The hijacking flaw that lurks in Intel chips

Myriad

Level 7
Thread author
Verified
Well-known
May 22, 2016
349
" The hijacking flaw that lurked in Intel chips is worse than anyone thought "

This story has been floating around for a few years now , but hasn't attracted much attention .

This article brings it up to date .
It certainly can't have been a mistake on the part of Intel , and that leads to a suspicion
that they were " persuaded " to implement it .

Who knows ?
 

Parsh

Level 25
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
Dec 27, 2016
1,480
Look at that:
AMT, which is available with many vPro processors, was set up to require a password before it could be remotely accessed over a Web browser interface.
But, remarkably, that authentication mechanism can be bypassed by entering any text string—or no text at all.
According to a blog post published Friday by Tenable Network Security, the cryptographic hash that the interface's digest access authentication requires to verify someone is authorized to log in can be anything at all, including no string at all.
That's absolutely inane! How could such a slip in programming the security happen at such a firm? That does lead to suspicion.
And now they expect PC makers to fix the flaw via firmware update soon, after such a long time. Good God!
 

Myriad

Level 7
Thread author
Verified
Well-known
May 22, 2016
349
Look at that:

That's absolutely inane! How could such a slip in programming the security happen at such a firm? That does lead to suspicion.
And now they expect PC makers to fix the flaw via firmware update soon, after such a long time. Good God!

I knew in the back of my mind that I had read and written about this issue on other forums in the past ,
but I didn't realize it was over 3 years ago ..... Scary !

I found this Wilders thread from that time , and I see that the topic has just come alive again recently over there ,
in this thread .
 

Myriad

Level 7
Thread author
Verified
Well-known
May 22, 2016
349

@frogboy

Yes that is a good find !
Thanks for sharing .

I found some of my notes from back then , and the ways a person might catch Intel AMT in the act .
But it looked to be next to impossible , because the thing is dormant by default .

The old favorite methods of network analysis and port monitoring won't be of much use .
The chance of catching it " getting chatty" is almost zero , and you would have to monitor and log a ton of stuff
for months , or even years !

Now it could get a whole lot easier , thanks to Embedi :-
ports 16992 and 16993 are the ones to watch

It would be a nice trick if the hardware owner could provoke Intel AMT to wake-up , and make it phone home :)
I'll post back if I find a way , but until then I'm going to hold off with the deactivator script from GitHub

I'm going to read through this article ( again ! ) :- " Silent Bob is Silent " on the Embedi website ,
.... there is a lot to digest .

From what I've read so far , it appears to be mainly Enterprise systems that are vulnerable .
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
AMT manages the hardware of your infrastructure, while you are in front of your laptop, via the network .
For example, if you have some machines to install (a call center, a data center, etc) it is nice to be able to do this from your laptop by not having to go to turn on, boot/netboot, and maybe install any machine at a time.

Every vendor has some solution (DELL has iDRAC, HP has iLO, ...) since via software we can manage the "remotely automated install", but we still need a control on the hardware (power, network booting, etc), and on the configuration of the network.

Usually this is the purpose of the LOM. The security problem (not this in particular, but in general) is that this is usually a proprietary system, developed and controlled by just a few vendors, often not upgradeable, being in various ways linked to the HW, and it can operate beyond the control of the end user.
 

Myriad

Level 7
Thread author
Verified
Well-known
May 22, 2016
349

I was just about to post the very same thing :)
I looked at it yesterday and ran it earlier on my 2 Intel based laptops

The tool will check your system ( there are GUI and cmd versions bundled ).

On my systems it reports " Not vulnerable " but it also shows " LMS service state : running "
.... ??

Going back to the arstechnica article :-

"Making matters worse, unauthorized accesses typically aren't logged by the PC because AMT has direct access to the computer's network hardware. When AMT is enabled, all network packets are redirected to the Intel Management Engine and from there to the AMT. The packets bypass the OS completely. The vulnerable management features were made available in some but not all Intel chipsets starting in 2010, Embedi has said. "

.... my emphasis in that quote .
 

Winter Soldier

Level 25
Verified
Top Poster
Well-known
Feb 13, 2017
1,486
I'd assume Intel knew from the beginning about the bug because we don't need to be a particularly skilled engineer to understand the risk of that technology, and any engineer who works at Intel had the ability to notice that since the first day and discover that the firmware had just been bugged to allow the backdoor ...

Nine years to fix a backdoor at low level in the hardware, not detectable by the victim of an attack.
It is outrageous and I think Intel will not pay for this...it is as if nothing had happened!
 
Last edited:

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I ran the Intel tool for active management exploit, and it says my PC is vulnerable.
What to do?
I have custom built PC with mobo: Asus B150M-K D3

I tried to download the disable tool from Github, but Avast zapped it.

EDIT: Okay, I disabled Avast and ran the tool, but it failed. It says it doesn't work for my system specs.
 
Last edited:
  • Like
Reactions: tonibalas

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Now that I think about it, a firmware exploit like this would have to be carried out by a targeted attack that penetrates the local network. Correct?
That means it is not a threat for ordinary home users, who have neither valuable business secrets nor plans to blow up the world.
So I guess I should be safe...
 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top