Intel X86s Hide Another CPU That Can Take Over Your Machine

Megalith

This guy is on a mission to create an alternative for Intel’s Management Engine, which is claimed by some to be a huge security loophole and powerful rootkit mechanism. Being that it works independently, a compromised ME would be bad news because the rest of the system wouldn’t even know if it was even infected.

On systems newer than the Core2 series, the ME cannot be disabled. Intel systems that are designed to have ME but lack ME firmware (or whose ME firmware is corrupted) will refuse to boot, or will shut-down shortly after booting. There is no way for the x86 firmware or operating system to disable ME permanently. Intel keeps most details about ME absolutely secret. There is absolutely no way for the main CPU to tell if the ME on a system has been compromised, and no way to "heal" a compromised ME. There is also no way to know if malicious entities have been able to compromise ME and infect systems.
 
This started just after they bought TPM out on C2Ds. Guess what my travel laptop is powered by...
 
I knew right away this was a Megalith article.
OK. I will bite. Why do you say that? Is it because Megalith posts articles that appear to be FUD to you? Is he sleeping with your significant other? Is he an AMD fan? Are you lonely? These are all just uneducated guesses. Please tell us your thoughts.
 
Unless there's been a verified test case where this supposed "hidden cpu" has actually compromised a machine, it's a complete load of garbage.
 
Where is the link to the control software? Do I need a high dollar license key?
 
Maybe they made it so that it won't boot and can't be written to as a security measure? I can imagine it makes it a tad harder to compromise if the system won't boot if there's a change in the firmware (signature check) and can't be written to outside of the factory.

That would also explain why it's an Intel secret.
 
Does no one pay attention to anything? Intel hasn't done anything to obfuscate their management engine. It's been on the slides for every new Intel processor for 6 generations. Is it a potential security issue? Yes, but seeing as it's harder to exploit than the main CPU you're not likely to see that many exploits of it unless you're getting into espionage.
 
Now I hate to say this, but if there is no way to tell it is compromised or fix it, then I can only imagine compromising one is a ways off still.
 
Unless there's been a verified test case where this supposed "hidden cpu" has actually compromised a machine, it's a complete load of garbage.

I agree.

This started just after they bought TPM out on C2Ds. Guess what my travel laptop is powered by...

It's interesting that since the management engine has been around so long that people are just now starting to make a big deal about it.
 
Now I hate to say this, but if there is no way to tell it is compromised or fix it, then I can only imagine compromising one is a ways off still.

and if there's a gag order, there's no way for them to tell us it's been compromised.
 
Think using some sort of USB network device that isn't built into the motherboard and needs drivers to work would be enough to stop it from being accessible? Or is it smart enough to still make connections? Just wondering if there's some super easy way to stop it for the paranoid.
 
Uhm, last I checked, the ME needs to be enabled in BIOS and the driver needs to be installed in the OS for it to have ANY effect.
 
there is no other logical purpose for this
Maybe it is like some kind of KVM over network that can bring them out of power, change BIOS, etc. Just locked up tight unless u pay Intel the cashola and sign some magical papers.
 
I agree.



It's interesting that since the management engine has been around so long that people are just now starting to make a big deal about it.

Yeah it is weird about how people only just realized? I think most security experts would have been aware, or I'd hope so anyway.. We knew about it since mid 2000s as part of training courses I was in for Toshiba... I saw 'remote management' and all sorts of other pretty unusual things and realized this was a hardware backdoor...

Fairy dust
'It run on love'.. good old IGN 'praystation 3' article :D
 
OK. I will bite. Why do you say that? Is it because Megalith posts articles that appear to be FUD to you? Is he sleeping with your significant other? Is he an AMD fan? Are you lonely? These are all just uneducated guesses. Please tell us your thoughts.
I assume the clickbait title is the telltale sign.
 
OK. I will bite. Why do you say that? Is it because Megalith posts articles that appear to be FUD to you? Is he sleeping with your significant other? Is he an AMD fan? Are you lonely? These are all just uneducated guesses. Please tell us your thoughts.

If you don't know, I can't help you.
 
Well, ain't this a bag of dicks.

Or not. I don't know.
 
Well, this will be something I see if I can turn off in BIOS and go from there.
 
Uhm, last I checked, the ME needs to be enabled in BIOS and the driver needs to be installed in the OS for it to have ANY effect.

Correct, if you don't have a vPro enabled system -- at least in my understanding.

Maybe it is like some kind of KVM over network that can bring them out of power, change BIOS, etc. Just locked up tight unless u pay Intel the cashola and sign some magical papers.

AMT does enable a network KVM setup IF you have paid the extra for vPro to be enabled on an OEM machine (about $15 on a new Dell machine.. or if you get a new motherboard you have the choice to enable it without paying anything extra) then it will have some remote management capabilities - look up AMT and vPro for more information. On custom built Intel systems, I am pretty sure that you should have vPro/AMT available by default.

But even with vPro/AMT, you have to already have access to the network, have remote management enabled in the BIOS, know the IP that the remote management is set to, and know the password.

And even then, the computer has to already have AMT configured for it to be accessible. So unless you already manually set it up, then nobody can even try to get in that way.

Back when it first came about, it did have some vulnerabilities which were patched, so unless you are running a really old unpatched core 2 setup, then you really have nothing to worry about.

Here are some links with information about it, how to set it up, how it works, and about the old vulnerabilities.

Intel® Active Management Technology (Intel® AMT)

Intel vPro - Wikipedia, the free encyclopedia

Intel Active Management Technology - Wikipedia, the free encyclopedia

Intel(R) AMT SDK Implementation and Reference Guide

How to Remotely Control Your PC (Even When it Crashes)

Intel AMT backdoor enabled by default - Lenovo Community
 
There is really no way to compromise the ME unless you have physical access to the hardware anyway.

It takes packets out of and injects packets into any Ethernet device connected to the computer. If it is doing this, there is at least the potential for a remote threat.

That being said with RSA 2048 encryption, it's going to be a challenge - to say the least - for anyone trying to compromise it.

The NSA has probably tried though (if they weren't responsible for working with Intel in order to put it there in the first place)
 
Not this again. What the management engine does is widely documented.

The management engine is in the chipset, not CPU. AMD uses a similar scheme for management. While there are reasons to be theoretically concerned about it, no security researcher has found it doing anything unusual or even cracked it yet (in order to hack it). Maybe in another decade the tin foil hat powers will kick in. :p
 
Not this again. What the management engine does is widely documented.

The management engine is in the chipset, not CPU. AMD uses a similar scheme for management. While there are reasons to be theoretically concerned about it, no security researcher has found it doing anything unusual or even cracked it yet (in order to hack it). Maybe in another decade the tin foil hat powers will kick in. :p
It's what the Government uses to decipher what type of foil you use, aluminum or tin.

Outrageous!
 
Not this again. What the management engine does is widely documented.

The management engine is in the chipset, not CPU. AMD uses a similar scheme for management. While there are reasons to be theoretically concerned about it, no security researcher has found it doing anything unusual or even cracked it yet (in order to hack it). Maybe in another decade the tin foil hat powers will kick in. :p

It goes without saying that it would be beyond stupid for someone who places a backdoor in such a thing to be using it broadly. In the case of Stuxnet, how much of the exploit activity that made up Stuxnet was seen in the wild before the Stuxnet payload was used?
 
It goes without saying that it would be beyond stupid for someone who places a backdoor in such a thing to be using it broadly. In the case of Stuxnet, how much of the exploit activity that made up Stuxnet was seen in the wild before the Stuxnet payload was used?
none?
 