Intel x86s hide another CPU that can take over your machine (you can't audit it)


#1

[Read the post]


#2

Does AMD also implement this nonsense?


#3

Sigh. When are we going to stop seeing this canard bandied about? Yes, I know, it’s an article of some people’s religious faith, but that doesn’t make it true. Heartbleed, shellshock, freak… The list of security flaws in open source software that went unnoticed for years, even decades, is long and getting longer.

Open source is no better than closed source at fixing security flaws. Arguably it is worse, to the extent that OSS is coded by volunteers, so there is nobody whose paycheck depends on finding and fixing flaws.

Millions of eyes have no effect on the depth of bugs because finding security flaws is hard, un-fun work, and nearly all those eyes are volunteers doing things they enjoy… Which does not include auditing code for security holes. Only security researchers and hackers do that kind of thing for fun, and there aren’t enough of them to audit all the code that needs auditing.

Security through obscurity is stupid, and Intel should know better. But creating a FOSS alternative will not help. It will, rather, hurt, because then there will be two bundles of software (intels and the OS alternative) that need to be checked for security holes by the too small community of security researchers, instead of one.


#4

Not with the same enthusiasm as Intel: Server motherboards, pretty much regardless of vendor, will have an IPMI-or-more implementation of…widely varying…quaility; but “Intel AMT” is widespread across desktops and laptops(it’s mostly a ‘business’ feature, so it’s often gimped or disabled in consumer gear; but that still means that the capability is widely present in non-server chipsets.)

This isn’t so much a matter of virtue on AMD’s part; but of tardiness: they’ve thrown in their lot with technology based on the ‘TrustZone’ stuff traditionally found in ARM cores; and are making a go of rolling out some similar capabilities. They just don’t have much leverage in the business-boxes market.

Speaking from my limited experience with Intel AMT(we don’t use it at work; but some of the hardware we have is capable of it so we’ve tested it), one can see why it would be an attractive IT management feature; but one can also see why it would make people nervous.

The capabilities depend both on firmware and on hardware(minor version bumps are usually doable with firmware; major version bumps occur when a new chipset is rolled out, wikipedia has a roundup of the versions).

At least with reasonably new AMT, the capabilities are quite sophisticated. The ARC(or, amusingly enough, SPARC in newer versions; who would have thought that Intel is probably one of the world’s leading SPARC vendors, by volume?) core remains active at all times when power is available(so all the time for desktops, most of the time for laptops) and has its own IP stack, so you can talk to it even if the main computer is powered off, has no OS, or even has all the RAM pulled. The AMT device can also(sometimes this requires cooperation with the guest OS, exactly when it does and doesn’t gets really tedious really quickly) establish VPN links back to HQ even if the device is on an external network.

One particularly impressive(if, equally, disconcerting) capability is the ability to act as an IP KVM: so long as the host computer is using intel graphics, you can connect through AMT and view the screen(including POST and boot stuff, prior to the OS loading) and use a virtual keyboard and mouse for remote control, as well as mounting ISOs over the network. It’s based on a slightly oddball implementation of VNC; but it’s a version of VNC that is baked into the hardware and works regardless of the state of the host OS.

The capabilities are pretty cute; but, as always, ‘pretty useful for the IT guys’ and ‘zOMG rootkit from hell!’ is less a technical difference than a difference in ownership and motive.


#5

So this gives anything running this a remote lights out connection like all the HP servers have? Well provided the device has power and network.
While I really enjoy this for servers (that are already behind firewalls and such, you aren’t putting your prod servers directly on the net are you?) cause I don’t have to do things like fly to Australia just to load the OS. This gives me concerns about workstations and laptops as an attack vector.


#6

IPMI? Start reading. Bring a change of pants. You’re gonna need it.


#7

this is most likely not the case anymore for the big projects, e.g. the majority of Linux kernel devolopers are employed or sponsored by software companies or similar organisations and do this as a day job


#8

Which, if we’re all living in a simulation, could be a very Bad Thing.

There is another theory which states that this has already happened. – Douglas Adams


#9

I am actually far more interested in what Qualcomm and Huawei are doing with ARM. Although phones, tablets and Chromebooks have their own problems, for the moment they are running less legacy code with fewer services on simpler systems. I have doubts as to whether it is realistically possible to secure any modern desktop.
What I would really like to see is Android Minimal Attack Vector - limited services, no bloat by default and a very limited app store (banking, payment, messaging.)


#10

Isn’t AMD Platform Security Processor also present on most modern AMD consumer / enthusiast CPUs and pretty much equivalent to Intel ME in capability?
P.S.:
https://libreboot.org/faq/#amd


#11

I think it’s a good place to plug Purism company’s petition to Intel for release of ME-less CPUs

Hope I’m not violating any rules by linking it :slight_smile:
https://puri.sm/posts/petition-for-intel-to-release-an-me-less-cpu-design/


#12

I don’t see why this would fall afoul of any spam rules.

You’re promoting a petition, not a product or a company, and the petition is directly opposing the behaviour that this article is critical of.

In short: you’re not gaining anything by it, so I don’t see what the problem would be.


#13

Jeez how hard is it to disable this? Cause I know where I work for another week anyway would do anything and everything possible to disable this in laptops. When I hear about security practices elsewhere I just boggle but then I work where just having admin access to servers hosting PII data means quarterly workstation audits, quarterly conformation of IS THIS THE DEVICE YOU USE and background checks every two years even though you do not have actual access to the data. So yeah I would expect enterprise environments to disable this or request the vendor to remove it.

ETA I see that HPs iLO is IPMI with extra doodads. Again on a server in a secure environment this is a really cool thing doubly so in today headless blade server world. I get woken up at 2am cause server is offline I can start my vpn and pull up a console and see ooh stuck on post cause a power supply is hosed. Lets bypass that and get a ticket out to the vendor. I don’t have to get dressed and waste up to an hour getting on site to check, though the data center is manned 24x7 so physical check can happen if needed.
Also this can be disabled in BIOS if you don’t want remote access this way.


#14

That is literally apples and oranges.

“Open Source” and “volunteers” have no fundamental connection between them.

Or are you telling us that projects like NodeJS or Microsoft’s .NET are being maintained by volunteers?


#15

I was under the impression that the ME is part of the chipset on the motherboard, not the CPU?
That said, I can’t think of any recent motherboards for Intel CPUs that haven’t used an Intel chipset.


#16

For servers it most certainly will be. Cause you are going to have multiple daughter boards with possible 2 CPUS per daughter board which would be a major PITA to manage.
I can’t see them doing it otherwise for a PC either.


#17

The holographic universe suggests that the simulation might use holographic memory, but then String Theory with its curled up dimensions suggests a multidimensional hard drive. Fine till there’s a head crash and your sun disappears.


#18

It’s conceptually pretty much the same; with some differences because it’s designed for devices that don’t have a dedicated management NIC and which may roam around(hence various features for piggibacking on the host’s NIC/wifi and being able to VPN back to the mothership); and because Intel didn’t do a total NIH job; but built AMT largely as they wanted it to be; not with the intention of being compliant with any particular standard or industry consensus(with the server stuff, your mileage can vary considerably but it is nominally standard in a many aspects).

It is definitely the case, though, that the AMT agent can quite plausibly show up on an open network(especially when built into laptops, which it is); so the security of the system cannot rely on a trusted management network or VLAN. There aren’t any (known) horror stories, which suggests that AMT is more competent than some vendor’s LOM firmware; but it’s not a terribly well known little subsystem; and if it were to be exploited it would be magnificently powerful, so it makes people a little nervous.


#19

Ok, so does this mean that P ≠ NP due to resource constraints of the host machine?


#20

I like your thinking.
The observable universe can’t be a complete Turing machine* because the number of particles isn’t infinite, so the infinite tape isn’t possible.

*Yes, I do mean “complete Turing machine”, not “Turing-complete”.