On Tue, Oct 05, 2021 at 03:17:13AM +0700, Hendra wrote:
> [..] so, in conclusion:
> - ME has its own MAC and IP address
No.
NICs have MACs.
NICs *may* have IP addresses.
> - ME can access the internet by using the OS's configured network
> connection,
Or perhaps a network connection configured in BIOS or UEFI.
> without the OS ever noticing
Yes, that's how OOB management works. ME/AMT is a bit like iLO or IPMI, but implemented via the CPU's coprocessor.
> - ME can record network credentials to persistent storage, while
> the main OS is running.
*Maybe*.
> - ME can use the recorded network credentials for internet access,
> while the main OS is not running.
*Maybe*.
> - ME cannot access the internet without the laptop's networking device
Almost certainly correct. Also, the NIC has to be compatible: the ME does not, AFAIK, have drivers for all NICs.
> - a secret / hidden independent networking device,
A networking device other than the PC's obvious/legitimate NICs?
> would probably look suspicious under a microscope,
Uncertain.
First of all, you can't tell for sure what a chip does just by looking at it with a microscope:
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
Secondly, even if you know what a chip is for, and that it isn't a NIC, and that it hasn't been tampered with, and that it isn't necessarily even physically connected to circuitry outside the PC, that doesn't mean it can't be used to exfiltrate data. So "networking devices" (in the loosest sense) could be hiding in plain sight. E.g. some GPUs can be used to exfiltrate data wirelessly: https://arxiv.org/abs/1411.0237
AFAIK, there's no evidence existing ME versions contain code for intentional side-channel data exfiltration.
> nobody has seen something like that in Intel's chipsets.
Again, not clear what you mean. Marginally relevant reading:
https://www.theregister.com/2021/02/12/supermicro_bloomberg_spying/
https://hackaday.com/2019/05/14/what-happened-with-supermicro/
> - ME without AMT firmware couldn't do out of band management, but
> may still be networking capable.
Uncertain. Cf. "Lojack for laptops" - IIRC this did not require AMT.
> - ME could set up an ad-hoc wireless network, with other iME chips
> in the local area, then connected to the internet through other iME chips.
*Maybe.*
For each PC involved, the ME would need the PC to have a compatible NIC.
A transport medium would need to be present between those devices: if WiFi, they'd have to be within range; if ethernet, they'd have to be plugged in and on a suitable topology.
That's just to make a mesh.
And AFAIK, there's no evidence existing ME versions contain mesh networking code.
To gain internet access, then in addition to the above, one of the devices on the mesh would need internet access, e.g. via cached credentials or credential-free.
> How about an ultrasonic transmitter / receiver?
There's no shortage of techniques for exfiltrating data over air gaps:
https://thehackernews.com/2020/02/hacking-air-gapped-computers.html
https://www.zdnet.com/article/academics-steal-data-from-air-gapped-systems-u...
https://en.wikipedia.org/wiki/TEMPEST
And no reason why control of the CPU can't provide an acoustic exfiltration channel. (After all, that's effectively how acoustic cryptanalysis works.)
But that doesn't mean existing ME versions have code for this, or that the ME can access the internet that way.
> Can iME communicate with the internet or other nearby iME chips or WIFI hotspot through ultrasonic sound?
*Maybe*.
Most routers don't have audio transducers (speakers/microphones), so can't detect ultrasonic sound in a traditional way.
Even without audio transducers, wifi routers can in principle be programmed to convert some kinds of Wifi signal fluctuation into audio: https://www.theatlantic.com/technology/archive/2016/08/wi-fi-surveillance/49...
But AFAIK this has been achieved only with fluctuations caused by macroscopic movement - not with the much smaller fluctuations caused by ultrasonic sound sources.
> Somehow, I'm not sure, but sometimes I have an assumption (maybe a wrong assumption), that ME still can connect to the internet, without using any of these networking devices (WIFI card / Wwan card / bluetooth / wimax / ethernet), because: [...]
Unlikely.
> - Or maybe all Wifi hotspot routers have iME similar chips that can
> communicate hidden traffic with iME chips?
Most wifi routers don't use x86 architecture or Intel CPUs, but some router chipsets do have coprocessors. OpenWRT and related projects maintain databases of router chipsets, if you're interested.
Even if a router's chipset has a coprocessor, though, that doesn't mean it can or does "communicate hidden traffic with iME chips".