About forced BIOS updates in forced Windows updates on the one hand, and attacks on old Windows versions on the other hand: Both are defeated on non-networked machines, and both are defeated on machines on which Windows is removed and especially if it was never activated and never run.
For those of us who use only Linux, the main danger from Windows is efforts to hardware-lock machines to it, thus the importance of things like ME cleaner. Who cares if some future version of Windows 10 won't boot? So you need dedicated hardware if you really need that 4K Netflix, so what? Keeping Trump's Gestapo from monitoring your communications or turning on cameras and microphones remotely is far more important.
It's Now Possible To Disable & Strip Down Intel's ME Blob
-
Originally posted by starshipeleven: I know the powers they wield, an admin with a ME/AMT management console can do pretty much all he wants on a target PC. And the provider of that stuff is Intel.
MS can push updates you can't avoid anymore on win10, that means they can insta-pwn all win10 devices if they so choose. With other OS they could just push updates, so they could still pwn your PC as long as you had your updates enabled.
So if they bundle a backdoor in the latest round of security fixes, you will be pwned through the backdoor if you install it. And if you don't install it you will be pwned through known public vulnerabilities.
-
Originally posted by starshipeleven: I think these things are a slightly more carefully guarded secret than say Mediatek SDKs that can be easily found on panbaidu. Or Allwinner's full hardware docs that are on sunxi's download servers.
Originally posted by starshipeleven: He might not be using his Intel hardware for truly secure stuff, I don't know. If you use Intel hardware (or relatively recent AMD hardware) for truly secure stuff you are a dumbfuck, period.
Originally posted by starshipeleven: Still in plain sight for any other device in the same local network, host included if it is using another network controller to get the same packets in (if mirrored to it by the router/switch, for example). It's not like they send packets through telepathy, a router running LEDE/OpenWRT with a proper setup will be a pretty effective watchdog here.
Originally posted by starshipeleven: Still not seeing proof of these updates.
Originally posted by starshipeleven: Anyway, I said "never gets any update" which is both "there is no official update" and "none actually updates the BIOS", so technically it's not moving goalposts. Maybe it's unclear, but not moving goalposts.
then I pointed out that the ME firmware actually got an update,
then you claim that "the OEM rarely gives a fuck",
then I point out how this is fixed in the latest BIOS,
then you say the fix is not distributed to everyone automatically.
How is that not moving the goalposts?
Also note that since Windows 8, BIOS updates are distributed through Windows Update as long as vendors choose this path.
You want proof of that too? We know it because this already caused problems. One widely reported issue is with Minix-PC Z64W being updated by a Techvision UEFI firmware and bricked, because both manufacturers neglected to update the default OEM ID string in the AMI BIOS.
-
Originally posted by SystemCrasher: On the other hand, Supermicro has been caught on BMC backdoor.
It's just a technically challenging thing to do. However, there was a "ring -3" rootkit PoC from the infamous Joanna Rutkowska. Which did exactly that: it broke into ME, ran native ME code and it could do whatever it wants to the rest of the system, being completely invisible to x86-side software.
Granted Mirai (IoT enabled botnet) source has leaked and even made it to GitHub, fighting botnets is going to look pretty much like fighting windmills I guess. I could bet l33t script kiddies are setting up new botnets much faster than these botnets are shut down and their owners jailed.
Would it happen to ME backdoors?
If botnets were using ME, it would be found out pretty quickly that ME is involved, and shit would start flying for Intel.
Which tells nothing on what powers they technically have.
MS can push updates you can't avoid anymore on win10, that means they can insta-pwn all win10 devices if they so choose. With other OS they could just push updates, so they could still pwn your PC as long as you had your updates enabled.
Besides, any software company can do the same, they can push updates on your PC, and if you agree you give the updater root access anyway.
Note that I'm not saying they are necessarily using it for evil.
I can't imagine good reasons to put so many proprietary blobs "for your convenience".
Usually closed-source and proprietary blobs are used to hide half-assed features and copyright infringement from the eyes of experts that would call them out.
There is a fancy thing: this is the most widespread HW around the globe. Being smarter? Possible, BUT not everyone could afford it. After all, it takes a higher level of expertise, so you can't just go to a nearby shop and buy an arbitrary PC/laptop/MB. Things are getting slightly more complicated.
Very valid point. Though I could imagine backdoors using side-channel signalling
-
Originally posted by uid313: It is silly how difficult it is to disable this Intel Management Engine (ME). I wish there was just an option in the UEFI setup screen to disable this feature.
Why isn't there?
And except ME there're also plenty of other "cool" uber-privileged or critical system-level stuff like SMM handler and so on. Which is also proprietary. Sure, there is Coreboot, etc. But it isn't Intel to thank for it, to begin with...
-
Originally posted by starshipeleven: I think these things are a slightly more carefully guarded secret than say Mediatek SDKs that can be easily found on panbaidu. Or Allwinner's full hardware docs that are on sunxi's download servers.
If it was so easy to get at such secrets, we would have much more malware that exploits ME,
Furthermore, there is plenty of powerful malware these days. Granted how powerful these techs are, they tend to be used only against the most valuable targets. Some random cybercriminals either do not have appropriate expertise and/or prefer to pursue low-hanging fruit instead (needless to say there's plenty). Just because it gives them plenty of money without such great effort. So these techs are typically used against some valuable targets for long-term stealthy espionage and somesuch, dubbed by security-minded ppl as APT - Advanced Persistent Threat. That is it.
much more malware means that those usually fighting malware and botnets (there is a quite large amount of companies involved, MS included) will eventually figure out that it's not a common rootkit, and Intel would be knee-deep in bad PR articles.
He might not be using his Intel hardware for truly secure stuff, I don't know. If you use Intel hardware (or relatively recent AMD hardware) for truly secure stuff you are a dumbfuck, period.
a router running LEDE/OpenWRT with a proper setup will be a pretty effective watchdog here.
The stuff running on ring -3 or even in the chipset's cores is in an entirely different ballpark.
-
However if we look deeper into details,
- If the system has got bootguard enabled, this thing just does not work
- Even when it works, it does not really remove ME blobs completely, just some modules. ME still stays active and some modules are still running.
Needless to say running modules are still blobs and what they do isn't exactly known. So ME still stays quite evil, even after this PARTIAL deblob.
-
Originally posted by chithanh: I think you underestimate the abilities of criminals and private security contractors to get their hands at internal manufacturer documentation.
Such documentation is used in China to create cheap knock-offs of western products all the time. It is readily available there.
If it was so easy to get at such secrets, we would have much more malware that exploits ME, much more malware means that those usually fighting malware and botnets (there is a quite large amount of companies involved, MS included) will eventually figure out that it's not a common rootkit, and Intel would be knee-deep in bad PR articles.
I wouldn't call Peter Stuge a dumbfuck, not even a high-profile one. I met him personally, he is very nice and smart.
Intel ME/AMT supports out of band network communication, undetectable to the host.
Your argument of the style "Do not take measure X or be concerned about Y because we are all going to die anyway" is still unsound.
Way to move the goalposts. Intel has updated the Q35 AMT firmware, and provided the update to its customers. The update is available as BIOS download for the hardware that the security researcher demonstrated the keylogger on.
Anyway, I said "never gets any update" which is both "there is no official update" and "none actually updates the BIOS", so technically it's not moving goalposts. Maybe it's unclear, but not moving goalposts.
Unless Intel is auto-updating that part of the firmware (afaik they don't, imho they really fucking should), you can usually assume the exploit is still wide open in most devices like for any other firmware that is never updated unless the device has issues.
It doesn't do most of the usual things that signal ME activity any more.
The stuff running on ring -3 or even in the chipset's cores is in an entirely different ballpark.
-
Originally posted by starshipeleven: Same thing as I said. Still very-fucking-high level enemies.
Such documentation is used in China to create cheap knock-offs of western products all the time. It is readily available there.
Originally posted by starshipeleven: High-profile dumbfucks, yes. I already told you why most people are deleting it, safety from malware and ideological reasons.
Originally posted by starshipeleven: Please note, malware targeting high-profile targets also has to blow through their other (informatic or physical) defences, usually also fool them too, and of course target them specifically.
Originally posted by starshipeleven: Tell that to activists in Russia, China or North Korea, people not taking some precautions disappear easily there.
Originally posted by starshipeleven: I'm not finding any evidence of that, also was this patch distributed to everyone automatically? Afaik most board-level stuff never gets updated unless the OEM releases a new version, and the OEM rarely gives a fuck.
Originally posted by starshipeleven: The ME/AMT is disabled as it does not work anymore, what isn't disabled is the stuff running as ring -3 and loaded at board initialization to start the hardware. You can't have truly safe Intel board unless they release the sources for their firmwares, that's well-known.
-
Originally posted by chithanh: Not publicly documented, just available to the manufacturer and select business and government partners.
The audience who would perform this erase are typically the high-profile targets.
If you have really juicy secrets, you should be taking far more precautions than this, as Luke always states every now and then (= not using hardware with such backdoors in the first place).
1000 political activists, cybersecurity experts, high ranking government employees erasing ME -> now that gets interesting
To infect random PCs you just need to infect servers and wait for unsuspecting prey to see them with a non-hardened browser (noscript and company) or send them stuff they click on. To target VIPs (actual VIPs, not dumb movie stars) you need quite a bit more effort than that. In many cases writing highly-advanced malware is not the best choice as you'd have to use so much manpower to plant it in their stuff that you're better off using more conventional old-school ways.
EDIT: not to mention the shitstorm that would cause the discovery of such malware. Many intelligence-gathering strategies are "fail-safe" so that even if they fail (not exactly unexpected) they can be easily denied, blamed on someone else, or simply not detected at all. If someone detects an uber-malware cracking uber-keys pwning uber-systems everyone will know it wasn't done by amateurs, and that will be an issue.
That is an unsound argument.
The Q35 vulnerability used in the proof-of-concept AMT DMA-based keylogger was patched by Intel.
FTFY
Last edited by starshipeleven; 18 January 2017, 07:29 AM.