Re: OT - "Intel Management Engine" security issues

2017-09-08 Thread Aaron Marcher 
Hi,

I am writing this from a Thinkpad T420 with Coreboot flashed and the
Intel Management Engine disabled!

recently there was a lot of work done regarding disabling/neutralizing
the ME.

Have a look at this:
http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
https://github.com/corna/me_cleaner
And of course Libreboot.

And yes, the Intel ME has a lot of access to the system and could/can do
more than you want to. It even runs a whole operating system based on
Minix.
http://blog.ptsecurity.com/2017/04/intel-me-way-of-static-analysis.html

Regards,
Aaron

-- 
Web: https://drkhsh.at/ or http://drkhsh5rv6pnahas.onion/
Gopher: gopher://drkhsh.at or gopher://drkhsh5rv6pnahas.onion
GPG: 0x09e71697435bf54b
Fingerprint: 57D2 5F2C 9402 A6BD FEF9 B3B6 09E7 1697 435B F54B

Re: OT - "Intel Management Engine" security issues

2017-09-08 Thread Bryan Everly 
Dave,
You might want to take a look at both the Libreboot and Coreboot open
source projects.  The challenge with the IME is that if you literally
disable it, it will shut down the system - and it's code is pretty
heavily encrypted.  The Coreboot project has had some limited success
reverse-engineering how it works and can disable it in some cases but
it is very motherboard and CPU version specific which makes it
extremely difficult.
I'm running Libreboot with OpenBSD on a Thinkpad T500 and it works
reasonably well with the exception that I'm still figuring out how to
get full disk encryption working.  Coreboot is something I plan on
experimenting with as well because it can be (mostly) de-blobbed and
supports some more modern hardware.
- B
On Fri, 2017-09-08 at 14:51 -0400, Dave Anderson wrote:
> While this isn't specifically an OpenBSD issue, since OpenBSD
> emphasizes 
> security this seems like a good place to ask.
> 
> As far as I can tell the "Intel Management Engine" (IME) is a gaping 
> backdoor into every recent Intel-based system. My searches on the
> 'net 
> haven't turned up much useful information about it.
> 
> I'd really like to find documentation on how to configure and use
> it, 
> though I'd settle for just enough to know how to lock it down or
> disable 
> it such that it can't be used to attack me from the 'net.
> 
> While this wouldn't work for a laptop, for desktop systems it might
> be 
> sufficient to use an add-in NIC rather than the built-in one -- but
> the 
> limited info I've found suggests that the IME may be able to snoop
> on 
> all devices and so defeat this tactic. Does anyone here know?
> 
> Thanks for any information,
> 
> Dave
> 
> -- 
> Dave Anderson
> 
> 
>

Re: OT - "Intel Management Engine" security issues

2017-09-08 Thread Carl Mascott 
It can't be used to attack you from the public Internet unless (a) you don't 
have a firewall or (b) you have forwarded the IME port on your firewall to a 
host on your LAN. You are, however, susceptible to other hosts on your LAN 
guessing the IME password, so be sure to use a strong password.

On my old HP dc7900 IME is unconfigured and disabled out of the box.If 
resetting BIOS to defaults doesn't disable it, removing the motherboard battery 
for 30 minutes should do the trick.

You should be able to find an administrator's manual for IME via Google Search.


  From: Dave Anderson <d...@daveanderson.com>
 To: misc@openbsd.org 
 Sent: Friday, September 8, 2017 2:52 PM
 Subject: OT - "Intel Management Engine" security issues
   
While this isn't specifically an OpenBSD issue, since OpenBSD emphasizes 
security this seems like a good place to ask.

As far as I can tell the "Intel Management Engine" (IME) is a gaping 
backdoor into every recent Intel-based system. My searches on the 'net 
haven't turned up much useful information about it.

I'd really like to find documentation on how to configure and use it, 
though I'd settle for just enough to know how to lock it down or disable 
it such that it can't be used to attack me from the 'net.

While this wouldn't work for a laptop, for desktop systems it might be 
sufficient to use an add-in NIC rather than the built-in one -- but the 
limited info I've found suggests that the IME may be able to snoop on 
all devices and so defeat this tactic. Does anyone here know?

Thanks for any information,

     Dave

-- 
Dave Anderson
<d...@daveanderson.com>

OT - "Intel Management Engine" security issues

2017-09-08 Thread Dave Anderson 
While this isn't specifically an OpenBSD issue, since OpenBSD emphasizes 
security this seems like a good place to ask.


As far as I can tell the "Intel Management Engine" (IME) is a gaping 
backdoor into every recent Intel-based system. My searches on the 'net 
haven't turned up much useful information about it.


I'd really like to find documentation on how to configure and use it, 
though I'd settle for just enough to know how to lock it down or disable 
it such that it can't be used to attack me from the 'net.


While this wouldn't work for a laptop, for desktop systems it might be 
sufficient to use an add-in NIC rather than the built-in one -- but the 
limited info I've found suggests that the IME may be able to snoop on 
all devices and so defeat this tactic. Does anyone here know?


Thanks for any information,

Dave

--
Dave Anderson