On The Management Engine And The Reality Of Cryptochips

Been reading through the Q-post threads these last few months trying to catch up on them. A lot of fascinating material being highlighted by this mysterious q poster and his trail of breadcrumbs. If you haven't had a look at it, I recommend you do so. There's a lot of interesting dirt flying around in those threads, and any conspiracy minded researcher looking to educate themselves on the realities of government and institutional corruption could do a lot worse than to have a look at the material presented there in my opinion. I would like to briefly thank those members who have toiled within those threads to help share this information with the rest of us.

An interesting post in part one of this series caught my eye:
www.abovetopsecret.com...

The post contains a screen shot from some image board where the author of the screenshot post claims to have worked in the management engine department of a computer manufacturer. Said author claims that the management engine set of components in a personal computer's chip set is a hardware level cryptochip system. That the management engine system of components works below the level of the pc's cpu and has access to all of the machine's functions. This Hackaday article is also quoted in the referenced ATS post, verifying the reality of the technology discussed in the poster's claims:
hackaday.com...

Quoting the Hackaday article, here are a few eye openers for you:

Over the last decade, Intel has been including a tiny little microcontroller inside their CPUs. This microcontroller is connected to everything, and can shuttle data between your hard drive and your network adapter. It’s always on, even when the rest of your computer is off, and with the right software, you can wake it up over a network connection. Parts of this spy chip were included in the silicon at the behest of the NSA.(emphasis mine-badcabbie) In short, if you were designing a piece of hardware to spy on everyone using an Intel-branded computer, you would come up with something like the Intel Managment Engine.

Last week, researchers [Mark Ermolov] and [Maxim Goryachy] presented an exploit at BlackHat Europe allowing for arbitrary code execution on the Intel ME platform. This is only a local attack, one that requires physical access to a machine. The cat is out of the bag, though, and this is the exploit we’ve all been expecting. This is the exploit that forces Intel and OEMs to consider the security implications of the Intel Management Engine. What does this actually mean?

What the Management Engine Is and Does:

Intel’s Management Engine is only a small part of a collection of tools, hardware, and software hidden deep inside some the latest Intel CPUs. These chips and software first appeared in the early 2000s as Trusted Platform Modules. These small crypto chips formed the root of ‘trust’ on a computer. If the TPM could be trusted, the entire computer could be trusted. Then came Active Management Technology, a set of embedded processors for Ethernet controllers. The idea behind this system was to allow for provisioning of laptops in corporate environments. Over the years, a few more bits of hardware were added to CPUs. This was the Intel Management Engine, a small system that was connected to every peripheral in a computer. The Intel ME is connected to the network interface, and it’s connected to storage. The Intel ME is still on, even when your computer is off. Theoretically, if you type on a keyboard connected to a powered-down computer, the Intel ME can send those keypresses off to servers unknown.

Pretty disgusting and a little scary if you ask me, though not really too surprising to those of us who have been paying attention to information technology trends as they have developed in modern times. Not a question of if...More like when and how. More from the article:

For several years now, researchers have been investigating the set of chips Intel has included in their latest CPUs. Unfortunately, Intel decided that closed-source was the way to go, and with that security researchers had an idea of what the Intel ME could do, but had no idea how that was done, and whether or not there were any security holes. This week, that wall was breached. Now anyone can execute arbitrary code on the Intel ME with a USB stick.

This last bit should also be noted:

Consider this Stage One. The ultimate exploit for the ME is one over the network interface. With that, anyone can own an ME-equipped computer from anywhere on the planet. This exploit does not exist yet, and we know this by the fact there isn’t a new, massive botnet mining Bitcoin.

Until that day comes, we’re only left with the realization that yes, the nerds were right. The idea of the NSA putting hardware in every computer sounds absurd, until you realize it actually happened.(emphasis mine-badcabbie)

Over the last few decades, the general population has been dragged kicking and screaming in the world of information security. In the 80s, it was as simple as not writing your password down on a Post-It note. In a few years, we’ll get to the conversation about how Alexas and Google Homes are an Orwellian nightmare. Until then, we’ll have to use the Intel ME exploit as another example of how important security is, and how vital it is to listen to the people telling you, “this is bad”. Code that can’t be audited is code that can’t be trusted.

I have plenty of additional strong opinions I'd like to share, but I shall refrain from doing so in this opening post for the sake of encouraging you to consider the facts of the matter as they are in beginning this discussion. Any posters wishing to debunk this information might first endeavor to perform a web search of the phrase "management engine", where they will find a wealth of articles confirming the accuracy of Hackaday's reporting, unless they are using a censored search engine. Discuss.

Q Thread where the linked post was made(part 1): www.abovetopsecret.com...
Latest Q Thread(part Q): www.abovetopsecret.com...

I used to work for a top 3 OEM.

This device is only as exposed as you let it be.

Security starts outside the PC, and ends outside of the PC.

Connecting to this management chip remotely, requires open ports on the network that the engine uses for communication.

If your network is secured properly, this isn't anything to worry about.

If your network has open exposed ports, that allow for remote access? That's easier to resolve than you would imagine.

Not a big deal, really. Most of your information is correct. TPM's were the start, and this chip has low level access to hardware resources on the PC's system board.

These types of chips are not just on corporate client level computers. These types of engines can be found on modern rack servers as well, and will allow for remote management, remote restarting, and remote diagnostics.

Yes, they can be exploited, but if you secure your network, it can make up for local issues.

a reply to: Archivalist

JavaScript programmer here.

So, it's pretty much like anything else in programming? A tool, basically? With its associated security protocols?

I am thinking crossdomain attacks and such.

Information on this predate this Q person so not a lot of magic there.

a reply to: TheBadCabbie

I have been following this situation for some time but it has gotten more concerning lately. With all the router hacks plus thus exploit it is possible, read likely, that a hacker could broadcast and inject code to turn off medical devices. In the case of pacemakers, that could kill 20million plus people in a half a dozen minutes and overwhelm the health care system. This is just one example of exposed critical systems on a personal level that could do massive damage. Step it up to energy infrastructure 15 minutes later and you have a potentially unrecoverable global crisis.

Cheers - Dave

a reply to: Archivalist

That's interesting. Tell me more please. What should a non-expert pc user like myself do to secure my ports, and/or what other security measures would you recommend?

I thought I'd add a couple more general information links on the management engine with this post.
en.wikipedia.org...
www.howtogeek.com...
Here's a quote from the second link:

Can You Disable It?

You can’t disable the Intel ME. Even if you disable Intel AMT features in your system’s BIOS, the Intel ME coprocessor and software is still active and running. At this point, it’s included on all systems with Intel CPUs and Intel provides no way to disable it.

While Intel provides no way to disable the Intel ME, other people have experimented with disabling it. It isn’t as simple as flicking a switch, though. Enterprising hackers have managed to disable the Intel ME with quite some effort, and Purism now offers laptops (based on older Intel hardware) with the Intel Management Engine disabled by default. Intel likely isn’t happy about these efforts, and will make it even more difficult to disable the Intel ME in the future.

But, for the average user, disabling the Intel ME is basically impossible—and that’s by design.

Here are a few more links that I dug up on the Management Engine.
This first one is Intel's security update page for the ME. Not sure how much we should trust Intel to fix any security flaws. I mean, the updates may fix some vulnerabilities, but I am skeptical that they would close any actual backdoors that spy agencies might use to bypass security measures. The link:
www.intel.com...

This next one is a link to Dell's community support forum where a user's question is answered regarding the ME. Not sure how much we should trust Dell in general, but I think the post is worth a look:
www.dell.com...

This third link is to a Youtube vid where the host interviews some System76 employees about their approach to dealing with the management engine:
www.youtube.com...
I thought I'd quote part of the video's description:

Last week, System76 announced that it is working to disable IME (Intel Management Engine) across their product line. Not just on new machines, but on laptops (etc) already shipped. I bring on one of their engineers, along with their head honcho, to talk about exactly how they're doing it and what it means.

This last link is to Purism's website. Purism is apparently a motherboard manufacturer, and this page describes in part their approach to dealing with the management engine problem.
puri.sm...
Here's a quote from that page:

Why Purism has the uncommon ability to run a freed ME

The reason the Intel ME is so impenetrable is that you have to combine hardware selection, hardware configuration, hardware fuses, and firmware, which requires to push into the manufacturing and fabrication process. There is no other way to do it consistently over time. This is one of the many reasons Purism started as an organization: to solve really hard problems by manufacturing hardware that can fully respect users freedoms in the future. As mentioned in Purism Business Model and Vision, the model of “buy hardware, install free software” is aging, due primarily to the fact that there is a growing cryptographic bond between proprietary non-free signed binaries and the hardware that they run on. This bond renders it mathematically impossible to give each user control. Cryptography is superb when in the hands and control of each user, but it is nasty when it strips the users’ control.

Purism learned through the supply chain (and the provided manufacturing documentation) that we, as the motherboard fabricator, have a lot more control than the end-user does with regard to the Multichip Package (MCP). Choosing Purism as the manufacturer gives each user freedom, privacy, and security because Purism believes in giving users freedom, privacy, and security. These options would probably never see the light of day otherwise.

Hey, thank k you for dropping off this gem. I will go over it in more detail when I have time. I have pretty much expected this capability was in existence in the early 2000's based on some books I read back then. It is also probably how th government takes down dissenters that can actually threaten them by remotely downloading illegal compromising content and facilitating arrests. Thank you for your vigilance and contribution on these matters.
a reply to: TheBadCabbie

Here's an article referencing one possible method of making your computer a little safer from management engine shenanigans:
www.csoonline.com...
From the article:

Disable Intel ME thanks to the NSA

Here comes the good news. As Positive Technologies researchers Mark Ermolov and Maxim Goryachy poked into the firmware, they discovered an undocumented HAP field. HAP, which stands for the High Assurance Platform (pdf) program, was developed by the NSA. The framework was for the “development of the ‘next generation’ of secure computing platforms.”

The researchers discovered an undocumented field called “reserve-hap” and that HAP could be set to “1” for true. Apparently, the NSA wanted to ensure the agency could close off any possible security risk by disabling Intel ME. The researchers wrote, “We believe that this mechanism is designed to meet a typical requirement of government agencies, which want to reduce the possibility of side-channel leaks.”

If you want to disable Intel ME, you should first read the in-depth technical explanation about the researchers finding “an undocumented PCH strap that can be used to switch on a special mode disabling the main Intel ME functionality at an early stage.” Positive Technologies also made its Intel ME 11.x firmware image unpacker utility available on GitHub. Use at your own risk; the methods to disable Intel ME were described as “risky and may damage or destroy your computer.”(emphasis mine-badcabbie)

a reply to: worldstarcountry

You're welcome!

Here's a zdnet article about the ME and how the industry is responding to it. The conclusion is noteworthy, but there are a number of links to related info throughout the article as well.

www.zdnet.com...

Intel does not recommend these options. In a statement, an Intel spokesperson said, "The ME provides important functionality our users care about, including features such as secure boot, two-factor authentication, system recovery, and enterprise device management. Since the described configuration necessarily removes functionality required in most mainstream products, Intel does not support such configurations."

Is it worth it? Well, if I was concerned about security, I wouldn't want my hardware running a set of black box programs on a mystery operating system that's operated beneath any level of local control. But, hey, that's just me. That said, since Intel won't support these configurations, your company may not want to chance using them.

The ideal solution would be for Intel to open-source its programs and its customized Minix so sysadmins could know exactly what it is that's running on their PCs, tablets, and servers. I don't think that's too much to ask for.

Failing that, Intel should give vendors and customers an easy option to disable these chip-level programs.

Here's a page on it from a site called coreboot. Some interesting thoughts on the ME there (yikes!)
www.coreboot.org...

Freedom and security issues

The code that is running inside the management engine is proprietary and signed. Therefore, it cannot easily be audited, tested, or replaced, except by those people with access to the relevant private keys, i.e. a handful of Intel staff (and possibly government agents).
The ME has access to a lot of things, see "physical capabilities" column below for more details.
In addition to obvious attack vectors (the ME could be used by an adversary to spy on the PC user, tamper with their documents, etc)-emphasis mine-badcabbie-, it could also potentially be used to alter the contents of the motherboard's BIOS flash chip, thereby polluting Coreboot builds based upon extracting the contents of that flash chip.

I thought I'd post another reply here, give this thread a bump, since other similar topics are presently being discussed.

a reply to: TheBadCabbie

* BOMP *



Great thread, Cabbie.

Cheers