Hi,
Seeing that many of you know a lot about Intel's ME I wanted to ask a couple of things if its ok.
* Is the ME network accessible on all Intel chips or only the vPro ones with AMT?
* I saw an interesting take on this in the link below, instead of the usual FUD surrounding this topic whenever its mentioned. What is your take on what he says?
https://www.reddit.com/r/onions/comments/5i6qa3/can_the_nsafbi_use_intel_me_...
(The only correction to what he says: there is no need for a BMC card to use AMT because its network capable out of the box)
Thanks.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 12/23/2016 02:13 PM, bancfc@openmailbox.org wrote:
Hi,
Seeing that many of you know a lot about Intel's ME I wanted to ask a couple of things if its ok.
- Is the ME network accessible on all Intel chips or only the vPro ones
with AMT?
- I saw an interesting take on this in the link below, instead of the
usual FUD surrounding this topic whenever its mentioned. What is your take on what he says?
https://www.reddit.com/r/onions/comments/5i6qa3/can_the_nsafbi_use_intel_me_...
Honestly I'd be far more concerned about the claim that the signing keys are not only known, but actively traded among criminals. That means that we are no longer just looking at state-level attacks on ME-enabled systems, and we have a much larger problem than first assumed by the majority of the security community.
- -- Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com
Interesting question... Really! We know that ME is one, crucial (has influence over protocol stack) for network to work with INTEL CORE families. Not sure about INTEL ATOM, since they're more simplistic, many of them (I should say most of them, exception is certainly Broxton/BXT) are ordered CPUs (I am sure BXT is OOO (Out Of Order) pipeline design, thus, considerably faster).
Now... In regards what here is said, TOR browser (I have one installed on my PC/notebook - Tor Browser 6.0.8) is very secure, I should say. But, there is always possibility that bare basic ME will do something very nasty to your computer/to you. INTEL is NOT to be TRUSTED (my extensive experience with INTEL)! For example, send some unwanted IP messages to somebody else you do NOT want these messages to be sent/seen (NSA, for sake of argument).
Let us think about the given scenario. You open TOR browser, then start sending/posting messages. ME is copying them, also sending with other destination address. If it happens immediately, it also will go via the same service... But, also, ME CAN change socket layer info, I do agree. It MUST have for this a lot embedded logic in itself, thus unpacking enveloped info from IP headers deeper in the message. It can understand that this is intended for TOR, but also it needs to have thousands of TOR network addresses somehow embedded to conclude this, which is impossible in real time. So, it might send EVERY message somewhere else simply changing socket layer service. I agree.
Now, even if you do NOT know anything about this, one billion ME driven PCs World Wide will do that, sending roughly billion of messages to NSA servers every second. This is something NSA needs to process very fast. These are gazillion/zettabytes to be processed every day... :-)))
If you know about networking services, you can, for sake of security, simply add small HW device (firewall) between your PC and WiFi router, which will target ONLY wanted by you external net addresses (after you configure it).
If this is NOT enough, The Best solution, very soon, is coming to the theater near you: WIN10 ARM based mobile and server PCs (they have NOTHING lookalike ME magic, so none of this above will come to play). ;-)
Zoran
On Fri, Dec 23, 2016 at 9:36 PM, Timothy Pearson < tpearson@raptorengineering.com> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 12/23/2016 02:13 PM, bancfc@openmailbox.org wrote:
Hi,
Seeing that many of you know a lot about Intel's ME I wanted to ask a couple of things if its ok.
- Is the ME network accessible on all Intel chips or only the vPro ones
with AMT?
- I saw an interesting take on this in the link below, instead of the
usual FUD surrounding this topic whenever its mentioned. What is your take on what he says?
the_nsafbi_use_intel_me_to_defeat_tor_on_95/
Honestly I'd be far more concerned about the claim that the signing keys are not only known, but actively traded among criminals. That means that we are no longer just looking at state-level attacks on ME-enabled systems, and we have a much larger problem than first assumed by the majority of the security community.
Timothy Pearson Raptor Engineering +1 (415) 727-8645 (direct line) +1 (512) 690-0200 (switchboard) https://www.raptorengineering.com -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iQEcBAEBAgAGBQJYXYrQAAoJEK+E3vEXDOFbJZYIAKLSm/XRly1MJ9vj7Uhrhl4a N32atZlU+9yluH7D3qqmDKAlmTp/vp2xIfEas9HPRE6XvR9p/Dohrfqw5reu36Fr /u3YD0RZT7hqugDO+eoeDQU1H0gbd//5d4m1PMkEPcVkBUeno1oeOjVl/3D22n9B Dcfu1d0fHkgVY2dJFBGiSS+OPhLlvGwa4wP7oRGzQ/Yq5MGAkhI1+nFRRToKIg6d 3QaFyGysoNO73dWqDdgnrE8BDRydXuib3IF6fAB5y0ZzejB8EZRmKDB9GPWv1vTU rZ/nh0XaqdjU09R+voSI+9YACLzMK/Xug40U9/DIUovT/mn96BHd9DV1VGbJB2Y= =Ekoa -----END PGP SIGNATURE-----
-- coreboot mailing list: coreboot@coreboot.org https://www.coreboot.org/mailman/listinfo/coreboot
Hello bancfc,
Friday, December 23, 2016, 9:13:16 PM, you wrote:
boo> Hi,
boo> Seeing that many of you know a lot about Intel's ME I wanted to ask a boo> couple of things if its ok.
boo> * Is the ME network accessible on all Intel chips or only the vPro ones boo> with AMT?
IIRC there were some mobile variants which had access to the wireless 3G chip (for Anti-Theft) but AFAIK this functionality has been dropped. From what I've seen in the common firmwares, only the corporate/AMT (5MB) firmwares include the networking stack.
boo> * I saw an interesting take on this in the link below, instead of the boo> usual FUD surrounding this topic whenever its mentioned. What is your boo> take on what he says?
boo> https://www.reddit.com/r/onions/comments/5i6qa3/can_the_nsafbi_use_intel_me_...
I call FUD on the "keys being traded underground". I highly doubt that even Intel is careless enough to expose the ME signing keys in the clear. Most likely they use a HSM for signing firmwares and the actual keys never leave it. What I *could* buy (but doubt it happened) is that they may have signed some specific firmwares "on special request". In any case, the NSA etc. do not need ME to achieve their goals - there are plenty of other low-hanging fruits starting with good old phishing/social engineering and multitude of OS/application bugs.
Thank you Igor.
For the uninitiated, he has done some excellent RE work on it.
On 12/23/2016 03:13 PM, bancfc@openmailbox.org wrote:
Seeing that many of you know a lot about Intel's ME I wanted to ask a couple of things if its ok.
- Is the ME network accessible on all Intel chips or only the vPro
ones with AMT?
- I saw an interesting take on this in the link below, instead of the
usual FUD surrounding this topic whenever its mentioned. What is your take on what he says?
- Every intel system from around 2008 on has ME. vPro is a module loaded in to ME to provide various corporate manageability features but every chipset is technically network accessible. I don't really deal with desktop hardware anymore but AFAIK on intel's consumer chipset (not Q/B) motherboards there are several network basic manageability features that do not require vPro. - I will investigate this and get back to you.
"You value your privacy, so you run on a system with Core 2 Duo, complete with all the errata? NX-disabling bugs, cache-attacks that work from JavaScript, no SMEP, probably no VT-d, so say goodbye to DMAR and any chance of DMA attack resistance (or VT-d without interrupt remapping, so all but useless even if it is present). You'll also be without AES-NI so side-channel attacks will be much easier (AES has huge S-boxes), and without RDRAND, so early boot will see crappy entropy (please don't bring up the RDRAND is evil myth)."
- I have a KGPE-D16 which has all those great features and 100% libre firmware, you can even play the latest games on it with max settings if you desire and the 62xx cpu works without microcode.
- There is a world beyond x86 https://www.crowdsupply.com/raptor-computing-systems/talos-secure-workstatio... or buy a POWER server from IBM and stick in a graphics card - very high performance and available now.
* He never figured that maybe AES-NI has some kind of fatal problem and that's why "they" let us have it, physical access is FATAL and if you are so concerned about side channel attacks you will build some kind of shielding; besides any good crypto libs have obfuscation. * An elite hacker.....who wastes time posting on public forums (If I had the level of skill he claims to have I sure as shit wouldn't be writing this email) and who uses machines that have ME, sure sure but he uses version 11 so it is OK. * ME has the technical ability to be used to access your data remotely, without a BMC addon (has he never heard of AMT iKVM? or the remote ISO loading tools?) * He assumes that when he dumps and dis-assembles the firmware he is receiving an honest version and not a "special" version with the backdoor removed which could easily be done on a subverted system.
"Intel wouldn't do this because it would be bad for optics" Every criminal thinks that they're going to get away with it.
----------- ME isn't a backdoor directly (remotebackdoor.exe), it is simply a great framework for a backdoor. The idea is that either you can simply use a one time exploit in the operating system to root ME and gain an undetectable perma rootkit, even if we assume intel has out best intentions at heart it is still a massive vulnerability, or that there is a secret exploit (intentional or unintentional) in ME to activate it via network and load a special module, OR that with physical access you already have a great backdoor hardware ready to go all you need is to re-write the firmware.
Paranoia: I believe that there is a "magic" network accessible ME backdoor intentional or otherwise as it is a silver bullet for any intel agency or criminal organization so it makes sense for them to try to do it even if it isn't there by default there isn't anything stopping a well funded group from subverting an OEM and adding an incredibly subtle flaw in the networking controllers for special customers such as the logistics division of a foreign military (no fuel + no food = no army) Having ME onboard makes it much easier to do that, instead of having to create from scratch a remote access ability you simply subvert ME.
Some other will chime in and elaborate on this but bottom line - it is dangerous to have on your computer, it exists to take away control from the user for DRM (PAVP) and someday soon intel will patch the nerfing ability. By the way AMD ZEN/FM2 has PSP and some ARM has TrustZone.
-
bancfc@openmailbox.org -
Igor Skochinsky -
Taiidan@gmx.com -
Timothy Pearson -
Zoran Stojsavljevic