It's Now Possible To Disable & Strip Down Intel's ME Blob

  • #41
    I don't think it would be irrelevant, at least not to those folks interested in running coreboot and shutting down the Intel ME.

    Here is a talk by coreboot developer Peter Stuge at 30C3:
    https://events.ccc.de/congress/2013/...ents/5529.html
    https://media.ccc.de/browse/congress/...ter_stuge.html

    He goes to great lengths to harden his laptop against targeted Evil Maid style attacks and also mentions Intel ME/AMT.



    • #42
      Originally posted by chithanh View Post
      I don't think it would be irrelevant, at least not to those folks interested in running coreboot and shutting down the Intel ME.
      If your enemy has enough resources to discover a completely undocumented interface that appears only if you erase most of ME firmware on flash, and does that to target you specifically (as it's wildly unlikely to have any other audience)... you should not be using digital media at all even to watch cat videos, like Putin's Russia's crucial documents that are still written with typewriters for example.

      The main issue with ME is malware exploiting the fact that these firmwares NEVER get any update to patch vulnerabilities, which means such malware can be deployed on a MASSIVE scale and run on ring -3 on most PCs of the planet to form botnets or worse. That is the bad shit this system prevents.

      He goes to great lengths to harden his laptop against targeted Evil Maid style attacks and also mentions Intel ME/AMT.
      And ME/AMT are effectively disabled as their API does not function anymore after this hack.



      • #43
        Originally posted by starshipeleven View Post
        If your enemy has enough resources to discover a completely undocumented interface that appears only if you erase most of ME firmware on flash, and does that to target you specifically (as it's wildly unlikely to have any other audience)... you should not be using digital media at all even to watch cat videos, like Putin's Russia's crucial documents that are still written with typewriters for example.

        The main issue with ME is malware exploiting the fact that these firmwares NEVER get any update to patch vulnerabilities, which means such malware can be deployed on a MASSIVE scale and run on ring -3 on most PCs of the planet to form botnets or worse. That is the bad shit this system prevents.

        And ME/AMT are effectively disabled as their API does not function anymore after this hack.
        As for ME never getting updated, for those to whom an adversary targeting them is the main threat, this is a good thing. That's because updates are a known vector of malicious replacements signed with the vendor's key. This has already been postulated for fake updates of Intel CPU firmware delivered over Windows by the NSA, assuming the NSA has the Intel keys. Either the NSA or the FBI (I forget which) has previously used fake iTunes updates to deliver malware.

        On the other hand, the lack of updates makes botnets easier as said before, and if an adversary did not mind the risk of being found by network traffic analysis, it would make data-mining type bulk surveillance easier for a future attacker.



        • #44
          Originally posted by starshipeleven View Post
          If your enemy has enough resources to discover a completely undocumented interface
          Not publicly documented, just available to the manufacturer and select business and government partners.

          Or somewhat documented, but nobody notices for a year. Like the Skylake USB debugging interface.

          Originally posted by starshipeleven View Post
          and does that to target you specifically (as it's wildly unlikely to have any other audience)....
          The audience who would perform this erase are typically the high-profile targets.

          1000 random computer users erasing ME -> not worth developing an exploit
          1000 political activists, cybersecurity experts, high ranking government employees erasing ME -> now that gets interesting

          Originally posted by starshipeleven View Post
          you should not be using digital media at all even to watch cat videos,
          That is an unsound argument.

          Originally posted by starshipeleven View Post
          The main issue with ME is malware exploiting the fact that these firmwares NEVER get any update to patch vulnerabilities
          The Q35 vulnerability used in the proof-of-concept AMT DMA-based keylogger was patched by Intel.

          Originally posted by starshipeleven View Post
          And ME/AMT are seemingly disabled as their public API does not function anymore after this hack.
          FTFY



          • #45
            Originally posted by chithanh View Post
            Not publicly documented, just available to the manufacturer and select business and government partners.
            Same thing as I said. Still very-fucking-high level enemies. If they could simply pay for a key or plant their men in Intel, that's still very fucking out of most people's league.

            The audience who would perform this erase are typically the high-profile targets.
            High-profile dumbfucks, yes. I already told you why most people are deleting it, safety from malware and ideological reasons.
            If you have really juicy secrets, you should be taking far more precautions than this, as Luke always states every now and then (= not using hardware with such backdoors in the first place).

            1000 political activists, cybersecurity experts, high ranking government employees erasing ME -> now that gets interesting
            Please note, malware targeting high-profile targets also has to blow through their other (informatic or physical) defences, usually also fool them too, and of course target them specifically.

            To infect random PCs you just need to infect servers and wait for unsuspecting prey to see them with a non-hardened browser (noscript and company) or send them stuff they click on. To target VIPs (actual VIPs, not dumb movie stars) you need quite a bit more effort than that. In many cases writing highly-advanced malware is not the best choice as you'd have to use so much manpower to plant it in their stuff that you're better off using more conventional old-school ways.

            EDIT: not to mention the shitstorm that the discovery of such malware would cause. Many intelligence-gathering strategies are "fail-safe" so that even if they fail (not exactly unexpected) they can be easily denied, blamed on someone else, or simply not detected at all. If someone detects an uber-malware cracking uber-keys pwning uber-systems everyone will know it wasn't done by amateurs, and that will be an issue.

            That is an unsound argument.
            Tell that to activists in Russia, China or North Korea; people not taking some precautions disappear easily there.

            The Q35 vulnerability used in the proof-of-concept AMT DMA-based keylogger was patched by Intel.
            I'm not finding any evidence of that, also was this patch distributed to everyone automatically? Afaik most board-level stuff never gets updated unless the OEM releases a new version, and the OEM rarely gives a fuck.


            FTFY
            The ME/AMT is disabled as it does not work anymore, what isn't disabled is the stuff running as ring -3 and loaded at board initialization to start the hardware. You can't have a truly safe Intel board unless they release the sources for their firmwares, that's well-known.
            Last edited by starshipeleven; 18 January 2017, 07:29 AM.



            • #46
              Originally posted by starshipeleven View Post
              Same thing as I said. Still very-fucking-high level enemies.
              I think you underestimate the abilities of criminals and private security contractors to get their hands on internal manufacturer documentation.
              Such documentation is used in China to create cheap knock-offs of western products all the time. It is readily available there.

              Originally posted by starshipeleven View Post
              High-profile dumbfucks, yes. I already told you why most people are deleting it, safety from malware and ideological reasons.
              I wouldn't call Peter Stuge a dumbfuck, not even a high-profile one. I met him personally, he is very nice and smart.

              Originally posted by starshipeleven View Post
              Please note, malware targeting high-profile targets also has to blow through their other (informatic or physical) defences, usually also fool them too, and of course target them specifically.
              Intel ME/AMT supports out of band network communication, undetectable to the host.

              Originally posted by starshipeleven View Post
              Tell that to activists in Russia, China or North Korea; people not taking some precautions disappear easily there.
              Your argument of the style "Do not take measure X or be concerned about Y because we are all going to die anyway" is still unsound. What people in Russia, China or North Korea have to do with it, I don't know.

              Originally posted by starshipeleven View Post
              I'm not finding any evidence of that, also was this patch distributed to everyone automatically? Afaik most board-level stuff never gets updated unless the OEM releases a new version, and the OEM rarely gives a fuck.
              Way to move the goalposts. Intel has updated the Q35 AMT firmware, and provided the update to its customers. The update is available as BIOS download for the hardware that the security researcher demonstrated the keylogger on.

              Originally posted by starshipeleven View Post
              The ME/AMT is disabled as it does not work anymore, what isn't disabled is the stuff running as ring -3 and loaded at board initialization to start the hardware. You can't have a truly safe Intel board unless they release the sources for their firmwares, that's well-known.
              It doesn't do most of the usual things that signal ME activity any more. There is one very obvious and intended difference to erasing ME firmware fully: The 30 second shutdown timer will not get triggered. What else is different we do not know. Hence I caution against stating what is highlighted as a fact.



              • #47
                Originally posted by chithanh View Post
                I think you underestimate the abilities of criminals and private security contractors to get their hands on internal manufacturer documentation.
                Such documentation is used in China to create cheap knock-offs of western products all the time. It is readily available there.
                I think these things are a slightly more carefully guarded secret than, say, Mediatek SDKs that can be easily found on panbaidu. Or Allwinner's full hardware docs that are on sunxi's download servers.

                If it was so easy to get at such secrets, we would have much more malware that exploits ME, much more malware means that those usually fighting malware and botnets (there is a quite large amount of companies involved, MS included) will eventually figure out that it's not a common rootkit, and Intel would be knee-deep in bad PR articles.

                I wouldn't call Peter Stuge a dumbfuck, not even a high-profile one. I met him personally, he is very nice and smart.
                He might not be using his Intel hardware for truly secure stuff, I don't know. If you use Intel hardware (or relatively recent AMD hardware) for truly secure stuff you are a dumbfuck, period.

                Intel ME/AMT supports out of band network communication, undetectable to the host.
                Still in plain sight for any other device in the same local network, host included if it is using another network controller to get the same packets in (if mirrored to it by the router/switch, for example). It's not like they send packets through telepathy, a router running LEDE/OpenWRT with a proper setup will be a pretty effective watchdog here.

                Your argument of the style "Do not take measure X or be concerned about Y because we are all going to die anyway" is still unsound.
                No, my argument is that Intel hardware is unsafe from high-level enemies due to its design and only fully open-sourcing their firmwares is going to change that, while the ME/AMT interfaces are a relatively easy way in that even relatively more common crackers and criminals can use for much different reasons.

                Way to move the goalposts. Intel has updated the Q35 AMT firmware, and provided the update to its customers. The update is available as BIOS download for the hardware that the security researcher demonstrated the keylogger on.
                Still not seeing proof of these updates.
                Anyway, I said "never gets any update" which is both "there is no official update" and "none actually updates the BIOS", so technically it's not moving goalposts. Maybe it's unclear, but not moving goalposts.

                Unless Intel is auto-updating that part of the firmware (afaik they don't, imho they really fucking should), you can usually assume the exploit is still wide open in most devices like for any other firmware that is never updated unless the device has issues.

                It doesn't do most of the usual things that signal ME activity any more.
                No, the ME/AMT that allows remote control over known interfaces with known exploits is disabled as the tools either don't work or segfault. That is more or less as safe as Intel stuff can get without opensourcing their firmwares.

                The stuff running on ring -3 or even in the chipset's cores is in an entirely different ballpark.

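The "router as watchdog" point in the post above can be made concrete with a small flow filter. This is an added example, not code from any poster: it scans constructed conntrack-style lines (the field layout of an OpenWrt/LEDE `conntrack -L` dump is assumed) and reports LAN hosts seen on the well-known ports the Intel AMT stack listens on, which a host with ME/AMT supposedly disabled should never touch.

```python
"""Router-side watchdog for Intel AMT out-of-band traffic (added example,
not from any poster). Scans conntrack-style flow lines such as an
OpenWrt/LEDE `conntrack -L` dump (field layout here is an assumption)."""
import re
from collections import defaultdict, namedtuple

# AMT's well-known default ports: 16992/16993 HTTP(S) management interface,
# 16994/16995 SOL/IDE-R redirection, 623/664 ASF RMCP (plain/secure). Seeing
# any of them on a "ME-disabled" host, in either direction, is worth an alert.
AMT_PORTS = frozenset({16992, 16993, 16994, 16995, 623, 664})

Flow = namedtuple("Flow", "proto src dst sport dport")

# Match only the originating tuple; the reply tuple later on the line is ignored.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\b.*?src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"sport=(?P<sport>\d+) dport=(?P<dport>\d+)"
)

# Constructed sample dump (not a real capture). 192.168.1.50 is the
# workstation that is supposed to have ME/AMT disabled; 10.0.0.5 is a peer.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.23 dst=93.184.216.34 sport=51234 dport=443 ...
tcp      6 118 TIME_WAIT src=10.0.0.5 dst=192.168.1.50 sport=40112 dport=16992 ...
udp     17 29 src=10.0.0.5 dst=192.168.1.50 sport=42000 dport=623 ...
tcp      6 431998 ESTABLISHED src=192.168.1.50 dst=203.0.113.9 sport=16994 dport=55000 ...
tcp      6 300 ESTABLISHED src=192.168.1.23 dst=192.168.1.50 sport=55123 dport=22 ...
"""


def parse_flows(text):
    """Yield a Flow for every line that carries an originating tuple."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield Flow(m["proto"], m["src"], m["dst"],
                       int(m["sport"]), int(m["dport"]))


def is_amt_port(port):
    """True if `port` is one of AMT's default listening ports."""
    return port in AMT_PORTS


def amt_port_hits(flows):
    """Map each endpoint seen on an AMT port to the set of those ports.
    Both directions count: an inbound dport of 16992 and an outbound sport
    of 16994 (AMT answering a redirection session) point at the same listener."""
    hits = defaultdict(set)
    for f in flows:
        if is_amt_port(f.dport):
            hits[f.dst].add(f.dport)
        if is_amt_port(f.sport):
            hits[f.src].add(f.sport)
    return dict(hits)


if __name__ == "__main__":
    for host, ports in sorted(amt_port_hits(parse_flows(SAMPLE_CONNTRACK)).items()):
        print(f"ALERT {host}: AMT-side ports seen {sorted(ports)}")
```

Only hosts that are meant to have AMT off belong on the watch list; a managed fleet that legitimately uses AMT would expect these flows from its provisioning server.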


                • #48
                  However if we look deeper into details,
                  - If the system has got bootguard enabled, this thing just does not work
                  - Even when it works, it does not really remove ME blobs completely, just some modules. ME still stays active and some modules are still running.

                  Needless to say running modules are still blobs and what they do isn't exactly known. So ME still stays quite evil, even after this PARTIAL deblob.



                  • #49
                    Originally posted by starshipeleven View Post
                    I think these things are a slightly more carefully guarded secret than, say, Mediatek SDKs that can be easily found on panbaidu. Or Allwinner's full hardware docs that are on sunxi's download servers.
                    On the other hand, Supermicro has been caught with a BMC backdoor. Now EVERYONE could own Supermicro servers if they expose the BMC to the net. That's what you get for your secretive backdoors. I wonder if some botnets own them in automated ways already.

                    If it was so easy to get at such secrets, we would have much more malware that exploits ME,
                    It's just a technically challenging thing to do. However, there was a "ring -3" rootkit PoC from the infamous Joanna Rutkowska, which did exactly that: it broke into ME, ran native ME code and could do whatever it wanted to the rest of the system, being completely invisible to x86-side software.

                    Furthermore, there is plenty of powerful malware these days. Given how powerful these techs are, they tend to be used only against the most valuable targets. Some random cybercriminals either do not have the appropriate expertise and/or prefer to pursue low-hanging fruit instead (needless to say there's plenty), just because it gives them plenty of money without such great effort. So these techs are typically used against some valuable targets for long-term stealthy espionage and somesuch, dubbed by security-minded people as APT - Advanced Persistent Threat. That is it.

                    much more malware means that those usually fighting malware and botnets (there is a quite large amount of companies involved, MS included) will eventually figure out that it's not a common rootkit, and Intel would be knee-deep in bad PR articles.
                    Given that the Mirai (IoT-enabled botnet) source has leaked and even made it to GitHub, fighting botnets is going to look pretty much like fighting windmills I guess. I could bet l33t script kiddies are setting up new botnets much faster than these botnets are shut down and their owners jailed. You see, eventually advanced techs could turn mainstream. Would it happen to ME backdoors? Who knows? It is quite possible Intel and MS are already the largest botnet operators to date, lol. Just a bit more picky, so they do not use their high-profile tech to nuke each and every web site around, so they attract much less attention. Which tells nothing about what powers they technically have. I'm pretty sure MS could own every Windows PC at will and wouldn't be surprised to learn Intel could do the same, abusing AMT and somesuch. At least it seems it could happen on a purely technical level; there is no source and plenty of cases of firmware/ME/BIOS backdoors, so it would be okay to assume the worst "by default" unless proven otherwise. I can't imagine good reasons to put so many proprietary blobs in "for your convenience".

                    He might not be using his Intel hardware for truly secure stuff, I don't know. If you use Intel hardware (or relatively recent AMD hardware) for truly secure stuff you are a dumbfuck, period.
                    There is a fancy thing: this is the most widespread HW around the globe. Being smarter? Possible, BUT not everyone could afford it. After all, it takes a higher level of expertise, so you can't just go to a nearby shop and buy an arbitrary PC/laptop/MB. Things are getting slightly more complicated.

                    a router running LEDE/OpenWRT with a proper setup will be a pretty effective watchdog here.
                    Very valid point. Though I could imagine backdoors using side-channel signalling, so even a fairly efficient firewall could still allow some covert signalling. It's technically a stalemate. Rogue firmware in a thing like ME has nearly infinite ways of doing covert exchange with the outer world. OTOH there're infinite ways of breaking this as well, and the firmware lacks a priori knowledge of this. So it's a no-win scenario. In a sense some particular firmware could get past your defences. On the other hand, if you're aware of it you could always tweak your configuration in a way that breaks it so it no longer works, so a new way has to be invented. Which could be mitigated as well, obviously.

                    The stuff running on ring -3 or even in the chipset's cores is in an entirely different ballpark.
                    IIRC Joanna called her rootkit code ring -3 because x86 totally lacks any access to this code at all. There is no ring -3 in the x86 CPU itself; however, ME + other system security CPU measures act pretty much like that new ring, running some code capable of changing system behavior that no x86 software could access at all, since access to ME memory regions is denied to x86 at the hardware level. Though Joanna found a way to get through. Which is quite an achievement for any security expert, btw. And so how do we know other MEs can't be hijacked like this, bringing super-stealth rootkits? Given the nature of such rootkits they are really difficult to spot, so there may not even be a good way to know how mainstream this thing is.



                    • #50
                      Originally posted by uid313 View Post
                      It is silly how difficult it is to disable this Intel Management Engine (ME). I wish there was just an option in the UEFI setup screen to disable this feature.
                      Why isn't there?
                      There're some BIOSes where this option exists. What do you think this option does? It asks the ME firmware to get lost. Lol, it's a bit like asking a serial killer to stop being a badass guy and behave. Do you honestly think it's the most reliable and safe way around? I wouldn't count on it.

                      And besides ME there're also plenty of other "cool" uber-privileged or critical system-level stuff like the SMM handler and so on. Which is also proprietary. Sure, there is Coreboot, etc. But it isn't Intel to thank for it, to begin with...
