
Intel's Management Engine

  1. #1
    aldra JIDF Controlled Opposition
    SHORT VERSION:
    Intel's Management Engine, or Active Management Technology, depending on where you look, is a low-level subsystem that's attached to every Intel chip produced after 2008 (I believe). It runs whenever the chip is powered (even if the computer itself is switched off), and its purpose is to 'provide trust' that the processor isn't compromised. It's completely invisible to the user, but has complete access to the processor as well as access to power up or down the machine, interfere with the boot process, send/receive TCP network traffic through its own independent MAC forwarded by the network adapter and run arbitrary code locally. Efforts to dump its code and understand its workings, potentially leading to an exploit, are underway, but the way the core firmware is compressed and obfuscated, as well as peripheral functions being stored on ROM chips, makes progress very difficult.

    When it's exploited, if it hasn't been already, every machine running a recent Intel chip will be outfitted with a rootkit that can't be disabled (breaking or disabling the ME coprocessor forces the computer to shut down on a timer). Don't think switching to AMD will make much of a difference either... They have a very similar system (TrustZone) that's implemented via an on-chip ARM coprocessor.


    TECHNICAL:
    The AMT unit itself is a separate on-chip coprocessor that has several supporting components such as ROM and RAM for firmware and temporary data storage as well as a 'DMA engine' that allows it unfettered access to memory in use by the user-installed operating system, meaning it can potentially subvert the program flow of Windows, Linux or whatever OS you're using without any warning or indication. It also has its own simple TCP stack which has been demonstrated to be insecure in the past; it has a hardcoded MAC address different to the standard NIC and is essentially able to relay through the NIC to forward requests to the internet or LAN. The ME engine itself is composed of the core firmware, which is compressed, encrypted and obfuscated, only decoded on the fly to run commands, and modules and components stored on ROM chips, which cannot be dumped or accessed directly.

    The original purpose of the AMT was to provide trust for the CPU itself; you may compile applications from source because you want to be able to see what it does before you 'trust' it enough to compile, but you then also need to be able to trust the compiler that builds it, and dependencies that get linked in and anything that runs below the application, i.e. the operating system, drivers used and the like. You can continually move down the chain, checking source or watching applications' behaviour to verify they're working as advertised, but once you get to hardware, specifically the processor in this case, it's a black box - there's no way to directly view the source, so the only way to 'trust' that it's not compromised is through a third-party that can verify such. This begs the question of how you can verify that the third-party is trustworthy - you can't. One of its popular uses now is to facilitate remote installations and administration functionality on behalf of sysadmins.

    OTHER:
    It would surprise me if some of the betabet agencies don't already have access to this - it may even have been among the exploits stolen from the NSA's archives, but hasn't been released because whoever released them publicly knew of its value. Much of the system's code is stored on ROM chips and untouchable; it cannot be reflashed or updated, meaning that if an exploit exists in it, there is nothing users can do to protect themselves - they'd literally need to buy a new processor once Intel gets around to patching or rewriting the AMT codebase.

    Manufacturers have ostensibly worked with NSA contractors in the past, specifically in the case of hard drive firmware exploits used to cache and transmit data - without co-operation from the major hard drive manufacturers, such an exploit would take years to develop per manufacturer, and there are around 10 of them.

    COUNTERMEASURES:
    At the moment, there's very little that can be done to mitigate your risk of being exploited because even if no exploit exists today, it will. Disabling the AMT platform causes the computer to shut down after a countdown, but it's been observed that if chunks of the AMT's firmware are erased or overwritten, it stays in the 'running' state but stops responding.

    You may be able to sniff TCP data to/from the platform by filtering by MAC address, but I'm not sure how possible it is to mask those requests.
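One way to act on the MAC-address observation in the post above, as an added example and not code from the post: a small Python triage script that parses captured Ethernet/IPv4/TCP frames (from a mirror port or a second LAN host) and flags any frame involving a unicast MAC that no inventoried OS claims, or aimed at AMT's management listeners. The AMT port numbers, the MAC inventory and every sample frame are assumptions or constructed data, not from the post.

```python
"""Flag captured frames from/to a MAC no inventoried OS reports (the ME's
hard-coded address would be one) or touching AMT's TCP listeners.
Sample data is constructed; helper names are hypothetical."""
import struct

# MACs reported by the operating systems of inventoried hosts (constructed sample).
KNOWN_HOST_MACS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}
# Intel AMT management listener ports (assumption from AMT documentation, not from the post).
AMT_PORTS = {16992, 16993}

def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)

def is_unicast(mac):
    # Bit 0 of the first octet set => group (multicast/broadcast) address.
    return int(mac[:2], 16) & 1 == 0

def parse_frame(frame):
    """Minimal Ethernet II + IPv4 + TCP header parser; returns None on a short frame."""
    if len(frame) < 14:
        return None
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    ethertype = struct.unpack("!H", frame[12:14])[0]
    info = {"src_mac": src, "dst_mac": dst, "ethertype": ethertype, "sport": None, "dport": None}
    if ethertype == 0x0800 and len(frame) >= 34:          # IPv4
        ihl = (frame[14] & 0x0F) * 4                       # IPv4 header length in bytes
        tcp_off = 14 + ihl
        if frame[23] == 6 and len(frame) >= tcp_off + 4:   # IP protocol 6 = TCP
            info["sport"], info["dport"] = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    return info

def classify(frame, known=KNOWN_HOST_MACS):
    """Return the reasons a frame deserves a look (empty list = nothing unusual)."""
    info = parse_frame(frame)
    if info is None:
        return ["truncated_frame"]
    reasons = []
    for side in ("src_mac", "dst_mac"):
        if is_unicast(info[side]) and info[side] not in known:
            reasons.append(f"unknown_{side}")
    if info["sport"] in AMT_PORTS or info["dport"] in AMT_PORTS:
        reasons.append("amt_management_port")
    return reasons

def build_tcp_frame(src_mac, dst_mac, sport, dport):
    """Constructed Ethernet/IPv4/TCP frame with zeroed IPs and checksums (test data only)."""
    eth = bytes.fromhex(dst_mac.replace(":", "")) + bytes.fromhex(src_mac.replace(":", "")) + b"\x08\x00"
    ipv4 = bytes([0x45, 0]) + struct.pack("!HHHBBH", 40, 0, 0, 64, 6, 0) + bytes(8)
    tcp = struct.pack("!HH", sport, dport) + bytes(16)
    return eth + ipv4 + tcp
```

In practice the inventory would be built from what each host's OS reports for its own interfaces, so a station the OS cannot see stands out.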
  2. #2
    SBTlauien African Astronaut
    Scary stuff. The NSA likely has exploits for both Intel and AMD, along with HD exploits.

    Considering that they spy on citizens so much, I wouldn't doubt it if most people are already infected. Maybe just something to sleep and locally monitor so that if they need to, they show up and extract whatever they need.
  3. #3
    Sophie Pedophile Tech Support
    Very interesting. I read a post on Twitter about a ROM fuzzer recently. Although I am not sure how relevant it would be to what you wrote in the OP, also I can't seem to find it anymore for some reason. I know very little about the low level stuff though, but I would imagine if anyone has pulled this off I'm sure it would be an agency like the NSA.

    Talk about nation-state exploits though. Do you know if there is any source code available from the Vault7 leaks? In this case CIA hacking tools were reportedly leaked. What also may be interesting to note, but a little bit off topic, is that according to WikiLeaks the CIA has a malware framework that has functionality to "spoof" attribution. So what it would do for instance is translate all comments to Russian and add some signatures observed in the malware used by whoever they wanted to put the blame on. Then it would make it appear as though some anti-forensic measures were run in order to conceal that the comments were in Russian etc. Pretty interesting, especially considering the whole Russia hacked the election narrative.
  4. #4
    -SpectraL coward [the spuriously bluish-lilac bushman]
    This is one of the reasons I use old software/hardware. I use a Pentium 4 3 GHz (2005) dual core CPU.
  5. #5
    I heard about this and it's one of the reasons I've held off on putting together another gaming computer. If the computer is never connected to the internet, would it be safe from any exploits that may be found?
  6. #6
    snab_snib African Astronaut
    if you have nothing to hide, you have nothing to fear.
  7. #7
    fag Houston
    I bought my computer in 2009 am I safe? I've got a lot of kiddie porn that I don't want anyone finding out about. How hard is it to get past a BIOS password?
  8. #8
    Sophie Pedophile Tech Support
    Originally posted by Kolokol-1 If the computer is never connected to the internet, would it be safe from any exploits that may be found?

    It would go a long way.
  9. #9
    -SpectraL coward [the spuriously bluish-lilac bushman]
    No Internet connection required, even if no power, or no hard drive.

    Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilises audio modulation/demodulation to exchange data between the computing systems over the air medium.

    The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilizing the near ultrasonic frequency range.

    We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via near-field audio communications.

    Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analyzing audio input and output in order to detect any irregularities.


    http://www.theregister.co.uk/2013/12/05/airgap_chatting_malware/

    http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf

    https://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

    http://www.infoworld.com/article/2891692/security/does-the-latest-nsa-hack-prove-badbios-was-real.html
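The abstract quoted above names two countermeasures: low-pass filtering and a host-based check of audio for irregularities. As an added example (not the paper's or the poster's code), the Python below measures the share of audio energy in the 18 to 20 kHz band with the Goertzel algorithm and shows a one-pole low-pass removing it; the sample rate, band limits, threshold and test tones are assumptions.

```python
import math

SAMPLE_RATE = 44100  # Hz, typical sound-card rate (assumption)

def goertzel_power(samples, freq_hz, rate=SAMPLE_RATE):
    """Signal power at one DFT bin via the Goertzel recurrence (no numpy needed)."""
    n = len(samples)
    k = round(freq_hz * n / rate)          # nearest DFT bin to freq_hz
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s1 = s2 = 0.0
    for x in samples:
        s1, s2 = x + coeff * s1 - s2, s1
    return s1 * s1 + s2 * s2 - coeff * s1 * s2

def band_power(samples, lo_hz, hi_hz, step_hz=250):
    """Sum of bin powers sampled every step_hz across [lo_hz, hi_hz]."""
    return sum(goertzel_power(samples, f) for f in range(lo_hz, hi_hz + 1, step_hz))

def near_ultrasonic_ratio(samples):
    """Fraction of measured energy in the 18-20 kHz band the paper's channel uses."""
    covert = band_power(samples, 18000, 20000)
    audible = band_power(samples, 250, 8000)
    total = covert + audible
    return covert / total if total > 0 else 0.0

def lowpass(samples, cutoff_hz=8000, rate=SAMPLE_RATE):
    """One-pole IIR low-pass: the 'lowpass filtering' countermeasure from the abstract."""
    dt = 1.0 / rate
    rc = 1.0 / (2.0 * math.pi * cutoff_hz)
    alpha = dt / (rc + dt)
    out, y = [], 0.0
    for x in samples:
        y += alpha * (x - y)
        out.append(y)
    return out

def make_tone(freqs_hz, n=4096, rate=SAMPLE_RATE):
    """Constructed test signal: unit-amplitude sine tones summed (not real audio)."""
    return [sum(math.sin(2.0 * math.pi * f * i / rate) for f in freqs_hz) for i in range(n)]

def is_suspicious(samples, threshold=0.3):
    """Host-IDS style check: flag a capture whose near-ultrasonic share exceeds threshold."""
    return near_ultrasonic_ratio(samples) > threshold

if __name__ == "__main__":
    mixed = make_tone([1000, 19500])       # speech-band tone plus a near-ultrasonic carrier
    print("raw ratio:", round(near_ultrasonic_ratio(mixed), 3), "suspicious:", is_suspicious(mixed))
    print("after lowpass:", round(near_ultrasonic_ratio(lowpass(mixed)), 3))
```

A real monitor would run the same ratio over successive short windows of the microphone and speaker streams and alert on a sustained rise.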
  10. #10
    snab_snib African Astronaut
    also, you're dumb if you don't believe there's a radio on your motherboard.
  11. #11
    snab_snib African Astronaut
    untraceable is not unobservable, and unobservable is not unrecordable.
  12. #12
    SBTlauien African Astronaut
    Originally posted by Kolokol-1 I heard about this and it's one of the reasons I've held off on putting together another gaming computer. If the computer is never connected to the internet, would it be safe from any exploits that may be found?

    Depends.

    Does it have other connectivity methods(Wi-Fi, Bluetooth, NFC)?

    What types of devices will you connect to it?

    What type of media will you run on it and how safe is the media?

    Does anyone else have access to it and how secure is the location it's in?
  13. #13
    aldra JIDF Controlled Opposition
    Originally posted by -SpectraL No Internet connection required, even if no power, or no hard drive.

    Covert channels can be used to circumvent system and network policies by establishing communications that have not been considered in the design of the computing system. We construct a covert channel between different computing systems that utilises audio modulation/demodulation to exchange data between the computing systems over the air medium.

    The underlying network stack is based on a communication system that was originally designed for robust underwater communication. We adapt the communication system to implement covert and stealthy communications by utilizing the near ultrasonic frequency range.

    We further demonstrate how the scenario of covert acoustical communication over the air medium can be extended to multi-hop communications and even to wireless mesh networks. A covert acoustical mesh network can be conceived as a botnet or malnet that is accessible via near-field audio communications.

    Different applications of covert acoustical mesh networks are presented, including the use for remote keylogging over multiple hops. It is shown that the concept of a covert acoustical mesh network renders many conventional security concepts useless, as acoustical communications are usually not considered. Finally, countermeasures against covert acoustical mesh networks are discussed, including the use of lowpass filtering in computing systems and a host-based intrusion detection system for analyzing audio input and output in order to detect any irregularities.


    http://www.theregister.co.uk/2013/12/05/airgap_chatting_malware/

    http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf

    https://arstechnica.com/security/2013/10/meet-badbios-the-mysterious-mac-and-pc-malware-that-jumps-airgaps/

    http://www.infoworld.com/article/2891692/security/does-the-latest-nsa-hack-prove-badbios-was-real.html

    it's pretty much accepted now that the air-gap bit was made up - nobody else has ever observed the behaviour, nor has anyone found anything related to audio injection in the malware's code
  14. #14
    -SpectraL coward [the spuriously bluish-lilac bushman]
    Originally posted by aldra it's pretty much accepted now that the air-gap bit was made up - nobody else has ever observed the behaviour, nor has anyone found anything related to audio injection in the malware's code

    It's been reported. No doubt, it is real.

    https://en.wikipedia.org/wiki/BadBIOS

    http://blog.erratasec.com/2013/10/badbios-features-explained.html

    http://www.jocm.us/uploadfile/2013/1125/20131125103803901.pdf
  15. #15
    -SpectraL coward [the spuriously bluish-lilac bushman]
    http://cyber.bgu.ac.il/content/how-leak-sensitive-data-isolated-computer-air-gap-near-mobile-phone-airhopper
  16. #16
    aldra JIDF Controlled Opposition
    yeah, I just skimmed those articles and none of them indicate that they've proven BadBios to use audio to transmit itself.


    the first few deal with the possibility of modulating data and sending it via audio/speakers in the same vein as old dialup modems, the last one is pretty much a bluetooth radio that runs at a much lower frequency (audible range)
  17. #17
    snab_snib African Astronaut
    there are radio emitters and receivers on every motherboard, obviously. they can be made smaller than a fucking quinoa.

    Himmler's Wewelsburg castle is the point or apex of the actual representation of the spear of destiny.. from a birds eye perspective the entire complex looks very much like the human brain.. Stranger still the eye of Horus or the eye of the moon also fits nicely into this map.. implying that Horus, Jesus, and other sun gods were representations of the psychedelic experience discovered through DMT pathways in the crystalline covered hallways of the Pineal gland.. This is also the eye you see atop the pyramid on the dollar bill.. the one true Stargate and 'inner' messiah. The magic Psilocybe mushroom being the manna or 'his' flesh.. Catholics so ignorantly take in wafer form at communion.

    In Indiana Jones and the Last Crusade Sean Connery is held captive in a castle modeled after Wewelsburg.. bringing it full circle Shia LaBeouf, our Optimus Christ Cube guardian, stars alongside our Matrix messiah Keanu Reeves in Constantine a story about the spear of destiny, and will also star counter our Stargate invoking Harrison Ford in the much anticipated finale of the Indiana Jones franchise: Indiana Jones and the Kingdom of the Crystal Skull.

    Seek the Mysteries.
  18. #18
    antinatalism Tuskegee Airman
    Originally posted by aldra COUNTERMEASURES:
    At the moment, there's very little that can be done to mitigate your risk of being exploited because even if no exploit exists today, it will. Disabling the AMT platform causes the computer to shut down after a countdown, but it's been observed that if chunks of the AMT's firmware are erased or overwritten, it stays in the 'running' state but stops responding.

    You may be able to sniff TCP data to/from the platform by filtering by MAC address, but I'm not sure how possible it is to mask those requests.

    if you have a computer whose cpu is no older than the 4th intel core generation, then your computer doesn't have the intel boot guard, which is the firmware feature that verifies the boot process and prevents the intel management engine from being modified/disabled, so there are few workarounds to mitigate its threat. for instance, I remember a python script that partially deblobs the ME; if interested I can send a link. personally, when I need some serious privacy I use my lovely thinkpad 200 where the BIOS has been replaced by the full FOSS firmware libreboot, so I don't really have to worry about backdoors in my hardware
  19. #19
    SBTlauien African Astronaut
    What would a bloke have to do to get the US government to place a hardware backdoor on his/her machine?
  20. #20
    Originally posted by SBTlauien What would a bloke have to do to get the US government to place a hardware backdoor on his/her machine?

    Purchase said machine.