Is Intel’s Management Engine Broken?

Betteridge’s Law of Headlines states, “Any headline that ends in a question mark can be answered by the word no.” This law remains unassailable. However, recent claims have called into question a black box hidden deep inside every Intel chipset produced in the last decade.

Yesterday, on the Semiaccurate blog, [Charlie Demerjian] announced a remote exploit for the Intel Management Engine (ME). This exploit covers every Intel platform with Active Management Technology (AMT) shipped since 2008. This is a small percentage of all systems running Intel chipsets, and even then the remote exploit will only work if AMT is enabled. [Demerjian] also announced the existence of a local exploit.

Intel’s ME and AMT Explained

In 2005, Intel began including Active Management Technology in Ethernet controllers. This system is effectively a firewall and a tool used for provisioning laptops and desktops in a corporate environment. In 2008, a new coprocessor — the Management Engine — was added. This management engine is a processor connected to every peripheral in a system. The ME has complete access to all of a computer’s memory, network connections, and every peripheral connected to a computer. The ME runs when the computer is hibernating and can intercept TCP/IP traffic. The Management Engine can be used to boot a computer over a network, install a new OS, and disable a PC if it fails to check into a server at some predetermined interval. From a security standpoint, if you own the Management Engine, you own the computer and all data contained within.

The Management Engine and Active Management Technology have become a focus of security researchers. The researcher who finds an exploit allowing an attacker access to the ME will become the greatest researcher of the decade. When this exploit is discovered, a billion dollars in Intel stock will evaporate. Fortunately, or unfortunately, depending on how you look at it, the Management Engine is a closely guarded secret, it’s based on a strange architecture, and the on-chip ROM for the ME is a black box. Nothing short of corporate espionage or looking at the pattern of bits in the silicon will tell you anything. Intel’s Management Engine and Active Management Technology are secure through obscurity, yes, but so far they have been secure for a decade while being a target for the best researchers on the planet.

Semiaccurate’s Claim

In yesterday’s blog post, [Demerjian] reported the existence of two exploits. The first is a remotely exploitable security hole in the ME firmware. This exploit affects every Intel chipset made in the last ten years with Active Management Technology on board and enabled. It is important to note this remote exploit only affects a small percentage of total systems.

The second exploit reported by the Semiaccurate blog is a local exploit that does not require AMT to be active but does require Intel’s Local Manageability Service (LMS) to be running. This is simply another way that physical access equals root access. From the few details [Demerjian] shared, the local exploit affects a decade’s worth of Intel chipsets, but not remotely. This is simply another evil maid scenario.

Should You Worry?

This hacker is unable to exploit Intel’s ME, even though he’s using a three-hole balaclava.

The biggest network security threat today is a remote code execution exploit for Intel’s Management Engine. Every computer with an Intel chipset produced in the last decade would be vulnerable to this exploit, and RCE would give an attacker full control over every aspect of a system. If you want a metaphor, we are dinosaurs and an Intel ME exploit is an asteroid hurtling towards the Yucatán peninsula.

However, [Demerjian] gives no details of the exploit (rightly so), and Intel has released an advisory stating, “This vulnerability does not exist on Intel-based consumer PCs.” According to Intel, this exploit will only affect Intel systems that ship with AMT, and have AMT enabled. The local exploit only works if a system is running Intel’s LMS.

This exploit — no matter what it may be, as there is no proof of concept yet — only works if you’re using Intel’s Management Engine and Active Management Technology as intended. That is, if an IT guru can reinstall Windows on your laptop remotely, this exploit applies to you. If you’ve never heard of this capability, you’re probably fine.

Still, with an exploit of such magnitude, it’s wise to check for patches for your system. If your system does not have Active Management Technology, you’re fine. If your system does have AMT, but you’ve never turned it on, you’re fine. If you’re not running LMS, you’re fine. Intel’s ME can be neutralized if you’re using a sufficiently old chipset. This isn’t the end of the world, but it does give security experts panning Intel’s technology for the last few years the opportunity to say, ‘told ‘ya so’.

Another California Water Crisis

It’s no secret that a vast amount of American infrastructure is in great need of upgrades, repairs or replacements. The repairs that are desperately needed will come, and they will come in one of two ways. Either proactive repairs can be made when problems are first discovered, or repairs can be made at considerably greater cost after catastrophic failures have occurred. As was the case with the I-35 bridge collapse in Minnesota, we often pay in lives as well. Part of the problem is that infrastructure isn’t very exciting or newsworthy to many people outside of the civil engineering community which leads to complacency and apathy. As a result, it’s likely that you may not have heard about the latest struggle currently playing out in California even though it involves the largest dam in the United States and its potential failure.

Surprisingly enough, the largest dam in the US isn’t the famous Hoover Dam but the Oroville Dam at the base of the Sierra Nevada mountain range in California. At 235 meters, it is almost 15 meters taller than the Hoover Dam. It can store over four cubic kilometers of water but whether or not it will keep storing that water into the future is currently under question. In February of this year during a flood control operation damage was observed on the dam’s spillway where a massive hole had formed which only got larger as the dam was forced to continue releasing water. The hole quickly grew, and the floodwaters eroded much of the lower half of the spillway embankment, forming a canyon.

Victorians and Fiber, Louisville’s Quest For Fast Internet

It was a dark and stormy afternoon, the kind you get on the east side of the country. I was drinking a coffee, sitting in a camping chair in front of my door, and watching like a hawk for the treacherous cable man to show up. This day there would be no escape. There would be no gently rapping the door with a supple sheepskin leather glove before scurrying away for another union mandated coffee break. I was waiting, I was kind of grumpy, and by God today would be the day. Today would be the day that after hours on hold, after three missed appointments, after they lost my records twice; I would get an answer on whether or not they could actually service internet to my apartment. If I was lucky, and the answer was yes, then approximately two to three thousand years later they would run a cable from the telephone pole to my house and I could stop commandeering WiFi from the pizza shop across from me.

It’s important to note that I was in the middle of the city. I wasn’t out in the boonies. Every house on the block but mine had cable. While this is dumb, it begins to make more sense when you dive into the history. Louisville, Kentucky is a strange place. It used to be the gateway to the west. Ships would crawl up its river until they reached the falls. Then porters would charge an exorbitant fee to carry all those goods down to the bottom of the falls where they would be loaded on a ship and be sent ever westward. This resulted in every rich merchant, captain, and manufacturer in the region having a nice house there. Ever wonder why the Derby is in Louisville and the Queen comes to visit sometimes? It probably has something to do with it having the highest concentration of Victorian buildings and mansions outside of New York City.


Arch Your Eyebrow at Impression Products V. Lexmark International

When it comes to recycled printer consumables, the world seems to divide sharply into those who think they’re great, and those who have had their printer or their work ruined by a badly filled cartridge containing cheaper photocopy toner, or God knows what black stuff masquerading as inkjet ink. It doesn’t matter though whether you’re a fan or a hater, a used printer cartridge is just a plastic shell with its printer-specific ancillaries that you can do with what you want. It has performed the task the manufacturer sold it to you for and passed its point of usefulness. If you want to fill it up with aftermarket ink, well, it’s yours, so go ahead.

There is a case approaching the US Supreme Court though which promises to change all that, as well as to have ramifications well beyond the narrow world of printer cartridges. Impression Products, Inc. v. Lexmark International, Inc. pits the printer manufacturer against a small cartridge recycling company that refused to follow the rest of its industry and reach a settlement.

At issue is a clause in the shrink-wrap legal agreement small print that comes with a new Lexmark cartridge that ties a discounted price to an agreement to never offer the cartridge for resale or reuse. They have been using it for decades, and the licence is deemed to have been agreed to simply by opening the cartridge packaging. By pursuing the matter, Lexmark are trying to set a legal precedent allowing such licensing terms to accompany physical products even when they pass out of the hands of the original purchaser who accepted the licence.

There is a whole slew of concerns to be addressed about shrink-wrap licence agreements; after all, how many Lexmark owners even realise that they’re agreeing to some legal small print when they open the box? But the concern for us lies in the consequences this case could have for the rest of the hardware world. If a precedent is set such that a piece of printer consumable hardware can have conditions still attached to it when it has passed through more than one owner, then the same could be applied to any piece of hardware. The prospect of everything you own routinely having restrictions on the right to repair or modify it raises its ugly head, further redefining “ownership” as “They really own it”. Most of the projects we feature here at Hackaday for example would probably be prohibited were their creators to be subject to these restrictions.

We’ve covered a similar story recently, the latest twist in a long running saga over John Deere tractors. In that case though there is a written contract that the farmer buying the machine has to sign. What makes the Lexmark case so much more serious is that the contract is being applied without the purchaser being aware of its existence.

We can’t hold out much hope that the Supreme Court understand the ramifications of the case for our community, but there are other arguments within industry that might sway them against it. Let’s hope Impression Products v. Lexmark doesn’t become a case steeped in infamy.

Thanks to [Greg Kennedy] for the tip.

Lexmark sign by CCC2012 [CC0].

Shut the Backdoor! More IoT Cybersecurity Problems

We all know that what we mean by hacker around here and what the world at large thinks of as a hacker are often two different things. But as our systems get more and more connected to each other and the public Internet, you can’t afford to ignore the other hackers — the black-hats and the criminals. Even if you think your data isn’t valuable, sometimes your computing resources are, as evidenced by the recent attack launched from unprotected cameras connected to the Internet.

As [Elliot Williams] reported earlier, Trustwave (a cybersecurity company) recently announced they had found a backdoor in some Chinese voice over IP gateways. Apparently, they left themselves an undocumented root password on the device and — to make things worse — they use a proprietary challenge/response system for passwords that is insufficiently secure. Our point isn’t really about this particular device, but if you are interested in the details of the algorithm, there is a tool on GitHub, created by [JacobMisirian] using the Trustwave data. Our interest is in the practice of leaving intentional backdoors in products. A backdoor like this — once discovered — could be used by anyone else, not just the company that put it there.


Fix-a-Brick: Fighting the Nexus 5X Bootloop

Oh Nexus 5X, how could you? I found my beloved device was holding my files hostage having succumbed to the dreaded bootloop. But hey, we’re hackers, right? I’ve got this.

It was a long, quiet Friday afternoon when I noticed my Nexus 5X was asking to install yet another update. Usually I leave these things for a few days before eventually giving in, but at some point I must have accidentally clicked to accept the update. Later that day I found my phone mid-way through the update and figured I’d just wait it out. No dice — an hour later, my phone was off. Powering up led to it repeatedly falling back to the “Google” screen; the dreaded bootloop.

Stages of Grief

I kept my phone on me for the rest of the night’s jubilant activities, playing with it from time to time, but alas, nothing would make it budge. The problem was, my Nexus still had a full day’s video shoot locked away on its internal flash that I needed rather badly. I had to fix the phone, at least long enough to recover my files. This is the story of my attempt to debrick my Nexus 5X.


Autonomous Delivery and the Last 100 Feet

You’ve no doubt by now seen Boston Dynamics’ latest “we’re living in the future” robotic creation, dubbed Handle. [Mike Szczys] recently covered the more-or-less-official company unveiling of Handle, the hybrid bipedal-wheeled robot that can handle smooth or rugged terrain and can even jump when it has to, all while remaining balanced and apparently handling up to 100 pounds of cargo with its arms. It’s absolutely sci-fi.

[Mike] closed his post with a quip about seeing “Handle wheeling down the street placing smile-adorned boxes on each stoop.” I’ve recently written about autonomous delivery, covering both autonomous freight as the ‘killer app’ for self-driving vehicles and the security issues posed by autonomous delivery. Now I want to look at where anthropoid robots might fit in the supply chain, and how likely it’ll be to see something like Handle taking over the last hundred feet from delivery truck to your door.
