[tor-talk] company devised process to disable Intel Management Engine

Milton Scritsmier ktr-theonionrouter at dea.spamcon.org
Mon Dec 11 20:02:38 UTC 2017


On 12/11/2017 8:48 AM, InterN0T wrote:
> Interesting, do you have a proof of concept supporting that desktop PCs without remote administration such as AMT, can still be reached remotely via Intel ME?

No, I don't nor do I assert that. To the best of my knowledge Intel has
never commented one way or the other on whether or not the ME in
consumer PCs is capable of accessing the internet (although the ME is on
the same die as the ethernet silicon), whether the hardware is capable
of remote access but the consumer ME firmware simply doesn't support it,
etc.

But see below, on recent consumer PCs your ME is completely hackable if
the attacker has local access.

Intel has recently revealed that the current ME firmware has bugs. See
https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00086&languageid=en-fr
. All but one of these bugs require local access to the PC; one can be
accessed via AMT on enterprise PCs that support it. Not all of the bugs
apply to consumer PCs. Unfortunately Intel doesn't issue ME firmware
patches directly, you have to get them from your PC or mobo manufacturer
as part of a BIOS update.

Recently Positive Technologies announced that ever since Intel Skylake
processors came out, Intel processors contain a special JTAG debug port
that can be accessed via an USB port on your computer
(https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Where-theres-a-JTAG-theres-a-way.pdf
). They then exploited this to run unsigned code on the ME, in theory
giving them complete access to your PC even if it is turned off. They
presented the details last week at Black Hat Europe 2017
(https://www.blackhat.com/eu-17/briefings/schedule/index.html#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668
) though I have seen anything from the talk yet.



More information about the tor-talk mailing list