On 04.10.21 22:17, Hendra wrote:
hi Nico,
"they" refers to the adversary.
huh? that's the first time you bring that up, IIRC. Your original question, how it is connected to the internet, does not imply any malicious intention. If you assume that, all bets are off. I don't think the quotes from Wikipedia apply in this case.
For instance, if you consider the potential of some malware running on the ME, there is no need to reason about IP addresses or credentials anymore. It could just trace or spoof anything. Just whatever a root-kit in your host OS could do too, basically.
so, in conclusion:
- ME has its own MAC and IP address
No, and no, IIRC. Regarding the IP all bets are off if you consider malware.
- ME can access the internet by using the OS's configured network
connection, without the OS ever noticing
- ME can record network credentials to persistent storage, while the
main OS is running.
- ME can use the recorded network credentials for internet access, while
the main OS is not running.
- ME cannot access the internet without Laptop's networking device (
WLAN / WIFI card, WWAN card, bluetooth, wimax, ethernet )
- a secret / hidden independent networking device, would probably look
suspicious under a microscope, nobody has seen something like that in Intel's chipsets.
- ME without AMT firmware couldn't do out of band management, but may
still be networking capable.
- ME could set up an ad-hoc wireless network, with other iME chips in
the local area, then connected to the internet through other iME chips.
Btw. all this `can` and `could` is also true about any other DMA capable controller in your PC (there are many) that is not sandboxed via IOMMU.
How about an ultrasonic transmitter / receiver ? Can iME communicate with the internet or other nearby iME chips or WIFI hotspot through ultrasonic sound ?
Somehow, I'm not sure, but sometimes I have assumption (maybe wrong assumption), that ME still can connect to the internet, without using any of these networking devices ( WIFI card / Wwan card / bluetooth / wimax / ethernet ) , because:
- wwan card / wimax / ethernet are rarely being used by Laptop, so maybe
this option can be eliminated.
- I think bluetooth could not be used for internet access, and it would
be easily detected by bluetooth scanning, so maybe this option can be eliminated.
- I assume, wireless WLAN Wifi card, is the most possible way, for ME to
access the internet, but also I think wireshark can scan and capture all traffic in the Wifi hotspot router, and so far, nobody report any capture of ME traffic in the Wifi hotspot router, so maybe this option also can be eliminated.
- So what else ? I am not sure. Maybe an ultrasonic transmitter /
receiver ?
- Or maybe an ad-hoc wireless network with other iME chips ?
- Or maybe all Wifi hotspot routers have iME similar chips that can
communicate hidden traffic with iME chips ?
I do wonder now if your questions are about the Intel ME at all? All such covert channel ideas are not limited to the ME. Maybe this would be a better topic for this thread: How could malicious hardware/software communicate with the internet?
I guess this is the wrong mailing list for such questions though. It's not about firmware anymore. And the moment you make it about the Intel ME for no technical reason, it becomes FUD.
Nico