Massive Intel data leak - why use the term 'backdoors' for firmware APIs?

[exile360]

I've been pretty vocal in my disdain for technologies like the black box CPU known as the Intel Management Engine built into every Intel CPU for the past several years as a potential risk for abuse by hackers, governments and companies who have either been granted access by Intel through documenting the backdoors and how to exploit them, or through reverse engineering efforts by rogue actors exploiting flaws in these technologies (or simply discovering that it's super easy to do, as with the recently patched IME vulnerability which allowed remote access and control using a blank password), so when I heard that this huge leak of Intel internal documents occurred and that people were finding tons of references to 'backdoors' in internal Intel firmware source code, I was more than a little miffed.

Is it possible that these references to 'backdoors' are just benign and unfortunate phrasing for something completely unrelated to undisclosed remote access and control by outside parties (i.e. government agencies and/or corporations etc.)?  Certainly, and I truly hope this is the case and that it's just unfortunate wording, however, given all the heat and negative press Intel has taken over the years for their IME technology, I would think their developers would be more sensitive and cautious about avoiding anything even remotely resembling anything malicious or related to any sort of 'backdoor' (although one could make the argument that it might just be one or more of Intel's developers deliberately trolling to make light of the subject because they know the technology is harmless), but it still raises eyebrows either way, and does not inspire confidence.

Bear in mind that it isn't just Intel that has this kind of tech baked into their chips; AMD CPUs include a similar piece of technology that they call Trust Zone which runs inside an ARM CPU inside every AMD CPU which they refer to as their Platform Security Processor, so if Intel is working with the NSA (or anyone else) to provide backdoors for unauthorized remote access to others' systems, AMD is likely doing the very same thing because all the pieces are there to potentially allow it and pretty much every CPU in any computing device since around 2012 or so has included it (yes, including your smart phone; ARM was AMD's partner in developing their PSP/Trust Zone platform).

Let's hope that my fears are unfounded and that our chips are secure (or at least as secure as they can be with all the very real security vulnerabilities they contain being discovered and published in headlines all the time), but I am anxious to see what further information comes from these leaks.  The original leaker has apparently promised much more to come, claiming it's even 'juicier' than the initial leak, so we'll see.  Hopefully it just ends up being about Intel's internal knowledge that their 10NM process was a loser and that they were likely to get smoked by AMD for a while, or that they knew about some of the vulnerabilities like Spectre and Meltdown but hoped no one would discover them (not a great look, but at least it's not quite deliberately malicious), but I fear there may be more to these mentions of backdoors in Intel's firmware.

We will just have to wait to hear from educated developers, tech analysts and researchers to know for sure.

In the meantime, you can head over to Bleeping Computer to see what's been learned so far.

Honestly, this only highlights more than ever the need for us, as individuals, to do all we can to protect our privacy, but we can't do it alone.  If the companies running the websites and servers, collecting information for any reason (whether it be legal/legitimate or not) aren't responsible with securing that data, then it doesn't matter whether their uses are legal and acceptable, because there is always the potential for that same data to fall into the wrong hands if improperly secured, which is why this Intel leak occurred in the first place, because it was discovered on the open web residing on an unsecured CDN server.  Who needs a backdoor when all the information is right there in an easily accessible server from some company like Intel, Microsoft, Google, or even your phone company or ISP?  The information poses a risk regardless of how it was obtained.

I spoke not long ago with another forum member about the issue of privacy and we agreed that a major component for things to improve would have to be strong legislation from leaders in government to help protect the privacy of their citizens, and no matter what technology might or might not be built into our CPUs, if we can at least hold governments and corporations responsible for properly handling that data and seeking (rather than assuming) consent to harvest it in the first place, things could actually get better.  I'm glad to see the Data Accountability and Transparency Act being proposed by a US senator which, according to the Malwarebytes Labs blog article:

Quote

Broadly, the bill attempts to wrangle better data privacy protections in three ways. First, it grants now-commonly proposed data privacy rights to Americans, including the rights of data access, portability, transparency, deletion, and accuracy and correction. Second, it places new restrictions on how companies and organizations can collect, store, share, and sell Americans’ personal data. The bill’s restrictions are tighter than many other bills, and they include strict rules on how long a company can keep a person’s data. Finally, the bill would create a new data privacy agency that would enforce the rules of the bill and manage consumer complaints.

Buried deeper into the bill though are two proposals that are less common. The bill proposes an outright ban on facial recognition technology, and it extends what is called a “private right of action” to the American public, meaning that, if a company were to violate the data privacy rights of an everyday consumer, that consumer could, on their own, bring legal action against the company.

Edited August 10, 2020 by exile360

[AdvancedSetup]

I'm not sure there is a true back door but with regards to privacy in general you'd think that with the advent of repeated disclosure of personal data that was supposed to be "protected" would certainly show that neither Private Corporations or Government can adequately safe guard and protect data. That alone should be reason to heavily work on enacting laws that make it impossible for companies and government both to stop collecting data via randomly monitoring computers and phones either directly or via tapping of networks via ISP, etc. For legal law enforcement data it should have security increased greatly and if some location is lacking in security and data is leaked then someone should be held liable with consequences and not just a slap on the wrist or ignored.

Though that would be nice, I seriously doubt any such improvements will happen in my lifetime. We are on a quest to gather data and ruin people disguised in various well meaning laws, bills, and corporate greed for money.