11 replies to this topic

[alacran]

NOTE:

This is a very risky procedure, and you may brick your PC.

 

I have just found this, and I think you should read it:

 

Source: https://hothardware....1-thanks-to-nsa

 

Here's How To Disable Intel Management Engine And Slam Its Alleged Security Backdoor Shut

 

A team of researchers from Positive Technologies have dug into the innards of Intel Management Engine (ME) 11 and have found a way to turn the feature off. If you aren't familiar with ME, it's a separate processor that is tucked away inside Intel CPUs that allows companies to manage the computers on their networks. Essentially, it allows the IT team to get into your machine to fix issues or apply updates among other things. The catch is that ME 11 is essentially a backdoor leaving some concerned about potential security exploits and privacy concerns.

That fact has left many people who use Intel CPUs and have no need for that feature unhappy that a potential backdoor is in their system. This is where Positive Technologies comes in with its discovery of an undocumented mode (to partially disable ME) and the fact that it is connected with the High Assurance Platform (HAP) program. Positive Technologies does warn people that following these steps could damage your PC.

If you want to follow the steps anyway, the researchers put the utility needed on GitHub. Once that software is unpacked, you can begin the process or turning off ME 11 with another tool the team provides, called ME Cleaner. One bit of warning is that you cannot completely turn this off. ME is part of the boot process and required for launching of the main processor.

Positive Technologies wrote, "The disappointing fact is that on modern computers, it is impossible to completely disable ME. This is primarily due to the fact that this technology is responsible for initialization, power management, and launch of the main processor. Another complication lies in the fact that some data is hard-coded inside the PCH chip functioning as the southbridge on modern motherboards."

Intel provides motherboard makers with a tool so they can program some limited functionality for ME including a Flash Image Tool (FIT) and a Flash Programming Tool (FPT). While not provided to end users, they are said to be freely available on the internet. 

The full post by the researchers over at Positive Technologies is very technical and at it's core, the team found that there is a hidden switch in the firmware code for ME and when set to "1" it will turn off ME after the computer is booted up and the ME component in the boot sequence are no longer needed. The bit is called "reserve_hap" and is described in the code as "High Assurance Platform" (HAP) enabled, reports BleepingComputer.

The bit was reportedly added at the request of the NSA for PCs running in highly secure environments. Intel did confirm the kill switch for ME, telling the researchers, "In response to requests from customers with specialized requirements we sometimes explore the modification or disabling of certain features. In this case, the modifications were made at the request of equipment manufacturers in support of their customer’s evaluation of the US government’s 'High Assurance Platform'program. These modifications underwent a limited validation cycle and are not an officially supported configuration."

 

alacran

[Wonko the Sane]

 

The full post by the researchers over at Positive Technologies is very technical and at it's core, the team found that there is a hidden switch in the firmware code for ME and when set to "1" it will turn off ME after the computer is booted up and the ME component in the boot sequence are no longer needed. 

 

Which is here:

http://blog.ptsecuri...g-intel-me.html

(already posted yesterday, just for the record):

http://reboot.pro/to...ix-os/?p=204765

 

Wonko

[Wonko the Sane]

Some fresh news (INTEL-SA-00086):

 

https://security-cen...anguageid=en-fr

 

 

 

 Description: 

In response to issues identified by external researchers, Intel has performed an in-depth comprehensive security review of its Intel® Management Engine (ME), Intel® Trusted Execution Engine (TXE), and Intel® Server Platform Services (SPS) with the objective of enhancing firmware resilience.

As a result, Intel has identified several security vulnerabilities that could potentially place impacted platforms at risk. Systems using ME Firmware versions 11.0/11.5/11.6/11.7/11.10/11.20, SPS Firmware version 4.0, and TXE version 3.0 are impacted.

 

Place to keep an eye on:

https://www.cs.cmu.e.../bad_thing.html

 

Wonko

[Brito]

Thanks for sharing. Really interesting material, kind of beats down the whole argument of "It can't work without it".

 

[Wonko the Sane]

Thanks for sharing. Really interesting material, kind of beats down the whole argument of "It can't work without it".

 

Yep, but the other news are that not only it is a largely undocumented and likely suitable to infection/bad use subsystem, it is also not (at the moment) usable for (legit) purposes.

 

Once seen how the new UEFi paradigm (that notwithstanding the utter stupidity of its implementation had some potentialities) is seemingly deemed to be an unused for practical purposes added layer of complexity as no programmer (with the exception of Akeo  ) is seemingly interested in writing native, useful programs for the UEFI environment, the IME could be a possible target since after all it runs Minix

http://hexus.net/tec...uns-minix-3-os/

https://www.networkw...s-to-intel.html

 

and, being in Ring-3, has access to "everything", and of course porting to minix tools developed for *nix/Lunux should be a breeze, and the (good) Google guys are trying to do exactly that, see the linked to .pdf:

https://schd.ws/host... with Linux.pdf

 

Having available "natively" a shell and common commands with access to the hardware with the code independent from mass storage devices would represent a very useful solution for - besides multibooting - every kind of recovery processes without the *need* of booting from external media, and also an "instant on" OS of sorts...

 

Wonko 

[Brito]

MECleaner doesn't interact with the partition, it builds a modified partition from a given image that you have acquired and then you still have to flash back the image by yourself.

 

More details: https://github.com/c...w-does-it-work?

 

It could be interesting to run these secret UEFI partitions inside an emulator, to them make them talk with the network and check if the other CPU/OS could detect the network activity (or not). Otherwise it is a perfect stealth way to check what you are doing that no security product can reach from within the main OS.

 

[Brito]

The purpose of the emulator is like one of those sand farms for ants where you can see the internals in full detail.

Otherwise with real hardware you are merely looking at where the ants enter/exit.

 

 

The UEFI partition is merely containing the hidden files for the Minix OS.

 

I'm doubting that only the standard TCP/IP format is used for communication over that "friendly" CPU, we might be discovering even more as this topic takes the spotlight in security. Let's see.

[Wonko the Sane]

No, the "hidden UEFI partition" is in some parts of the flash memory where the Minix is "embedded", it is a "partition on chip" (indexed through a slightly differently partition table structure than usual):

 

https://github.com/c...w-does-it-work?

 

http://me.bios.io/ME...ion_descriptors

 

Wonko