17

And also as an everyday user who mostly just surfs the web, are these risks a huge concern for me?

Edit: Also on the similar note, are there any substantial evidences of Intel or AMD purposely adding malware to their SMMs either for themselves or for the NSA?

APPLEBEES CINNAMON
  • 281
  • 2
  • 9
  • Related: [a very nice answer](https://security.stackexchange.com/a/129103/32746) (IMO) about ring levels which mentions Intel's IME and AMD's PSP. – WhiteWinterWolf Jul 04 '16 at 20:15

2 Answers2

7

The new Intel Core vPro processors contain a remote access feature that allows full remote access to a PC at any time, even if when the computer is turned off. As long as the power supply is available, the system can be woken up by the Core vPro processor, which is able to quietly turn individual hardware components on and access anything on them.

According to Mr Jonathan Brossard, a leading Security Research Engineer, "this is a feature that is documented and well understood" [...] There is absolutely no reason to believe this is being misused by NSA or whoever. So practically, the only thing preventing the usage of such 'features' is morality, which is proved multiple times to be lacking on the mentioned organization & Co.

Secret 3G Radio in Every Intel vPro CPU Could Steal Your Ideas at Any Time

Intel's 'Sandy Bridge' Chip to Include vPro Business Features

For the normal web user, there should be no problem, but it is highly likely that certain keywords will trigger events that will cause the listing of the system under 'to be investigated' category.

techraf
  • 9,141
  • 11
  • 44
  • 62
Overmind
  • 8,779
  • 3
  • 19
  • 28
  • 1
    Putting official organizations aside, vPro is a well documented 'feature' and parts of it, specifically intels TXT/TPM were proven to be bypass-able several times (i.e. blackhat2009, Invisible Labs: http://invisiblethingslab.com/resources/2011/Attacking_Intel_TXT_via_SINIT_hijacking.pdf ), in ways that had little to do directly with TXT. That means that we cannot exclude that other than the 'valid' parties may gain access to intel's ME completely. – Overmind Jun 29 '16 at 12:34
  • @Overmind Does Intel Management system and Intel Active Management Technology _only_ resides in vPro technologies? [WIkipedia says that it is so:](https://en.wikipedia.org/wiki/Intel_Active_Management_Technology]) "AMT is part of the Intel Management Engine, which is built into PCs with Intel vPro technology." But I can't open the source link for some reason. – APPLEBEES CINNAMON Jul 02 '16 at 04:01
  • Okay I don't mean that WIkipedia article really said that but It sounded to me that way... – APPLEBEES CINNAMON Jul 02 '16 at 04:12
  • Hello Samuel. Take a look here: http://www.tomshardware.com/reviews/vpro-amt-management-kvm,3003-6.html (pages 6-12). That should explain it. Basically, everything is part of what they call vPro. – Overmind Jul 04 '16 at 05:53
  • "*For the normal web user, there should be no problem, but it is highly likely that certain keywords will trigger events that will cause the listing of the system under 'to be investigated' category.*" -- The first part of this sentence seems to imply that IME isn't being used to monitor systems, while the second part of it seems to imply the opposite. Am I misunderstanding something? – Dolda2000 May 01 '17 at 15:37
  • The sub-system could be set up just like the old DOS interrupt. When an interrupt occurs, something happens. It can work by a similar manner with key words as interrupts. Makes sense ? – Overmind May 02 '17 at 09:23
4

As a complimentary answer, in terms of Intel, nobody really knows because, for one, thus far no one has been able to figure out the custom compression algorithm that's used for packing portions of the underlying on-die and on-board binaries used to drive this feature.

Compound that with the fact that attempts to dump shared libraries for the code, including some elusive binary that implements core functions such as memcpy and such yields nothing when you try, and we're all completely blind and in the dark. It's there, but not when you to try to get at it.

Here are some quotes from this article:

With a trusted processor connected directly to the memory, network, and BIOS of a computer, the ME could be like a rootkit on steroids in the wrong hands. Thus, an exploit for the ME is what all the balaclava-wearing hackers want, but so far it seems that they’ve all come up empty.

With regards to who's working on it, and problems faced:

The best efforts that we know of again come from [Igor Skochinsky]. After finding a few confidential Intel documents a company left on an FTP server, he was able to take a look at some of the code for the ME that isn’t in the on-chip ROM and isn’t compressed by an unknown algorithm. It uses the JEFF file format, a standard from the defunct J Consortium that is basically un-Googlable. (You can blame Jeff for that.) To break the Management Engine, though, this code will have to be reverse engineered, and figuring out the custom compression scheme that’s used in the firmware remains an unsolved problem.

Another quote that points out the fact that since we cannot see the code, we have true idea of just how bad this could be:

There are many researchers trying to unlock the secrets of Intel’s Management Engine, and for good reason: it’s a microcontroller that has direct access to everything in a computer. Every computer with an Intel chip made in the last few years has one, and if you’re looking for the perfect vector for an attack, you won’t find anything better than the ME. It is the scariest thing in your computer, and this fear is compounded by our ignorance: no one knows what the ME can actually do. And without being able to audit the code running on the ME, no one knows exactly what will happen when it is broken open.

Emphasis mine.

There are websites set up for people who want to work on the problem of figuring out the unknown compression algorithm. One such example is http://io.netgarage.org/me/.

Your best bet for finding tools that enable you to start getting your hands on at least portions of the firmware will be to Google "Igor Skochinsky". You can view his Github account to find what he has published.

All that said, I'm going to try and find my old dual pentium III system and go back to the stone age I guess. :)

Edit

The GNU LibreBoot project also has an extensive write up about the Intel ME as well here. It's worth a read. Here's a snippet that sums up their views:

The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can't be ignored.

For completeness, the LibreBoot project also has a write up about AMD Platform Security Processor, the AMD branded back-door version of Intel's ME. You can find that here. Again, a quote summarizing their opinions on the matter:

In theory any malicious entity with access to the AMD signing key would be able to install persistent malware that could not be eradicated without an external flasher and a known good PSP image. Furthermore, multiple security vulnerabilities have been demonstrated in AMD firmware in the past, and there is every reason to assume one or more zero day vulnerabilities are lurking in the PSP firmware. Given the extreme privilege level (ring -2 or ring -3) of the PSP, said vulnerabilities would have the ability to remotely monitor and control any PSP enabled machine. completely outside of the user's knowledge.

  • 1
    @WhiteWinterWolf I believe AMD has a similar feature, just not sure if they went so far as to embed a secret 3G chip on-die. –  Jun 30 '16 at 17:22
  • @WhiteWinterWolf updated answer to include more resources, specifically about AMD. –  Jun 30 '16 at 17:26
  • *"The widespread availability of 3G and emerging 4G cellular-based wireless broadband networks enables digital signage to be deployed virtually anywhere"*, it can used by *"technicians who monitor and manage displays centrally from a remote console [...] even when the operating system is down [...] Intel AMT includes a feature called KVM redirection over Internet Protocol (IP), permitting the keyboard-video-mouse (KVM) for an IT console to control and display the graphical user interface (GUI) of signage systems in the field. No additional hardware is required."* – WhiteWinterWolf Jul 01 '16 at 08:45
  • 1
    This is not FUD, trolling or rumors, this is directly extracted from an official [white paper from Intel itself](http://www.intel.com/content/dam/doc/white-paper/digital-signage-vpro-amt-3g-paper.pdf)... – WhiteWinterWolf Jul 01 '16 at 08:46
  • @WhiteWinterWolf yeah it's pretty amazing. I was somewhat aware of it before, but after researching all of this and telling a long time friend about it the other day, I mentioned how I probably sound as if I've lost my mind, gone crazy with paranoia. Unfortunately not, this is very true and very real. I was kidding but not really kidding when I insinuated that I'm looking to toss out my current computers and replace them with something else. –  Jul 01 '16 at 10:16
  • @WhiteWinterWolf It's clear from Figure 2 of the linked white paper that it is not talking about 3G on-chip, but rather 3G via an external modem. (This doesn't exclude the possibility that there may be a remotely accessible backdoor, and personally I don't trust that AMT thingy as far as I can throw it, but the paper does not provide any direct evidence of such.) – Daira Hopwood May 02 '17 at 21:12