
Intel Management Engine Exploit


alt3rn1ty

Recommended Posts

Anyone reading this, study it a bit more than you would usually - If this is not your kind of thing .. Still study it.

The more you understand about this problem the more your jaw will drop.

First do a google search for "Intel Management Engine Exploit"

Now you are not just taking my word for it - Have a listen to the Security Now video episode 611 (go to time 13:15 just after the Cloudflare ad blab)

 

Summary: Imagine if Intel had put an extra chip on all motherboards for a few years, and kept the use of them / capabilities secret. And this little engine could be remotely connected to without your knowledge, or the OS that is installed, or no matter what state the machine was in (though it would need power, but the machine could be off/standby). It also does not matter what OS the machine is running, so even a Linux machine could be taken over.

There is nothing you can do about the chip on your motherboard (apart from buy another machine and hope it hasn't got one in future), but there are some steps that can be taken to close down the service on your machine which I think is what enables the remote exploit of your machine, hooking an attacker up with your machine's secret little addition, and giving them complete ownership of your machine, and you will be clueless about what they are doing.

I just went through the procedure Disabling Intel AMT, and even though I found only one of them had the dedicated driver setup (if you have any drivers with Intel ME in the name of the driver, you probably want to uninstall that too), all four of our laptops in the house had the AMT services running quietly in the background.

See also the SN Show Notes PDF https://www.grc.com/sn/SN-611-Notes.pdf

 

But if nothing else, have a look over Disabling Intel AMT on Windows

Note the first command you run (ACUConfig.exe UnConfigure) can take a while to complete, be patient, the command prompt will come back when it's done.

This is one badass exploit, if you don't feel comfortable with some of the commands and "navigating" in a command prompt, get the family geek.

I don't think Microsoft Windows Updates will be able to do anything about it, because it's Intel hardware, unless Windows / Linux specifically can target and nobble the software and services installed?

The Security Now podcast mentions a BIOS update on a few occasions .. But I can't see a BIOS update being able to update this firmware .. Because it's a different chip .. Maybe he means something similar to a BIOS update that's fed to all machines out there via official updates, or Intel just remotely controls everyone's machines to do it if that's possible, who knows.

It's certainly going to be a tough problem to solve for everyone who has not read such articles.

 

Anyway, you now have as much information as I, follow the links and read, I can't explain it any better or offer advice on what you do with your machine. Some of the above may be inaccurate at this time so watch out for updates to linked info.

One other thing to be wary of - Typically laptops (and even desktops) may have their own software which keeps your drivers up to date automagically (well until the machine is no longer supported and your machine silently and slowly goes more and more out of date and you didn't know) .. Would such software notice you have disabled any installed Intel Management Engine services and software, and re-install it for you .... :(


@Alt: Thanks for the heads up.

From the show notes:

Quote

So we searched and found a software package for installing LMS on Dell's website. After LMS was installed, we were able to configure/provision AMT on the computer, giving us access to AMT via the web interface.
 
So... in other words, AMT could not be accessed by Intel's tool from within Windows without the interfacing LMS service present and running.
 
The Intel Management Engine / AMT ports:
 
● 16992: Intel AMT HTTP Used for WS-Management (Web Services Management) messages to and from Intel AMT. This port is open over the network only when Intel AMT is configured or during the configuration process. Starting with Release 6.0, the port is optionally open when TLS is enabled. The port is always open locally. (But may NOT be open to the Network.)
 
● 16993: Intel AMT HTTPS Used for WS-Management messages to and from Intel AMT when TLS is enabled.
 
● 16994: Intel AMT Redirection/TCP Used for redirection traffic (SOL, Storage Redirection, and KVM using Intel AMT authentication). Enabling the redirection listener enables this port.
 
● 16995: Intel AMT Redirection/TLS Used for redirection traffic (SOL, Storage Redirection, and KVM using Intel AMT authentication) when TLS is enabled. Enabling the redirection listener enables this port.
 
● 623: ASF Remote Management and Control Protocol (ASF-RMCP) Used for RMCP pings. This port is a standard DMTF port and accepts WS-Management traffic. It is always enabled.
 
● 664: DMTF out-of-band secure web services management protocol ASF Secure Remote Management and Control Protocol (ASF-RMCP) Used for secure RMCP pings. This port is a standard DMTF port and accepts secure WS-Management traffic. It is always enabled.
 
● 5900: VNC (Virtual Network Computing) - remote control program Used for KVM viewers that do not use Intel AMT authentication but use the standard VNC port instead. See Working with Port 5900 and Changing the Default KVM Port Setting.

and

Quote

What could an attacker do after gaining access to the AMT services?
 
Intel AMT provides the ability to remotely control the computer system even if it’s powered off while electrically connected to power and the network.
 
Also, Intel AMT is completely independent of the OS installed on the computer system. This technology allows OSes to be remotely deleted or reinstalled and there are a number of possible attacks:
 
KVM (remote control of mouse, keyboard and monitor) can be used to remotely perform any common physical actions (with mouse, keyboard) that would be done physically at the computer. So any program could be remotely loaded and executed and any files read or written.
 
IDE-R (IDE Redirection) allows the boot device to be remotely changed to another device or to a virtual drive image sourced locally or remotely.
 
SOL (Serial over LAN) allows remote control of power, reboot, reset and more. The BIOS settings can also be accessed and modified.
 

Feeling better now? As Anthony Quail used to say on the Evil Touch:

Pleasant Dreams!

 

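A read-only audit script to go with the "Disabling Intel AMT" procedure in the first post and the port list quoted above. It is an added example, not code from the thread, from Intel or from the linked guide; it assumes Windows 8/10 or later with the NetTCPIP and PnpDevice modules, and the service name 'LMS' and the display-name patterns are assumptions about how the Intel components register themselves.

```powershell
# Added audit script, not from the thread, Intel, or the "Disabling Intel AMT" guide.
# Assumptions: Windows 8/10 or later with the NetTCPIP and PnpDevice modules
# (Get-NetTCPConnection, Get-PnpDevice); run from an elevated PowerShell so
# owning-process and service details are complete. Read-only: it changes nothing.

# Ports listed in the show notes, keyed by the role each one serves.
$amtPorts = @{
    16992 = 'AMT HTTP (WS-Management)'
    16993 = 'AMT HTTPS (WS-Management, TLS)'
    16994 = 'AMT redirection: SOL / IDE-R / KVM (TCP)'
    16995 = 'AMT redirection: SOL / IDE-R / KVM (TLS)'
    623   = 'ASF-RMCP'
    664   = 'ASF-RMCP secure'
    5900  = 'VNC (KVM without AMT authentication)'
}

# 1. Services the guide tells you to stop: 'LMS' is the Local Management Service
#    the show notes say AMT needs inside Windows; the display-name match is an
#    assumption meant to catch other Intel ME / AMT components.
$meServices = Get-CimInstance Win32_Service |
    Where-Object { $_.Name -eq 'LMS' -or
                   $_.DisplayName -match 'Management Engine|Management and Security|Intel.*AMT' } |
    Select-Object Name, DisplayName, State, StartMode

# 2. The ME Interface (HECI) driver: while it is present, LMS can still talk to the engine.
$meDevices = Get-PnpDevice -PresentOnly -ErrorAction SilentlyContinue |
    Where-Object { $_.FriendlyName -match 'Management Engine Interface' } |
    Select-Object FriendlyName, Status

# 3. Host-side listeners on the AMT ports (LMS proxies 16992/16993 on the loopback).
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $amtPorts.ContainsKey([int]$_.LocalPort) } |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Role    = $amtPorts[[int]$_.LocalPort]
            Address = $_.LocalAddress
            Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
        }
    }

'== Intel ME / AMT related services ==';  $meServices | Format-Table -AutoSize
'== Intel ME Interface devices ==';       $meDevices  | Format-Table -AutoSize
'== Host-side listeners on AMT ports ==';  $listeners  | Format-Table -AutoSize

# Caveat: an empty listener list does not prove the network side is closed. When AMT is
# provisioned, the engine answers these ports on the NIC before the OS ever sees the
# packets, so nothing shows up in Get-NetTCPConnection. Check the AMT state in the
# BIOS / MEBx menu as well before trusting the result.
```

The three tables are what to re-check after running the UnConfigure step and uninstalling the ME drivers; anything still listed means the Windows-side pieces are still in place.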

Yep I thought other people would be interested in knowing about this beauty. I think once the service is stopped ( and disables access to the chip and its functions ), and if your machine is sat behind a NAT firewall which most home routers have these days, it's not easily pingable from the web. So doing those disable commands should do the trick.

I wonder if an ISP provided router (which can see individual machines within a household), would allow an ISP at the request of government to access specific machines via this hardware. Glad I bought my own router, and bypass the ISP forced DNS servers (their routers do not allow you to specify your own DNS servers) which British Telecom does to all of its customers.

I reckon it won't be long though before malware and already bot leveraged ownership of people's machines will be making even more use of this hardware now the cat's out of the bag, all they need to do is reverse engineer the Intel ME driver software, learn its hooks and install itself to this hardware and you have one (probably impossible to remove) hell of a rootkit, "sob is dug in like an alabama tick".

I feel so much better now about running that separate firewall which allows nothing to get through it either way unless I specify it as allowed. Every connection in my house goes through it. Yeah, it has been a huge PITA over the years to configure because nothing has worked out off the box, but this reminded me of its advantages.


4 hours ago, NightStar said:

I feel so much better now about running that separate firewall which allows nothing to get through it either way unless I specify it as allowed. Every connection in my house goes through it. Yeah, it has been a huge PITA over the years to configure because nothing has worked out off the box, but this reminded me of its advantages.

Just a thought .. Is that a Linux box with its own PC motherboard (possibly with its own ME chip) and maybe running an Intel ME service?

Linked from the "Disabling Intel AMT" link is a tweet that Intel are working on a Linux guide, but it's not up yet https://mobile.twitter.com/IntelSupport/status/859437569368567811

Something to watch for if there are any concerns.


Yes, it's a linux box with its own motherboard, but it's not Intel. It's something a lot rarer.


Meanwhile, on AMD systems.... sitting in the corner giggling about this latest bug we don't have :troll:


I think AMD have something similar, but given that Intel systems make up a bigger target, it's probably less likely to be exploited.

 


Wow, glad I stumbled across this one. Thanks for posting it @alt3rn1ty. FINALLY, I found someone else that listens to Security Now! It's where I found out about SpinRite, which has saved many o' hard drives of mine. Am I the only one who wishes Leo would shut up & let Steve talk more often? lol  Sadly, I stopped listening after my twins were born and didn't hear about this one. I'm surprised to see you're so security conscious. I thought the British welcomed government spying! :P  (I'm joking. I'm currently located about 15 miles away from the NSA's largest Data Center.... :sniper::unclesam:)


2 hours ago, RavenMind said:

~ Am I the only one who wishes Leo would shut up & let Steve talk more often? lol  ~

Nope, you are certainly not on your own there :), Leo is sometimes a bit over reactive on subjects which could be interpreted as highlighting the methods of tracking customers his own TWIT site uses, so there is an occasional exchange which makes you feel they don't quite meet eye to eye on some details .. And you just want Steve to continue his train of thought. That all works better when Leo is on holiday and the Padre steps in, Steve and the Padre mesh a lot better. I always grab the podcast to play with VLC so I can just skip bits like ads as well.

The last five / six weeks have been full of interesting news though, especially the heap of wifi devices needing firmware updates (Krack in episode 633). I have a NetGear D7000 downstairs (replacing the ISP provided spy box), and a NetGear AC1900 WiFi Range Extender upstairs .. Both of which needed an update. Glad Netgear were quick to respond on that one, and the Firmware update is quite smooth on these boxes which handle the whole process themselves when you tell them to update. Gone are the days of crossing your fingers you got exactly the right file so as not to brick the router with an incompatible firmware update :).

Anyone with XBOX, Playstation, WII, mobiles and tablets with Wifi .. They all need updating too if they are still supported by their manufacturers.

Yeah, it's funny sometimes when they both just pause & you know they're taking deep breaths to calm down & continue on. I love The Padre, he engages so well with Steve and it seems like the conversation advances a lot smoother. Oh well, Leo's providing the means for the podcast to continue, so I guess I shouldn't complain.

I've been meaning to see if they had an episode on Krack (thanks for the ep. #). I'm pretty media isolated these days besides the modding outlet, so I just heard about it recently when I had to search my AV's support forums. I've got a NetGear WNDR3700 & an older Asus RT-N16, in addition to the Comcast modem/router. So far nothing from Asus on a firmware update addressing Krack. Haven't checked NetGear yet. Both have been surprisingly easy to upgrade the firmware on in the past, pretty much click & reboot. I really quite like NetGear's firmware so far. I'm not a fan of Asus' firmware though, they took out a lot of the fine-tuning options that it came with originally (clunky as it was). I've been toying with the idea of flashing Tomato or DD-WRT but never got around to it. I'd just buy a newer one, but the thing's been so rock solid reliable I haven't been able to bring myself to replace it.


Regardless of whether the Intel ME vulnerability (from May, by the way, which has since been patched) exists on consumer firmware, I uninstalled Intel ME anyway.

Just extra unnecessary services soaking up memory and CPU time.

Thanks for the post, although I'm a bit late to the party.

On 11/17/2017 at 11:13 PM, fireundubh said:

Regardless of whether the Intel ME vulnerability (from May, by the way, which has since been patched) exists on consumer firmware, I uninstalled Intel ME anyway.

Just extra unnecessary services soaking up memory and CPU time.

Thanks for the post, although I'm a bit late to the party.

:) Concur, extra crap we don't need running in the background.