Intel's super-secret Management Engine firmware now glimpsed, fingered via USB

Positive Technologies, which in September said it has a way to drill into Intel's secretive Management Engine technology buried deep in its chipsets, has dropped more details on how it pulled off the infiltration.

The biz has already promised to demonstrate a so-called God-mode hack this December, saying they've found a way for “an attacker of the machine to run unsigned code in the Platform Controller Hub on any motherboard.”

For those who don't know, for various processor chipset lines, Intel's Management Engine sits inside the Platform Controller Hub, and acts as a computer within your computer. It runs its own OS, on its own CPU, and allows sysadmins to remotely control, configure and wipe machines over a network. This is useful when you're managing large numbers of computers, especially when an endpoint's main operating system breaks down and the thing won't even boot properly.

Getting into and hijacking the Management Engine means you can take full control of a box, underneath and out of sight of whatever OS, hypervisor or antivirus is installed. This powerful God-mode technology is barely documented and supposedly locked down to prevent miscreants from hijacking and exploiting the engine to silently spy on users or steal corporate data. Positive says it's found a way to commandeer the Management Engine, which is bad news for organizations with the technology deployed.

For some details, we'll have to wait, but what's known now is bad enough: Positive has confirmed that recent revisions of Intel's Management Engine (IME) feature Joint Test Action Group (JTAG) debugging ports that can be reached over USB. JTAG grants you pretty low-level access to code running on a chip, and thus we can now delve into the firmware driving the Management Engine.

With knowledge of the firmware internals, security vulnerabilities can be found and potentially remotely exploited at a later date. Alternatively, an attacker can slip into the USB port and meddle the engine as required right there and then.

There have been long-running fears IME is insecure, which is not great as it's built right into the chipset: it's a black box of exploitable bugs, as was confirmed in May when researchers noticed you could administer the Active Management Technology software suite running on the microcontroller with an empty credential string over a network.

The JTAG revelation came to Vulture South's attention via a couple of tweets:

Game over! We (I and @_markel___ ) have obtained fully functional JTAG for Intel CSME via USB DCI. #intelme #jtag #inteldci pic.twitter.com/cRPuO8J0oG

— Maxim Goryachy (@h0t_max) November 8, 2017

Full access the Intel ME( >=Skylake) by JTAG debugging via USB DCI https://t.co/TMvOirXOVI @ptsecurity @h0t_max @_markel___

— Hardened-GNU/Linux (@hardenedlinux) November 8, 2017

The linked blog post, in Russian, explains that since Skylake, Intel's Platform Controller Hub, which manages external interfaces and communications, has offered USB access to the engine's JTAG interfaces. The new capability is DCI, aka Direct Connect Interface.

Aside from any remote holes found in the engine's firmware code, any attack against IME needs physical access to a machine's USB ports which as we know is really difficult.

We still don't know all the details Positive Technologies will show off at Black Hat, but their trailers are sure fun to watch. ®

Bootnote

The IME is able to control a computer because it runs an OS of its own, namely MINIX: a small and simple microkernel system designed to teach computer-science students how hardware and operating systems work. And it turns out that while Intel talked to MINIX's creator about using it, the tech giant never got around to saying it had put it into recent CPU chipsets it makes.

Which has the permissively licensed software's granddaddy, Professor Andrew S. Tanenbaum, just a bit miffed. As Tanenbaum wrote this week in an open letter to Intel CEO Brian Krzanich:

MINIX was, it appears, discovered in IME by Positive Technologies, as documented here. Meanwhile, Google engineer Ronald Minnich earlier advocated removing IME software from Open Compute Winterfell nodes – Google being a big believer in Open Compute hardware.