
  • 3
    Disturbing..
  • 2
    @Root, @C0D4 & @sbiewald

    You think we can evade the very state intelligence backbone?
    ='D

    The very cause of our intentions to do so, these were invented.
    And they're way deep in all architecture. Just watch the RSA and randomization algorithms tinkered by' patent industry' and state agencies.

    The more we try to evade 'em, the more we grow suspicious and are ranked weak for investions-, consumer- & social scales.

    Such would be ok to me. But for the individual, its just tiresome.
    Really really tiresome.
  • 7
    Just to add:

    intel ME is a unix-based processor's OS. It slices a bit of RAM and operates in encrypted mode [if I recall it correctly], which rules necrodigging DIMMS useless.
    And IMO it is a good thing that user's OS does not have access to it. Otherwise it would be an open invitation for invisible RATs.

    I cannot comment whether I see it as a good or a bad thing as I don't know what it does. Proprietary code...
    If it is helpful to patch cpus' bugs - sure, why not. Tho IDK why does it need its own network stack...

    On the other hand, even with separate stack it still has to obey networking protocols, at least ethernet and IP. I have not seen any new devices in my router's log since '16. And my router's soft preserves once-seen entries.
  • 1
    @netikras It's MINIX, Tanenbaum's Microkernel OS. I heard he was surprised as Intel did not tell him.

    Wouldn't it be even better if ME did not exist at all, especially since it only seems to provide a benefit for enterprise customers?
    The microcode patches could be installed w/o ME (as people have stripped most of it).
  • 0
    @sbiewald idk.. Would it be better if the GRGDO organization did not exist?
  • 1
    @C0D4 If you disable the ME completely (besides the initial "start CPU"), the CPU will automatically shutdown after 30 minutes because it cannot reach the management engine.
  • 0
    Do you know if a similar thing exists on ARM?
    The rise of ARM and RISC V is in progress... maybe it's worth to move the platform soon.
  • 2
    Well, time to build our own cpus...
  • 2
    @PonySlaystation OK, apparently on ARM it's called TrustZone, but it is only on some chips or embedded in the firmware.
    Fuck this shit. I'm moving to RISC V.
  • 1
    @sbiewald yea, spotted that when looking at me_cleaner

    https://github.com/corna/...

    This may work if someone wants to attempt not bricking there cpu.
  • 3
    And this, among many other reasons, is why prime factorization has to be broken.

    Break all the things.
  • 4
    The IME accepts code signed with a trusted Intel key. Find the key, and you can overwrite all but the boot sequence with noops.

    Help us, @Wisecrack!
    You are our only hope!
  • 2
    Huh, I just got linked a bunch of slides on this in one of the discords I'm part of. Fun times...
  • 2
    @Root

    Shit, I hope not, we're probably doomed!
  • 1
    Top tier fear mongering
  • 1
    @Khepu Truth though.
Add Comment