Source: HNN | New Intel CPUs come with a built-in secret backdoor that allows remote control of your computer and all of its hardware, even while the computer is turned off.
Hardware security expert Damien Zammit made some startling revelations in a recent Softpedia article about the secret backdoor built into new Intel CPUs that no one can touch or disable.
It works by setting up a TCP/IP server, and since the subsystem has complete, uncontrolled access to your computer’s hardware, including the network card and memory, it works without the knowledge of your computer’s operating system and cannot be disabled by the OS or by your computer’s firewall.
No one outside of Intel has seen the ME source code, and security experts are warning that the built-in backdoor has the potential to explode into the worst rootkit ever, with every modern Intel-based CPU becoming compromised.
Intel asserts it is secure from hackers and such attacks because it is protected by 2048-bit RSA encryption, which is theoretically thought to be uncrackable during the lifespan of everyone living on earth today.
However, the same theories were thought to be applicable to previous incarnations of the current 2048-bit RSA standard, each iteration of which was proven to be absolutely wrong in practice.
Given advancements in mathematical theory relating to algorithms such as the variations of the Quadratic Sieve (QS) and the General Number Field Sieve (GNFS), combined with advances in computer hardware and software to support parallel computing, researchers have repeatedly surpassed theoretical limits decades and centuries before they were theoretically thought to be vulnerable.
In the meantime, relatively unexplored frontiers in current technology abound.
Mathematicians continue to work on new theory to crack current encryption techniques. Combined with the recent rise of special hardware called Application Specific Integrated Circuits (ASICs) for the mining of cryptocurrency, this creates the possibility for RSA to be cracked in the next few years in ways that were not previously imagined.
Moreover, a quantum computing algorithm, known as Shor’s algorithm, would be able to break such encryption in a matter of seconds should it ever be implemented on any of the quantum computers that the United States Government and mega technology conglomerates, such as Google and Intel itself, have pumped billions of dollars into developing over the last decade.
Additionally, there have been repeated security issues with the SSL protocol itself revealed over the past few years, each of which presents an attack surface against the built-in rootkit.
Then, when we begin to consider state actors such as the NSA, the foundation for the underlying security mechanisms that the commercial world takes for granted completely crumbles.
It can probably be presumed that Intel’s technology implements certificates that the NSA can easily counterfeit, allowing it to act as a man in the middle.
Moreover, instead of conducting such covert operations, it could simply overtly issue Intel a National Security Letter and hence gain complete control over any given system at any given time.
The following slideshow by Igor Skochinsky presents an overview of probably the most comprehensive public review of ME.
Secret of Intel Management Engine by Igor Skochinsky
Intel x86 CPUs Come with a Secret Backdoor That Nobody Can Touch or Disable
Security researcher exposes Intel Management Engine (ME)
Hardware security expert Damien Zammit says that recent Intel x86 CPUs come with a secret subsystem that works as a separate CPU inside your CPU, can’t be disabled, and nobody can review the closed proprietary code.
Called the Intel Management Engine (ME), this subsystem is literally embedded inside the x86 chipset, where it runs its own closed-source firmware.
Zammit explains that AMT runs separately from any OS a user might install, allowing access to the computers in any deployment.
Intel ME sets up a TCP/IP server, accesses memory behind your back
In order for AMT to have all these remote management features, the ME platform will access any portion of the memory without the parent x86 CPU’s knowledge and also set up a TCP/IP server on the network interface.
[…] this server can send and receive traffic regardless of whether the OS is running a firewall or not.
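A defender's check for the listener described above, as an added example that is not from the original article: because the ME answers below the host OS, the audited machine's own tools will not show it, so the probe has to run from a second machine against hosts you administer. The port numbers are the IANA-registered Intel AMT ports (an assumption here, since the article does not list them), and the function names are hypothetical.

```python
import socket
import sys
from concurrent.futures import ThreadPoolExecutor

# IANA-registered Intel AMT ports; assumed here, the article does not list them.
AMT_PORTS = {
    16992: "AMT web UI/SOAP over HTTP",
    16993: "AMT web UI/SOAP over TLS",
    16994: "AMT redirection (SOL/IDE-R) over TCP",
    16995: "AMT redirection (SOL/IDE-R) over TLS",
}

def port_open(host, port, timeout=1.0):
    """True if a TCP handshake with host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered, unreachable, or name lookup failed
        return False

def audit_host(host, ports=AMT_PORTS, timeout=1.0):
    """Return {port: description} for each listed port that accepts a connection."""
    return {p: d for p, d in ports.items() if port_open(host, p, timeout)}

def audit_inventory(hosts, ports=AMT_PORTS, timeout=1.0):
    """Probe every host in parallel; returns {host: {port: description}}."""
    hosts = list(hosts)
    with ThreadPoolExecutor(max_workers=16) as pool:
        found = list(pool.map(lambda h: audit_host(h, ports, timeout), hosts))
    return dict(zip(hosts, found))

def report(findings):
    """Turn audit results into one line per finding, for a ticket or log."""
    lines = []
    for host, found in sorted(findings.items()):
        if not found:
            lines.append(f"{host}: no AMT listener reachable")
        for port, desc in sorted(found.items()):
            lines.append(f"{host}: {port}/tcp open ({desc})")
    return lines

if __name__ == "__main__":
    # Run from a *different* machine: the ME answers below the host OS,
    # so the audited host's own netstat and firewall never see these sockets.
    print("\n".join(report(audit_inventory(sys.argv[1:]))))
```

A host that reports an open port here while its own OS shows no matching listening socket is the situation the article describes.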
There are some problems that Zammit details.
[…] The first is that nobody outside Intel’s headquarters has ever seen the source code of the ME platform.
Secondly, the ME firmware is signed cryptographically with an RSA 2048 key that can’t be brute-forced in a human life (or more).
The third obstacle Zammit detailed is the fact that, on newer Intel Core2 CPU series, the ME can’t be disabled because the CPU will refuse to boot.
Fourth and last, there’s no way to audit the health of the ME firmware. A security researcher wouldn’t be able to search for any alleged NSA backdoors, nor will they be able to check if their PC’s CPU was compromised by an attacker’s rootkit.
Intel ME: the perfect backdoor, or the unremovable rootkit?
“[…]” Zammit wrote in an exposé for BoingBoing. “If ME’s secrets are compromised (and they will eventually be compromised by either researchers or malicious entities), then the entire ME security model will crumble, exposing every recent Intel system to the worst rootkits imaginable.”
The Trouble With Intel’s Management Engine
Something is rotten in the state of Intel. Over the last decade or so, Intel has dedicated enormous efforts to the security of their microcontrollers. For Intel, this is the only logical thing to do; you really, really want to know if the firmware running on a device is the firmware you want to run on a device. Anything else, and the device is wide open to balaclava-wearing hackers.
Intel’s first efforts toward cryptographically signed firmware began in the early 2000s with embedded security subsystems using Trusted Platform Modules (TPM). These small crypto chips, along with the BIOS, form the root of trust for modern computers. If the TPM is secure, the rest of the computer can be secure, or so the theory goes.
The TPM model has been shown to be vulnerable to attack, though. Intel’s solution was to add another layer of security: the (Intel) Management Engine (ME). Extremely little is known about the ME, except for some of its capabilities. The ME has complete access to all of a computer’s memory, its network connections, and every peripheral connected to a computer. It runs when the computer is hibernating, and can intercept TCP/IP traffic. Own the ME and you own the computer.
[…]Once the ME falls, everything with an Intel chip will fall. It is, by far, the scariest security threat today, and it’s one that’s made even worse by our own ignorance of how the ME works.
The Beginning of Intel’s Management Engine
In her talk at last month’s CCC, [Joanna Rutkowska] talked about the chain of trust found in the modern x86 computer. Trust is a necessary evil for security, and [Joanna] contrasts it with the normal meaning of the word, for which she uses “trustworthy”. If you can see the source code for your application, you can verify that it’s trustworthy. But since the application runs on top of the operating system, you have to trust the OS. Even if the OS is verified and trustworthy, it still has to trust the BIOS and firmware. As you keep digging down like this, verifying each layer, you eventually get to some part of the system that you can’t verify and just have to trust, and this root of trust is the role that the ME is trying to play.
This root of trust on the modern computer is, quite simply, untrustworthy. Instead of a proper BIOS that can trace its origins to the first x86 computers, computers today have UEFI and Secure Boot, a measure designed to only allow signed software to run on the device. Secure Boot can be disabled from the manufacturer, and security isn’t secure if it’s optional, and even less so if there are exploits for specific implementations of UEFI. […]
What the Management Engine Is
The best description of what the Management Engine is and does doesn’t come from Intel. Instead, we rely on [Igor Skochinsky] and a talk he gave at REcon 2014. […]
The Intel ME has a few specific functions, and although most of these could be seen as the best tool you could give the IT guy in charge of deploying thousands of workstations in a corporate environment, there are some tools that would be very interesting avenues for an exploit. These functions include Active Management Technology, with the ability for remote administration, provisioning, and repair, as well as functioning as a KVM. The System Defense function is the lowest-level firewall available on an Intel machine. IDE Redirection and Serial-Over-LAN allow a computer to boot over a remote drive or fix an infected OS, and the Identity Protection has an embedded one-time password for two-factor authentication. There are also functions for an ‘anti-theft’ function that disables a PC if it fails to check in to a server at some predetermined interval or if a ‘poison pill’ was delivered through the network. This anti-theft function can kill a computer, or notify the disk encryption to erase a drive’s encryption keys.
[…] Finding an exploit for the Intel ME will be difficult, though. While most of the firmware for the ME also resides in the Flash chip used by the BIOS, the firmware isn’t readily readable; some common functions are in an on-chip ROM and cannot be found by simply dumping the data from the Flash chip.
The Future of ME
With a trusted processor connected directly to the memory, network, and BIOS of a computer, the ME could be like a rootkit on steroids in the wrong hands. Thus, an exploit for the ME is what all the balaclava-wearing hackers want, but so far it seems that they’ve all come up empty.
The best efforts that we know of again come from [Igor Skochinsky]. After finding a few confidential Intel documents a company left on an FTP server, he was able to take a look at some of the code for the ME that isn’t in the on-chip ROM and isn’t compressed by an unknown algorithm. […]
But unsolved doesn’t mean that people aren’t working on it. There are efforts to break the ME’s Huffman algorithm. […]
There are many researchers trying to unlock the secrets of Intel’s Management Engine, and for good reason: it’s a microcontroller that has direct access to everything in a computer. Every computer with an Intel chip made in the last few years has one, and if you’re looking for the perfect vector for an attack, you won’t find anything better than the ME. It is the scariest thing in your computer, and this fear is compounded by our ignorance: no one knows what the ME can actually do. And without being able to audit the code running on the ME, no one knows exactly what will happen when it is broken open.
The first person to find an exploit for Intel’s Management Engine will become one of the greatest security researchers of the decade. Until that happens, we’re all left in the dark, wondering what that exploit will be.