Is Intel’s Management Engine Broken?

Betteridge’s Law of Headlines states, “Any headline that ends in a question mark can be answered by the word no.” This law remains unassailable. However, recent claims have called into question a black box hidden deep inside every Intel chipset produced in the last decade.

Yesterday, on the Semiaccurate blog, [Charlie Demerjian] announced a remote exploit for the Intel Management Engine (ME). This exploit covers every Intel platform with Active Management Technology (AMT) shipped since 2008. This is a small percentage of all systems running Intel chipsets, and even then the remote exploit will only work if AMT is enabled. [Demerjian] also announced the existence of a local exploit.

Intel’s ME and AMT Explained

In 2005, Intel began including Active Management Technology in Ethernet controllers. This system is effectively a firewall and a tool used for provisioning laptops and desktops in a corporate environment. In 2008, a new coprocessor — the Management Engine — was added. This management engine is a processor connected to every peripheral in a system. The ME has complete access to all of a computer’s memory, network connections, and every peripheral connected to a computer. The ME runs when the computer is hibernating and can intercept TCP/IP traffic. The Management Engine can be used to boot a computer over a network, install a new OS, and disable a PC if it fails to check into a server at some predetermined interval. From a security standpoint, if you own the Management Engine, you own the computer and all data contained within.

The Management Engine and Active Management Technology have become a focus of security researchers. The researcher who finds an exploit allowing an attacker access to the ME will become the greatest researcher of the decade. When this exploit is discovered, a billion dollars in Intel stock will evaporate. Fortunately, or unfortunately, depending on how you look at it, the Management Engine is a closely guarded secret, it’s based on a strange architecture, and the on-chip ROM for the ME is a black box. Nothing short of corporate espionage or looking at the pattern of bits in the silicon will tell you anything. Intel’s Management Engine and Active Management Technology are secure through obscurity, yes, but so far they have been secure for a decade while being a target for the best researchers on the planet.

Semiaccurate’s Claim

In yesterday’s blog post, [Demerjian] reported the existence of two exploits. The first is a remotely exploitable security hole in the ME firmware. This exploit affects every Intel chipset made in the last ten years with Active Management Technology on board and enabled. It is important to note this remote exploit only affects a small percentage of total systems.

The second exploit reported by the Semiaccurate blog is a local exploit that does not require AMT to be active but does require Intel’s Local Manageability Service (LMS) to be running. This is simply another way that physical access equals root access. From the few details [Demerjian] shared, the local exploit affects a decade’s worth of Intel chipsets, but not remotely. This is simply another evil maid scenario.

Should You Worry?

This hacker is unable to exploit Intel’s ME, even though he’s using a three-hole balaclava.

The biggest network security threat today is a remote code execution exploit for Intel’s Management Engine. Every computer with an Intel chipset produced in the last decade would be vulnerable to this exploit, and RCE would give an attacker full control over every aspect of a system. If you want a metaphor, we are dinosaurs and an Intel ME exploit is an asteroid hurtling towards the Yucatán peninsula.

However, [Demerjian] gives no details of the exploit (rightly so), and Intel has released an advisory stating, “This vulnerability does not exist on Intel-based consumer PCs.” According to Intel, this exploit will only affect Intel systems that ship with AMT, and have AMT enabled. The local exploit only works if a system is running Intel’s LMS.

This exploit — no matter what it may be, as there is no proof of concept yet — only works if you’re using Intel’s Management Engine and Active Management Technology as intended. That is, if an IT guru can reinstall Windows on your laptop remotely, this exploit applies to you. If you’ve never heard of this capability, you’re probably fine.

Still, with an exploit of such magnitude, it’s wise to check for patches for your system. If your system does not have Active Management Technology, you’re fine. If your system does have AMT, but you’ve never turned it on, you’re fine. If you’re not running LMS, you’re fine. Intel’s ME can be neutralized if you’re using a sufficiently old chipset. This isn’t the end of the world, but it does give security experts panning Intel’s technology for the last few years the opportunity to say, ‘told ya so’.
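One way to check the LMS condition on a Linux host, as an added example that is not from the article or from Intel: the function below reads `ss -ltnH` output and reports whether anything is listening on the IANA-registered AMT ports 16992-16995. That a running LMS shows up as a host listener on those ports is an assumption, and the function name and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the article). Reads `ss -ltnH` output on stdin and
# reports whether a listener sits on the IANA-registered AMT ports 16992-16995.
# Assumption: a running LMS appears as a host listener on those ports.
# Caveat: traffic answered by the ME firmware itself never appears in `ss`.

amt_listener_exposure() {
    awk '
    {
        addr = $4                          # "Local Address:Port" column
        n = split(addr, parts, ":")
        port = parts[n] + 0                # "*" or junk becomes 0
        if (port < 16992 || port > 16995) next
        host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
        if (host == "127.0.0.1" || host == "[::1]") {
            if (level < 1) level = 1       # loopback only
        } else {
            level = 2                      # reachable from other hosts
        }
    }
    END {
        if (level == 2)      print "network"
        else if (level == 1) print "local-only"
        else                 print "none"
    }'
}

# Constructed sample input, not captured from a real machine.
SAMPLE_LOOPBACK='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 127.0.0.1:16992 0.0.0.0:*
LISTEN 0 5 [::1]:16993 [::]:*'
SAMPLE_WILDCARD='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 5 0.0.0.0:16992 0.0.0.0:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | amt_listener_exposure
printf '%s\n' "$SAMPLE_WILDCARD" | amt_listener_exposure
```

On a real host, pipe live data in with `ss -ltnH | amt_listener_exposure`; a result of `none` covers only host-side listeners, not anything the firmware answers on its own.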

Want Gesture-Tracking? All You Have To Do Is Lift Your Finger.

Watching Tony Stark wave his hands to manipulate projected constructs is an ever-approaching reality — at least in terms of gesture-tracking. Lift — a prototype built by a team from UC Irvine and FX Palo Alto Laboratory — is able to track up to ten fingers with 1.7 mm accuracy!

Lift’s gesture-tracking is achieved by using a DLP projector, two Arduino MKR1000s, and a light sensor for each digit. Lift’s design allows it to work on virtually any flat surface; the projected image acts as a grid and work area for the user. As their fingers move across the projected surface, the light sensors feed the information from the image to the Arduinos, which infer the location of each finger and translate it into a digital workspace. Sensors may also be mounted on other objects to add functionality.

So far, the team has used Lift as an input device for drawing, as well as using it to feign gesture controls on a standard laptop screen. The next step would be two or more projectors, which would allow Lift to function fully and efficiently in three dimensions and interact directly with projected media content. Can it also operate wirelessly? Yes. Yes, it can.

While we don’t have Tony Stark’s hologram workstation quite yet, we can still play Tetris, fly drones, and mess around with surgical robots.

Restoring A Japanese Oscilloscope

Oscilloscopes have come a long way. Today’s scope is more likely to look like a tablet than an old tube-based instrument. Still, there’s something about looking into a glowing green tube, especially if you’ve done the work to resurrect that old hollow state device. [NFM] picked up a Kikusui OP-31C, a vintage Japanese scope, at a second-hand store. He made a video of his restoration efforts that you can see below.

The scope actually powered up and worked the first time. Of course, unlike a modern scope, the OP-31C has to warm up before it will show up. However, the pots needed cleaning and as a precaution, he replaced the old oil and electrolytic capacitors.

The big transformer and the coarse-looking single sided circuit board certainly will bring back memories if you are old enough. [NFM] had a schematic of the scope and takes you on a tour of the innards, although his schematic had some subtle differences from the actual unit, possibly due to some repair work.

He was going to rebuild one of the large electrolytic “can” capacitors to keep the outer shell with newer (and smaller) modern capacitors. However, he found a very similar modern capacitor and used that, instead.

We think it would have been more fun if the scope didn’t work. However, it was still a great tear down of the old tube-based device. This is a bigger device than the last old scope tear down we looked at. Not that we haven’t seen smaller ones (although, the link in the post has moved).
