The important caveat is not necessarily that Intel itself is malicious, but whether governments can force Intel behind the scenes to be malicious without disclosing it, and my understanding is that they can and do at least with other companies. It’s not difficult to imagine that the government might mass surveil social media for undesired opinions or people adjacent to them and make a list of specific targets for Intel to grant the government a backdoor to.
Even if the government forced Intel’s hand, Intel would be able to comply by selling CPUs with malicious firmware. Disabling IME would not protect you in this case. You’d need to avoid using Intel CPUs altogether. However, there’s no reason to support these sorts of conspiracy theories about big tech.
No. When eventually discovered this would be the end of Intel/whatever hardware company they forced to do this and it would make everybody’s devices insecure, including the administration, police etc.
All Intel needs to do when being approached this way would be to leak it to the press and it would be a major scandal.
So all the talk of VPNs with warrant canaries is BS? There is a difference between the government coming to a company and asking for them to design a backdoor vs. a company receiving a warrant or other demand that they provide information or access they already have. Facebook and Twitter collaborated with the Feds with no consequences. There are plenty of tech companies that work with the government like this.
No government has to be involved, any attacker could find a security vulnerability in ME. You can go over the CVEs related to ME, it includes both local privilege escalation, and RCE for AMT, and none of it is related to any government.
ME can compromise any OS, it has unrestricted access to the memory, that is the real danger of ME. It’s not a government backdoor, but that doesn’t mean it’s not a huge security risk.
Yeah but these are companies with very specific devices, not CPUs used by everyone.
If the ME is built in for everyone then Intel could selectively target specific individuals.
And once the backdoor gets found everyone can target everyone else. It would be suicide on a company level to do something like that voluntarily.
I don’t follow. Doesn’t your position assume that Intel didn’t write a method for Intel to get remote access to the ME? If I set up ssh on my computer, that’s not an exploit but a built in feature. I could have the most secure implementation but if I have given my keys to someone they have access. Wouldn’t you assume that the Intel ME has some method to communicate with Intel that does not depend on an exploit?
For those of you concerned about Intel ME & AMT, I have a question:
Is there an existing alternative or harm reduction strategies to use with ME/AMT for people who need some of the capabilities that ME+AMT enables (remote access & control) that doesn’t involve purchasing additional hardware devices?
I’m specifically thinking about abilities such as:
- Remotely power on/off a system
- Remote access the BIOS/UEFI
- Remotely make or restore a backup and/or boot into an alternative OS
- Remotely reinstall the OS
These are capabilities I may need to rely on in the near future. I’m considering using AMT for this, but I’d like to minimize my exposure and vulnerability.
You have to assess the risk and benefit of having it before making a blanket statement that it is bad. It is one thing to say it can be implemented better. It is another thing to say that it is so bad the user should disable it and lose security features that are provided.
If you’ve got Intel, IME is what you get. If you don’t trust Intel, don’t buy an Intel. Would it be nice if it was open? Sure, but neither is AMD’s PSP which does almost the same thing. The reason we don’t hear much about it is because the dated conspiracies never really talked about it as AMD was less popular, particularly in the laptop space. Besides, Intel and AMD can trivially add a backdoor without either the ME or PSP - they can introduce something like another Spectre/Meltdown/Zenbleed variant. The whole point about protecting the user against Intel or AMD while using their hardware is moot.
It would be nice if open source stuff like RISC-V takes off and remains open. However, security features still need to be implemented. Things like Boot Guard still need to be provided, and it will still mean that the user wouldn’t be able to replace the key that is fused. They also have to fully trust the firmware that is flashed in the same way they would have to trust proprietary firmware. Firmware security is impossible without an immutable root of trust.
Outside of privacy communities, customers don’t really care about anything besides not having persistent malware in their firmware and so the computer manufacturer isn’t part of the threat model.
What you don’t want to be doing is inhibiting security features which prevent persistent malware from living on the device. Personally this concerns me more in my threat model than Intel or AMD suddenly becoming malicious.
In that above article, nobody really knows what the HAP bit does or if it even breaks anything from working correctly:
We also found some code in BUP that, when HAP mode is enabled, sets an additional bit in Boot Guard policies. Unfortunately, we have not succeeded in finding out what this bit controls.
We do know that Boot Guard does look at the HAP bit and it is measured and loaded into pcr0. We know that this configuration does mess up modern standby and fTPM is known not to work. The HAP bit clearly messes with Boot Guard policies, and no one knows what it actually does. It could mess up policy enforcement for all we know.
That article also has a quote from Intel stating that there was limited validation, so it would seem something that doesn’t get a whole lot of testing (even from within Intel) and isn’t widely requested. The old NSA HAP program seems to have been largely deprecated (2011). We can assume they chose to work with companies directly:
While last year’s budget documents signaled that NSA would begin work on a third generation of HAP that other documents show would have added even more security and virtualization features, this was scrapped as the commercial market began offering similar capabilities in integrated packages. Going forward, Lamont said, NSA will continue keeping a close eye on integrated security, as it always has.
The IME is not accessible from outside and doesn’t have its own network interface. If it was sending anything it would appear on network intrusion detection systems. All of the exploits we’ve seen so far against the ME involve stuff like SMM or the MEI interface, at which point your machine is already pwned.
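The last comment's point that ME/AMT traffic "would appear on network intrusion detection systems", and the earlier question about harm reduction for someone who still needs AMT's remote power/boot/reinstall capabilities, both come down to the same defensive control: watch the network for connections to the AMT service ports and alert when they do not come from the management hosts you expect. The script below is an added illustration written for this thread, not code from any participant or from Intel. It assumes a simple whitespace-separated flow log format and a hypothetical management subnet of 10.0.9.0/24; the sample flow lines are constructed. The port list is Intel's documented AMT/ME assignment (TCP 16992-16995 for WS-Management and redirection, 623/664 for RMCP/ASF). One caveat a practitioner should keep in mind: AMT answers these ports in the NIC firmware, below the host OS network stack, so the vantage point has to be a switch SPAN port, tap or network sensor rather than a packet capture on the monitored machine itself.

```python
import ipaddress
from collections import defaultdict

# Intel AMT / ME network services by port (Intel's documented assignments).
AMT_PORTS = {
    16992: "AMT HTTP (WS-Management)",
    16993: "AMT HTTPS (WS-Management over TLS)",
    16994: "AMT redirection (SOL / IDE-R)",
    16995: "AMT redirection over TLS",
    623: "ASF/RMCP remote control",
    664: "RMCP+ (secure)",
}

# Constructed sample flow records (not from a real capture):
# "timestamp src_ip src_port dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2024-05-01T10:00:01 10.0.5.20 51234 10.0.5.1 443 tcp
2024-05-01T10:00:02 10.0.9.7 40011 10.0.5.20 16992 tcp
2024-05-01T10:00:03 10.0.9.7 40012 10.0.5.20 16994 tcp
2024-05-01T10:00:05 203.0.113.40 50000 10.0.5.20 16993 tcp
2024-05-01T10:00:09 10.0.5.20 55555 10.0.5.53 53 udp
2024-05-01T10:00:11 10.0.5.20 623 198.51.100.9 623 udp
"""


def parse_flow(line):
    """Split one flow record into a dict with integer ports."""
    ts, src_ip, src_port, dst_ip, dst_port, proto = line.split()
    return {"ts": ts, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port), "proto": proto}


def find_amt_flows(flow_text, mgmt_nets):
    """Return every flow whose destination port is an AMT/ME service.

    Each finding is tagged trusted_source=True when the source address
    lies inside one of the management networks (hypothetical allow-list),
    otherwise False, which is the case an operator should alert on.
    """
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow["dst_port"] not in AMT_PORTS:
            continue
        src = ipaddress.ip_address(flow["src_ip"])
        flow["service"] = AMT_PORTS[flow["dst_port"]]
        flow["trusted_source"] = any(src in net for net in nets)
        findings.append(flow)
    return findings


def flows_per_target(findings):
    """Count AMT-port flows per destination host, to spot which machines
    are being managed (or probed) and from how many directions."""
    counts = defaultdict(int)
    for flow in findings:
        counts[flow["dst_ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_amt_flows(SAMPLE_FLOWS, ["10.0.9.0/24"])
    for h in hits:
        tag = "ok   " if h["trusted_source"] else "ALERT"
        print(f"{tag} {h['ts']} {h['src_ip']} -> {h['dst_ip']}:{h['dst_port']} "
              f"{h['proto']} {h['service']}")
    print(flows_per_target(hits))
```

Run against the constructed sample, the two flows from the management subnet are reported as expected, the connection from 203.0.113.40 to the workstation's AMT HTTPS port is an alert, and the last line, the workstation itself talking to an outside host on the RMCP port, is the kind of outbound traffic the comment above says a network IDS would catch. Feeding real Zeek or NetFlow exports only requires adapting `parse_flow` to that format.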