hi coreboot,
I read in Wikipedia that Intel ME has an independent internet connection. But what does "independent" mean?
Is it an internet connection independent from the OS?
Or is it an internet connection independent from the network-related devices, such as a WWAN card, WLAN card, Bluetooth module or WiMAX card?
Or maybe it has its own secret/hidden independent networking device, so it can connect to the internet without depending on the laptop's networking devices, such as a WWAN card, WLAN card, Bluetooth module or WiMAX card?
regards,
Hendra wrote:
I read in Wikipedia that Intel ME has an independent internet connection. But what does "independent" mean?
Is it an internet connection independent from the OS?
Yes. The ME is inside the CPU or chipset and can use all hardware devices in the system. It can use any network connection configured by the OS without the OS ever noticing.
Or maybe it has its own secret/hidden independent networking device, so it can connect to the internet without depending on the laptop's networking devices, such as a WWAN card, WLAN card, Bluetooth module or WiMAX card?
I guess no, but only Intel really knows. Antennas would be tricky though.
I highly recommend reading this book by Intel to learn more about the ME:
http://www.apress.com/9781430265719
My favorite quote is on p.165, first page of the "Trust Computing" chapter:
"The owner of a platform is not always the one to protect."
Kind regards
//Peter
Hi Hendra,
On 01.10.21 17:43, Hendra wrote:
I read in Wikipedia that Intel ME has an independent internet connection. But what does "independent" mean?
I don't think that's true. Maybe one could twist the word "independent" enough so it makes sense, but I wouldn't call it that. I would say a shared internet connection.
It can use the same internet connection, without your OS knowing. But that doesn't mean you wouldn't be able to know it. If you have the machine at hand, and it's not protected by some BIOS password voodoo, you can just look into the ME settings.
Is it an internet connection independent from the OS?
Close. The ME firmware (another OS on another core) can use the same network controllers as your OS. I'm not sure about the details, but I assume it filters TCP ports to offer its own services. So I'd say it uses independent TCP ports? *shrug*
A quick search for "intel amt configure ip" led me here [1]. It seems there was a time when one could configure individual IP addresses for ME and host OS's, but that ended about 10 years ago.
AMT is the name of the networking software that runs on the ME btw. Many ME firmware packages don't have AMT at all. So officially, these couldn't do networking. Absence of a piece of software is hard to prove, though. And they could plausibly deny having put it there on purpose, as they could just say they mixed the packages up. That's my biggest concern about the ME. Intel makes it very hard to see what software is installed and allowed to run.
AIUI, but I'm not 100% sure, computers with AMT should be tagged "vPro".
Or is it an internet connection independent from the network-related devices, such as a WWAN card, WLAN card, Bluetooth module or WiMAX card?
No, it would use one of those.
Or maybe it has its own secret/hidden independent networking device, so it can connect to the internet without depending on the laptop's networking devices, such as a WWAN card, WLAN card, Bluetooth module or WiMAX card?
Very unlikely. And only if they had hidden it very well and implemented it additionally to the publicly documented networking stuff. If you suspect a silicon vendor to do that, any of them could. No ME needed. But it would probably look suspicious under a microscope. FWIW, nobody has seen something like that in Intel's chipsets. OTOH, usually when somebody talks about microscope pictures, it's about the CPU and not the PCH (where the ME resides). So I'm not sure if people actually look at it.
[1] https://software.intel.com/sites/manageability/AMT_Implementation_and_Refere...
Nico
On Fri, 1 Oct 2021 20:58:14 +0200, Nico Huber wrote:
A quick search for "intel amt configure ip" led me here [1]. It seems there was a time when one could configure individual IP addresses for ME and host OS's, but that ended about 10 years ago.
And the ME also had (has?) its own MAC address: "The ME has its own MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, [...]."
According to: https://en.wikipedia.org/wiki/Intel_Management_Engine#Hardware ... which in turn references: http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/i210-...
That's from 2012, but still updated this year.
AMT is the name of the networking software that runs on the ME btw. Many ME firmware packages don't have AMT at all. So officially, these couldn't do networking.
Well, devices without AMT firmware couldn't do the advertised out-of-band management etc. which is implemented by AMT, but these devices may still have network-capable ME firmware, maybe for AntiTheft technology (apparently discontinued in 2015) or whatever...
Regards,
On 02.10.21 16:11, Merlin Büge wrote:
On Fri, 1 Oct 2021 20:58:14 +0200, Nico Huber wrote:
A quick search for "intel amt configure ip" led me here [1]. It seems there was a time when one could configure individual IP addresses for ME and host OS's, but that ended about 10 years ago.
And the ME also had (has?) its own MAC address: "The ME has its own MAC and IP address for the out-of-band interface, with direct access to the Ethernet controller; one portion of the Ethernet traffic is diverted to the ME even before reaching the host's operating system, [...]."
According to: https://en.wikipedia.org/wiki/Intel_Management_Engine#Hardware ... which in turn references: http://www.intel.com/content/dam/www/public/us/en/documents/datasheets/i210-...
That's from 2012, but still updated this year.
Hmmm, interesting. But this datasheet describes the capabilities of a discrete NIC and not the ME. Chapter 10 details manageability features. These may be used by the ME but could also be used by other controllers, e.g. a less integrated BMC. And the additional MAC address is optional.
However, that's actually simple to figure out. One can just enable things and check the DHCP server's logs. Or in the worst case, trace all traffic.
Nico
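One way to carry out the check Nico describes (look at the DHCP server's logs, then trace traffic), as an added example that is not code from the thread: the host inventory, the dnsmasq-style log lines and the flow records are constructed, and the AMT port numbers come from Intel's public AMT documentation rather than from this thread.

```python
"""Audit helpers: find network activity that the host OS cannot account for.
Added example, not code from the thread. All log lines, inventory entries and
flow records below are constructed."""
import re
from dataclasses import dataclass

# TCP ports on which Intel AMT offers its services (from Intel's public AMT
# documentation). The chipset diverts these to the ME before the host OS sees
# them, so they never show up in the host's own socket table.
AMT_TCP_PORTS = {16992, 16993, 16994, 16995, 623, 664}

# What each host OS reports about itself: NIC MAC -> hostname (constructed).
HOST_INVENTORY = {
    "3c:97:0e:12:34:56": "alice-laptop",
    "a4:5e:60:ab:cd:ef": "bob-desktop",
}

# Constructed dnsmasq-style DHCP server log. The third ACK reuses bob-desktop's
# MAC with a different hostname, and the fourth goes to a MAC no host claims.
DHCP_LOG = """\
Oct  2 08:01:12 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.20 3c:97:0e:12:34:56 alice-laptop
Oct  2 08:03:40 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.21 a4:5e:60:ab:cd:ef bob-desktop
Oct  2 23:15:02 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.21 a4:5e:60:ab:cd:ef bob-desktop-oob
Oct  2 23:16:55 gw dnsmasq-dhcp[812]: DHCPACK(eth0) 192.168.1.77 02:aa:bb:cc:dd:77
"""

# Constructed flow records as a tracer would summarise them:
# (src_ip, dst_ip, dst_port, proto).
FLOWS = [
    ("192.168.1.5", "192.168.1.21", 22, "tcp"),
    ("192.168.1.5", "192.168.1.21", 16992, "tcp"),
    ("192.168.1.21", "192.168.1.1", 53, "udp"),
    ("10.0.0.9", "192.168.1.20", 16993, "tcp"),
]

LEASE_RE = re.compile(
    r"DHCPACK\(\S+\) (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) "
    r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: (?P<host>\S+))?\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    kind: str    # "unknown-mac" or "hostname-mismatch"
    detail: str


def audit_dhcp_log(log: str, inventory: dict) -> list:
    """Flag DHCP leases that the OS-side inventory cannot account for.

    A lease on an unknown MAC, or a known MAC presenting a hostname other than
    the one its OS uses, is what a management stack sharing the NIC looks like
    from the DHCP server's point of view.
    """
    findings = []
    for line in log.splitlines():
        m = LEASE_RE.search(line)
        if not m:
            continue  # not a lease acknowledgement
        mac = m["mac"].lower()
        ip, host = m["ip"], m["host"]
        expected = inventory.get(mac)
        if expected is None:
            findings.append(Finding("unknown-mac", f"{mac} leased {ip} as {host or '(no hostname)'}"))
        elif host is not None and host != expected:
            findings.append(Finding("hostname-mismatch", f"{mac} is {expected} but leased {ip} as {host}"))
    return findings


def amt_service_flows(flows) -> list:
    """Return the TCP flows addressed to an AMT service port."""
    return [f for f in flows if f[3] == "tcp" and f[2] in AMT_TCP_PORTS]


def ports_not_owned_by_host(open_from_network, host_listening) -> list:
    """Ports that answer on the wire but have no listening socket in the host OS.

    Compare a port scan taken from another machine with the host's own socket
    table (e.g. the output of `ss -ltn`); whatever is left over was answered by
    something below the OS.
    """
    return sorted(set(open_from_network) - set(host_listening))


if __name__ == "__main__":
    for f in audit_dhcp_log(DHCP_LOG, HOST_INVENTORY):
        print(f"DHCP  {f.kind:18} {f.detail}")
    for src, dst, port, _ in amt_service_flows(FLOWS):
        print(f"FLOW  {src} -> {dst}:{port} (AMT service port)")
    print("HIDDEN", ports_not_owned_by_host({22, 16992, 16993}, {22}))
```

A non-empty result from any of the three checks is a lead to investigate, not proof of the ME: a BMC or any other out-of-band controller sharing the NIC produces the same pattern.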
Thanks Merlin,
Let's say we don't use an Ethernet LAN cable, but only use a WiFi card to connect to the WiFi router, and the WiFi router requires a password and the password is set in the OS. So how can the ME connect to the WiFi router without knowing the password?
Thanks Peter and Nico for the information, it is really helpful.
I also agree with the assumption that the ME is connected to the internet through the same network card we use.
But then, there is a familiar statement on the internet that the ME is still running and connected to the internet even when the computer is off, as long as it has a battery.
Let's say we only use WiFi WLAN cards for the internet connection, and the WiFi router requires a password for access. How is the ME still running when the computer is off, and connected to the WiFi router without the password?
Hi,
On 03.10.21 07:13, Hendra wrote:
But then, there is a familiar statement on the internet that the ME is still running and connected to the internet even when the computer is off, as long as it has a battery.
Let's say we only use WiFi WLAN cards for the internet connection, and the WiFi router requires a password for access. How is the ME still running when the computer is off, and connected to the WiFi router without the password?
Why without a password? I would assume that you have to configure the password in the ME settings. You have to assume the usual environment where AMT is used: the device proprietor has a fleet of them in their office; they configure AMT once so it's able to access their network; from then on, they can manage the devices remotely. That's the basic idea and I don't see why one wouldn't be able to set a WiFi password.
Maybe that's the point of confusion: that things are hidden from the host OS doesn't mean that they are hidden from the device's administrator.
Nico
In my understanding,
in their office they know the password of their internet connection, therefore they can set up the password in the AMT so they can access the devices remotely,
but after the products are distributed all over the world, each is connected to a different WiFi router with a different password, therefore they need to set up another WiFi password in the AMT in order for the AMT to be connected to the internet, so that they can access it remotely,
but then how do they know the password? Also, how do they access it remotely to set up the password again?
On 03.10.21 12:43, Hendra wrote:
In my understanding,
in their office they know the password of their internet connection, therefore they can set up the password in the AMT so they can access the devices remotely,
but after the products are distributed all over the world, each is connected to a different WiFi router with a different password, therefore they need to set up another WiFi password in the AMT in order for the AMT to be connected to the internet, so that they can access it remotely,
Who is "they" in your scenario? Usually it's the one who paid for the device or somebody working for them who sets things up. AMT is a product *for* the customer. People ask for it, people pay for it. That's why it exists.
There may be other ME related products where maybe the OEM or Intel keeps some remote control. But that's nothing you can say generally about the ME. If you want to reason about such a case, I suggest focusing on a specific product.
Nico
On Sun, Oct 03, 2021 at 05:43:38PM +0700, Hendra wrote:
In my understanding,
in their office they know the password of their internet connection, therefore they can set up the password in the AMT so they can access the devices remotely,
but after the products are distributed all over the world, each is connected to a different WiFi router with a different password, therefore they need to set up another WiFi password in the AMT in order for the AMT to be connected to the internet, so that they can access it remotely,
but then how do they know the password? Also, how do they access it remotely to set up the password again?
A while since I last looked into this, but IIRC:
- Important to distinguish between ME OS (a Minix derivative) and "main" OS (typically Windows, macOS, GNU/Linux, ...)
- ME can, while main OS is running, view some/all CPU registers, RAM, and (in the case of *compatible* NICs), some NIC registers.
- ME can therefore (in principle, at least) record network credentials to persistent storage.
That raises questions including the following:
- Does ME in fact extract network credentials from the main OS when the latter is running? (IIRC, Snowden indicated the answer is yes - at least in some cases.)
- If so, which part(s) of which versions of the ME are responsible? (A binary search like the one Trammell Hudson - I think - used to work out how to neutralise the ME might reveal this.)
- Which other variables affect whether the answer is "yes"?
- Does ME in fact store credentials persistently, to give itself network access even if main OS is not running? (IIRC, Snowden indicated the answer is yes - at least in some cases.)
- If so, then where do which versions of the ME store those credentials? (Do they use persistent storage on the NICs? BIOS/UEFI? HDD/SSD? Or somewhere sneakier like in the HDD/SSD controllers? Maybe some combination or fallback of all these?)
- Which other variables affect whether the answer is "yes"?
Someone (a PhD student, maybe?) should make these questions the subject of a research project. Perhaps it has already been done. As I say, I'm a bit out of the loop just now.
On Sunday, October 3rd, 2021 at 12:23 PM, Sam Kuper sampablokuper@uclmail.net wrote:
Someone (a PhD student, maybe?) should make these questions the subject of a research project. Perhaps it has already been done. As I say, I'm a bit out of the loop just now.
I highly recommend this thesis about the ME: https://depositonce.tu-berlin.de/bitstream/11303/4494/1/stewin_patrick.pdf
More info about Intel CSME: https://github.com/hardenedlinux/firmware-anatomy/blob/master/hack_ME/me_inf...
Risk assessment from enterprise security perspective: https://hardenedvault.net/2021/07/16/ciso-seceng_csme.html
Regards,
Shawn
That raises questions including the following:
- Does ME in fact extract network credentials from the main OS when the latter is running? (IIRC, Snowden indicated the answer is yes - at least in some cases.)
Technically it wouldn't need to, since it controls the networking hardware: it could set up an ad-hoc wireless network to communicate with other Intel ME chips in the local area until it finds one with a wired connection, and route traffic through that.
Hi all,
Thanks for the information.
Hi Brian,
That's mind-blowing, I never thought about that before.
Hi Shawn / Peter,
Thanks for the PDF and links, I'm gonna find some time to read them.
Hi Nico,
"they" refers to the adversary.
So, in conclusion:
- ME has its own MAC and IP address
- ME can access the internet by using the OS's configured network connection, without the OS ever noticing
- ME can record network credentials to persistent storage, while the main OS is running.
- ME can use the recorded network credentials for internet access, while the main OS is not running.
- ME cannot access the internet without the laptop's networking device (WLAN / WiFi card, WWAN card, Bluetooth, WiMAX, Ethernet)
- a secret / hidden independent networking device would probably look suspicious under a microscope; nobody has seen something like that in Intel's chipsets.
- ME without AMT firmware couldn't do out-of-band management, but may still be networking capable.
- ME could set up an ad-hoc wireless network with other iME chips in the local area, then connect to the internet through other iME chips.
How about an ultrasonic transmitter / receiver? Can the iME communicate with the internet, other nearby iME chips or a WiFi hotspot through ultrasonic sound?
Somehow, I'm not sure, but sometimes I have an assumption (maybe a wrong assumption) that the ME can still connect to the internet without using any of these networking devices (WiFi card / WWAN card / Bluetooth / WiMAX / Ethernet), because:
- WWAN card / WiMAX / Ethernet are rarely used by laptops, so maybe this option can be eliminated.
- I think Bluetooth could not be used for internet access, and it would be easily detected by Bluetooth scanning, so maybe this option can be eliminated.
- I assume a wireless WLAN WiFi card is the most possible way for the ME to access the internet, but I also think Wireshark can scan and capture all traffic at the WiFi hotspot router, and so far nobody has reported any capture of ME traffic at the WiFi hotspot router, so maybe this option can also be eliminated.
- So what else? I am not sure. Maybe an ultrasonic transmitter / receiver?
- Or maybe an ad-hoc wireless network with other iME chips?
- Or maybe all WiFi hotspot routers have iME-similar chips that can communicate hidden traffic with iME chips?
_______________________________________________
coreboot mailing list -- coreboot@coreboot.org
To unsubscribe send an email to coreboot-leave@coreboot.org
On 04.10.21 22:17, Hendra wrote:
Hi Nico,
"they" refers to the adversary.
Huh? That's the first time you bring that up, IIRC. Your original question, how it is connected to the internet, does not imply any malicious intention. If you assume that, all bets are off. I don't think the quotes from Wikipedia apply in this case.
For instance, if you consider the potential of some malware running on the ME, there is no need to reason about IP addresses or credentials anymore. It could just trace or spoof anything. Just whatever a root-kit in your host OS could do too, basically.
So, in conclusion:
- ME has its own MAC and IP address
No, and no, IIRC. Regarding the IP all bets are off if you consider malware.
- ME can access the internet by using the OS's configured network connection, without the OS ever noticing
- ME can record network credentials to persistent storage, while the main OS is running.
- ME can use the recorded network credentials for internet access, while the main OS is not running.
- ME cannot access the internet without the laptop's networking device (WLAN / WiFi card, WWAN card, Bluetooth, WiMAX, Ethernet)
- a secret / hidden independent networking device would probably look suspicious under a microscope; nobody has seen something like that in Intel's chipsets.
- ME without AMT firmware couldn't do out-of-band management, but may still be networking capable.
- ME could set up an ad-hoc wireless network with other iME chips in the local area, then connect to the internet through other iME chips.
Btw. all this `can` and `could` is also true about any other DMA capable controller in your PC (there are many) that is not sandboxed via IOMMU.
How about an ultrasonic transmitter / receiver? Can the iME communicate with the internet, other nearby iME chips or a WiFi hotspot through ultrasonic sound?
Somehow, I'm not sure, but sometimes I have an assumption (maybe a wrong assumption) that the ME can still connect to the internet without using any of these networking devices (WiFi card / WWAN card / Bluetooth / WiMAX / Ethernet), because:
- WWAN card / WiMAX / Ethernet are rarely used by laptops, so maybe this option can be eliminated.
- I think Bluetooth could not be used for internet access, and it would be easily detected by Bluetooth scanning, so maybe this option can be eliminated.
- I assume a wireless WLAN WiFi card is the most possible way for the ME to access the internet, but I also think Wireshark can scan and capture all traffic at the WiFi hotspot router, and so far nobody has reported any capture of ME traffic at the WiFi hotspot router, so maybe this option can also be eliminated.
- So what else? I am not sure. Maybe an ultrasonic transmitter / receiver?
- Or maybe an ad-hoc wireless network with other iME chips?
- Or maybe all WiFi hotspot routers have iME-similar chips that can communicate hidden traffic with iME chips?
I do wonder now if your questions are about the Intel ME at all? All such covert channel ideas are not limited to the ME. Maybe this would be a better topic for this thread: How could malicious hardware/software communicate with the internet?
I guess this is the wrong mailing list for such questions though. It's not about firmware anymore. And the moment you make it about the Intel ME for no technical reason, it becomes FUD.
Nico
On Tue, Oct 05, 2021 at 03:17:13AM +0700, Hendra wrote:
[..] So, in conclusion:
- ME has its own MAC and IP address
No.
NICs have MACs.
NICs *may* have IP addresses.
- ME can access the internet by using the OS's configured network connection,
Or perhaps a network connection configured in BIOS or UEFI.
without the OS ever noticing
Yes, that's how OOB management works. ME/AMT is a bit like iLO or IPMI, but implemented via the CPU's coprocessor.
- ME can record network credentials to persistent storage, while the main OS is running.
*Maybe*.
- ME can use the recorded network credentials for internet access, while the main OS is not running.
*Maybe*.
- ME cannot access the internet without the laptop's networking device
Almost certainly correct. Also, the NIC has to be compatible: the ME does not, AFAIK, have drivers for all NICs.
- a secret / hidden independent networking device,
A networking device other than the PC's obvious/legitimate NICs?
would probably look suspicious under a microscope,
Uncertain.
First of all, you can't tell for sure what a chip does just by looking at it with a microscope:
https://www.schneier.com/blog/archives/2013/09/surreptitiously.html
Secondly, even if you know what a chip is for, and that it isn't a NIC, and that it hasn't been tampered with, and that it isn't necessarily even physically connected to circuitry outside the PC, that doesn't mean it can't be used to exfiltrate data. So "networking devices" (in the loosest sense) could be hiding in plain sight. E.g. some GPUs can be used to exfiltrate data wirelessly: https://arxiv.org/abs/1411.0237
AFAIK, there's no evidence existing ME versions contain code for intentional side-channel data exfiltration.
nobody has seen something like that in Intel's chipsets.
Again, not clear what you mean. Marginally relevant reading:
https://www.theregister.com/2021/02/12/supermicro_bloomberg_spying/
https://hackaday.com/2019/05/14/what-happened-with-supermicro/
- ME without AMT firmware couldn't do out-of-band management, but may still be networking capable.
Uncertain. Cf. "Lojack for laptops" - IIRC this did not require AMT.
- ME could set up an ad-hoc wireless network with other iME chips in the local area, then connect to the internet through other iME chips.
*Maybe.*
For each PC involved, ME would need PC to have a compatible NIC.
A transport medium would need to be present between those devices: if WiFi, they'd have to be within range; if ethernet, they'd have to be plugged in and on a suitable topology.
That's just to make a mesh.
And AFAIK, there's no evidence existing ME versions contain mesh networking code.
To gain internet access, then in addition to the above, one of the devices on the mesh would need internet access, e.g. via cached credentials or credential-free.
How about an ultrasonic transmitter / receiver?
There's no shortage of techniques for exfiltrating data over air gaps:
https://thehackernews.com/2020/02/hacking-air-gapped-computers.html
https://www.zdnet.com/article/academics-steal-data-from-air-gapped-systems-u...
https://en.wikipedia.org/wiki/TEMPEST
And no reason why control of the CPU can't provide an acoustic exfiltration channel. (After all, that's effectively how acoustic cryptanalysis works.)
But that doesn't mean existing ME versions have code for this, or that the ME can access the internet that way.
Can iME communicate with the internet or other nearby iME chips or WIFI hotspot through ultrasonic sound ?
*Maybe*.
Most routers don't have audio transducers (speakers/microphones), so can't detect ultrasonic sound in a traditional way.
Even without audio transducers, wifi routers can in principle be programmed to convert some kinds of Wifi signal fluctuation into audio: https://www.theatlantic.com/technology/archive/2016/08/wi-fi-surveillance/49...
But AFAIK this has been achieved only with fluctuations caused by macroscopic movement - not with the much smaller fluctuations caused by ultrasonic sound sources.
Somehow, I'm not sure, but sometimes I have an assumption (maybe a wrong assumption) that the ME can still connect to the internet without using any of these networking devices (WiFi card / WWAN card / Bluetooth / WiMAX / Ethernet), because: [...]
Unlikely.
- Or maybe all WiFi hotspot routers have iME-similar chips that can communicate hidden traffic with iME chips?
Most wifi routers don't use x86 architecture or Intel CPUs, but some router chipsets do have coprocessors. OpenWrt and related projects maintain databases of router chipsets, if you're interested.
Even if a router's chipset has a coprocessor, though, that doesn't mean it can or does "communicate hidden traffic with iME chips".
Hello! Regarding the Intel ME, there's a good selection of articles on Hack A Day. For starters: https://hackaday.com/2017/12/11/what-you-need-to-know-about-the-intel-manage...
And then: https://hackaday.com/tag/management-engine/ There you'll find five separate ones covering much of what you would need.
No, I don't write for them, or whatnot, I just support them.
-----
Gregg C Levine gregg.drwho8@gmail.com
"This signature fought the Time Wars, time and again."