Anyone disabled the Intel ME yet?


alexc...@gmail.com

Sep 18, 2017, 4:33:31 PM
to qubes-users
Has anyone here successfully disabled the Intel ME yet?

http://blog.ptsecurity.com/2017/08/disabling-intel-me.html

I'm hoping a future release of Qubes integrates this into the install process for us. Or be downloadable as a package like Anti-Evil Maid?

Thoughts?

Alex

Sep 18, 2017, 4:43:18 PM
to qubes...@googlegroups.com
This is an extremely risky and highly ad-hoc procedure that cannot be
easily automated. As you can understand from the article, newer ME
versions manage the boot process so some level of functionality is
required just to have a working computer.

Being an opaque component, different versions have highly variable levels
of built-in functionality and architecture position, so while some ME
versions on some chipsets could just be zapped away, others have to be
patched, reflashed, bypassed or replaced to be disarmed.

Hence, the operations to "disarm" ME still resemble more surgery than
patching; our only hopes are that Intel will give a simple way of
disabling the unneeded "services" (i.e. network services?) with
something reasonable like a hardware jumper of some sort. They will be
able to give the HAP guarantees to their customers without impairing
security for everybody else...

--
Alex


alexc...@gmail.com

Sep 18, 2017, 5:15:09 PM
to qubes-users
I see, thank you for the explanation. I had no idea ME versions were that fragmented.

Rusty Bird

Sep 18, 2017, 6:01:33 PM
to alexc...@gmail.com, qubes-users

alexc...@gmail.com:
https://github.com/corna/me_cleaner

Rusty

Alex

Sep 21, 2017, 2:23:01 AM
to qubes...@googlegroups.com
Replying to this thread to report that somebody DID ACTUALLY find an
exploitable vulnerability in the latest IME 11+, and they will be
sharing nothing less than this UNSIGNED CODE EXECUTION vuln at Black Hat
Europe 2017.

Abstract here:
https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668

Title is pretty scary, but we'll see if it's actually that dangerous...

--
Alex


Hugo Costa

Sep 21, 2017, 12:08:41 PM
to qubes-users

Was going to post the same. 2 Russian researchers that a couple weeks ago found out a way to clean some modules on Intel ME now have found a significant exploit that allows them to actually run code on a piece of hardware with direct access to the network. The scary thing is - it's impossible to detect.

cooloutac

Sep 24, 2017, 8:24:44 PM
to qubes-users

and that's prolly just what we know about lol.

cooloutac

Sep 24, 2017, 8:27:18 PM
to qubes-users

I feel like cause I live in NYC that you just expect this type of stuff from your friends and neighbors hahaha. maybe not the same means but the same ends. but ya hardware level stuff is scary, cause that means real security means a lot of money, so poor people are screwed.

filtration

Sep 24, 2017, 9:23:23 PM
to qubes...@googlegroups.com
cooloutac:
> On Sunday, September 24, 2017 at 8:24:44 PM UTC-4, cooloutac wrote:
>> On Thursday, September 21, 2017 at 12:08:41 PM UTC-4, Hugo Costa wrote:
>>> On Thursday, 21 September 2017 07:23:01 UTC+1, Alex wrote:
>>>> Replying to this thread to report that somebody DID ACTUALLY find an
>>>> exploitable vulnerability in the latest IME 11+, and they will be
>>>> sharing nothing less than this UNSIGNED CODE EXECUTION vuln at Black Hat
>>>> Europe 2017.
>>>>
>>>> Abstract here:
>>>> https://www.blackhat.com/eu-17/briefings/schedule/#how-to-hack-a-turned-off-computer-or-running-unsigned-code-in-intel-management-engine-8668
>>>>
>>>> Title is pretty scary, but we'll see if it's actually that dangerous....
>>>>
>>>> --
>>>> Alex
>>>
>>> Was going to post the same. 2 Russian researchers that a couple weeks ago found out a way to clean some modules on Intel ME now have found a significant exploit that allows them to actually run code on a piece of hardware with direct access to the network. The scary thing is - it's impossible to detect.
>>
>> and that's prolly just what we know about lol.
>
> I feel like cause I live in NYC that you just expect this type of stuff from your friends and neighbors hahaha. maybe not the same means but the same ends. but ya hardware level stuff is scary, cause that means real security means a lot of money, so poor people are screwed.
>

My motherboard has a "Disable ME" jumper. Not good enough for many of
you, I know.

As far as AMT, apparently the entry is through Intel NICs. I hoped to
mitigate it by using a third party NIC. The Intel device stayed lit
(amber, not green) on power off, my new one is completely off when
powered off.

rysiek

Sep 25, 2017, 2:46:12 AM
to qubes...@googlegroups.com
On Sunday, September 24, 2017 9:23:06 PM EEST filtration wrote:
> My motherboard has a "Disable ME" jumper. Not good enough for many of
> you, I know.
>
> As far as AMT, apparently the entry is through Intel NICs. I hoped to
> mitigate it by using a third party NIC. The Intel device stayed lit
> (amber, not green) on power off, my new one is completely off when
> powered off.

These are not really good options for laptops. :(

--
Regards,
Michał "rysiek" Woźniak

I am changing my GPG key :: http://rys.io/pl/147
GPG Key Transition :: http://rys.io/en/147

Alex

Sep 25, 2017, 3:01:12 AM
to qubes...@googlegroups.com
On 09/25/2017 08:45 AM, rysiek wrote:
> On Sunday, September 24, 2017 9:23:06 PM EEST filtration wrote:
>> My motherboard has a "Disable ME" jumper. Not good enough for many
>> of you, I know.
>>
>> As far as AMT, apparently the entry is through Intel NICs. I hoped
>> to mitigate it by using a third party NIC. The Intel device stayed
>> lit (amber, not green) on power off, my new one is completely off
>> when powered off.
>
> These are not really good options for laptops. :(
>
They may even be worse - I used to have a tablet with an "Intel ME
Disable" option in the BIOS, and tried to flip that setting.

The tablet would not start anymore, and I had to buy a clip to reflash the
BIOS EEPROM to be able to recover it.

--
Alex


Sean Hunter

Sep 25, 2017, 3:33:49 AM
to rysiek, qubes...@googlegroups.com



> On 25 Sep 2017, at 07:45, rysiek <rys...@hackerspace.pl> wrote:
>
> These are not really good options for laptops. :(

I am running Qubes 4.0 rc 1 on a Librem Purism 15v3. I believe (may be wrong) that it comes with ME disabled. Seems a great laptop so far with a couple of small annoyances which I’m happy to post to the list separately if people would find that helpful.

Sean

Sent from my phone. Sorry if brief.


pixel fairy

Sep 25, 2017, 4:57:54 AM
to qubes-users
I would find a list of annoyances with Qubes 4 on a Librem 15 helpful. I'm thinking of getting one.

Theo

Oct 22, 2017, 4:08:30 PM
to qubes-users
On Monday, 18 September 2017 13:33:31 UTC-7, alexc...@gmail.com wrote:
> Has anyone here successfully disabled the Intel ME yet?


Purism says they are disabling it by default on all laptops they are sending out now.

Ref:
https://puri.sm/posts/deep-dive-into-intel-me-disablement/

Now if only the hardware was just slightly more powerful and future-oriented.
