Someone obtained a fully functional JTAG for Intel CSME via USB DCI

Page 2

Red Squirrel

No Lifer
May 24, 2003
67,384
12,131
126
www.anyf.ca
You know the IPMI controller from all the major manufacturers, including Dell, is built onto the motherboard, right? The separate card that Dell sells (Advanced DRAC) is simply a software license and dedicated NIC. The other manufacturers just make that choice for you and either have the dedicated NIC built in or only have the option for IPMI to share one of the onboard NICs. In all cases the BMC is on the motherboard.

It's still something that you have access to though, and typically also uses a separate NIC, and can be disabled. Supermicro has it too and I set it up on some of my servers, but you can disable it if you want. It also only works at the LAN level so it's not as big of a security issue because it requires physical access to the network. Ex: you would not enable it on an internet-facing firewall NIC. But with ME it's enabled no matter what on all NICs and nobody really has access to it except for Intel and maybe the government.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
I never said it wasn't something you had access to, nor did I say you couldn't disable it. But your post seemed to indicate you think DRACs are separate cards which you can just remove, which is not the case.

If we want to play the tinfoil hat game, how do you know the BMC doesn't have a 3G antenna that's reporting in? How do you know disabling it in BIOS actually disables it?

I'm all for reporting on known security issues. But once you move into "it's rumored", that ceases to be productive. Every thread on IME moves further and further away from facts. You've mentioned twice now about it being on all NICs. What is that statement based on? I don't see anything to validate that statement.

Red Squirrel

No Lifer
May 24, 2003
67,384
12,131
126
www.anyf.ca
I never said it wasn't something you had access to, nor did I say you couldn't disable it. But your post seemed to indicate you think DRACs are separate cards which you can just remove, which is not the case.

If we want to play the tinfoil hat game, how do you know the BMC doesn't have a 3G antenna that's reporting in? How do you know disabling it in BIOS actually disables it?

I'm all for reporting on known security issues. But once you move into "it's rumored", that ceases to be productive. Every thread on IME moves further and further away from facts. You've mentioned twice now about it being on all NICs. What is that statement based on? I don't see anything to validate that statement.

Suppose that's possible, but there actually are some reports that ME has a 3G radio and such. Lots of articles on it if you search. https://duckduckgo.com/?q=Intel+ME+3G+radio&t=hw&ia=web
 

moinmoin

Diamond Member
Jun 1, 2017
4,952
7,661
136
I'm all for reporting on known security issues. But once you move into "it's rumored", that ceases to be productive.
That's why projects such as NERF are important for everybody who can't get hardware with Coreboot instead.
 

Charlie22911

Senior member
Mar 19, 2005
614
228
116
I’m a comms journeyman, so I’m not an expert. But anyone with a SPECAN can thoroughly debunk this 3G nonsense.

It is also decidedly not purpose built for government monitoring, but instead used for remote administration.
 

jpiniero

Lifer
Oct 1, 2010
14,599
5,218
136

Ferzerp

Diamond Member
Oct 12, 1999
6,438
107
106
I’m a comms journeyman, so I’m not an expert. But anyone with a SPECAN can thoroughly debunk this 3G nonsense.

It is also decidedly not purpose built for government monitoring, but instead used for remote administration.

And it has been. And barring that magic phantom connection, you've got people claiming that only Intel and the gubberment have access. Wrong, it's used for out of band (in regards to the OS at least) administration. This phantom spying would require a data path, and while that data path could be your personal wired or wireless network, that would be detected in a heartbeat. Magically no one ever has. Hence the asinine cellular claims by people who don't understand that that would be trivially detectable as well.
 

zrav

Junior Member
Nov 11, 2017
20
21
51
No it's not. But the inevitable tinfoil hat crowd/posts these threads attract are. It's well established it's a security hole. But every single thread on it degrades into "it's nothing but a tool for the government and they're probably listening and tracking us right now". Especially when it's already devolved into "it's rumored" right in the original post. That accomplishes nothing and makes the legitimate, proven complaints get ignored because it's all lumped together.
The existence of the reserve_hap field proves conclusively that the NSA had at least some say in the feature set of ME, if only the ability to disable it. That tells us that they consider it a security risk and also makes it far more likely that other features were also implemented at their request. http://blog.ptsecurity.com/2017/08/disabling-intel-me.html
 

DrMrLordX

Lifer
Apr 27, 2000
21,632
10,845
136
It does make it seem like a rather shrewd move on China's part to buy the Zen IP so they can build their own processors without the PSP.

Did um, I miss something? The part where China bought all IP related to Summit Ridge?

The existence of the reserve_hap field proves conclusively that the NSA had at least some say in the feature set of ME, if only the ability to disable it. That tells us that they consider it a security risk and also makes it far more likely that other features were also implemented at their request. http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

Bing bing bing, we have winnar.
 

DrMrLordX

Lifer
Apr 27, 2000
21,632
10,845
136
Interesting. China is throwing in the towel on MIPS development, and they aren't embracing VIA either.
 

wahdangun

Golden Member
Feb 3, 2011
1,007
148
106
This is either bad, or good. I think it's good as it could potentially lead to more knowledge on how ME works and perhaps figure out an easy way to disable it. For those who don't know, ME is a backdoor (basically a separate CPU within the CPU) in pretty much every modern Intel CPU that allows government agencies to remote your machine at the hardware level, even if it's off. It's also rumoured to have a 3G radio so even air-gapped networks could be vulnerable, though I don't think anyone has fully proven this yet.

https://twitter.com/h0t_max/status/928269320064450560

AMD has their own version of this too, I forget what it's called.

Does AMD have a full-blown OS (MINIX) in their TPM module like Intel?
 

Red Squirrel

No Lifer
May 24, 2003
67,384
12,131
126
www.anyf.ca
Does AMD have a full-blown OS (MINIX) in their TPM module like Intel?

I'm not sure how the AMD one works but I presume it's similar. Heck even the Intel one, not all that much is really known about it. A lot of it is speculation. This is the problem with closed source stuff especially in this age of mass surveillance.
 

moinmoin

Diamond Member
Jun 1, 2017
4,952
7,661
136
AMD uses a separate ARM processor. Something has to run on it. Publicly AMD always states that with ARM TrustZone they embraced an "industry-standards approach", but without sources it's obviously hard to check what that includes. Besides the black box, the "AMD Secure Processor" also offers hardware acceleration for en- and decryption etc.

I hope the NERF project will take a look at it sometime.
 

PingSpike

Lifer
Feb 25, 2004
21,732
561
126
But with ME it's enabled no matter what on all NICs

Is this true? It stands to reason Intel NICs are tied to it no problem. But there's a pretty large number of different NICs installed on different motherboards, does the management really have a way to interface with all of them?
 

Red Squirrel

No Lifer
May 24, 2003
67,384
12,131
126
www.anyf.ca
Is this true? It stands to reason Intel NICs are tied to it no problem. But there's a pretty large number of different NICs installed on different motherboards, does the management really have a way to interface with all of them?

That's something nobody knows really. I'd like to think that if you go with some off/weird brand NIC it won't work, but there's no real way to know or test that I know of. Maybe the ones who have been working at decoding this whole mess would know though. Since really if you can simply make sure to use a NIC that does not work with it, then you've essentially disabled it.
 

Ferzerp

Diamond Member
Oct 12, 1999
6,438
107
106
That's something nobody knows really. I'd like to think that if you go with some off/weird brand NIC it won't work, but there's no real way to know or test that I know of. Maybe the ones who have been working at decoding this whole mess would know though. Since really if you can simply make sure to use a NIC that does not work with it, then you've essentially disabled it.

It is trivial to see traffic coming from and going to a NIC. “Nobody knows” is just ignorant of the technology. Are you asserting that there is magical invisible traffic that somehow all network infrastructure cannot see, but magically manages to forward on to the proper location? You need to remove your tin foil hat. These claims only seem reasonable if you have a fundamental lack of understanding of how any networking works. You can hide the content of traffic over the wire via encryption, sure, but you most certainly cannot hide the presence in any way.
 

XavierMace

Diamond Member
Apr 20, 2013
4,307
450
126
It is trivial to see traffic coming from and going to a NIC. “Nobody knows” is just ignorant of the technology. Are you asserting that there is magical invisible traffic that somehow all network infrastructure cannot see, but magically manages to forward on to the proper location? You need to remove your tin foil hat. These claims only seem reasonable if you have a fundamental lack of understanding of how any networking works. You can hide the content of traffic over the wire via encryption, sure, but you most certainly cannot hide the presence in any way.

Amen.

Like I said, that's the problem with these threads. What little good info there is gets lost in the sea of tin foil hats.
 

Red Squirrel

No Lifer
May 24, 2003
67,384
12,131
126
www.anyf.ca
It is trivial to see traffic coming from and going to a NIC. “Nobody knows” is just ignorant of the technology. Are you asserting that there is magical invisible traffic that somehow all network infrastructure cannot see, but magically manages to forward on to the proper location? You need to remove your tin foil hat. These claims only seem reasonable if you have a fundamental lack of understanding of how any networking works. You can hide the content of traffic over the wire via encryption, sure, but you most certainly cannot hide the presence in any way.

We don't know it uses IP; if they really want to hide this then it would be another protocol that just uses the same physical layer. Suppose with a logic analyzer you could detect this. Though for outgoing it kinda has to use IP as the ISP would not support other protocols. It's the outgoing NIC that is critical, so I suppose with a passive packet sniffer in between that and the modem you could detect weird traffic. Would pretty much need to suppress all other traffic though, as it would be hard to sift through and find anything odd.

Given this is a backdoor they're not going to make it easy, chances are the way the protocol is designed you won't see much. Probably listen-only and requires a very specific sequence of port triggering for example. Again, just a guess, because this is a backdoor so it's not like they're going to document how it works.
 

Ferzerp

Diamond Member
Oct 12, 1999
6,438
107
106
We don't know it uses IP.

At this point, you are just being willfully ignorant. Networks do not work that way. You can't just magically dump data on a network and expect it to be forwarded without end to end support of that protocol. It won't route anywhere. Your magical fairy dust protocol would be a non routable protocol which means it would only work within a local network, and it would still be trivially detectable. You don't understand what you are talking about, and the things you are making up have no basis in reality.

The only way you get internet based traffic is because it is IP traffic. Anything that hits your edge router that isn't IP isn't going to magically be sent to a specific internal device. Anything that you send that isn't IP isn't going to go anywhere outside of your local network either.

Red Squirrel

No Lifer
May 24, 2003
67,384
12,131
126
www.anyf.ca
At this point, you are just being willfully ignorant. Networks do not work that way. You can't just magically dump data on a network and expect it to be forwarded without end to end support of that protocol. It won't route anywhere. Your magical fairy dust protocol would be a non routable protocol which means it would only work within a local network, and it would still be trivially detectable. You don't understand what you are talking about, and the things you are making up have no basis in reality.

Well that's kind of what I said, the ISP would have to support it (and everything in between) so chances are it would use IP for that part. But it could use something on the LAN if all the NICs support it to try to hide itself from any local network management tools that could find this oddball traffic. But really, the more I think about it, there is probably no need for this, as it can just rely on port triggering to activate; otherwise it's dormant. If there was constant visible traffic more would be known about it. It only needs to listen. I doubt this is something that gets used often, it's just there in case law enforcement/government etc. needs to. Suspicion of drugs, child porn etc.

It's the principle behind it that's wrong, nobody wants a backdoor on their computer especially at the hardware level like this.
 

Ferzerp

Diamond Member
Oct 12, 1999
6,438
107
106
So now it's a conspiracy that every provider of network equipment is in on, but no one has said anything about, no one has detected, and magically is invisible to code audits in the case of open source routing like is done on a pfsense box?

You find this claim reasonable?

edit: I am done with this because you've made it obvious that you hold a non-falsifiable position. There is no value in attempting to educate you. There is no proof that would shake your faith in this global networking conspiracy. There are plenty of real, extant privacy issues, we need not create fantastical scenarios like you have here.

Red Squirrel

No Lifer
May 24, 2003
67,384
12,131
126
www.anyf.ca
Hence why I said chances are it uses IP for going out of the local network. But it probably only listens and most likely requires some kind of port triggering, so there is little to no traffic to even detect. I doubt it just listens normally though, like all the ports are still closed, but when the packets hit the NIC it probably intercepts them or something and still does something with them. If it was listening like a normal server then a port scanner would detect it. I have Intel CPUs on most of my systems but never noticed anything odd on the network or weird things in port scans etc. So it is pretty good at hiding itself. Or perhaps it does not work with all NICs, which would be a good thing, as if we can find out which NICs it does not work with we know to go with those, especially for firewalls.