Our beloved GOD tool got rekt – Intel ME vs. security researchers

In the light of the recent bugs found in Intel ME, every PC user should be aware of what kind of “above root” tools are implemented in all of the most recent Intel (since 2015) and AMD (since 2013) CPUs. Why should you bother with this? Because in Intel’s case there is a good chance it can be remotely accessed. First of all what the heck is ME?

Intel ME & AMD PSP are both stinky!

“The Management Engine is a barely documented black box. It has its own CPU and its own operating system – recently, an x86 Quark core and MINIX – that has complete control over the machine, and it functions below and out of sight of the installed operating system and any hypervisors or antivirus tools present.” – quote taken from theregister.co.uk

Okay, so what’s the problem with it? The problem is, like any other software, ME firmware contains bugs and Intel don’t really want anybody to audit it.

“Garrett said if an exploit allows unsigned data to be installed and interpreted by the ME, an attacker could effectively trigger the reinfection of malware after every ME reboot. Were that to happen, the only way to fix things would be to reflash the hardware by hand. At that point, he said, it would probably be cheaper just to get new hardware.” – quote taken from theregister.co.uk

Oh, got infected because of the AMT and/or ME vulnerability? Basically you are screwed.

Then what about Ryzen? It has Platform Security Processor (or Secure Processor).

“Since the launch of AMD Ryzen, a small piece of hardware that handles basic memory initialization as well as many security functions has been the center of some controversy. Called the Platform Security Processor (the “PSP” for short) it is essentially an arm core with complete access to the entire system. Its actions can be considered “above root” level and are for the most part invisible to the OS. It is similar in this regard to Intel’s Management Engine, but is in some ways even more powerful. – taken from www.techpowerup.com

– – –

In order to reduce the risk of a remote attack then you should use a PCI NIC or maybe using your onboard Realtek NIC can block direct access to your ME because Realtek chips are separate from the main chipset (according to Wendell at Level1Techs). If the attacker has direct access to your computer’s USB ports and know how to exploit these bugs then you will be out of luck again.

Let’s hope it will be patched soon. May the force be with us…



Leave a Reply