Obscure network hardware, driver and kernel modification as a countermeasure to Intel's Management Engine
Linux - Security: This forum is for all security-related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Intel's Management Engine is a hardware feature of Intel CPUs that can do this:
"...the ME platform will access any portion of the memory without the parent x86 CPU's knowledge and also set up a TCP/IP server on the network interface. Zammit argues that this server can send and receive traffic regardless of whether the OS is running a firewall or not."
It uses code obfuscation inside the chip, so this is security by obscurity. How about countering this with some security by obscurity of our own, such as a non-standard network interface card that cannot be used without its obscure driver? Plus a tiny modification to the card's driver module, plus a tiny modification to the Linux kernel source code so it accesses NIC modules slightly differently, just enough to break anything standard that the Intel Management Engine attempts to do with the network card?
IME does not use the user-installed OS/kernel nor its network stack/drivers. Only an external firewall can stop it communicating.
Actually, I think that it is impossible for the CPU to send a network packet out without having access to the network interface card (NIC). Perhaps there is hidden onboard software on the chip that assumes that it knows how to reach the NIC on a particular type of motherboard.
So, why aren't there already laws on the books that would entitle every owner of such a chip to sue Intel, and win? How long is it going to be before someone realizes that the "personal" security of a particular computer, multiplied by millions of computers, many of which are now in shirt pockets, is "a National Security issue"?
There is not only hidden software, there is a hidden CPU running MINIX. This CPU cannot be controlled by the customer, the lawful owner of the given hardware.
No, if you read the article, it is operating at ring level -3, completely out of reach. Even an external firewall may not block it if it goes out to port 80, for instance; for a firewall it would be impossible to determine whether this connection is or is not initiated by the user.
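The previous reply's objection is that an external firewall alone cannot tell a port-80 connection made by the user from one made by the ME. One thing an external observer can do, though, is correlate what it sees on the wire with the host's own socket table: a flow that carries the host's IP address but has no corresponding socket in the OS is, by definition, traffic the OS never made. The script below is an added example and is not code from this thread or from any Intel tool. It assumes a host address of 192.168.1.50, a constructed list of flows as a mirror port or tap would record them, and a constructed `ss -tan` snapshot taken on the host at the same instant; the inbound flow to port 16992 (Intel AMT's default HTTP port) is likewise a constructed sample.

```python
"""Flag wire flows that the monitored host's own socket table cannot explain.

Added example for this thread, not code from the original posts. Data
below is constructed: WIRE_FLOWS stands in for a tap/mirror-port log and
SS_SNAPSHOT for `ss -tan` run on the host at the same moment.
"""
import re
from dataclasses import dataclass

# Assumed address of the monitored host (constructed for this example).
HOST_IP = "192.168.1.50"


@dataclass(frozen=True)
class Flow:
    """One TCP flow as an external tap records it (client -> server)."""
    src: str
    sport: int
    dst: str
    dport: int


# Constructed tap log. The last two entries have no matching OS socket.
WIRE_FLOWS = [
    Flow("192.168.1.10", 53211, HOST_IP, 22),     # admin's existing ssh session
    Flow(HOST_IP, 43122, "93.184.216.34", 80),    # browser fetch the OS knows about
    Flow("192.168.1.10", 40000, HOST_IP, 22),     # fresh connection to a listening port
    Flow(HOST_IP, 49200, "203.0.113.7", 80),      # outbound port 80, no OS socket
    Flow("198.51.100.9", 51000, HOST_IP, 16992),  # inbound to a port nothing listens on
]

# Constructed `ss -tan` output from the host (header line plus sockets).
SS_SNAPSHOT = """\
State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      128    0.0.0.0:22           0.0.0.0:*
ESTAB   0      0      192.168.1.50:22      192.168.1.10:53211
ESTAB   0      0      192.168.1.50:43122   93.184.216.34:80
"""

_ENDPOINT = re.compile(r"^(.*):(\d+|\*)$")


def split_endpoint(endpoint):
    """Split 'addr:port' into (addr, port); a '*' port becomes None."""
    m = _ENDPOINT.match(endpoint)
    if not m:
        raise ValueError(f"bad endpoint {endpoint!r}")
    port = m.group(2)
    return m.group(1), (None if port == "*" else int(port))


def parse_ss(text):
    """Return (listening_ports, connections) from `ss -tan` style output.

    listening_ports: ports with a LISTEN socket bound to any address or HOST_IP.
    connections: set of (local_ip, local_port, peer_ip, peer_port) tuples.
    """
    listening, connections = set(), set()
    for line in text.splitlines()[1:]:          # skip the header line
        parts = line.split()
        if len(parts) < 5:
            continue
        state, local, peer = parts[0], parts[3], parts[4]
        lip, lport = split_endpoint(local)
        pip, pport = split_endpoint(peer)
        if state == "LISTEN" and lip in ("0.0.0.0", "*", HOST_IP):
            listening.add(lport)
        elif pport is not None:                 # ESTAB, SYN-SENT, SYN-RECV, ...
            connections.add((lip, lport, pip, pport))
    return listening, connections


def os_knows(flow, listening, connections):
    """True if the host's socket table accounts for this wire flow."""
    if flow.dst == HOST_IP:
        if (HOST_IP, flow.dport, flow.src, flow.sport) in connections:
            return True
        return flow.dport in listening          # a new connection the OS will accept
    if flow.src == HOST_IP:
        return (HOST_IP, flow.sport, flow.dst, flow.dport) in connections
    return True                                 # not this host's traffic; out of scope


def unexplained_flows(wire_flows, ss_text):
    """Flows carrying HOST_IP that no OS socket explains, in input order."""
    listening, connections = parse_ss(ss_text)
    return [f for f in wire_flows if not os_knows(f, listening, connections)]


if __name__ == "__main__":
    for f in unexplained_flows(WIRE_FLOWS, SS_SNAPSHOT):
        print(f"no OS socket for {f.src}:{f.sport} -> {f.dst}:{f.dport}")
```

Run against the constructed data it reports the outbound port-80 flow and the inbound flow to port 16992, neither of which the OS has a socket for. This is a heuristic, not proof of ME origin: the tap log and the `ss` snapshot must be taken close together, very short-lived connections can fall between two snapshots, and a flow the OS tore down a moment earlier will also show up. Its value is exactly the point the reply above makes from the other direction: the OS cannot see ME traffic, so traffic the OS cannot account for is where to look.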