On 02/08/17 20:43, ron minnich wrote:
On Wed, Aug 2, 2017 at 11:48 AM Daniel Pocock <daniel@pocock.pro mailto:daniel@pocock.pro> wrote:
I understand that with LibreBoot and one of their supported laptops it is possible to completely eliminate the risk by removing 100% of proprietary/hidden code.
I'm glad they did this but ... you need to understand that the laptop in that case is 10 years old (or is there a newer one I missed?). There is a core set of functionality the ME provides on newer chipsets that as far as we know, can not be removed :-(
For some purposes, a 10 year old laptop is quite OK
If you want a secure environment to manage your PGP master keys, for example, that may be a good choice (see the PGP/PKI clean room Debian Live image)
However, for people who choose Coreboot, ME_Cleaner, a Purism laptop or some other compromise, leaving in place around 90kb of the Intel code, is there a concise way to explain the attack vectors that they eliminate and the attack vectors that remain?
well, as purism has pointed out, due to a bug, they only check signing on 1/4 of that ME code (IIRC). So, if you want, you could embed your exploits in the other 3/4. That's about 65K.
What could you do? I am guessing a lot.
And, further, if such exploits can be done, and have been possible for at least 10 years, it's reasonably to assume they HAVE been done and are out there now. Bummer.
Just as it is never too late to give up smoking, it is never too late to escape from mass surveillance.
As a Linux user I get away with using a laptop until it is quite old but many other people have become well and truly dependent on newer hardware and software that has this massive backdoor in it.
For example, I've read that Purism doesn't use vPro-compatible wifi hardware, so my impression is they eliminate random attacks coming in through the network and spontaneously activating Intel ME, but if malicious code does get into Intel ME by some other means (such as a malicious email attachment) it may still be able to hide there indefinitely and use any network device on the machine to call home?
Can it get in via malicious email attachment? What's the path for that? Seems hard but I'm willing to believe anything nowadays after reading about all these sideband attacks.
I assume some email attachment may be a stepping stone for a privilege escalation attack that eventually gets into the BIOS or HDD firmware.
There is also the QR-code of death. It is like the ping of death but it is designed for the firmware of the built-in webcam in your laptop.
Regards,
Daniel