Announcement

Collapse
No announcement yet.

It's Now Possible To Disable & Strip Down Intel's ME Blob

Collapse
X
Collapse
 
  • Page of 5
  • Filter
  • Time
  • Show
Clear All
new posts
Previous 1 2 3 4 5 template Next
  • chithanh
    replied
    Originally posted by starshipeleven View Post
    If your enemy has enough resources to discover a completely undocumented interface
    Not publicly documented, just available to the manufacturer and select business and government partners.

    Or somewhat documented, but nobody notices for a year. Like the Skylake USB debugging interface.

    Originally posted by starshipeleven View Post
    and does that to target you specifically (as it's wildly unlikely to have any other audience)....
    The audience who would perform this erase are typically the high-profile targets.

    1000 random computer users erasing ME -> not worth developing an exploit
    1000 political activists, cybersecurity experts, high ranking government employees erasing ME -> now that gets interesting

    Originally posted by starshipeleven View Post
    you should not be using digital media at all even to watch cat videos,
    That is an unsound argument.

    Originally posted by starshipeleven View Post
    The main issue with ME is malware exploiting the fact that these firmwares NEVER get any update to patch vulnerabilities
    The Q35 vulnerability used in the proof-of-concept AMT DMA-based keylogger was patched by Intel.

    Originally posted by starshipeleven View Post
    And ME/AMT are seemingly disabled as their public API does not function anymore after this hack.
    FTFY

    Leave a comment:

  • Luke
    replied
    Originally posted by starshipeleven View Post
    If your enemy has enough resources to discover a completely undocumented interface that appears only if you erase most of ME firmware on flash, and does that to target you specifically (as it's wildly unlikely to have any other audience).... you should not be using digital media at all even to watch cat videos, like Putin's Russia's crucial documents that are still written with typewriters for example.

    The main issue with ME is malware exploiting the fact that these firmwares NEVER get any update to patch vulnerabilities, that means such malware can be deployed on a MASSIVE scale and run on ring -3 on most PCs of the planet to form botnets or worse. That is the bad shit this system prevents.

    And ME/AMT are effectively disabled as their API does not function anymore after this hack.
    As for ME never getting updated, for those to whom an adversary targetting them is the main threat, this is a good thing. That's because updates are a known vector of malicious replacements signed with the vendor's key. This has already been postulated for fake updates of Intel CPU firmware delivered over Windows by the NSA, assuming the NSA was the Intel keys. Either the NSA or the FBI(I forget which) has previously used fake iTunes updates to deliver malware.

    On the other hand, the lack of updates makes botnets easier as said before, and if an adversary did not mind the risk of being found by network traffic analysis would make data-mining type bulk surveillance easier for a future attacker.

    Leave a comment:

  • starshipeleven
    replied
    Originally posted by chithanh View Post
    I don't think would be irrelevant, at least not to those folks interested in running coreboot and shutting down the Intel ME.
    If your enemy has enough resources to discover a completely undocumented interface that appears only if you erase most of ME firmware on flash, and does that to target you specifically (as it's wildly unlikely to have any other audience).... you should not be using digital media at all even to watch cat videos, like Putin's Russia's crucial documents that are still written with typewriters for example.

    The main issue with ME is malware exploiting the fact that these firmwares NEVER get any update to patch vulnerabilities, that means such malware can be deployed on a MASSIVE scale and run on ring -3 on most PCs of the planet to form botnets or worse. That is the bad shit this system prevents.

    He goes to great lengths to harden his laptop against targeted Evil Maid style attacks and also mentions Intel ME/AMT.
    And ME/AMT are effectively disabled as their API does not function anymore after this hack.

    Leave a comment:

  • chithanh
    replied
    I don't think would be irrelevant, at least not to those folks interested in running coreboot and shutting down the Intel ME.

    Here is a talk by coreboot developer Peter Stuge at 30C3:
    https://events.ccc.de/congress/2013/...ents/5529.html
    https://media.ccc.de/browse/congress/...ter_stuge.html

    He goes to great lengths to harden his laptop against targeted Evil Maid style attacks and also mentions Intel ME/AMT.

    Leave a comment:

  • starshipeleven
    replied
    Originally posted by chithanh View Post
    As I wrote, the worst case could be that the Intel ME is now in some kind of free-for-all debugging mode accessible over a non-documented interface.
    Broadly irrelevant, any ME malware won't be targeting an interface enabled by butchering most of it on flash, just because there will be like 10-20 devices with that treatment at any given moment, worldwide.

    Leave a comment:

  • chithanh
    replied
    It was indeed observed that the Intel ME device dropped off the PCI bus, and the usual networking functions stopped. But that is just the previous publicly visible interface.

    We don't know how much OOB networking functions remained in the non-erased part. We don't know how much it can still DMA over main memory. We don't know whether it still interfaces with anything else in the chipset. As I wrote, the worst case could be that the Intel ME is now in some kind of free-for-all debugging mode accessible over a non-documented interface.

    Leave a comment:

  • starshipeleven
    replied
    Originally posted by chithanh View Post
    We don't know that.
    If tools can't reach it from userspace (either the ME disappears from lspci or they segfault) as reported, and networking module is erased, it's not exactly going anywhere, isn't it?

    Leave a comment:

  • chithanh
    replied
    Originally posted by uid313 View Post
    Are there any side-effects to disabling Intel ME, does anything useful stop working?
    We don't know. From observation, fewer things happen, but as everything is closed and proprietary we do not know which functionality remains.

    Worst case would probably be if these erase steps cause the Intel ME to enter some kind of debug state where anyone can access it without authentication. (Similar to the recently discovered Skylake USB JTAG debugging function)

    Originally posted by stevenc View Post
    Or maybe, having some mini- operating system running on the chip has some performance impact after all.
    The performance impact by Intel ME activity is measurable but so tiny that you won't notice unless you are specifically looking for it.

    Originally posted by starshipeleven View Post
    If you erase most of ME from flash, and like this tool also the modules exposing the APIs used to control it from the OS (and also used for exploits), you have actually "disabled" it.
    We don't know that.
    • Likes 1

    Leave a comment:

  • AsuMagic
    replied
    Originally posted by TerraRoot View Post
    Pointless anyway, ARM is the future!
    On the desktop world, not today.

    Leave a comment:

  • TerraRoot
    replied
    Pointless anyway, ARM is the future!

    Leave a comment:

Previous 1 2 3 4 5 template Next
Working...
X