Obscure network hardware, driver and kernel modification as a countermeasure to Intel's Management Engine
Intel's Management Engine is a hardware feature of Intel CPUs that can do this:
"...the ME platform will access any portion of the memory without the parent x86 CPU's knowledge and also set up a TCP/IP server on the network interface. Zammit argues that this server can send and receive traffic regardless of whether the OS is running a firewall or not." http://news.softpedia.com/news/intel...e-505347.shtml It uses code obfuscation inside the chip, so this is security by obscurity. How about countering this with some security by obscurity of our own, such as a non-standard network interface card that cannot be used without its obscure driver? Plus a tiny modification to the card's driver module, plus a tiny modification to the Linux kernel source code so it accesses NIC modules slightly differently, just enough to break anything standard that the Intel Management Engine attempts to do with the network card?
IME does not use the user-installed OS/kernel nor its network stack/drivers. Only an external firewall can stop it communicating.
How does it know which I/O port to write to without knowing what the driver does?
Quote:
So, why aren't there already laws on the books that would entitle every owner of such a chip to sue Intel, and win? How long is it going to be before someone realizes that the "personal" security of a particular computer, multiplied by millions of computers, many of which are now in shirt pockets, is "a National Security issue?"
There is not only hidden software, there is a hidden CPU running MINIX. This CPU cannot be controlled by the customer, the lawful owner of the given hardware.
MINIX - the most popular OS, thanks to Intel.
Is there something one can do to make that CPU send some data through a NIC, as a demo?
No, if you read the article, it is operating on ring level -3, completely out of reach. Even an external firewall may not block it if it goes out to port 80, for instance; for a firewall it would be impossible to determine whether this connection is or is not initiated by the user.
How might Zammit have discovered that ME can set up a TCP/IP server on the network interface?
|