Summary Of The Intel Management Engine And Why You Should Care.

Emp55t

kiwifarms.net
For those who don't know, the Intel Management Engine (also known as "ME") is a subsystem in almost all of Intel's chipsets since 2008 which cannot be accessed by the host OS. The ME records and sends off all your mouse movements, keystrokes, and video outputs, and the worst thing is that unless your PC/laptop is no longer plugged in/connected to the battery, the ME will always be on, monitoring.

I'm Fine With The Monitoring

If you are OK with Intel's constant eyes watching over you, allow me to tell you about the alarming number of exploits found for the ME which allow hackers to view everything you have done and what you are doing on your PC.

TL;DR: Intel's CPUs have a backdoor and Intel's always watching.
 

Slav Power

Tag jes.
kiwifarms.net
I'm gonna put it differently. IME is bad because it's a hidden layer that is always on and can access every single element about your PC, and it is exploitable. It's essentially a possible backdoor and it's a horrible fucking idea that should've been done in a different way. I'm not scared of Intel using it to send my data to the NSA, I'm scared that it will be used by unauthorized people to attack my computer.

If its purpose is remote access for system administrators, then why the fuck is it incorporated in every single chipset on the market, without the ability to turn it off? This kind of functionality should be an option, for example as a socketable chip on the motherboard which can be added by sysadmins, but not shipped with consumer boards which don't need such functionality.

The way it is done right now means that every single modern Intel system could be fully controlled remotely by hackers, if an appropriate backdoor is found. And Intel is known for having an absolutely horrendous record of known vulnerabilities, so it's a matter of time before a serious IME exploit will be found. And then what? Intel will release yet another BIOS patch that will fix it, while cutting the performance in half? And even then, how many people would update their BIOS?

So, to sum it up: Intel is incredibly incompetent and irresponsible when it comes to the security of their products, for which they release patches that strongly degrade the machine's performance and which aren't widely applied by end users. If every single Intel machine has a subsystem with full access to the whole machine as long as it's connected to any power source, it's just asking for a massive security disaster.
 

The Fool

True & Honest Fan
kiwifarms.net
ME is one of the many, many reasons I religiously do not touch any machine running with an Intel processor.

Like others have said, it's not about Intel spying on me. It's about how exploitable it probably is and how utterly inept, impulsive and irresponsible Intel is.

By the way, IME is just a custom Minix distribution. Now I love Minix, but it's not the most stable or advanced piece of software out there. I've tried it many a time and I've always been extremely unimpressed despite how promising of a project it is. I can't speak for how stable it actually is, but I'm not optimistic. The thing about this system is it doesn't need to exist. Every single thing you add to a system is another point of failure, another thing that can break and take down the entire system. IME doesn't need to exist; it doesn't need to literally be an entire operating system. This is not a requirement for the processor to do its one fucking job.
 

Shoggoth

kiwifarms.net
ME is one of the many, many reasons I religiously do not touch any machine running with an Intel processor.
Don't assume AMD doesn't have similar capabilities, although they have released a BIOS patch allowing you to disable it, while the IME can't be disabled.
AFAIK the IME was first created to prevent the user from ripping blu-ray DVDs and bloated over time. It also looks like the Active Management Technology (AMT), which is what enables remote access and management, is optional and can be disabled.
Still, the way Intel processors are built, the computer will not boot without the IME, and it's a seriously risky backdoor.
 

Cedric_Eff

No secret, it's the meat. Don't skimp on the meat.
kiwifarms.net
Don't assume AMD doesn't have similar capabilities, although they have released a BIOS patch allowing you to disable it, while the IME can't be disabled.
AFAIK the IME was first created to prevent the user from ripping blu-ray DVDs and bloated over time. It also looks like the Active Management Technology (AMT), which is what enables remote access and management, is optional and can be disabled.
Still, the way Intel processors are built, the computer will not boot without the IME, and it's a seriously risky backdoor.
What hasn't Intel fucked up in the last year or so?
 

AmpleApricots

kiwifarms.net
This thing is a lot older than a year.

Funnily enough, it probably also makes MINIX one of the most widespread if not the most widespread OS for x86 hardware.

There's the me_cleaner project that seeks ways to cripple it, to stop it from booting fully without making the computer unusable. I think at least with older versions of the ME, they were quite successful with it. Intel threatens every attempt to reverse engineer it and publish the findings with their hefty legal department. That's what they do officially. Unofficially they can probably make sure you get so blackballed you'll never work in anything computer-related again.

AMD has PSP (no, not the handheld) which is quite similar but apparently is at least (partially) possible to disable.
 

Shoggoth

kiwifarms.net
What hasn't Intel fucked up in the last year or so?
This thing is a lot older than a year.
Way older than a year. Consider that the IME has existed commercially since 2008, meaning they've been working on it since 2005-6. It's a cross-system project, needing to be architected both as its own chip and on the CPU, so that's plenty of work for architects; add to that design, fabrication and testing.
In all fairness to Intel, chip architecture and fabrication are hard. As much as they fucked up, they've hit the wall I guess AMD and TSMC are going to hit soon (node size doesn't say anything; transistor area and density is what really matters). I think their mistakes were more in the area of leadership. When TSMC had a bad process (don't remember which node it was) they quickly ditched it and shipped another one. Intel went full exceptional individual on 10nm hoping it would work, and maybe got lost in a sunk-cost fallacy.
In regards to their security vulnerabilities, while disgraceful, I can sort of understand. Speculative execution is complicated, and perhaps the CPU needs to be rearchitected in order to support it more correctly. Intel has still been running on the same uArch for over 15 years. They didn't really innovate on it, just added modules on top of it. Maybe it'll be to their detriment.
I just want all sides to ship good products without bugs and to see their stonks rise.
 

Pissmaster

True & Honest Fan
kiwifarms.net
I've heard about it, yet I've never actually seen an exploit that uses it, and if an exploit became well known enough, we'd all be getting some kind of spam in some form through it. Hell, remember Windows Messenger Service on Windows 2000? Connect an unpatched machine to the internet and you'd get loads of popups in no time.
 

Shoggoth

kiwifarms.net
I've heard about it, yet I've never actually seen an exploit that uses it, and if an exploit became well known enough, we'd all be getting some kind of spam in some form through it. Hell, remember Windows Messenger Service on Windows 2000? Connect an unpatched machine to the internet and you'd get loads of popups in no time.
The main concerns regarding it are less about exploits and more about it being the proverbial keys to the castle. It's not about some Ruskies installing ransomware on your machine, but your basic rights to privacy. Theoretically if a TLA had access to it, you'd be so completely owned you might as well give up on life.
 

Dingo

kiwifarms.net
It's possible to reduce IME's abilities but not to outright disable it.
me_cleaner is a Python script able to modify an Intel ME firmware image with the final purpose of reducing its ability to interact with the system.

Intel AMT does not support manageability over a wireless interface when the host processor runs an operating system other than Microsoft Windows*. The product has not been validated when the host is running Linux or other operating systems. Do not configure Intel AMT for wireless use in these circumstances.

Intel ME has direct access to the wired LAN port, has its own MAC and IP address, and functions even when the computer is connected to a power source but turned off. This leaves me wondering whether IME has access to a USB or PCIe wireless LAN adapter. If AMT doesn't work over wireless LAN with Linux, then maybe IME won't either? That would mean that any attacks would need to come through the wired LAN port.
 
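To make the me_cleaner line above concrete, here is an added example (not me_cleaner's own code and not from anyone in the thread) that inventories the partitions in an ME firmware image the way an analyst would before and after running me_cleaner on it. It assumes the $FPT layout described in the me_cleaner project documentation (a 0x20-byte header holding the entry count at +4, 0x20-byte entries with offset and length at +8 and +12, table at region offset 0x10 or 0x0) and runs against a constructed dummy image, not a real firmware dump.

```python
import struct

FPT_SIG = b"$FPT"
HEADER_LEN = 0x20   # $FPT header size (assumed from me_cleaner's documented layout)
ENTRY_LEN = 0x20    # one partition descriptor: name, owner, offset, length, misc


def find_fpt(image: bytes) -> int:
    """Locate the $FPT header: usually at 0x10 behind a 16-byte ROM-bypass stub,
    sometimes at 0x0. Raise if neither matches so a bad image is not parsed blindly."""
    for off in (0x10, 0x0):
        if image[off:off + 4] == FPT_SIG:
            return off
    raise ValueError("no $FPT signature found; not an ME region")


def parse_partitions(image: bytes) -> list:
    """Return one dict per partition table entry (name, offset, length, present)."""
    fpt = find_fpt(image)
    (count,) = struct.unpack_from("<I", image, fpt + 4)
    if fpt + HEADER_LEN + count * ENTRY_LEN > len(image):
        raise ValueError("partition table runs past end of image")
    parts = []
    for i in range(count):
        base = fpt + HEADER_LEN + i * ENTRY_LEN
        name = image[base:base + 4].rstrip(b"\x00").decode("ascii", "replace")
        offset, length = struct.unpack_from("<II", image, base + 8)
        # Entries with offset 0 or 0xFFFFFFFF are placeholders (assumption here).
        present = offset not in (0, 0xFFFFFFFF)
        parts.append({"name": name, "offset": offset, "length": length, "present": present})
    return parts


def removable_partitions(parts: list) -> list:
    """Names of present partitions other than FTPR, the boot-critical one me_cleaner keeps."""
    return [p["name"] for p in parts if p["present"] and p["name"] != "FTPR"]


def build_sample_image() -> bytes:
    """Constructed dummy ME region: ROM-bypass stub, $FPT header, three entries."""
    entries = [(b"FTPR", 0x1000, 0x20000), (b"NFTP", 0x21000, 0x40000), (b"MFS\x00", 0, 0)]
    header = (FPT_SIG + struct.pack("<I", len(entries))).ljust(HEADER_LEN, b"\x00")
    table = b"".join(name + struct.pack("<7I", 0, off, ln, 0, 0, 0, 0)
                     for name, off, ln in entries)
    return (b"\xff" * 0x10 + header + table).ljust(0x1000, b"\xff")


if __name__ == "__main__":
    for p in parse_partitions(build_sample_image()):
        print(f"{p['name']:<4} off=0x{p['offset']:08x} len=0x{p['length']:08x} present={p['present']}")
```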

Smaug's Smokey Hole

no corona
kiwifarms.net
edit: how in the fuck did I miss the post just above me

Servers using their own management engine usually, in my experience, have it on a separate ethernet port for obvious reasons. The onboard network chip is made by Intel and is part of the overall chipset/platform and IME is using that network interface, so I wonder how the IME would be affected by using a non-Intel PCIe NIC.

Some quick googling suggests that IME doesn't work with non-Intel network cards, either USB or PCIe; using one makes AMT/vPro unusable. So there's your solution.
 

AnOminous

Really?
True & Honest Fan
Retired Staff
kiwifarms.net
edit: how in the fuck did I miss the post just above me

Servers using their own management engine usually, in my experience, have it on a separate ethernet port for obvious reasons. The onboard network chip is made by Intel and is part of the overall chipset/platform and IME is using that network interface, so I wonder how the IME would be affected by using a non-Intel PCIe NIC.

Some quick googling suggests that IME doesn't work with non-Intel network cards, either USB or PCIe; using one makes AMT/vPro unusable. So there's your solution.
Doesn't it also have full access to memory and the protocol layer? It doesn't need access to the network layer if it can just hijack the TCP/IP stack regardless. Intel claims they haven't done that, but if they'd done that, they'd deny it, wouldn't they?
 

Smaug's Smokey Hole

no corona
kiwifarms.net
Doesn't it also have full access to memory and the protocol layer? It doesn't need access to the network layer if it can just hijack the TCP/IP stack regardless. Intel claims they haven't done that, but if they'd done that, they'd deny it, wouldn't they?
Maybe they could hack something together somehow and keep it a secret, but that would be if the entire purpose was nefarious or clandestine. If they could do that and it was not nefarious, then you'd think they would offer that functionality to allow remote management of servers and computers to their paying customers who want that ability.

One valid reason that I can think of to keep it under wraps, if they could do it, is if it was a buggy piece of shit and it would be a pain in the ass to support. It works with discrete Intel NICs, but that could be because they have their own native drivers in Minix for their cards but not for Chinese mystery cards and every other variant out there. Their chips/cards could also have some specific hardware features that allow IME to work; they design everything from the ground up, so something like that could be part of why their cards work.
 

AnOminous

Really?
True & Honest Fan
Retired Staff
kiwifarms.net
Maybe they could hack something together somehow and keep it a secret, but that would be if the entire purpose was nefarious or clandestine.
Such as if it were part of an agreement with the NSA to build backdoors into all CPUs sold commercially? Or they wouldn't have to actually build in the backdoors themselves, so they'd have deniability, but just include certain "features" that could be exploited remotely. The NSA could design their own exploits.
 