The V and Intel Management Engine


#21

Oh, I’m not criticising - my question is genuine. This particular vulnerability isn’t described in detail, and is described as allowing “remote” exploits, which the previous one didn’t. It could well be a different one based on the article you linked.

Looking into it, Charlie from Semi-Accurate has been reporting on a remote exploit vulnerability in IME since May of this year. An article from that same month says Intel offered a patch.

Looks like we’re watching a game of whack-a-mole here.


#22

Seriously though, the ultimate backdoor: at the CPU level it may operate to work around stuff above it, like TPM (BitLocker). I doubt you could get a USB key to call JTAG and do the needed… but anything that runs code, for sure - how many times are you connecting your phone to your PC?
On the other side, it would be such a complex task to build something that, let’s say, steals your CC info or bitcoins or passwords etc., and Intel will probably quick-and-dirty patch the gap much sooner than anyone could seriously develop anything (not counting the NSA, who probably already have something in their inventory) :slight_smile:


#23

The quote in the Ars Technica article that stood out to me was
"The highest-level vulnerabilities, rated at 8.2 and 7.5 on the Common Vulnerability Security Scale (CVSSv3) respectively, are in the most recent versions of Intel Management Engine. They have the broadest impact on PC users: they allow arbitrary remote code execution and privileged information access."

This sounds different from the vulnerability (USB exploit only) that was reported earlier. And it also sounds more dangerous to me. I figured it was just a matter of time before the network stack got exploited, but maybe it happened quicker than I thought. I’ll be glad when Intel has a patch.


#24

If things like this bother you, you can always opt for Libreboot.


#25

Is there recent information available ?

Harrowing Story of Installing Libreboot on ThinkPad | Hackaday
Dec 16, 2016 - First of all, libreboot only works on a handful of older ThinkPads. Newer models have fallen victim to a new strategy by Intel of checking the …


#26

Love the idea. Sounds difficult (maybe impossible) unless it’s preinstalled. Maybe that’s Eve’s next product idea - a super secure 2-in-1 that would include Libreboot :wink:


#27

This market is already taken by puri.sm ^^


#28

I had never heard of them. Interesting. Looking at the tech in their 2-in-1, it has some distinct limitations. 5th-generation CPU, for instance (probably for pre-IME). It’s no V…


#29

Yes, if you want to be independent you have to reverse engineer all the stuff, or be on the goodwill of Intel and other manufacturers to release the source code. This is why they don’t have top-notch stuff, but you get hard kill switches for GPS, cam and mic; for some ppl these are important features. Just saying :slight_smile:


#30

So there’s a patch for the Intel AMT; wondering if it will be implemented in time for the LB batch?


#31

From my understanding of everything, it seems there are several factors involved here. It appears that in order to allow remote access to Intel ME, 3 things are needed:

  1. vPro or Intel AMT (Active Management Technology)
  2. Whether the CPU has the consumer or corporate Intel ME. The corporate version has the full network stack in the binary, whereas the consumer version does not.
  3. An Intel wireless chip

If all 3 of these things are not present, remote access to Intel ME is not possible.

The question then is: does the Eve V have all 3 of these things? I know it has Intel wireless, but I’m uncertain of the other 2; only someone on the team could answer that question. But even then, that is just one avenue of attack, not any kind of exploit. Please bear in mind that even if remote access is not possible, Intel ME is still susceptible to exploits from other directions such as USB or malware. This may be one of the largest and most over-reaching security issues in recent history.


#32

Hi. Has anyone with a device (@Team, @toiletsheep) been able to test the V’s vulnerability to this using Intel’s detection tool yet? Would be good to get acknowledgement that this issue is at least on the radar.


#33

Hiya @Ben!

I just checked and the current Vs are shipped with ME 11.6.something, so we’re vulnerable. However, we’re checking with our manufacturing partner to update the ME to a newer version that does not have the issue - I don’t have any ETA on this as we’re still in the process of checking with our partners.


#34

Great, thanks @iKirin. I suspected it would be as it seems so widespread. That’s all I wanted to hear as a response.


#35

Thanks for checking. I figured it would take some time. I’m really glad to know it’s on the radar.


#36

I’m sure the team is indeed quite busy, but if the patch for this vulnerability is quickly pushed through, it will again showcase EVE’s commitment to quality, and in this instance security as well.


#37

That’s great. Shouldn’t be a big problem as Intel has already released their new firmware. On my home system with a Fujitsu D3417-B2 it’s already patched by 11.25.2017.


#38


Maybe also interesting for the team.


#39

I think I’ve received a driver with an ME 11.7.0 version - that might have the issue fixed. I’ll install it on this unit for testing and report back to everyone after I’ve checked that it’s 11.7.0 and it does not have that issue anymore. :slight_smile:
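Posts #33 and #39 both come down to one defender check: read the ME firmware version a unit reports and compare it with the version the fix landed in. The script below is an added example, not code from this thread, from Eve, or from Intel's detection tool. It assumes that on Linux the mei driver exposes the version at `/sys/class/mei/mei0/fw_ver` as `<block>:<major>.<minor>.<hotfix>.<build>` lines (path and format are assumptions to verify on your kernel), and the `FIXED_VERSIONS` table is a placeholder: the thread only says 11.6.x is affected and that 11.7.0 might be fixed, so the real per-branch fixed versions must come from Intel's advisory. The sample input is constructed.

```python
"""Parse and compare Intel ME firmware versions.

Added example, not code from this thread, from Eve, or from Intel's
detection tool.  Assumptions (not stated in the thread):
  * On Linux, the mei driver exposes the firmware version at
    /sys/class/mei/mei0/fw_ver, one "<block>:<major>.<minor>.<hotfix>.<build>"
    line per firmware block (path and format assumed; verify on your kernel).
  * FIXED_VERSIONS is a placeholder table; fill it from Intel's advisory
    for the issue you are checking.  The thread only says 11.6.x is
    affected and 11.7.0 "might" be fixed, so 11.7.0 below is a stand-in.
"""
import re
from pathlib import Path

FW_VER_PATH = Path("/sys/class/mei/mei0/fw_ver")

# Accepts "0:11.6.29.3287" (assumed sysfs style) as well as a bare "11.7.0".
VERSION_RE = re.compile(r"^(?:\d+:)?(?P<ver>\d+(?:\.\d+){1,3})$")

# Placeholder: lowest version per major branch treated as patched.
FIXED_VERSIONS = {11: (11, 7, 0, 0)}

# Constructed sample in the assumed sysfs format (values illustrative only).
SAMPLE_FW_VER = "0:11.6.29.3287\n1:11.6.29.3287\n"


def parse_version(text):
    """Return the first firmware version in `text` as a 4-tuple of ints.

    Missing trailing components are padded with 0 so tuples compare
    component-wise regardless of how many fields the source reported.
    """
    for line in text.splitlines():
        m = VERSION_RE.match(line.strip())
        if m:
            parts = tuple(int(p) for p in m.group("ver").split("."))
            return parts + (0,) * (4 - len(parts))
    raise ValueError("no ME firmware version found in input")


def is_patched(version, fixed=FIXED_VERSIONS):
    """True if `version` is at or above the fixed version for its branch.

    Returns None when the major branch is not in the table: an unknown
    branch is reported as unknown, never silently as patched.
    """
    threshold = fixed.get(version[0])
    if threshold is None:
        return None
    return version >= threshold


def check_local(path=FW_VER_PATH):
    """Read the live sysfs node and classify it; returns (version, status)."""
    version = parse_version(path.read_text())
    return version, is_patched(version)


if __name__ == "__main__":
    # Run against the constructed sample so the script works offline.
    v = parse_version(SAMPLE_FW_VER)
    print("sample firmware", ".".join(map(str, v)), "patched:", is_patched(v))
    if FW_VER_PATH.exists():
        print("local firmware", *check_local())
```

Treating an unknown branch as "unknown" rather than "patched" is deliberate: a fleet check that defaults to safe on a version it has no data for is how a whole batch of units ends up reported clean while still running affected firmware.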


#40

It would be cool if it was possible to deliver the option of disabling the ME via a firmware update.