Intel Management Engine Critical Firmware Update (intel.com)
140 points by osivertsson on Dec 9, 2017 | 32 comments



So is this actually a critical vulnerability, or is this just Intel plugging one of the recently-found exploits that lets us disable the IME?


BING BING BING

Guaranteed it's the latter. Intel isn't about to give up the huge contracts it has with NSA.


Any proof?


After the Snowden disclosures -- never mind the whole Room 641A business ( https://en.wikipedia.org/wiki/Room_641A ) -- I think the only safe assumption is bad faith on the part of both government and industry.

In fact, that's the whole problem with extrajudicial domestic spying. In defiance of the principles of both justice and logic, the innocent are presumed guilty, and the burden of proof is shifted to the skeptics.


There isn't any way to know for sure, but it's extremely suspicious that they will not release the off switch despite already having developed it for the US government.


The only way there could ever be proof of such a thing would be from whistleblowers and that would be major news (or so I believe).


What's changed in this advisory since it was first issued November 20? Just more vendor links?


The Intel Management Engine IS the vulnerability.

Read this like: We are patching our backdoor so no one but us and our undisclosed friends can own you whenever we want.


This could prove harmful. If people analyze the patch they might get more information.


I wonder about the long-term effect on unpatched MEs out there.

What would a skilled attacker use it for? Hack nearby laptops of folks within the cryptocurrency world?


Could one write a worm that worked purely on the Intel ME, spread machine to machine via ME Ethernet monitoring, that could then look at the local HD for crypto keys and report them back to a remote server?

Is the above theoretically possible?


I envision a worm that disables the ME completely once it's found and "infected" another few. Perhaps show a message that says "Your computer is now owned... by you." That would certainly raise some interesting discussion about ethics...


While this is possible, people with dark motives are clearly incentivized more.


Yes, it's a general-purpose processor inside your processor.


Using which exploit? Quoting the article: "The vulnerability identified in CVE-2017-5712 is exploitable remotely over the network in conjunction with a valid administrative Intel® Management Engine credential. The vulnerability is not exploitable if a valid administrative credential is unavailable."

So where is the Ethernet level remote vulnerability? The rest require physical access.


I think the gps meant “hypothetically” and not “theoretically,” presuming some future vulnerability


Based on what I've read so far, in my opinion the biggest risk from ME comes from targeted evil maid style scenarios. And I'm not sure if even in those limited conditions ME is reliably exploitable. So I'm more annoyed than panicking right now.


Intel:

A status of may be Vulnerable is usually seen when either of the following drivers aren't installed:

Intel® Management Engine Interface (Intel® MEI) driver

Intel® Trusted Execution Engine Interface (Intel® TXEI) driver

If adding closed-source Intel drivers is a "fix" for a vulnerability, that sounds like a way to get a Trojan onto your system.

Who audits Intel?


Without the drivers the tool can’t check, so it has to report “may be vulnerable”.


"May be vulnerable" as in "cannot query to detect vulnerability status."


Apple is not on vendor list. Q: Why not?


> Intel® ME 11.0.0-11.7.0

Apple is shipping 10.0 with High Sierra.


Not if they're using Skylake or later CPUs


I remove the drivers during deployment. How much does that reduce the vulnerability footprint? Assuming that Lenovo has indeed enabled the firmware write protect feature that Intel describes?


Not installing the drivers prevents your OS from interacting with ME but I don't think it changes the fact that ME has exceptional access to your computer.


What value does the ME actually offer the user? Why is it even there?


As far as I've read, it's more targeted at corporate deployments when the owner/administrator and user aren't the same person or authority. It allows things like remotely reimaging the machine if the OS install gets screwed up, deleting encryption keys if the machine is stolen or otherwise compromised, verifying that the mandatory "endpoint protection suite" is actually running, etc.


But also secure boot and full disk encryption and SGX.


You don’t need Intel ME for full disk encryption? Or is that a Windows-only requirement I’m unaware of?


I think some laptops don't have a hardware TPM and use software running on ME instead.


Then we should be able to turn it off.


You can remotely wake-on-WLAN (maybe even 4/5G modem) - remote control, install OS, software - it's a management engine. And it's quite terrifying in its power. But sure, it's potentially useful - it's just a shame it's closed, so it's more of a liability/flaw than a feature.



