Someone obtained a fully functional JTAG for Intel CSME via USB DCI

Discussion in 'CPUs and Overclocking' started by Red Squirrel, Nov 9, 2017.

  1. Red Squirrel

    Red Squirrel Lifer

    Joined:
    May 24, 2003
    Messages:
    45,037
    Likes Received:
    4,348
    This is either bad, or good. I think it's good as It could potentially lead to more knowledge on how ME works and perhaps figure out an easy way to disable it. For those who don't know, ME is a backdoor (Basically a separate cpu within the cpu) in pretty much every modern Intel CPU that allows government agencies to remote your machine at the hardware level. Even if it's off. It's also rumoured to have a 3G radio so even airgapped networks could be vulnerable, though I don't think anyone has fully proven this yet.

    https://twitter.com/h0t_max/status/928269320064450560

    AMD has their own version of this too, I forget what it's called.
     
  2. Loading...

    Similar Threads - obtained fully functional Forum Date
    air cooled 3770k 4.6 fully stable.worth delid? CPUs and Overclocking Jun 8, 2013
    LGA 2011 Xeon's - Fully Locked? CPUs and Overclocking May 29, 2012
    Samsung obtains world's first 450-mm tool CPUs and Overclocking Jun 7, 2008
    Obtaining Warranty for AMD 1.4 CPUs and Overclocking Sep 21, 2002
    Obtaining Duron Nirvana CPUs and Overclocking Apr 2, 2001

  3. moinmoin

    moinmoin Senior member

    Joined:
    Jun 1, 2017
    Messages:
    285
    Likes Received:
    155
    More documentation about hidden "features" that can only claim security through obscurity is always good.

    Google's approach to remove all possible attack vectors with NERF is a promising result of this increasing knowledge of these bug-ridden hidden OSes.
     
    Schmide likes this.
  4. NTMBK

    NTMBK Diamond Member

    Joined:
    Nov 14, 2011
    Messages:
    7,661
    Likes Received:
    529
    The "secret 3G radio" smells like BS... seriously, where the heck would they hide the antenna for this secret modem?

    Anyway, this is great news. Hopefully they can find a way to permanently disable this backdoor.
     
    Ken g6, CatMerc, Jan Olšan and 2 others like this.
  5. maddie

    maddie Golden Member

    Joined:
    Jul 18, 2010
    Messages:
    1,764
    Likes Received:
    410
    The 'secret3G radio' part might be BS, but there do exist micro GPS trackers that transmit data over fairly long ranges and I really don't think the designed use was for streaming video. Compromising PCs is not a data heavy duty job.
     
  6. John Connor

    John Connor Lifer

    Joined:
    Nov 30, 2012
    Messages:
    22,848
    Likes Received:
    603

    :rolleyes:
     
  7. John Connor

    John Connor Lifer

    Joined:
    Nov 30, 2012
    Messages:
    22,848
    Likes Received:
    603
    Honestly, if you use Winblows 10, you have a LOT more to worry about.
     
    Ken g6 likes this.
  8. cfenton

    cfenton Member

    Joined:
    Jul 27, 2015
    Messages:
    140
    Likes Received:
    40
    That makes it sound like the only reason it exists is to allow government agencies to access your computer. It's actual purpose is remote management by administrators, especially in cases where the PC can't load its OS. I imagine most computers would be much easier to exploit using other methods.
     
    Phynaz and Jan Olšan like this.
  9. Red Squirrel

    Red Squirrel Lifer

    Joined:
    May 24, 2003
    Messages:
    45,037
    Likes Received:
    4,348
    The antenna for 3G only needs to be like a mm or so long given the higher frequency. Only thing is it would almost need to be outside of the lid part as that would act as a shield. Also it would need to transmit at like half a watt which would maybe cause interference with the cpu itself.

    So it would either need to be at one of the edges, or it would need to be on the motherboard itself, which would limit it's ability to work as not all motherboards would "support" it. If it's on the motherboard the radio itself would need to be on it too most likely. That would make it easier to detect by people who analyze this stuff. But yeah not sure if it's true or not, it's just a rumor at this point. Would be tricky to test for too as I doubt it would be transmitting much all the time. My guess is that if it's true, Intel probably pays a flat fee to all the major carriers for some kind of bulk service contract. It probably sends very minimal telemetry but then if someone wants to remote in it would then transmit whatever it needs. So you'd only really detect it with right equipment such as spectrum analyzer if someone is actually remoting in and transferring data.

    Either way even if it does not have a 3G radio the danger still lies in the fact that these backdoors probably exist in network cards too, so your super duper PFsense firewall that you think is keeping your network secure probably also has ME on it and the internet facing NIC can then be connected to to gain access to the rest of your network. I presume it uses a totally different protocol than just plain IP, as I've done countless port scans and never found anything weird. In order to listen to a port it would almost need to take over that port from the OS. Not really sure how that would work tbh. I doubt it would grab a secondary IP either, as that would be noticable by ISPs or network administrators. So I do wonder if the ISP also has to support whatever protocol this thing uses as it may be another protocol that works in conjunction with IP at the physical layer. Suppose someone who knows what they're doing with a logic analyzer could try to find out.

    We don't seem to hear too much of people getting hacked via internet using ME, so it may turn out to not be a huge deal, but the secrecy of it is what makes it worrysome as nobody really knows how it works.

    And yeah windows 10 is a bigger problem but what makes ME a problem is the fact that even if you're running a superior OS like Linux you're still vulnerable.
     
  10. slashy16

    slashy16 Member

    Joined:
    Mar 24, 2017
    Messages:
    103
    Likes Received:
    41
    If true I'm not really worried if the goverment wants to know my preference for youtube cat videos or porn activity then go for it.
     
    psolord, Gikaseixas and CHADBOGA like this.
  11. XavierMace

    XavierMace Diamond Member

    Joined:
    Apr 20, 2013
    Messages:
    3,632
    Likes Received:
    274
    Ugh. Why are FUD threads like this allowed to exist.
     
    godihatework and Phynaz like this.
  12. SPBHM

    SPBHM Diamond Member

    Joined:
    Sep 12, 2012
    Messages:
    4,480
    Likes Received:
    136
    yes but this is a lower level thing, more difficult to detect,
    also with all the hacking going on I'm starting to become more worried about hackers than governments when it comes to the ME.
     
  13. jpiniero

    jpiniero Diamond Member

    Joined:
    Oct 1, 2010
    Messages:
    4,614
    Likes Received:
    242
    Intel would be more willing to talk about it/let you disable it if that wasn't the case.
     
    tommo123, eton975 and Red Squirrel like this.
  14. John Connor

    John Connor Lifer

    Joined:
    Nov 30, 2012
    Messages:
    22,848
    Likes Received:
    603

    True that.
     
  15. Red Squirrel

    Red Squirrel Lifer

    Joined:
    May 24, 2003
    Messages:
    45,037
    Likes Received:
    4,348
    Yeah the fact that it's so secretive and that it can't be disabled is what is a problem. If this was a management thing, Intel would sell a separate card like a DRAC.
     
  16. John Connor

    John Connor Lifer

    Joined:
    Nov 30, 2012
    Messages:
    22,848
    Likes Received:
    603
    Squirrel, your mission should you chose to accept it. Buy an Airspy SDR and run SDR# on a laptop near your Intel-based Proc. Of course your laptop may have one. Now scan the 3G band for high dBs in that range that look to be emanating from your computer.

    Chances are you won't find anything and with two major reasons:

    1) If Intel or AMD did this and then discovered the fallout would be massive.

    2) I couldn't imagine the sheer amount of bandwidth being taken up at the local cell tower from all these CPUs with a supposed 3G radio.
     
  17. Red Squirrel

    Red Squirrel Lifer

    Joined:
    May 24, 2003
    Messages:
    45,037
    Likes Received:
    4,348
    They actually make SDRs that go that high? I might actually get one then as it would be neat to play with. Though if they do this, I doubt it would be spewing out data all the time. All it needs to do is to spit out a really quick hand shake with the server and register itself. Maybe when it's turned on, or at random etc. Now wherever the main database is of all the computers in the world, whoever has access to it can do a search, perhaps by location, or serial number, or w/e. At that point it will connect back, and then it can communicate. At least that's my guess of how it would work, otherwise it would cost Intel a lot of money as they would need to pay for that bandwidth somehow.

    It could be an interesting test to do but you'd really need a proper lab environment as you'd be picking up all sorts of other stuff too on that spectrum. I wonder if anyone has indeed experimented with this in a proper lab environment. I'm legit curious myself if this is true or not.
     
  18. John Connor

    John Connor Lifer

    Joined:
    Nov 30, 2012
    Messages:
    22,848
    Likes Received:
    603

    Well, the Airspy goes up to 1800 MHz and GSM is 900, 1800 and 1900 MHz. To get at the really high frequencies check out the HackRF.


    I don't know what this database thing is all about. It's all encrypted. What you are looking for is a high dB signal near your puter. There's better solutions at this though.

    https://www.ebay.com/itm/OPTOELECTR...542638?hash=item35a4f147ae:g:T4EAAOxy0zhTOvtw

    Edit-

    That's analog only so may not work. I could have sworn they sold one that captured digital.
     
  19. John Connor

    John Connor Lifer

    Joined:
    Nov 30, 2012
    Messages:
    22,848
    Likes Received:
    603
    On Hack5 on YouTube they used a SDR to stream the control channel of GSM frequencies. Of course it's all encrypted so you will only see gibberish.
     
  20. Red Squirrel

    Red Squirrel Lifer

    Joined:
    May 24, 2003
    Messages:
    45,037
    Likes Received:
    4,348
    The DB I'm referring to is what Intel would probably have. Essentially if these chips all have 3G radios they probably ping the server once in a while with a small amount of data on the computer. This would be kept in some kind of DB of "active online" computers. (online does not really mean it's on just that the ME is running). If law enforcement needs to get into a computer and they have the serial number or perhaps even GPS coords they could go to Intel and then activate the 3G connectivity and actually connect back.

    I doubt this would be constantly streaming data as that would use too much bandwidth, so it probably just pings a central server. The GSM itself is encrypted and the data stream going on top of GSM would probably be encrypted too, but at the other end they would still be able to decode it, just like someone sending a file to someone over GSM can decode it because it's an established connection with proper handshake etc.

    It could even work the other way, it never pings back, but some kind of broadcast can activate all the chips in a large area, then they ping back. Of course it's all speculation as to how it works, nobody really knows, or if the radio part is even a thing.
     
  21. advt.naveen

    advt.naveen Junior Member

    Joined:
    May 17, 2013
    Messages:
    19
    Likes Received:
    7
    Im not able to believe these things , there are hidden JTAG/other ports available in most of the CPUs that are not made visible outside from its company, those are used to test the processor during validation or debugging. One single port in processor are used for different purposes, in such case usb and jtag might share a same port.

    Sent from my ONEPLUS A3003 using Tapatalk
     
  22. NTMBK

    NTMBK Diamond Member

    Joined:
    Nov 14, 2011
    Messages:
    7,661
    Likes Received:
    529
    It's not FUD to point out that the ME is a massive security hole.
     
  23. William Gaatjes

    Joined:
    May 11, 2008
    Messages:
    16,431
    Likes Received:
    445
    With todays technology it is not a real problem to design an antenna that is way smaller than the desired 1/4 wavelength that is so common.
    We use in designs all the time special ceramic chip antennas that have special dielectrics.

    For example :
    http://katalog.we-online.com/en/pbs/WE-MCA?sid=9ec2dee9ad
    https://www.johansontechnology.com/antennas
    https://product.tdk.com/info/en/products/rf/rf/antenna/index.html

    https://en.wikipedia.org/wiki/Dielectric_resonator_antenna

    It will not give you kilometers of distance but it does work , as evident by all bluetooth and wlan devices. (2,4GHz and 5GHz).
    A custom designed ceramic cpu package with special dielectrics for higher microwaves may be possible.
    But that is really tinfoil hat stuff and it will only give you a few meters of distance.
    It is possible if one has the resources.
    But in all honesty, we are not interesting enough. Not rich or extremely smart or dangerous enough.
    Besides, imho everything you have ever looked up with google is scanned and when blacklisted words or phrases appear, you get another check mark added to your name.
    I am sure i have quite a few check marks because of my technical curiosity.


    edit :

    Forgot to mention that nowadays, it is possible to make a chip that has a pll oscillator combination that can easily produce 60GHz. In a design that is just a few tens of dollars.
    As evident by all the integrated radar chips(with integrated antennas) such as for example the RIC60A from omniradar.

    http://www.omniradar.com/products/

    You can use it with doppler radar or which is interesting for students to design :
    Frequency modulated continuous wave radar.
    Which has a surprising simple theory behind it to get a distance.
    Great for robotics where ultrasonic might not work properly.

    https://en.wikipedia.org/wiki/Continuous-wave_radar#Modulated_continuous-wave
    http://www.radartutorial.eu/02.basics/Frequency Modulated Continuous Wave Radar.en.html
     
    #22 William Gaatjes, Nov 10, 2017
    Last edited: Nov 10, 2017
  24. coercitiv

    coercitiv Platinum Member

    Joined:
    Jan 24, 2014
    Messages:
    2,395
    Likes Received:
    1,156
    Also not FUD when people at security conventions present how they were able to run unsigned code in Intel Management Engine.
    Average Joe may say "I have nothing to hide", but this ain't about spying - that can be done far more efficiently with more conventional methods. Think about data or financial theft, both at personal and business / government level.

    Sure, the kind of exploits we hear about may just be academic, they may not have practical use in the wild, but they're as good a warning sign as we're ever gonna get.
     
    #23 coercitiv, Nov 10, 2017
    Last edited: Nov 10, 2017
  25. XavierMace

    XavierMace Diamond Member

    Joined:
    Apr 20, 2013
    Messages:
    3,632
    Likes Received:
    274
    No it's not. But the inevitable tinfoil hat crowd/posts these threads attract are. It's well established it's a security hole. But every single thread on it degrades into "it's nothing but a tool for the government and they're probably listening and tracking us right now". Especially when it's already devolved into "it's rumored" right in the original post. That accomplishes nothing and makes the legitimate, proven complaints get ignored because it's all lumped together.

    You know the IPMI controller from all the major manufacturers, including Dell is built onto the motherboard, right? The separate card that Dell sells (Advanced DRAC) is simply a software license and dedicated NIC. The other manufacturers just make that choice for you and either have the dedicated NIC built in or only have the option for IPMI to share one of the onboard NIC's. In all cases the BMC is on the motherboard.
     
  26. Glo.

    Glo. Platinum Member

    Joined:
    Apr 25, 2015
    Messages:
    2,387
    Likes Received:
    1,074
    I suppose some people never heard of Edward Snowden, and what he has done about two words: "NSA", and "Surveillance".
     
    Red Squirrel likes this.