Robert Steele: Details on NSA Backdoor in INTEL Chips

Discussion in 'Serious Discussion' started by emk810, Mar 29, 2017.

  1. MS_User

    MS_User MDL Guru

    Nov 30, 2014
    4,617
    1,340
    150
    Big brother at work again... so what else is new? :rolleyes:
     
  2. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,522
    2,093
    120
  3. R29k

    R29k MDL GLaDOS

    Feb 13, 2011
    5,171
    4,811
    180
  4. JFKI

    JFKI MDL Expert

    Oct 25, 2015
    1,098
    374
    60
    JFK grounds and dons a tinfoil hat and sits down next to R29k and starts reading.
     
  5. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,522
    2,093
    120
    Found this BIOS update from Asus on a board I recently purchased...
    https://www.asus.com/us/Motherboards/PRIME-B250M-A/HelpDesk_BIOS/
     
  6. CHEF-KOCH

    CHEF-KOCH MDL Expert

    Jan 7, 2008
    1,192
    1,185
    60
    #26 CHEF-KOCH, Nov 15, 2017
    Last edited: Nov 17, 2017

    • Intel has identified security vulnerabilities that could potentially place impacted platforms at risk.
    • Intel has validated and released ME and software updates that address the identified security vulnerabilities.
    • Thus, we strongly suggest you update your ME to the latest version using the MEUpdateTool as attached.
    • *We suggest you update the ME Driver to the latest version 11.7.0.1040 simultaneously.
    • (Fix) Mitigated security vulnerability.
    • (Fix) Failure to confirm remote configuration is enabled when running Intel(R) Common Services FW compliance test CS_040
    • (Fix) Failure of Intel(R) ICC FW compliance test ICC_TST_02 at test step 4 with an error message "HECI CMD Status = 0x00000034 (NO_SUCH_TARGET_ID)".
    • (Fix) FWUpdate will fail in case image includes Pre-update module
    • (Fix) Playready DRM returns wrong value.
    • (Fix) Failed to Get Record via CCT tool with INVALID_PARAMS
    • (Fix) ICCWDT is not universal driver
    • (Fix) Remove win7 support.

    Both firmwares fix all known exploits except the recently discovered Skylake USB hole (which might never be fixed by a firmware -> maybe via the OS itself in RS4?).

  7. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,522
    2,093
    120
    IME should be removed
    Google cited worries that the Intel ME (actually MINIX) code runs on their CPU's deepest access level — Ring "-3" — and also runs a web server component that allows anyone to remotely connect to remote computers, even when the main OS is turned off.

    For a company that holds information on almost all Internet users, Intel ME is a gaping security hole its engineers are now actively trying to nuke off their systems.
    Researchers found a way to disable Intel ME over the summer.
    Previous efforts at disabling Intel ME have all ended badly because Intel has interwoven the ME component within the boot-up process, configuring Intel ME to handle the initialization, power management, and launch of the main processor.

    As such, for many years, users only had the option to disable some of Intel ME components, but not Intel ME as a whole. One such script is ME_Cleaner.

    Things moved in the positive direction this past August when researchers from PT Security found an undocumented method of turning off Intel ME.

    The method relies on flipping a bit in the ME firmware. Evidence suggests Intel added the ME on/off switch at the behest of the US government, who wanted to run Intel-based CPUs inside secure government networks and didn't want Intel or anybody else accessing those computers via ME's built-in web server and remote management capabilities.

    Despite the discovery, security experts have warned that flipping the ME disable bit is a complex process and has not been thoroughly tested. Anyone choosing to do so should be prepared for unexpected behavior, even having his PC bricked due to faulty firmware.

    The PT Security team also confirmed Google's findings, also noticing that Intel's ME is a customized version of the MINIX OS.

    On a side note, taking into account the sheer number of Intel CPUs running Intel ME, this might mean that MINIX is now by far the world's most popular OS.
     
  8. Michaela Joy

    Michaela Joy MDL Crazy Lady

    Jul 26, 2012
    4,071
    4,651
    150
    #28 Michaela Joy, Nov 15, 2017
    Last edited: Nov 15, 2017
    @Joe C: I read through that page. They have repeatedly stressed how dangerous it is to neuter IME.
    It also implies that it's done via fusible link, although they do offer a Python script.

    Also, at the time of "printing", that article mentions that Skylake was a work in progress.

    I for one would like to see more light shed on this subject. The title is also a little bit confusing.

    Maybe a separate thread about IME is in order.
     
  9. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,522
    2,093
    120
    Good idea. Looks like Intel has (had) secretly installed an operating system on top of their CPUs and allows a back door through any security, because it's using IME's network stack for access. The folks at Google's servers are not too happy about that.
     
  10. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,081
    13,977
    340
    That comes with all the BIOS/EFI modification trouble and the fact that every EFI vendor uses their own organisation of the FPT. Additionally, it depends on the generation of CPUs and, with that, the changes... and other needed initialisation processes.

    Besides that, it might not be a part of the EFI itself, but a separate FW.
    I suppose legacy BIOSes do not have it, though.

    Andyp's tool should help to decompose the EFI to have a look at what the cleaner does... anyway, without a proper backup and an external SPI programmer it is not recommended to fiddle with it.

    There might be special circumstances where disabling it is easy; anyway, a generic approach is IMHO hardly realizable.
    For now I need to get more info. Concerning decomposing and modding EFI, MDL is one of the best places, though.
     
  11. CHEF-KOCH

    CHEF-KOCH MDL Expert

    Jan 7, 2008
    1,192
    1,185
    60
    #31 CHEF-KOCH, Nov 15, 2017
    Last edited: Nov 15, 2017
    You can't remove mei, and this should be clearly mentioned, not with any tool; there are still some pieces missing, and it should be stated that such tools are not for 'daily usage'.

    • Without mei you do not have access to read out your hardware info (tools like Aida64, CPUID, .. need that)
    • You get BSODs and reboots randomly
    • No tool released yet works on every processor; it's risky
    • These tools do not prevent you from getting another mei version in case e.g. you get a BIOS update
    • Mei in the first place isn't the problem; the problem is that Intel refuses to give us the source code and that there was (in the past) no firmware update, but they changed that now.
    • The holes are all fixed (except the USB one [which is pretty new, so give it time])
    • A simple NAT firewall already blocks specific remote ports by default; even if you're compromised, normally you should notice that very fast because of more inbound traffic!
    • Every MEI implementation is different; server firmwares are different from the consumer ones, which means that enterprise firmwares might or might not have an integrated switch (depending on manufacturer + firmware). E.g. laptops without mei but with an Intel CPU can be found here.
    • STOP posting 'mei cleaner' recommendations if you have not tested/used it or read the GitHub page yourself! I explained and showed the better way to 'disable' it here.
     
  12. Yen

    Yen Admin
    Staff Member

    May 6, 2007
    13,081
    13,977
    340
    Nobody has posted a mei cleaner recommendation, and even on their page they say what it cannot...

    It is not easy to assess the matter when one is reading about a 'complete OS on top' of the CPU.
    Most legacy BIOSes had a small OS to boot, like Asus Express Gate, already.

    The news that there is an OS on top is actually not the point, since EFI itself has to be considered a pre-OS.
    What is the point is the cooperation of Intel with the NSA... and the fact you can implement it in a way nobody can remove 'it'... and the definition of an OS... the 'S' of legacy BIOS stands for system already... and input/output (I/O) is what they want.

    When industry and intelligence agencies are working together the consumer is screwed.
     
  13. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,522
    2,093
    120
    If they can disable the network stack, and I think that was Google's intention with the "Me_Cleaner", then security on any Intel PC can be greatly increased. IME cannot be removed without breaking the system, but stopping it from network access is all that would be needed. Personally, I would not attempt to mod the IME on my chip at this time.
     
  14. Michaela Joy

    Michaela Joy MDL Crazy Lady

    Jul 26, 2012
    4,071
    4,651
    150
    @Joe C: I was thinking the same thing. :eek:
     
  15. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,522
    2,093
    120
    That's because great minds think alike!:rofl::drink:
     
  16. gorski

    gorski MDL Guru

    Oct 21, 2009
    5,514
    1,452
    180
    The way you follow it up with those smilies it's more like: "Great minds shrink alike"! :p :D :p (Hick! GULP! :D )
     
  17. Joe C

    Joe C MDL Guru

    Jan 12, 2012
    3,522
    2,093
    120
    yup, expand your horizons
     
  18. gorski

    gorski MDL Guru

    Oct 21, 2009
    5,514
    1,452
    180
    Agreed! (Hick! Sometimes... :D )
     
  19. emk810

    emk810 MDL Member

    May 12, 2016
    149
    295
    10
  20. CHEF-KOCH

    CHEF-KOCH MDL Expert

    Jan 7, 2008
    1,192
    1,185
    60
    Several things fixed, new holes found, but at least Intel is finally doing something and investigating the problem. It's more important now than ever to update your mei firmwares to fix the issue ASAP when Intel releases their updates.