CPU backdoor within an Intel CPU?

Page 6 - Seeking answers? Join the AnandTech community: where nearly half-a-million members share solutions and discuss the latest tech.

Red Squirrel

No Lifer
May 24, 2003
67,938
12,384
126
www.anyf.ca
AMD has it too I believe, but not much of it is known.

This whole revelation paints a more scary picture though. We sorta know about the Intel one, but what else is backdoored at the silicon level that we don't even know about? Anything could be backdoored really. It does not even need to use a wired connection to talk to the mothership. Cellular is pretty much available anywhere and is a well established network.
 

Phynaz

Lifer
Mar 13, 2006
10,140
819
126
You need both a vPRO supporting CPU and Q chipset to be affected.

This can also be fixed by a firmware update, but man, that has to be hard to do when you have hundreds or thousands of them.

All the top system management tools can push out firmware updates. No different than pushing out a regular Windows software installation.
 
May 11, 2008
20,068
1,296
126
The lovely Joanna Rutkowska, who any self-respecting geek must have a little crush on, has a few things to say on the matter:

http://blog.invisiblethings.org/2015/10/27/x86_harmful.html

her paper

http://blog.invisiblethings.org/papers/2015/x86_harmful.pdf

summa summarum

"Finally, the Intel Management Engine (ME) technology, which is now part of all Intel processors, stands out as very troublesome, as explained in one of the chapters above. Sadly, and most depressing, there is no option for us users to opt-out from having this on our computing devices, whether we want it or not.
The author considers this as probably the biggest mistake the PC industry has got itself into she has ever witnessed."

And to get in front of the fan based culture blowback:

"But is the situation much different on AMD-based x86 platforms? It doesn’t seem so! The problems related to boot security seem to be similar to those we discussed in this paper. And it seems AMD has an equivalent of Intel ME also, just disguised as Platform Security Processor"

But the whole read is excellent.

That is an interesting read.
I wonder if this situation is still valid?

https://blog.xenproject.org/2012/06/13/the-intel-sysret-privilege-escalation/
It does seem to be solved by all os.
 

DrMrLordX

Lifer
Apr 27, 2000
21,815
11,171
136
So now all we need is for someone to h4x AMD's Platform Security Processor and spill the beans on how they did it. Would be nice to get a fix for that too.

Assuming it's vulnerable, which it probably is.
 

SarahKerrigan

Senior member
Oct 12, 2014
616
1,522
136
I think this is far too obvious for that. Intelligence services go for sneaky.

What this looks like is accidentally running strlen on the incoming hash instead of the stored auth hash, then iterating character by character.

Something like:

int auth = 1;
/* Bug: the loop length is taken from the caller-supplied hash */
int inputHashLength = strlen(inputHash);
for (int i = 0; i < inputHashLength; i++)
{
    if (inputHash[i] != internalHash[i])
        auth = 0;
}
return auth;

where it should have run strlen against internalHash instead of inputHash.
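
The comparison sketched in the post above, written out beside a corrected form. This is an added example, not part of the original thread and not Intel's code; the function names and the sample digest are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample value standing in for the stored digest. */
static const char STORED[] = "6629fae49393a05397450978507c4ef1";

/* Flawed: the loop bound comes from the caller-supplied string, so an
 * empty or truncated input is only compared over its own length.
 * (Demo only: an input longer than `stored` would read out of bounds.) */
static int check_flawed(const char *input, const char *stored)
{
    size_t n = strlen(input);
    int auth = 1;
    for (size_t i = 0; i < n; i++)
        if (input[i] != stored[i])
            auth = 0;
    return auth;
}

/* Corrected: the stored value sets the length, a length mismatch fails,
 * and differences are accumulated rather than stopping at the first one. */
static int check_hardened(const char *input, const char *stored)
{
    size_t stored_len = strlen(stored);
    size_t input_len = strlen(input);
    unsigned char diff = (unsigned char)(input_len != stored_len);
    for (size_t i = 0; i < stored_len; i++) {
        unsigned char c = i < input_len ? (unsigned char)input[i] : 0;
        diff |= (unsigned char)(c ^ (unsigned char)stored[i]);
    }
    return diff == 0;
}

int main(void)
{
    const char *inputs[] = { "", "6629", STORED,
                             "0000fae49393a05397450978507c4ef1" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("input=\"%s\" flawed=%d hardened=%d\n", inputs[i],
               check_flawed(inputs[i], STORED),
               check_hardened(inputs[i], STORED));
    return 0;
}
```

A regression test that feeds an empty and a truncated value to the comparison routine is enough to catch this class of error before release.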
 

amd6502

Senior member
Apr 21, 2017
971
360
136
Looks like a CIA hack to me.

More like a built-in wide open back door.

Great short writeup: No password--no problem, https://www.theinquirer.net/inquire...aw-that-let-hackers-easily-bypass-pc-security

"The Intel AMT vulnerability is the first of its kind. The exploitation allows an attacker to get full control over a business computers, even if they are turned off (but still plugged into an outlet). [....]

"By nature, the Intel AMT exploitation bypasses authentication. In other words, an attacker may now [sic] credentials and still be able to use the Intel AMT functionality," it adds. "Access to ports 16992/16993 are the only requirement to perform a successful attack."
 

amd6502

Senior member
Apr 21, 2017
971
360
136
AMD has it too I believe, but not much of it is known.

This whole revelation paints a more scary picture though. We sorta know about the Intel one, but what else is backdoored at the silicon level that we don't even know about? Anything could be backdoored really. It does not even need to use a wired connection to talk to the mothership. Cellular is pretty much available anywhere and is a well established network.

Not on PCs. But nearly everyone plugs their cell (usually Android) into their computer's USB to charge, upload pictures, etc. For state sponsored spyware, that's the point of entry.
 

Red Squirrel

No Lifer
May 24, 2003
67,938
12,384
126
www.anyf.ca
I wonder how that source code was obtained. If someone actually has access to the entire source code it could help find out an easy way of turning that thing off completely. You can do so via some kind of hardware based flashing but not really something I want to chance on a $400+ cpu.

The fact that they made that mistake is sad though, that's a ridiculous primitive error and should have been caught during normal testing.
 

amd6502

Senior member
Apr 21, 2017
971
360
136
You can do so via some kind of hardware based flashing but not really something I want to chance on a $400+ cpu.

The fact that they made that mistake is sad though, that's a ridiculous primitive error and should have been caught during normal testing.

According to Intel it only affects certain business computers, yes some like Charlie Dmj. view this as PR and disagree: http://semiaccurate.com/2017/05/03/consumer-pcs-safe-intel-meamt-exploit/

The fact that the computer can be turned off and still be vulnerable makes this OS independent, and you cannot just have Windows (or lunix) firewall that. A possible fix might be a motherboard BIOS update that could flash the ethernet card's firmware (or wifi equiv) to block off those vulnerable ports.

The most common affected semi-consumer products are probably mobile computers like HP Elite and ProBook and Dell Latitude/ThinkPad/etc equivalents. It must be a motherboard with vPro enabled. This is a list of vPro OEM products: https://www.dropbox.com/s/l4pwf3qa64acxmm/vPro.pdf?dl=0
 

Red Squirrel

No Lifer
May 24, 2003
67,938
12,384
126
www.anyf.ca
Yeah I'm talking about the backdoor itself not just this particular exploit. When I originally built my servers (some are Xeons which would be considered business class so they could potentially have it) I did not know about this backdoor, so not sure if any of mine have it or not. I'd have to go through that list and see which cpus have vpro and see if mine is listed. That list seems to only list specific products that use Intel cpus and not specific Intel cpus though. Will need to do more digging. If none of my CPUs even have vpro, then I probably don't have to worry, and I'll just need to be more aware of this next time I do build a machine.

I do wonder if it requires Intel Nics too though. If you use some other brand will the engine be smart enough to be able to detect 3rd party nics so it can communicate. This is all low level stuff so it almost needs to have a bunch of drivers built in.

Of course there is also the 3G radio allegations, but I'm not sure how true that is. Would be interesting if someone had access to a high res Xray to inspect these chips more. If it does have 3G it would most likely have an antenna inside the chip away from the actual die.

These articles talk about it:
https://www.infowars.com/91497/
http://news.softpedia.com/news/Secr...uld-Steal-Your-Ideas-at-Any-Time-385194.shtml
http://www.theregister.co.uk/2013/09/23/intel_stuns_world_with_wakeon3g/

Issue is there does not seem to be much technical info on this, just "supposition". Would really be nice to see what an EE would have to say and what kind of tests one could do such as using a spectrum analyzer.
 

amd6502

Senior member
Apr 21, 2017
971
360
136
Wow, I've never heard of the 3G claims before but maybe there's something to it.

The CPU is better shielded from RF than other chips within the case. (At least I wouldn't expect it under the heat spreader.) If the antenna is to be found it would likely be on the motherboard chipset. It's also possible that a pin to a motherboard circuit is used as the RF input.

From https://hardware.slashdot.org/story/10/12/18/2230221/intels-sandy-bridge-processor-has-a-kill-switch
They may well have added some 3G-related silicon; but the CPU is very much inside the "shielded to keep the FCC off our backs" compartment of basically all systems. I assume that they simply baked the necessary hooks into their CPU/chipset for the system to interact with the cell modem, even if turned "off" and brick itself if so ordered.

As for the vPro, doesn't it depend not only on the CPU, but also the motherboard that the CPU sits in?
 

Red Squirrel

No Lifer
May 24, 2003
67,938
12,384
126
www.anyf.ca
I was wondering that too, perhaps it needs a specific mobo that has the antenna built in or a slot for it. The antenna could literally be a trace on the motherboard that's rather hidden. It just needs to be the right length. Cell tower antennas use a bow tie dipole at various polarizations so they could probably do something similar on the motherboard. It's incredible how small and low power a well tuned RF circuit can operate at. Tower antennas operate at around 40 watts, a cell phone at about 0.5. So they could make this operate at like 5 watts and it would be more than enough power to get through the case etc.

You can put your phone inside the fridge or microwave or even wrap it in foil loosely and it will still work. If you wrap it in foil tight enough it won't work but it really does not take much to let the RF in/out.
 

ehume

Golden Member
Nov 6, 2009
1,511
73
91
Q - if we power off our machines at the PSU, will that not render one's computer immune?
 

Red Squirrel

No Lifer
May 24, 2003
67,938
12,384
126
www.anyf.ca
Yeah I would imagine if you turn PSU switch off it would kill this cpu's standby mode. But I'd just unplug it to be safe. You can't always trust a hard switch to really be a hard switch. In all the PSUs I've opened it is a hard switch though.

They could in theory make it run off a super capacitor, but with the rest of the PC off it would not really be able to do much, like you won't be powering the hard drive or ram for very long with a supercap that's not super obvious.
 