[coreboot] how effective is neutralizing Intel ME/AMT/vPro?

Daniel Pocock daniel at pocock.pro
Wed Aug 2 22:39:02 CEST 2017 

On 02/08/17 20:43, ron minnich wrote:
>
>
> On Wed, Aug 2, 2017 at 11:48 AM Daniel Pocock <daniel at pocock.pro
> <mailto:daniel at pocock.pro>> wrote:
>
>     I understand that with LibreBoot and one of their supported laptops it
>     is possible to completely eliminate the risk by removing 100% of
>     proprietary/hidden code.
>
>
> I'm glad they did this but ... you need to understand that the laptop
> in that case is 10 years old (or is there a newer one I missed?).
> There is a core set of functionality the ME provides on newer chipsets
> that as far as we know, can not be removed :-(
>
>  
For some purposes, a 10 year old laptop is quite OK

If you want a secure environment to manage your PGP master keys, for
example, that may be a good choice (see the PGP/PKI clean room Debian
Live image)

>
>     However, for people who choose Coreboot, ME_Cleaner, a Purism
>     laptop or
>     some other compromise, leaving in place around 90kb of the Intel code,
>     is there a concise way to explain the attack vectors that they
>     eliminate
>     and the attack vectors that remain?
>
>
> well, as purism has pointed out, due to a bug, they only check signing
> on 1/4 of that ME code (IIRC). So, if you want, you could embed your
> exploits in the other 3/4. That's about 65K. 
>
> What could you do? I am guessing a lot.
>
> And, further, if such exploits can be done, and have been possible for
> at least 10 years, it's reasonably to assume they HAVE been done and
> are out there now. Bummer.

Just as it is never too late to give up smoking, it is never too late to
escape from mass surveillance.

As a Linux user I get away with using a laptop until it is quite old but
many other people have become well and truly dependent on newer hardware
and software that has this massive backdoor in it.

>  
>
>
>     For example, I've read that Purism doesn't use vPro-compatible wifi
>     hardware, so my impression is they eliminate random attacks coming in
>     through the network and spontaneously activating Intel ME, but if
>     malicious code does get into Intel ME by some other means (such as a
>     malicious email attachment) it may still be able to hide there
>     indefinitely and use any network device on the machine to call home?
>
>
> Can it get in via malicious email attachment? What's the path for
> that?  Seems hard but I'm willing to believe anything nowadays after
> reading about all these sideband attacks.
>

I assume some email attachment may be a stepping stone for a privilege
escalation attack that eventually gets into the BIOS or HDD firmware.

There is also the QR-code of death.  It is like the ping of death but it
is designed for the firmware of the built-in webcam in your laptop.

Regards,

Daniel

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.coreboot.org/pipermail/coreboot/attachments/20170802/824e7460/attachment.html>

More information about the coreboot mailing list