It's Now Possible To Disable & Strip Down Intel's ME Blob
  • Luke
    replied
    About forced BIOS updates in forced Windows updates on the one hand, and attacks on old Windows versions on the other hand: Both are defeated on non-networked machines, and both are defeated on machines on which Windows is removed and especially if it was never activated and never run.

    For those of us who use only Linux, the main danger from Windows is efforts to hardware-lock machines to it, thus the importance of things like ME cleaner. Who cares if some future version of Windows 10 won't boot. So you need dedicated hardware if you really need that 4K Netflix, so what? Keeping Trump's Gestapo from monitoring your communications or turning on cameras and microphones remotely is far more important.



  • chithanh
    replied
    Originally posted by starshipeleven:
    I know the powers they wield, an admin with a ME/AMT management console can do pretty much all he wants on a target PC. And the provider of that stuff is Intel.
    MS can push updates you can't avoid anymore on win10, that means they can insta-pwn all win10 devices if they so choose. With other OS they could just push updates, so they could still pwn your PC as long as you had your updates enabled.
    Note that you don't get individual updates on previous Windows versions any longer, only cumulative updates.
    So if they bundle a backdoor in the latest round of security fixes, you will be pwned through the backdoor if you install it. And if you don't install it you will be pwned through known public vulnerabilities.



  • chithanh
    replied
    Originally posted by starshipeleven:
    I think these things are a slightly more carefully guarded secret than say Mediatek SDKs that can be easily found on panbaidu. Or Allwinner's full hardware docs that are on sunxi's download servers.
    Well the Skylake USB debugging gives us an example, or the existing ME rootkits. Most of your arguments have been addressed by SystemCrasher already, so I will not repeat those here.

    Originally posted by starshipeleven:
    He might not be using his Intel hardware for truly secure stuff, I don't know. If you use Intel hardware (or relatively recent AMD hardware) for truly secure stuff you are a dumbfuck, period.
    So you say that his efforts are futile? I wonder why none of the thousands who were in the audience or watched the live stream pointed this out.

    Originally posted by starshipeleven:
    Still in plain sight for any other device in the same local network, host included if it is using another network controller to get the same packets in (if mirrored to it by the router/switch, for example). It's not like they send packets through telepathy, a router running LEDE/OpenWRT with a proper setup will be a pretty effective watchdog here.
    If you look at Patrick Stewin's talk (btw. another very nice and smart person), he implemented basically undetectable exfiltration through deliberately introducing packet jitter. Combine this with advertising networks' ability to target users by IP range, and you don't even need to control anything on the ISP side of things.

    Originally posted by starshipeleven:
    Still not seeing proof of these updates.
    Exploit doesn't work if you install latest BIOS. What kind of additional proof do you want?

    Originally posted by starshipeleven:
    Anyway, I said "never gets any update" which is both "there is no official update" and "none actually updates the BIOS", so technically it's not moving goalposts. Maybe it's unclear, but not moving goalposts.
    First you say "these firmwares NEVER get any update to patch vulnerabilities",
    then I pointed out that the ME firmware actually got an update,
    then you claim that "the OEM rarely gives a fuck",
    then I point out how this is fixed in the latest BIOS,
    then you say the fix is not distributed to everyone automatically.

    How is that not moving the goalposts?

    Also note that since Windows 8, BIOS updates are distributed through Windows Update as long as vendors choose this path.
    You want proof of that too? We know it because this already caused problems. One widely reported issue is with Minix-PC Z64W being updated by a Techvision UEFI firmware and bricked, because both manufacturers neglected to update the default OEM ID string in the AMI BIOS.



  • starshipeleven
    replied
    Originally posted by SystemCrasher:
    On the other hand, Supermicro has been caught with a BMC backdoor.
    Yeah, after HP, Dell and others were caught with total bullshit running in their BMCs too. Old hat, everyone half-serious was already firewalling that.

    It's just a technically challenging thing to do. However, there was a "ring -3" rootkit PoC from the infamous Joanna Rutkowska. Which did exactly that: it broke into ME, ran native ME code and could do whatever it wanted to the rest of the system, being completely invisible to x86-side software.
    You are blowing this a bit out of proportion. She made an exploit in 2009 against TPM and it involved also ME, that's a bit different than getting full control. I also didn't find any "ring -3" rootkit.

    Granted, the Mirai (IoT-enabled botnet) source has leaked and even made it to GitHub, so fighting botnets is going to look pretty much like fighting windmills I guess. I could bet l33t script kiddies are setting up new botnets much faster than these botnets are shut down and their owners jailed.
    Botnets are handled by business-oriented criminals with skills and all, not by script kiddies. They are after money, not after random disruption. Script kiddies have in general been out of the serious hacking scene for decades at least.

    Would it happen to ME backdoors?
    As I said above, botnets are the IT equivalent of swarms of mooks, their traffic isn't exactly complex to detect, the issue is that their numbers are huge and you don't own their devices so you can't realistically shut them down or force a random Chinese manufacturer to not fucking use "0000" as default root password on SSH.

    If botnets were using ME, it would be found out pretty quickly that ME is involved, and shit would start flying for Intel.

    Which tells nothing on what powers they technically have.
    I know the powers they wield, an admin with a ME/AMT management console can do pretty much all he wants on a target PC. And the provider of that stuff is Intel.
    MS can push updates you can't avoid anymore on win10, that means they can insta-pwn all win10 devices if they so choose. With other OS they could just push updates, so they could still pwn your PC as long as you had your updates enabled.

    Besides, any software company can do the same, they can push updates on your PC, and if you agree you give the updater root access anyway.

    Note that I'm not saying they are necessarily using it for evil.

    I can't imagine good reasons to put so much proprietary blobs "for your convenience".
    I can. Using blobs and secured shit with signatures and stuff isn't necessarily to hide evil intent. There are many people who still genuinely think that closed-source is safer, especially in companies.
    Usually closed-source and proprietary blobs are used to hide half-assed features and copyright infringement from the eyes of experts that would call them out.

    There is a fancy thing: this is the most widespread HW around the globe. Being smarter? Possible, BUT not everyone could afford it. After all, it takes a higher level of expertise, so you can't just go to the nearby shop and buy an arbitrary PC/laptop/MB. Things are getting slightly more complicated.
    Broadly irrelevant, when you get caught by secret police these excuses are not going to save you.

    Very valid point. Though I could imagine backdoors using side-channel signalling
    Last time I checked "side-channel signalling" was EM interference generated by devices, which is kinda fucking short-ranged, so I'd say you are getting a bit carried away.



  • SystemCrasher
    replied
    Originally posted by uid313:
    It is silly how difficult it is to disable this Intel Management Engine (ME). I wish there was just an option in the UEFI setup screen to disable this feature.
    Why isn't there?
    There are some BIOSes where this option exists. What do you think this option does? It asks the ME firmware to get lost. Lol, it's a bit like asking a serial killer to stop being a badass guy and behave. Do you honestly think it's the most reliable and safe way around? I wouldn't count on it.

    And besides ME there's also plenty of other "cool" uber-privileged or critical system-level stuff like the SMM handler and so on. Which is also proprietary. Sure, there is Coreboot, etc. But it isn't Intel to thank for it, to begin with...



  • SystemCrasher
    replied
    Originally posted by starshipeleven:
    I think these things are a slightly more carefully guarded secret than say Mediatek SDKs that can be easily found on panbaidu. Or Allwinner's full hardware docs that are on sunxi's download servers.
    On the other hand, Supermicro has been caught with a BMC backdoor. Now EVERYONE could own Supermicro servers if they expose the BMC to the net. That's what you get for your secretive backdoors. I wonder if some botnets own them in automatic ways already.

    If it was so easy to get at such secrets, we would have much more malware that exploits ME,
    It's just a technically challenging thing to do. However, there was a "ring -3" rootkit PoC from the infamous Joanna Rutkowska. Which did exactly that: it broke into ME, ran native ME code and could do whatever it wanted to the rest of the system, being completely invisible to x86-side software.

    Furthermore, there is plenty of powerful malware these days. Granted how powerful these techs are, they tend to be used only against the most valuable targets. Some random cybercriminals either do not have the appropriate expertise and/or prefer to pursue low-hanging fruit instead (needless to say there's plenty). Just because it gives them plenty of money without such great effort. So these techs are typically used against some valuable targets for long-term stealthy espionage and somesuch, dubbed by security-minded ppl as APT - Advanced Persistent Threat. That is it.

    much more malware means that those usually fighting malware and botnets (there is a quite large amount of companies involved, MS included) will eventually figure out that it's not a common rootkit, and Intel would be knee-deep in bad PR articles.
    Granted, the Mirai (IoT-enabled botnet) source has leaked and even made it to GitHub, so fighting botnets is going to look pretty much like fighting windmills I guess. I could bet l33t script kiddies are setting up new botnets much faster than these botnets are shut down and their owners jailed. You see, eventually advanced techs could turn mainstream. Would it happen to ME backdoors? Who knows? It is quite possible Intel and MS are already the largest botnet operators to date, lol. Just a bit more picky so they do not use their high-profile tech to nuke each and every web site around, so they attract much less attention. Which tells nothing on what powers they technically have. I'm pretty sure MS could own every Windows PC at will and wouldn't be surprised to learn Intel could do the same, abusing AMT and somesuch. At least it seems it could happen on a purely technical level; there is no source and plenty of cases of firmware/ME/BIOS backdoors, so it would be okay to assume the worst "by default" unless proven otherwise. I can't imagine good reasons to put so much proprietary blobs "for your convenience".

    He might not be using his Intel hardware for truly secure stuff, I don't know. If you use Intel hardware (or relatively recent AMD hardware) for truly secure stuff you are a dumbfuck, period.
    There is a fancy thing: this is the most widespread HW around the globe. Being smarter? Possible, BUT not everyone could afford it. After all, it takes a higher level of expertise, so you can't just go to the nearby shop and buy an arbitrary PC/laptop/MB. Things are getting slightly more complicated.

    a router running LEDE/OpenWRT with a proper setup will be a pretty effective watchdog here.
    Very valid point. Though I could imagine backdoors using side-channel signalling so even a fairly efficient firewall could still allow some covert signalling. It's technically a stalemate. Rogue firmware in a thing like ME has nearly infinite ways of doing covert exchange with the outer world. OTOH there are infinite ways of breaking this as well, and the firmware lacks a priori knowledge of this. So it's a no-win scenario. In a sense some particular firmware could get past your defences. On the other hand if you're aware of it you could always tweak your configuration the way it breaks and no longer works, so a new way has to be invented. Which could be mitigated as well, obviously.

    The stuff running on ring -3 or even in the chipset's cores is in an entirely different ballpark.
    IIRC Joanna called her rootkit code ring -3 because x86 totally lacks any access to this code at all. There is no ring -3 in the x86 CPU itself; however, ME + other system security CPU measures act pretty much like that new ring, running some code capable of changing system behavior that no x86 software could access at all, since access to ME memory regions is denied to x86 on the hardware level. Though Joanna has found a way to get through. Which is quite an achievement for any security expert, btw. And so how do we know other MEs can't be hijacked like this, bringing super-stealth rootkits? Granted the nature of such rootkits, they are really difficult to spot, so there may not even be a good way to know how mainstream this thing is.



  • SystemCrasher
    replied
    However, if we look deeper into the details:
    - If the system has got Boot Guard enabled, this thing just does not work
    - Even when it works, it does not really remove the ME blobs completely, just some modules. ME still stays active and some modules are still running.

    Needless to say running modules are still blobs and what they do isn't exactly known. So ME still stays quite evil, even after this PARTIAL deblob.



  • starshipeleven
    replied
    Originally posted by chithanh:
    I think you underestimate the abilities of criminals and private security contractors to get their hands at internal manufacturer documentation.
    Such documentation is used in China to create cheap knock-offs of western products all the time. It is readily available there.
    I think these things are a slightly more carefully guarded secret than say Mediatek SDKs that can be easily found on panbaidu. Or Allwinner's full hardware docs that are on sunxi's download servers.

    If it was so easy to get at such secrets, we would have much more malware that exploits ME, much more malware means that those usually fighting malware and botnets (there is a quite large amount of companies involved, MS included) will eventually figure out that it's not a common rootkit, and Intel would be knee-deep in bad PR articles.

    I wouldn't call Peter Stuge a dumbfuck, not even a high-profile one. I met him personally, he is very nice and smart.
    He might not be using his Intel hardware for truly secure stuff, I don't know. If you use Intel hardware (or relatively recent AMD hardware) for truly secure stuff you are a dumbfuck, period.

    Intel ME/AMT supports out of band network communication, undetectable to the host.
    Still in plain sight for any other device in the same local network, host included if it is using another network controller to get the same packets in (if mirrored to it by the router/switch, for example). It's not like they send packets through telepathy, a router running LEDE/OpenWRT with a proper setup will be a pretty effective watchdog here.

    Your argument of the style "Do not take measure X or be concerned about Y because we are all going to die anyway" is still unsound.
    No, my argument is that Intel hardware is unsafe from high-level enemies due to its design and only fully open-sourcing their firmwares is going to change that, while the ME/AMT interfaces are a relatively easy way in that even relatively more common crackers and criminals can use for much different reasons.

    Way to move the goalposts. Intel has updated the Q35 AMT firmware, and provided the update to its customers. The update is available as BIOS download for the hardware that the security researcher demonstrated the keylogger on.
    Still not seeing proof of these updates.
    Anyway, I said "never gets any update" which is both "there is no official update" and "none actually updates the BIOS", so technically it's not moving goalposts. Maybe it's unclear, but not moving goalposts.

    Unless Intel is auto-updating that part of the firmware (afaik they don't, imho they really fucking should), you can usually assume the exploit is still wide open in most devices like for any other firmware that is never updated unless the device has issues.

    It doesn't do most of the usual things that signal ME activity any more.
    No, the ME/AMT that allows remote control over known interfaces with known exploits is disabled as the tools either don't work or segfault. That is more or less as safe as Intel stuff can get without opensourcing their firmwares.

    The stuff running on ring -3 or even in the chipset's cores is in an entirely different ballpark.

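The "watchdog on the router" idea from the post above can be turned into a concrete check. The following is an added example, not code from the thread or from any project it mentions: it compares flows seen on a switch/router mirror port against the flows the host's own OS can account for (the kind of list conntrack would give you), and flags anything involving the host that the OS never saw, plus anything on the TCP ports Intel AMT services listen on. The flow-record text format, the addresses and the two record lists are constructed sample data; the AMT port numbers are the documented ones.

```python
"""Flag host-invisible (out-of-band) traffic from a mirror-port capture.

Added example, not from the original thread. It assumes two text inputs
in a constructed 'proto src:sport -> dst:dport' format: one list of flows
a router/switch mirror port saw, and one list of flows the host's own OS
knows about. A management controller sharing the host's NIC shows up as
flows in the first list that are missing from the second.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable

# TCP ports used by Intel AMT services (16992/16993 web/WS-Management,
# 16994/16995 and 623/664 redirection). Documented values, kept here so
# flows to them are flagged even if the host happens to report them.
AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


def flow_key(f: Flow) -> tuple:
    """Direction-agnostic key so a mirrored flow matches the host's entry
    whichever endpoint was listed first."""
    a, b = (f.src, f.sport), (f.dst, f.dport)
    return (f.proto,) + (a + b if a <= b else b + a)


def parse_flows(lines: Iterable[str]) -> list[Flow]:
    """Parse constructed 'proto src:sport -> dst:dport' records; '#' = comment."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        proto, rest = line.split(None, 1)
        left, right = (p.strip() for p in rest.split("->"))
        src, sport = left.rsplit(":", 1)
        dst, dport = right.rsplit(":", 1)
        flows.append(Flow(proto.lower(), src, int(sport), dst, int(dport)))
    return flows


def find_out_of_band(host_ip: str, mirrored: list[Flow],
                     host_seen: list[Flow]) -> list[tuple[Flow, tuple[str, ...]]]:
    """Return (flow, reasons) for flows touching host_ip that deserve a look.

    'amt-port'        : one endpoint is an AMT service port.
    'unknown-to-host' : the mirror saw it, the host's OS did not.
    """
    known = {flow_key(f) for f in host_seen}
    findings = []
    for f in mirrored:
        if host_ip not in (f.src, f.dst):
            continue  # some other device's traffic; not our concern here
        reasons = []
        if f.sport in AMT_PORTS or f.dport in AMT_PORTS:
            reasons.append("amt-port")
        if flow_key(f) not in known:
            reasons.append("unknown-to-host")
        if reasons:
            findings.append((f, tuple(reasons)))
    return findings


# Constructed sample data: what the mirror port saw ...
MIRRORED = """
tcp 192.168.1.10:43210 -> 93.184.216.34:443
tcp 203.0.113.7:50012 -> 192.168.1.10:16992
udp 192.168.1.10:51000 -> 198.51.100.9:4444
tcp 192.168.1.20:40000 -> 93.184.216.34:80
""".splitlines()

# ... and what the host's own OS accounted for (only the browser flow).
HOST_SEEN = """
tcp 192.168.1.10:43210 -> 93.184.216.34:443
""".splitlines()


def demo() -> list[tuple[Flow, tuple[str, ...]]]:
    return find_out_of_band("192.168.1.10",
                            parse_flows(MIRRORED), parse_flows(HOST_SEEN))


if __name__ == "__main__":
    for flow, reasons in demo():
        print(f"{flow.proto} {flow.src}:{flow.sport} -> "
              f"{flow.dst}:{flow.dport}  [{', '.join(reasons)}]")
```

The comparison only works if the capture is taken somewhere the host cannot influence (the mirror port, not the host's own NIC), which is exactly the point made in the post: the controller can hide from the OS it shares a NIC with, but not from a second observer on the same segment. Timing-based covert channels of the kind mentioned in the reply that follows would pass this check, since they ride on flows the host does know about.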


  • chithanh
    replied
    Originally posted by starshipeleven:
    Same thing as I said. Still very-fucking-high level enemies.
    I think you underestimate the abilities of criminals and private security contractors to get their hands at internal manufacturer documentation.
    Such documentation is used in China to create cheap knock-offs of western products all the time. It is readily available there.

    Originally posted by starshipeleven:
    High-profile dumbfucks, yes. I already told you why most people are deleting it, safety from malware and ideological reasons.
    I wouldn't call Peter Stuge a dumbfuck, not even a high-profile one. I met him personally, he is very nice and smart.

    Originally posted by starshipeleven:
    Please note, malware targeting high-profile targets also has to blow through their other (informatic or physical) defences, usually also fool them too, and of course target them specifically.
    Intel ME/AMT supports out of band network communication, undetectable to the host.

    Originally posted by starshipeleven:
    Tell that to activists in Russia, China or North Korea, people not taking some precautions disappear easily there.
    Your argument of the style "Do not take measure X or be concerned about Y because we are all going to die anyway" is still unsound. What people in Russia, China or North Korea have to do with it, I don't know.

    Originally posted by starshipeleven:
    I'm not finding any evidence of that, also was this patch distributed to everyone automatically? Afaik most board-level stuff never gets updated unless the OEM releases a new version, and the OEM rarely gives a fuck.
    Way to move the goalposts. Intel has updated the Q35 AMT firmware, and provided the update to its customers. The update is available as BIOS download for the hardware that the security researcher demonstrated the keylogger on.

    Originally posted by starshipeleven:
    The ME/AMT is disabled as it does not work anymore, what isn't disabled is the stuff running as ring -3 and loaded at board initialization to start the hardware. You can't have truly safe Intel board unless they release the sources for their firmwares, that's well-known.
    It doesn't do most of the usual things that signal ME activity any more. There is one very obvious and intended difference to erasing ME firmware fully: The 30 second shutdown timer will not get triggered. What else is different we do not know. Hence I caution against stating what is highlighted as a fact.



  • starshipeleven
    replied
    Originally posted by chithanh:
    Not publicly documented, just available to the manufacturer and select business and government partners.
    Same thing as I said. Still very-fucking-high level enemies. If they could simply pay for a key or plant their men in Intel, that's still very fucking out of most people's league.

    The audience who would perform this erase are typically the high-profile targets.
    High-profile dumbfucks, yes. I already told you why most people are deleting it, safety from malware and ideological reasons.
    If you have really juicy secrets, you should be taking far more precautions than this, as Luke always states every now and then (= not using hardware with such backdoors in the first place).

    1000 political activists, cybersecurity experts, high ranking government employees erasing ME -> now that gets interesting
    Please note, malware targeting high-profile targets also has to blow through their other (informatic or physical) defences, usually also fool them too, and of course target them specifically.

    To infect random PCs you just need to infect servers and wait for unsuspecting prey to see them with a non-hardened browser (noscript and company) or send them stuff they click on. To target VIPs (actual VIPs, not dumb movie stars) you need quite a bit more effort than that. In many cases writing highly-advanced malware is not the best choice as you'd have to use so much manpower to plant it in their stuff that you're better off using more conventional old-school ways.

    EDIT: not to mention the shitstorm that the discovery of such malware would cause. Many intelligence-gathering strategies are "fail-safe" so that even if they fail (not exactly unexpected) they can be easily denied, blamed on someone else, or simply not detected at all. If someone detects an uber-malware cracking uber-keys pwning uber-systems everyone will know it wasn't done by amateurs, and that will be an issue.

    That is an unsound argument.
    Tell that to activists in Russia, China or North Korea, people not taking some precautions disappear easily there.

    The Q35 vulnerability used in the proof-of-concept AMT DMA-based keylogger was patched by Intel.
    I'm not finding any evidence of that, also was this patch distributed to everyone automatically? Afaik most board-level stuff never gets updated unless the OEM releases a new version, and the OEM rarely gives a fuck.


    FTFY
    The ME/AMT is disabled as it does not work anymore, what isn't disabled is the stuff running as ring -3 and loaded at board initialization to start the hardware. You can't have truly safe Intel board unless they release the sources for their firmwares, that's well-known.
    Last edited by starshipeleven; 18 January 2017, 07:29 AM.
