Intel Confirms Vulnerability In Intel AMT/ME

  • #11
    Originally posted by starshipeleven:
    It will come a time when we need to attach a mini-firewall to the PC's ethernet port to filter out any unwanted bullshit trying to communicate with the hardware backdoor....
    Just install pfSense between the Ethernet PHY and the CPU.

    • #12
      Originally posted by starshipeleven:
      It will come a time when we need to attach a mini-firewall to the PC's ethernet port to filter out any unwanted bullshit trying to communicate with the hardware backdoor....
      Why wouldn't you have a separate firewall anyways?

      Not trying to defend Intel here by the way. In a way I can understand why corporates might actually want something like AMT. The problem is Intel's attitude; they really need to be more forthcoming as to how all of this works and allow people access to the hardware for alternative implementations. In the end the only thing you can do is to push the manufacturers for hardware free of these sorts of features.

      I say features because this fault was likely planted by the NSA. Seriously, throw somebody on Intel's development team a little money and you have your own surveillance channel into the hardware. I don't want to sound like "one of those guys" but I see a high probability that the security issue is a manufactured one.

      • #13
        Originally posted by ThrowAway3000:
        There is, I've just built a Bulldozer-based PC, and I bought a spare motherboard in case this one breaks 5 years later. Sucks to get a CPU from 2012 in 2017, but that was the only option to avoid PSP. Basically, stockpiling old hardware (just a motherboard, really) as per someone's advice on Phoronix.

        Oh well, at least the performance is 4 times better than my current dual-core Intel E7200 from 2008, and the CPU itself was only $110.
        The C32 Opterons are a great value right now, and there's tons of Supermicro H8SCM mobos on ebay. Makes for a rock solid combo, no PSP, and still good enough performance for a modernish desktop. I'm typing this on one, an Opteron 4386.
        Last edited by torsionbar28; 01 May 2017, 08:05 PM.

        • #14
          Originally posted by wizard69:
          Why wouldn't you have a separate firewall anyways?
          You would. This is not exploitable unless you're on the same subnet as the target machine, or have physical access to the target machine.

          Originally posted by wizard69:
          I say features because this fault was likely planted by the NSA. Seriously throw somebody on Intels development team a little money and you have your own surveillance channel into the hardware. I don't want to sound like "one of those guys" but I see a high probability that the security issue is a manufactured one.
          Doubtful. Obama's NSA was targeting domestic consumers. Domestic consumers don't use the business peecee's that have this feature, and foreign entities will be behind many firewalls so the feature isn't exposed. Practically speaking, this exploit is really only useful if you have physical access to the machine. As fond as Obama was of spying on us, getting a backdoor into the Windows OS is a lower cost proposition and would give broader results than a business pc firmware exploit.
          Last edited by torsionbar28; 01 May 2017, 09:03 PM.

          • #15
            ME...backdoor/botnet by design, nothing new... https://stallman.org/intel.html. Just another tool at NSA's disposal.

            • #16
              Would installing a PCIe NIC work around this issue? Could the hole be exposed if you used that NIC and not the built-in?
              Hi

              • #17
                Given the fact that the guy who reported the vulnerability could only find a pretty paltry 7,000 servers that could be remotely exploited, it's not really a widespread issue. People who actually rely on AMT (and it is a very useful feature if you need it, believe me) can patch as needed.

                When I think back to Heartbleed and some other remote-execution vulnerabilities that actually caused real havoc, this is a small blip on the radar.

                • #18
                  Originally posted by chuckula:
                  Given the fact that the guy who reported the vulnerability could only find a pretty paltry 7,000 servers that could be remotely exploited, it's not really a widespread issue. People who actually rely on AMT (and it is a very useful feature if you need it, believe me) can patch as needed.

                  When I think back to Heartbleed and some other remote-execution vulnerabilities that actually caused real havoc, this is a small blip on the radar.
                  Heartbleed was not a privilege-escalation kind of vulnerability; it only allowed the attacker to read small chunks of the target's memory, and it was readily fixable by either patching OpenSSL or rebuilding it with the heartbeat option disabled, all of which could have been done by a sysadmin alone. This requires a firmware update that your motherboard manufacturer has to issue, it needs to be applied individually to all affected devices, and given its nature it cannot be delivered easily to the potentially millions of "business class" laptops out there that ship with AMT turned on by default.

                  • #19
                    Considering IntelME and AMD PSP have their own access to the network, how would you filter it out using a firewall or a firewalled router even?

                    Assuming you even block all ports and protocols you don't need. It can still communicate over http/80. From the router's perspective, you'd be surfing the web and nothing more. So?

                    • #20
                      Originally posted by MiUNX:
                      Considering IntelME and AMD PSP have their own access to the network, how would you filter it out using a firewall or a firewalled router even?

                      Assuming you even block all ports and protocols you don't need. It can still communicate over http/80. From the router's perspective, you'd be surfing the web and nothing more. So?
                      You can block it at least on the border firewalls to prevent anyone from the outside from attacking your network in this way. Blocking it internally is most likely impossible if you are a company that makes use of AMT.


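As an added example (not posted by anyone in this thread): a small Python check that scans constructed iptables-style border-firewall log lines for connections to the ports Intel AMT listens on (16992/16993 for its web interface, 16994/16995 for redirection, 623/664 for RMCP) coming from hosts outside an assumed management subnet, which is the "same subnet" and "border firewall" point made in posts #14 and #20. The management subnet 10.0.50.0/24 and the log lines are placeholders constructed for the example.

```python
# Added example: flag AMT-port connections from outside the management subnet.
# The AMT port list is Intel's documented set; the subnet and log lines below
# are constructed for illustration and are not from the thread.
import ipaddress
import re

AMT_PORTS = {16992, 16993, 16994, 16995, 623, 664}
# Hypothetical management subnet: only these hosts may talk to AMT.
MGMT_NET = ipaddress.ip_network("10.0.50.0/24")

# Constructed syslog-like lines as a border firewall might log them.
SAMPLE_LOG = """\
May 01 20:05:11 fw kernel: ACCEPT IN=eth0 SRC=10.0.50.7 DST=10.0.20.15 PROTO=TCP SPT=51234 DPT=16992
May 01 20:05:12 fw kernel: ACCEPT IN=eth0 SRC=203.0.113.9 DST=10.0.20.15 PROTO=TCP SPT=40211 DPT=16992
May 01 20:05:13 fw kernel: ACCEPT IN=eth0 SRC=198.51.100.4 DST=10.0.20.16 PROTO=TCP SPT=40212 DPT=80
May 01 20:05:14 fw kernel: DROP IN=eth0 SRC=198.51.100.4 DST=10.0.20.16 PROTO=TCP SPT=40213 DPT=16993
May 01 20:05:15 fw kernel: ACCEPT IN=eth0 SRC=10.0.50.8 DST=10.0.20.17 PROTO=UDP SPT=623 DPT=623
"""

LINE_RE = re.compile(
    r"(?P<action>ACCEPT|DROP) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) SPT=\d+ DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return the fields we care about as a dict, or None for non-matching lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dpt"] = int(rec["dpt"])
    return rec

def suspicious_amt_access(log_text, mgmt_net=MGMT_NET):
    """Return (src, dst, dpt, action) for AMT-port connections from outside mgmt_net.

    ACCEPTed hits are the finding an operator wants to see; DROPped hits are
    kept as evidence that the border rule is doing its job.
    """
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["dpt"] not in AMT_PORTS:
            continue
        if ipaddress.ip_address(rec["src"]) in mgmt_net:
            continue  # legitimate management host, nothing to report
        findings.append((rec["src"], rec["dst"], rec["dpt"], rec["action"]))
    return findings

if __name__ == "__main__":
    for hit in suspicious_amt_access(SAMPLE_LOG):
        print("AMT port reached from outside the management subnet:", hit)
```

Pointing the same check at traffic seen on the inside of the network shows why post #20 calls internal blocking impractical: the management hosts that legitimately use AMT are exactly the ones the allow-list has to let through.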