update: from FSF: Dana Morgenstein: If there is an event at your university or in your community addressing the Intel chip bugs, we urge you to distribute printed copies of our report on the Intel ME by Denis GNUtoo Carikli, with the following foreword by Free Software Foundation president Richard Stallman:
Meltdown and Spectre are errors. Grave errors, to be sure, but not evidently malicious. Everyone makes mistakes.
Intel has done far worse with its CPUs than make a mistake. It has built in an intentional back door called the Management Engine.
Important as these bugs are, don’t let Intel’s mistakes distract you from Intel’s deliberate attack!
Intel ME closed source encrypted firmware hidden backdoor crap or „How to Hack a Turned-Off Computer“
the worst: if you have intel ME on your motherboard activated – accessing it is possible without knowing the password!
port scan your network for intel me webserver ports 16992 16993
nmap -v -p 16992-16993 -sS 192.168.0.0/24
BSI warns about Intel ME: https://www.bsi.bund.de/SharedDocs/Warnmeldungen/DE/CB/2017/11/warnmeldung_cb-k17-2012.html
Linux tool to check if your system has Intel ME: https://github.com/mjg59/mei-amt-check
( you will have to install the drivers from your hardware vendor first https://downloadcenter.intel.com/download/26127/Intel-Management-Engine-Consumer-Driver-for-Intel-NUC-Kit-NUC6i3SY-NUC6i5SY-NUC6i7KYK https://downloadcenter.intel.com/download/24892/Intel-Trusted-Execution-Engine-Driver-for-Intel-NUC-Kit-NUC5CPYH-NUC5PPYH-NUC5PGYH)
This script allows you to dump and extract Intel ME fimrware images. Supported formats:
- Full SPI flash image with descriptor (signature 5A A5 F0 0F)
- Full ME region image (signature ‚$FPT‘)
- individual ME code partitions and update images (signature $MN2/$MAN)
Supported ME versions: 2.x – 9.x for desktop, 1.x-3.x for SpS, 1.x for TXE/SEC.
This script allows you to send HECI (MEI) messages to the ME. The script currently runs only under Windows and requires the ME drivers to be installed. You need to run it with admin privileges as it needs access to the driver.
„For the record, I would like to state that when Intel contacted me, they didn’t say what they were working on. Companies rarely talk about future products without NDAs. I figured it was a new Ethernet chip or graphics chip or something like that. If I had suspected they might be building a spy engine, I certainly wouldn’t have cooperated […] „
Even Google is pissed that much at Intel that they would like to replace BIOS and UEFI with Linux.
How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine
Maxim Goryachy | Security researcher, Positive Technologies
Location: ICC Capital Suite, Level 3, Room B
Date: Wednesday, December 6 | 3:30pm-4:30pm
Format: 50-Minute Briefings
Tracks: Platform Security, Hardware/Embedded
Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have been long interested in such „God mode“ capabilities, but recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools.
Unfortunately, this changing did not go without errors. In a subsystem change that will be detailed in the talk of Intel ME version 11+, a vulnerability was found. It allows an attacker of the machine to run unsigned code in PCH on any motherboard via Skylake+. The main system can remain functional, so the user may not even suspect that his or her computer now has malware resistant to reinstalling of the OS and updating BIOS. Running your own code on ME gives unlimited possibilities for researchers, because it allows exploring the system in dynamics.
In our presentation, we will tell how we detected and exploited the vulnerability, and bypassed built-in protection mechanisms.
holy holy cow of surveillance – Intel Management Engine (ME)
or: why governments need to cooperate and invest into the development free (100% transparent) hardware and software – and share the research results and CAD-plans with the rest of mankind…
or: Why Putin does not use mobile phones… while Merkel believes in her old beloved Nokia phone… which you can be sure – is also targeted by multiple intelligence agencies – despite the lack of internet and WhatsApp. (Alternative: Signal – works good and same functionality and usability)
the story is getting worse by the day – all the i3 i5 i7 processors are based on the Intel-Sandy-Bridge-Mikroarchitektur
which could include something called Anti-Theft 3.0 CPU KILL SWITCH (src).
Developed primarily by the Israel branch of Intel, the codename was originally „Gesher“ (meaning „bridge“ in Hebrew). The name was changed to avoid being associated with the defunct Gesher (probably right-wing zionist) political party; (src)
Meaning – if you missbehave – we simply kill your IT infrastructure – with the flip of an switch.
Call me paranoid – but why do i get the feeling to be cheated and manipulated in every possible way – at every possible moment?
After all a BRIDGE BUILT WITH SAND is not very stable – is it?
„Intel’s new Sandy Bridge processors have a new feature that the chip giant is calling Anti-Theft 3.0. The processor can be disabled even if the computer has no Internet connection or isn’t even turned on, over a 3G network. With Intel anti-theft technology built into Sandy Bridge, David Allen, director of distribution sales at Intel North America, told ITBusiness that users have the option to set up their processor so that if their computer is lost or stolen, it can be shut down remotely.
For those who want to protect their computers from thieves, the ability to remotely disable them sounds great. We’re not sure the CPU is the component that should be targeted though. While a given stolen netbook, laptop, or desktop can no longer be turned on if Intel’s new kill switch is flipped, there’s nothing stopping the thief from taking out the HDD and putting it in another computer. As a result, you’ve only slightly slowed the criminal down and haven’t really managed to ensure your sensitive data is protected.
Furthermore, those wearing tin foil hats will want to know if users have complete control over the feature. Is it enabled by default? If not, could someone else turn it on? Can anyone but the owner of the processor disable it remotely? Those might seem like paranoid questions, but nonetheless Intel needs to guarantee that the answer to all three is a resounding no.“
Even more terrifying – hardware vendors place backdoors / security holes on purpose – which also can be used – if found – by hackers (the good ones) and crackers (the evil ones). It is just not fun – paying BitCoin ransome to recover your holiday-pictures 🙁
Welcome to the reality of digital information processing – and targeting of people and organizations as if we were still in the ColdWar era. Snowden calls the NSA – the biggest hacking organization in the world – biggest employee of mathematicians.
Introduced in June 2006 in Intel’s 965 Express Chipset Family of (Graphics and) Memory Controller Hubs, or (G)MCHs, and the ICH8 I/O Controller Family, the Intel Management Engine (ME) is a separate computing environment physically located in the (G)MCH chip. In Q3 2009, the first generation of Intel Core i3/i5/i7 (Nehalem) CPUs and the 5 Series Chipset family of Platform Controller Hubs, or PCHs, brought a more tightly integrated ME (now at version 6.0) inside the PCH chip, which itself replaced the ICH. Thus, the ME is present on all Intel desktop, mobile (laptop), and server systems since mid 2006.
The ME consists of an ARC processor core (replaced with other processor cores in later generations of the ME), code and data caches, a timer, and a secure internal bus to which additional devices are connected, including a cryptography engine, internal ROM and RAM, memory controllers, and a direct memory access (DMA) engine to access the host operating system’s memory as well as to reserve a region of protected external memory to supplement the ME’s limited internal RAM. The ME also has network access with its own MAC address through an Intel Gigabit Ethernet Controller. Its boot program, stored on the internal ROM, loads a firmware “manifest” from the PC’s SPI flash chip. This manifest is signed with a strong cryptographic key, which differs between versions of the ME firmware. If the manifest isn’t signed by a specific Intel key, the boot ROM won’t load and execute the firmware and the ME processor core will be halted.
The ME firmware is compressed and consists of modules that are listed in the manifest along with secure cryptographic hashes of their contents. One module is the operating system kernel, which is based on a proprietary real-time operating system (RTOS) kernel called “ThreadX”. The developer, Express Logic, sells licenses and source code for ThreadX. Customers such as Intel are forbidden from disclosing or sublicensing the ThreadX source code. Another module is the Dynamic Application Loader (DAL), which consists of a Java virtual machine and set of preinstalled Java classes for cryptography, secure storage, etc. The DAL module can load and execute additional ME modules from the PC’s HDD or SSD. The ME firmware also includes a number of native application modules within its flash memory space, including Intel Active Management Technology (AMT), an implementation of a Trusted Platform Module (TPM), Intel Boot Guard, and audio and video DRM systems.
The Active Management Technology (AMT) application, part of the Intel “vPro” brand, is a Web server and application code that enables remote users to power on, power off, view information about, and otherwise manage the PC. It can be used remotely even while the PC is powered off (via Wake-on-Lan). Traffic is encrypted using SSL/TLS libraries, but recall that all of the major SSL/TLS implementations have had highly publicized vulnerabilities. The AMT application itself has known vulnerabilities, which have been exploited to develop rootkits and keyloggers and covertly gain encrypted access to the management features of a PC. Remember that the ME has full access to the PC’s RAM. This means that an attacker exploiting any of these vulnerabilities may gain access to everything on the PC as it runs: all open files, all running applications, all keys pressed, and more.
Intel Boot Guard is an ME application introduced in Q2 2013 with ME firmware version 9.0 on 4th Generation Intel Core i3/i5/i7 (Haswell) CPUs. It allows a PC OEM to generate an asymmetric cryptographic keypair, install the public key in the CPU, and prevent the CPU from executing boot firmware that isn’t signed with their private key. This means that coreboot and libreboot are impossible to port to such PCs, without the OEM’s private signing key. Note that systems assembled from separately purchased mainboard and CPU parts are unaffected, since the vendor of the mainboard (on which the boot firmware is stored) can’t possibly affect the public key stored on the CPU.
ME firmware versions 4.0 and later (Intel 4 Series and later chipsets) include an ME application for audio and video DRM called “Protected Audio Video Path” (PAVP). The ME receives from the host operating system an encrypted media stream and encrypted key, decrypts the key, and sends the encrypted media decrypted key to the GPU, which then decrypts the media. PAVP is also used by another ME application to draw an authentication PIN pad directly onto the screen. In this usage, the PAVP application directly controls the graphics that appear on the PC’s screen in a way that the host OS cannot detect. ME firmware version 7.0 on PCHs with 2nd Generation Intel Core i3/i5/i7 (Sandy Bridge) CPUs replaces PAVP with a similar DRM application called “Intel Insider”. Like the AMT application, these DRM applications, which in themselves are defective by design, demonstrate the omnipotent capabilities of the ME: this hardware and its proprietary firmware can access and control everything that is in RAM and even everything that is shown on the screen.
The Intel Management Engine with its proprietary firmware has complete access to and control over the PC: it can power on or shut down the PC, read all open files, examine all running applications, track all keys pressed and mouse movements, and even capture or display images on the screen. And it has a network interface that is demonstrably insecure, which can allow an attacker on the network to inject rootkits that completely compromise the PC and can report to the attacker all activities performed on the PC. It is a threat to freedom, security, and privacy that can’t be ignored.
Before version 6.0 (that is, on systems from 2008/2009 and earlier), the ME can be disabled by setting a couple of values in the SPI flash memory. The ME firmware can then be removed entirely from the flash memory space. libreboot does this on the Intel 4 Series systems that it supports, such as the Libreboot X200 and Libreboot T400. ME firmware versions 6.0 and later, which are found on all systems with an Intel Core i3/i5/i7 CPU and a PCH, include “ME Ignition” firmware that performs some hardware initialization and power management. If the ME’s boot ROM does not find in the SPI flash memory an ME firmware manifest with a valid Intel signature, the whole PC will shut down after 30 minutes.
Due to the signature verification, developing free replacement firmware for the ME is basically impossible. The only entity capable of replacing the ME firmware is Intel. As previously stated, the ME firmware includes proprietary code licensed from third parties, so Intel couldn’t release the source code even if they wanted to. And even if they developed completely new ME firmware without third-party proprietary code and released its source code, the ME’s boot ROM would reject any modified firmware that isn’t signed by Intel. Thus, the ME firmware is both hopelessly proprietary and “tivoized”.
In summary, the Intel Management Engine and its applications are a backdoor with total access to and control over the rest of the PC. The ME is a threat to freedom, security, and privacy, and the libreboot project strongly recommends avoiding it entirely. Since recent versions of it can’t be removed, this means avoiding all recent generations of Intel hardware.
More information about the Management Engine can be found on various Web sites, including me.bios.io, unhuffme, coreboot wiki, and Wikipedia. The book Platform Embedded Security Technology Revealed describes in great detail the ME’s hardware architecture and firmware application modules.
If you’re stuck with the ME (non-libreboot system), you might find this interesting: http://hardenedlinux.org/firmware/2016/11/17/neutralize_ME_firmware_on_sandybridge_and_ivybridge.html
Also see (effort to disable the ME): https://www.coreboot.org/pipermail/coreboot/2016-November/082331.html – look at the whole thread
Many of you already have expressed your displeasure over Intel’s Active Management Technology (AMT) and Management Engine (ME) for various reasons in the past and now it’s been disclosed that for years there has been a vulnerability in this business-oriented feature that could open your Intel systems up to attackers.
Intel Active Management Technology, Intel Small Business Technology, and Intel Standard Manageability are subject to a hole allowing an unprivileged attacker to gain control of the management features for these products. The issue was made public today via INTEL-SA-00075.
For those with AMT enabled on their systems, it can affect supported processors going back to 2008 when AMT6 debuted — thus the vulnerability covers from Nehalem to Kabylake CPUs.
„Closed source custom Java ME and ThreadX blob probably maintained by interns, running all the time with unfettered access to every resource in the system even when the machine is turned off, integrated into almost every enterprise computer network in the world.
What could possibly go wrong. „
Step 1: Unprovisioning clients
When configured, Intel® AMT and ISM automatically listen for management traffic over your computer network. Systems that
are vulnerable to the known privilege escalation issue should be unprovisioned using the tools used to initially configure them to prevent unauthorized access to manageability features.
As an example, the Intel® AMT Configuration Utility (ACUConfig) from the Intel® Setup and Configuration Software (Intel® SCS) download can be used from a command line to unconfigure systems.
Example unconfigure commands (note these will need to be executed with OS administrative rights):
Unconfiguring a system in CCM:
Unconfiguring a system in ACM without RCS integration:
ACUConfig.exe UnConfigure /AdminPassword
Unconfiguring a system with RCS integration :
ACUConfig.exe UnConfigure /RCSaddress <RCSaddress> /Full
See section 6.1 4, Unconfiguring Intel AMT systems , of the Intel® SCS user guide for additional details.
You can download a copy.
What is LMS Intel® Management and Security Application Local Management Service (LMS) is a service that enables local applications running on Intel® AMT, Intel® SBA or Intel® Standard Manageability supported devices to use common SOAP and WS
It listens to the Inte l® Manageability Engine (ME) ports (16992, 16993, 16994, 16995, 623, and 664) and routes the traffic to the firmware through the
Intel® MEI driver.
Process to disable LMS Note: Th e following commands utilize the Windows built in command line program SC for communicating with the Service
Control Manager and services.
An Active Directory Group Policy Object (GPO) can also be leveraged to scale disabling LMS. Run the following com mand from a command prompt with
sc config LMS start=disabled
Process to remove LMS Run the following command from a command prompt with administrative rights:
sc delete LMS
Note: This command removes LMS from Windows services. To fully remove LMS from the system, you need to also delete the executable
If you are not sure what the path is, you can find it using the following command from a command prompt:
sc qc LMS