exile360

Intel ME Vulnerability - Time to patch...again :(


For a long time security experts have warned about the dangers of using insecure software and hardware.  They tell us to never use simple passwords, never to write down our passwords, never leave our devices unlocked, and to always change the default administrator password on our routers and other devices.  But what if there was a device inside your CPU, the central 'brain' of your computer that was always on, even when the system is powered off, and what if I told you this device was inside every computer built in the last 11 or so years and that it was so secret and its code so obscured that security researchers can't even audit its code for potential vulnerabilities and that it has full access to your network devices and storage devices in your system, has the ability to power on your system remotely, and even access your hardware and data when no operating system is installed or running?  You would probably tell me that it's time to get my tinfoil hat resized because it's on a little too tight, right?  Well unfortunately not only is this a reality, but it has already had vulnerabilities discovered that could exploit it.

What I am referring to is a piece of technology called IME or the Intel Management Engine.  It is a piece of code that runs inside a chip inside every Intel CPU and it was designed to allow remote control of every Intel based PC.  Unfortunately even if you're using an AMD processor you still have something like this, except they call it 'TrustZone' (a rather ironic name in my opinion :P).

Well, as has been a theme lately, a new vulnerability has been discovered in Intel's Management Engine and the only way to patch it is through a firmware update.  This can be done manually, but it isn't very straightforward, especially if your OEM/system manufacturer hasn't supplied a patch (most don't for these kinds of vulnerabilities unfortunately, especially for older systems).  For those who wish to attempt patching it on your own, you'll find all the tools and instructions required at the Win-Raid Forum here.  They have links to downloads for all of the required tools to check your ME version and the utilities from Intel to patch it along with the latest firmware versions.  That said, if you do intend to patch as I did, BE CAREFUL and read the instructions and information in that post very carefully as there is no one size fits all firmware and you could easily brick your system if you do the wrong thing; sadly the only alternative is to remain vulnerable to potential ME exploits.

I wish it could be disabled or removed somehow, but so far the only known method which is documented here is rather risky (even more than patching the ME firmware) but hopefully they or someone like them will come up with a more user friendly solution soon, especially now that they have a working proof of concept.

This isn't the first ME vulnerability to be discovered either.  Here are just a few examples from recent history:

https://www.tomshardware.com/news/intel-amt-vulnerability-me-dangerous,34300.html
https://www.tomshardware.com/news/intel-amt-bitlocker-bios-bypass,36321.html
https://www.tomshardware.com/news/intel-me-new-firmware-bugs,37492.html

Many have criticized Intel (and AMD) for including this tech in their chips and providing no straightforward way to disable it, as has even the creator of MINIX, the operating system that runs on the ME chip.


The sad part is this is a potentially dangerous update doing it manually on your own. The reply from Intel is just passing the buck. You know very well that almost no motherboard manufacturer is going to go back and update any BIOS/UEFI for anything over a couple of years old. So for the vast majority, this issue will never be fixed.

Quote

 Recommendations:

 Intel recommends that users of Intel® CSME, Intel® SPS, Intel® TXE, Intel® DAL, and Intel® AMT update to the latest version provided by the system manufacturer that addresses these issues.


My motherboard is only a couple years old from Asus and is a top of the line motherboard and it has no BIOS update since early last year and that is the "norm". Cheaper and older motherboards will have no updates period in many cases.

 

 


Exactly, and what's so frustrating about all of this is that these vulnerabilities wouldn't even exist if Intel, AMD and whoever else has led this initiative for these kinds of secretive technologies in CPUs hadn't pushed so hard to get this technology into every single chip they've made since the late 2000s.  I have my suspicions as to why they exist on such a large scale but there's no need to stir things up.  I'll just say that I believe it is a horrible mistake and that it is going to lead to severe consequences for everyone if and when the bad guys discover a method to deploy attacks remotely to these devices (assuming they have not already done so).  Intel's excuse has always been that this feature only exists for the sake of their business and enterprise customers for systems management, but then why does the ME exist in every single chip they have created, including those explicitly for gamers/enthusiasts as well as consumers?  If this were truly intended to be only for businesses then they would have deployed it sparingly only in the chips where it makes sense for those markets just like they did with technologies like vPro and VT, yet they went to the trouble and cost of putting this technology and the associated software into every single chip they made unlike those features.  It is obvious there must be another reason that they aren't anxious to expose publicly, which also explains why they have always been so secretive about the technology to begin with.

To be clear, an exploit that successfully infiltrates the ME can power on your system remotely even if the device is completely powered off, can run without booting the operating system, can run completely undetected by the operating system, and has full read and write access to every storage device, all of the system memory/RAM, and all networking components attached to the system and can utilize their functions completely unseen by the OS and any software running within the OS.  This means that no antivirus, software firewall, rootkit detection software, deep level forensics/monitoring software/tools can even see this activity much less do anything to prevent it or stop it once in progress.  I am far more concerned about the threat posed by the existence of the ME than I am any of the recently discovered side channel vulnerabilities such as Spectre and Meltdown.  What Intel and AMD have created in their chips is a bullet proof, invisible backdoor into every device that runs on one of their chips, and they aren't the only ones; the cell phones and other devices that use ARM chips have the same kinds of technology built into them as well.  Intel's ME just happens to be the one that gets the most attention due to Intel's notoriety, the popularity of their chips, and the fact that this was the first of these hidden components discovered and made public.

Besides all of that, what happens when the bad guys get access to AI that is capable of testing and developing new attack methods to unlock 0-day vulnerabilities that no one knows about and they then employ those newly discovered tactics in new weaponized malware?  No data will be safe, and neither will any government, public or infrastructural systems/devices that contain the vulnerable technology/chips.  Such an attack will make WannaCry look like a minuscule practical joke compared to the widespread devastation they could cause, especially since patching any vulnerability in the ME is so complex; it's not something Microsoft can just push out a patch for through Windows Update, and even the process of patching can brick a system completely, rendering it unbootable if anything goes wrong during the process.


I'm sure Intel could make available code that would disable it but don't hold your breath on that. If Intel, AMD, and ARM devices all have this feature you can be sure it's probably some mandate at the government level. It's also been with us though for many years now.

 

17 minutes ago, AdvancedSetup said:

I'm sure Intel could make available code that would disable it but don't hold your breath on that. If Intel, AMD, and ARM devices all have this feature you can be sure it's probably some mandate at the government level. It's also been with us though for many years now.

Precisely.  Yes, they could disable it (though it would likewise require flashing the chip), and while there is a way to disable the ME by effectively deleting all of its functions except for the very basic one that tells the CPU/BIOS that the ME is present (a requirement for the system to boot at all unfortunately), I don't think Intel or any other vendor is going to be anxious to provide a means of doing so any time soon.  It has been with us for quite some time now and I expect it to continue to be there for the foreseeable future and I believe it is there for a reason that extends far beyond the management of business devices in corporate environments.
