cancel
Showing results for 
Search instead for 
Did you mean: 

Odds are you are compromised

johnathonm
Level 7
For all of you up in arms over farts, fans, lights, beeps etc. There is a much bigger issue at stake - Your intel management engine code is ancient within even the latest bios's. This means that even if your machine is powered off if there is a lan connection you are likely infected at this point and dont even know it, likely with HERA from vault 7. I self propgates into the efi firmware and dmitables and the sheer volume of information compromised and leaked is staggering. You can't flash over it as once it moves in, it's in. You can't clean install it out as it masquerades as legitimate hardware to the operating system, so it's payload is unkillable. NO antivirus product out there detects it as they are designed to scan for file hashes/names/crc's and doesn't even look at the hardware.


Go into device manager and see how many keyboards it says are plugged into your system, or mice, see the awesome upgrades to motherboard devices which will have doubled.

i am an infosec professional, professor at a major university as well and research is what I do, it took 10 days for me to find it and it's now part of the system.

Further, updating the ME engine firmware manually - I have access to it in our labs, doesn't matter once it's in. I also suspect it might penetrate the firmware of your hard drives, but samsung has their stuff locked down, writable, but not readable, so I can't rule that out but HERA is documented to penetrate everything. It also is able to infect Mac's as their chipsets have the ME chip with ancient firmware and the software payloads run under Windows, OS X and even Unix.

I have spent about 45 days with my combined team of comp sci, elec engineers and infosec people trying to flush it out. At this time it appears that unless a tool is released by the vendor to check the firmware integrity and/or efi integrity you are basically just an open door to the world.

It's bad and a level of complexity I have never seen to date.
17,158 Views
44 REPLIES 44

johnathonm
Level 7
As long as you have an ethernet cable plugged in, even when powered down, you can be infected.

Marcello_S
Level 7
Not even a TPM would work? Or is it completely useless anyway we put it?

Nice try but the 3 devices I personally manage are clean, despite that in general all manufacturer-supplied BIOSes are vulnerable.
He who invokes history is always secure.
The dead will not rise to witness against him.

You can accuse them of any deeds you like.
Their reply will always be silence.

Yeah, but this is basically being used by governments for surveillance, right? Or can it be exploited by hackers?

Korth
Level 14
Intel's Management Engine has indeed been hacked, at least as a proof-of-concept vulnerability. This is why (after so many years of unexcitement) the IME has recently attracted a lot of public attention.

http://hackaday.com/2017/05/02/is-intels-management-engine-broken/
https://www.wired.com/2017/05/hack-brief-intel-fixes-critical-bug-lingered-7-dang-years/
https://www.theregister.co.uk/2017/05/01/intel_amt_me_vulnerability/
http://www.tomshardware.com/news/intel-amt-vulnerability-me-dangerous,34300.html
http://securityaffairs.co/wordpress/58656/hacking/intel-management-engine.html
https://semiaccurate.com/2017/05/01/remote-security-exploit-2008-intel-platforms/

The demonstrated hacks are profoundly disturbing since they demonstrate a potential "backdoor" embedded within every Intel chipset PCH made within the last decade. At the "baseboard" or "bare-metal" layer, the IME (theoretically) has complete priority over all onboard firmware (BIOS) and software (OS) code - essentially a "hardware-level rootkit". It's a complete black-box unit, a computer inside your computer, and (although much effort has been committed to reverse-engineering and analyzing it) nobody outside of Intel really knows exactly what capabilities it has. And it's an always-active attack surface, all it requires is motherboard power (the computer is simply plugged in, it doesn't need to be powered on) and a physical or wireless network connection.

However the demonstrated (known) exploits all require ME components (like AMT) which are rarely, if ever, installed on consumer platforms. These components are rarely even supported and can't normally be installed or executed on non-Xeon chipsets/processors.

The presence of a TPM wouldn't be relevant. It only provides active cryptosecurity, it is still "compromised" when running underneath compromised platform logic.

Admittedly, there's not a whole lot of "hacking" potential on a powered-down computer. The drives won't spin, the RAM and NVRAM won't work - data basically can't be accessed - and unpowered processors can't process anything anyways. But there are real concerns about the possibility of a hacker injecting code onto a dormant machine which will be executed on subsequent startups.

Conspiracy theories abound, but one reality is that whether or not Intel works intimately with organizations like NSA or CIA or whatever, they must still comply to USA laws (and court orders) from such organizations which might demand technical specifics.
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

Korth
Level 14
But @johnathonm -

Can you provide links to anything which describe this threat in detail?

As an infosec professional, you'll naturally understand my skepticism over the-sky-is-falling doomsday omens, hoaxes, frauds, and other such hearsay.
"All opinions are not equal. Some are a very great deal more robust, sophisticated and well supported in logic and argument than others." - Douglas Adams

[/Korth]

You can use this link to check if your system is vulnerable.

https://downloadcenter.intel.com/download/26755

Marcello_S
Level 7
All in all those "hack" could be performed only and if the targeted machines have some critical and sensible data.

Marcello.S wrote:
All in all those "hack" could be performed only and if the targeted machines have some critical and sensible data.


this i don't get.

how can the hacks only be performed (or in other words: i haz no sensitive crap in my pc, therefore i am immune) on machines having critical and sensible (i take it you mean sensitive) data ?


how does this even make sense?
no siggy, saw stuff that made me sad.