• Guest, The rules for the P & N subforum have been updated to prohibit "ad hominem" or personal attacks against other posters. See the full details in the post "Politics and News Rules & Guidelines."

Someone obtained a fully functional JTAG for Intel CSME via USB DCI

Red Squirrel

No Lifer
May 24, 2003
53,964
7,054
126
www.uovalor.com
This is either bad, or good. I think it's good as It could potentially lead to more knowledge on how ME works and perhaps figure out an easy way to disable it. For those who don't know, ME is a backdoor (Basically a separate cpu within the cpu) in pretty much every modern Intel CPU that allows government agencies to remote your machine at the hardware level. Even if it's off. It's also rumoured to have a 3G radio so even airgapped networks could be vulnerable, though I don't think anyone has fully proven this yet.

https://twitter.com/h0t_max/status/928269320064450560

AMD has their own version of this too, I forget what it's called.
 

moinmoin

Golden Member
Jun 1, 2017
1,317
1,110
106
More documentation about hidden "features" that can only claim security through obscurity is always good.

Google's approach to remove all possible attack vectors with NERF is a promising result of this increasing knowledge of these bug-ridden hidden OSes.
 
  • Like
Reactions: Schmide

NTMBK

Diamond Member
Nov 14, 2011
8,536
1,396
126
This is either bad, or good. I think it's good as It could potentially lead to more knowledge on how ME works and perhaps figure out an easy way to disable it. For those who don't know, ME is a backdoor (Basically a separate cpu within the cpu) in pretty much every modern Intel CPU that allows government agencies to remote your machine at the hardware level. Even if it's off. It's also rumoured to have a 3G radio so even airgapped networks could be vulnerable, though I don't think anyone has fully proven this yet.

https://twitter.com/h0t_max/status/928269320064450560

AMD has their own version of this too, I forget what it's called.
The "secret 3G radio" smells like BS... seriously, where the heck would they hide the antenna for this secret modem?

Anyway, this is great news. Hopefully they can find a way to permanently disable this backdoor.
 

maddie

Platinum Member
Jul 18, 2010
2,930
1,507
136
The "secret 3G radio" smells like BS... seriously, where the heck would they hide the antenna for this secret modem?

Anyway, this is great news. Hopefully they can find a way to permanently disable this backdoor.
The 'secret3G radio' part might be BS, but there do exist micro GPS trackers that transmit data over fairly long ranges and I really don't think the designed use was for streaming video. Compromising PCs is not a data heavy duty job.
 

cfenton

Senior member
Jul 27, 2015
277
99
101
For those who don't know, ME is a backdoor (Basically a separate cpu within the cpu) in pretty much every modern Intel CPU that allows government agencies to remote your machine at the hardware level.
That makes it sound like the only reason it exists is to allow government agencies to access your computer. It's actual purpose is remote management by administrators, especially in cases where the PC can't load its OS. I imagine most computers would be much easier to exploit using other methods.
 

Red Squirrel

No Lifer
May 24, 2003
53,964
7,054
126
www.uovalor.com
The "secret 3G radio" smells like BS... seriously, where the heck would they hide the antenna for this secret modem?

Anyway, this is great news. Hopefully they can find a way to permanently disable this backdoor.
The antenna for 3G only needs to be like a mm or so long given the higher frequency. Only thing is it would almost need to be outside of the lid part as that would act as a shield. Also it would need to transmit at like half a watt which would maybe cause interference with the cpu itself.

So it would either need to be at one of the edges, or it would need to be on the motherboard itself, which would limit it's ability to work as not all motherboards would "support" it. If it's on the motherboard the radio itself would need to be on it too most likely. That would make it easier to detect by people who analyze this stuff. But yeah not sure if it's true or not, it's just a rumor at this point. Would be tricky to test for too as I doubt it would be transmitting much all the time. My guess is that if it's true, Intel probably pays a flat fee to all the major carriers for some kind of bulk service contract. It probably sends very minimal telemetry but then if someone wants to remote in it would then transmit whatever it needs. So you'd only really detect it with right equipment such as spectrum analyzer if someone is actually remoting in and transferring data.

Either way even if it does not have a 3G radio the danger still lies in the fact that these backdoors probably exist in network cards too, so your super duper PFsense firewall that you think is keeping your network secure probably also has ME on it and the internet facing NIC can then be connected to to gain access to the rest of your network. I presume it uses a totally different protocol than just plain IP, as I've done countless port scans and never found anything weird. In order to listen to a port it would almost need to take over that port from the OS. Not really sure how that would work tbh. I doubt it would grab a secondary IP either, as that would be noticable by ISPs or network administrators. So I do wonder if the ISP also has to support whatever protocol this thing uses as it may be another protocol that works in conjunction with IP at the physical layer. Suppose someone who knows what they're doing with a logic analyzer could try to find out.

We don't seem to hear too much of people getting hacked via internet using ME, so it may turn out to not be a huge deal, but the secrecy of it is what makes it worrysome as nobody really knows how it works.

And yeah windows 10 is a bigger problem but what makes ME a problem is the fact that even if you're running a superior OS like Linux you're still vulnerable.
 

SPBHM

Diamond Member
Sep 12, 2012
4,900
301
126
Honestly, if you use Winblows 10, you have a LOT more to worry about.
yes but this is a lower level thing, more difficult to detect,
also with all the hacking going on I'm starting to become more worried about hackers than governments when it comes to the ME.
 

John Connor

Lifer
Nov 30, 2012
22,848
612
121
Squirrel, your mission should you chose to accept it. Buy an Airspy SDR and run SDR# on a laptop near your Intel-based Proc. Of course your laptop may have one. Now scan the 3G band for high dBs in that range that look to be emanating from your computer.

Chances are you won't find anything and with two major reasons:

1) If Intel or AMD did this and then discovered the fallout would be massive.

2) I couldn't imagine the sheer amount of bandwidth being taken up at the local cell tower from all these CPUs with a supposed 3G radio.
 

Red Squirrel

No Lifer
May 24, 2003
53,964
7,054
126
www.uovalor.com
Squirrel, your mission should you chose to accept it. Buy an Airspy SDR and run SDR# on a laptop near your Intel-based Proc. Of course your laptop may have one. Now scan the 3G band for high dBs in that range that look to be emanating from your computer.

Chances are you won't find anything and with two major reasons:

1) If Intel or AMD did this and then discovered the fallout would be massive.

2) I couldn't imagine the sheer amount of bandwidth being taken up at the local cell tower from all these CPUs with a supposed 3G radio.
They actually make SDRs that go that high? I might actually get one then as it would be neat to play with. Though if they do this, I doubt it would be spewing out data all the time. All it needs to do is to spit out a really quick hand shake with the server and register itself. Maybe when it's turned on, or at random etc. Now wherever the main database is of all the computers in the world, whoever has access to it can do a search, perhaps by location, or serial number, or w/e. At that point it will connect back, and then it can communicate. At least that's my guess of how it would work, otherwise it would cost Intel a lot of money as they would need to pay for that bandwidth somehow.

It could be an interesting test to do but you'd really need a proper lab environment as you'd be picking up all sorts of other stuff too on that spectrum. I wonder if anyone has indeed experimented with this in a proper lab environment. I'm legit curious myself if this is true or not.
 

John Connor

Lifer
Nov 30, 2012
22,848
612
121
They actually make SDRs that go that high?

Well, the Airspy goes up to 1800 MHz and GSM is 900, 1800 and 1900 MHz. To get at the really high frequencies check out the HackRF.


I don't know what this database thing is all about. It's all encrypted. What you are looking for is a high dB signal near your puter. There's better solutions at this though.

https://www.ebay.com/itm/OPTOELECTRONICS-X-SWEEPER-Bug-Detector-TSCM-Receiver/230400542638?hash=item35a4f147ae:g:T4EAAOxy0zhTOvtw

Edit-

That's analog only so may not work. I could have sworn they sold one that captured digital.
 

John Connor

Lifer
Nov 30, 2012
22,848
612
121
On Hack5 on YouTube they used a SDR to stream the control channel of GSM frequencies. Of course it's all encrypted so you will only see gibberish.
 

Red Squirrel

No Lifer
May 24, 2003
53,964
7,054
126
www.uovalor.com
The DB I'm referring to is what Intel would probably have. Essentially if these chips all have 3G radios they probably ping the server once in a while with a small amount of data on the computer. This would be kept in some kind of DB of "active online" computers. (online does not really mean it's on just that the ME is running). If law enforcement needs to get into a computer and they have the serial number or perhaps even GPS coords they could go to Intel and then activate the 3G connectivity and actually connect back.

I doubt this would be constantly streaming data as that would use too much bandwidth, so it probably just pings a central server. The GSM itself is encrypted and the data stream going on top of GSM would probably be encrypted too, but at the other end they would still be able to decode it, just like someone sending a file to someone over GSM can decode it because it's an established connection with proper handshake etc.

It could even work the other way, it never pings back, but some kind of broadcast can activate all the chips in a large area, then they ping back. Of course it's all speculation as to how it works, nobody really knows, or if the radio part is even a thing.
 

advt.naveen

Junior Member
May 17, 2013
20
7
81
Im not able to believe these things , there are hidden JTAG/other ports available in most of the CPUs that are not made visible outside from its company, those are used to test the processor during validation or debugging. One single port in processor are used for different purposes, in such case usb and jtag might share a same port.

Sent from my ONEPLUS A3003 using Tapatalk
 
May 11, 2008
18,309
823
126
The "secret 3G radio" smells like BS... seriously, where the heck would they hide the antenna for this secret modem?

Anyway, this is great news. Hopefully they can find a way to permanently disable this backdoor.
With todays technology it is not a real problem to design an antenna that is way smaller than the desired 1/4 wavelength that is so common.
We use in designs all the time special ceramic chip antennas that have special dielectrics.

For example :
http://katalog.we-online.com/en/pbs/WE-MCA?sid=9ec2dee9ad
https://www.johansontechnology.com/antennas
https://product.tdk.com/info/en/products/rf/rf/antenna/index.html

https://en.wikipedia.org/wiki/Dielectric_resonator_antenna

Features
Dielectric resonator antennas offer the following attractive features:

  • The dimension of a DRA is of the order of λ 0 ϵ r {\displaystyle {\frac {\lambda _{0}}{\sqrt {\epsilon _{r}}}}}
    , where λ 0 {\displaystyle \lambda _{0}}
    is the free-space wavelength and ϵ r {\displaystyle \epsilon _{r}}
    is the dielectric constant of the resonator material. Thus, by choosing a high value of ϵ r {\displaystyle \epsilon _{r}}
    ( ϵ r ≈ 10 − 100 {\displaystyle \epsilon _{r}\approx 10-100}
    ), the size of the DRA can be significantly reduced.
  • There is no inherent conductor loss in dielectric resonators. This leads to high radiation efficiency of the antenna. This feature is especially attractive for millimeter (mm)-wave antennas, where the loss in metal fabricated antennas can be high.
  • DRAs offer simple coupling schemes to nearly all transmission lines used at microwave and mm-wave frequencies. This makes them suitable for integration into different planar technologies. The coupling between a DRA and the planar transmission line can be easily controlled by varying the position of the DRA with respect to the line. The performance of DRA can therefore be easily optimized experimentally.
  • The operating bandwidth of a DRA can be varied over a wide range by suitably choosing resonator parameters. For example, the bandwidth of the lower order modes of a DRA can be easily varied from a fraction of a percent to about 20% or more by the suitable choice of the dielectric constant of the material and/or by strategic shaping of the DRA element.
  • Use of multiple modes radiating identically has also been successfully addressed.
  • Each mode of a DRA has a unique internal and associated external field distribution. Therefore, different radiation characteristics can be obtained by exciting different modes of a DRA.
It will not give you kilometers of distance but it does work , as evident by all bluetooth and wlan devices. (2,4GHz and 5GHz).
A custom designed ceramic cpu package with special dielectrics for higher microwaves may be possible.
But that is really tinfoil hat stuff and it will only give you a few meters of distance.
It is possible if one has the resources.
But in all honesty, we are not interesting enough. Not rich or extremely smart or dangerous enough.
Besides, imho everything you have ever looked up with google is scanned and when blacklisted words or phrases appear, you get another check mark added to your name.
I am sure i have quite a few check marks because of my technical curiosity.


edit :

Forgot to mention that nowadays, it is possible to make a chip that has a pll oscillator combination that can easily produce 60GHz. In a design that is just a few tens of dollars.
As evident by all the integrated radar chips(with integrated antennas) such as for example the RIC60A from omniradar.

http://www.omniradar.com/products/

You can use it with doppler radar or which is interesting for students to design :
Frequency modulated continuous wave radar.
Which has a surprising simple theory behind it to get a distance.
Great for robotics where ultrasonic might not work properly.

https://en.wikipedia.org/wiki/Continuous-wave_radar#Modulated_continuous-wave
http://www.radartutorial.eu/02.basics/Frequency Modulated Continuous Wave Radar.en.html
 
Last edited:

coercitiv

Diamond Member
Jan 24, 2014
3,472
2,789
136
It's not FUD to point out that the ME is a massive security hole.
Also not FUD when people at security conventions present how they were able to run unsigned code in Intel Management Engine.
... recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools.

Unfortunately, this changing did not go without errors. In a subsystem change that will be detailed in the talk of Intel ME version 11+, a vulnerability was found. It allows an attacker of the machine to run unsigned code in PCH on any motherboard via Skylake+. The main system can remain functional, so the user may not even suspect that his or her computer now has malware resistant to reinstalling of the OS and updating BIOS.
Average Joe may say "I have nothing to hide", but this ain't about spying - that can be done far more efficiently with more conventional methods. Think about data or financial theft, both at personal and business / government level.

Sure, the kind of exploits we hear about may just be academic, they may not have practical use in the wild, but they're as good a warning sign as we're ever gonna get.
 
Last edited:

XavierMace

Diamond Member
Apr 20, 2013
4,307
444
126
It's not FUD to point out that the ME is a massive security hole.
No it's not. But the inevitable tinfoil hat crowd/posts these threads attract are. It's well established it's a security hole. But every single thread on it degrades into "it's nothing but a tool for the government and they're probably listening and tracking us right now". Especially when it's already devolved into "it's rumored" right in the original post. That accomplishes nothing and makes the legitimate, proven complaints get ignored because it's all lumped together.

Yeah the fact that it's so secretive and that it can't be disabled is what is a problem. If this was a management thing, Intel would sell a separate card like a DRAC.
You know the IPMI controller from all the major manufacturers, including Dell is built onto the motherboard, right? The separate card that Dell sells (Advanced DRAC) is simply a software license and dedicated NIC. The other manufacturers just make that choice for you and either have the dedicated NIC built in or only have the option for IPMI to share one of the onboard NIC's. In all cases the BMC is on the motherboard.
 

Glo.

Diamond Member
Apr 25, 2015
3,521
1,626
136
I suppose some people never heard of Edward Snowden, and what he has done about two words: "NSA", and "Surveillance".
 
  • Like
Reactions: Red Squirrel

ASK THE COMMUNITY

TRENDING THREADS