Re: OT - "Intel Management Engine" security issues
Hi,

I am writing this from a Thinkpad T420 with Coreboot flashed and the Intel Management Engine disabled!

Recently there was a lot of work done regarding disabling/neutralizing the ME. Have a look at this:

http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
https://github.com/corna/me_cleaner

And of course Libreboot.

And yes, the Intel ME has a lot of access to the system and could/can do more than you want to. It even runs a whole operating system based on Minix.

http://blog.ptsecurity.com/2017/04/intel-me-way-of-static-analysis.html

Regards,
Aaron

--
Web: https://drkhsh.at/ or http://drkhsh5rv6pnahas.onion/
Gopher: gopher://drkhsh.at or gopher://drkhsh5rv6pnahas.onion
GPG: 0x09e71697435bf54b
Fingerprint: 57D2 5F2C 9402 A6BD FEF9 B3B6 09E7 1697 435B F54B
Re: OT - "Intel Management Engine" security issues
Dave,

You might want to take a look at both the Libreboot and Coreboot open source projects. The challenge with the IME is that if you literally disable it, it will shut down the system - and its code is pretty heavily encrypted. The Coreboot project has had some limited success reverse-engineering how it works and can disable it in some cases, but it is very motherboard and CPU version specific, which makes it extremely difficult.

I'm running Libreboot with OpenBSD on a Thinkpad T500 and it works reasonably well, with the exception that I'm still figuring out how to get full disk encryption working. Coreboot is something I plan on experimenting with as well because it can be (mostly) de-blobbed and supports some more modern hardware.

- B

On Fri, 2017-09-08 at 14:51 -0400, Dave Anderson wrote:
> While this isn't specifically an OpenBSD issue, since OpenBSD emphasizes
> security this seems like a good place to ask.
>
> As far as I can tell the "Intel Management Engine" (IME) is a gaping
> backdoor into every recent Intel-based system. My searches on the 'net
> haven't turned up much useful information about it.
>
> I'd really like to find documentation on how to configure and use it,
> though I'd settle for just enough to know how to lock it down or disable
> it such that it can't be used to attack me from the 'net.
>
> While this wouldn't work for a laptop, for desktop systems it might be
> sufficient to use an add-in NIC rather than the built-in one -- but the
> limited info I've found suggests that the IME may be able to snoop on
> all devices and so defeat this tactic. Does anyone here know?
>
> Thanks for any information,
>
> Dave
>
> --
> Dave Anderson
Re: OT - "Intel Management Engine" security issues
It can't be used to attack you from the public Internet unless (a) you don't have a firewall or (b) you have forwarded the IME port on your firewall to a host on your LAN. You are, however, susceptible to other hosts on your LAN guessing the IME password, so be sure to use a strong password.

On my old HP dc7900, IME is unconfigured and disabled out of the box. If resetting BIOS to defaults doesn't disable it, removing the motherboard battery for 30 minutes should do the trick.

You should be able to find an administrator's manual for IME via Google Search.

From: Dave Anderson <d...@daveanderson.com>
To: misc@openbsd.org
Sent: Friday, September 8, 2017 2:52 PM
Subject: OT - "Intel Management Engine" security issues

While this isn't specifically an OpenBSD issue, since OpenBSD emphasizes security this seems like a good place to ask.

As far as I can tell the "Intel Management Engine" (IME) is a gaping backdoor into every recent Intel-based system. My searches on the 'net haven't turned up much useful information about it.

I'd really like to find documentation on how to configure and use it, though I'd settle for just enough to know how to lock it down or disable it such that it can't be used to attack me from the 'net.

While this wouldn't work for a laptop, for desktop systems it might be sufficient to use an add-in NIC rather than the built-in one -- but the limited info I've found suggests that the IME may be able to snoop on all devices and so defeat this tactic. Does anyone here know?

Thanks for any information,

Dave

--
Dave Anderson <d...@daveanderson.com>
OT - "Intel Management Engine" security issues
While this isn't specifically an OpenBSD issue, since OpenBSD emphasizes security this seems like a good place to ask.

As far as I can tell the "Intel Management Engine" (IME) is a gaping backdoor into every recent Intel-based system. My searches on the 'net haven't turned up much useful information about it.

I'd really like to find documentation on how to configure and use it, though I'd settle for just enough to know how to lock it down or disable it such that it can't be used to attack me from the 'net.

While this wouldn't work for a laptop, for desktop systems it might be sufficient to use an add-in NIC rather than the built-in one -- but the limited info I've found suggests that the IME may be able to snoop on all devices and so defeat this tactic. Does anyone here know?

Thanks for any information,

Dave

--
Dave Anderson