by cantrevealname 2135 days ago
I've been hearing about Intel’s Active Management Technology for years, but I'd like to see a demonstration of how an attack would work. I have an unused laptop with:

1. an Intel CPU that supports the vPro feature set

2. an Intel networking card

3. the corporate version of the Intel Management Engine (Intel ME) binary (well, definitely, a corporate laptop that used to get updates, but how do I check for ME?)

Is there a website I can visit that can initiate a remote takeover (I'm consenting to it)? Why isn't this possible? What other step is required on my side to make it possible? Is it possible only through the physical ethernet connection? Why aren't we seeing wide scale exploits based on AMT?

5 comments

Absence of evidence is not the evidence for absence.

If the backdoor exists you will need to know a secret to open it. Currently, the public obviously doesn't know this secret or the doors would be wide open for virtually anybody. Because we don't know the secret key, we cannot open them to prove that they exist. So we don't know for sure if the backdoors exist. But the way the IME is designed and handled makes it possible and plausible that backdoors could exist. It's up to Intel to prove that they don't exist.

The odds of this being actively exploited by a nation state are higher than of it not being exploited. It's too juicy of an attack target, while being almost universally deployed since 2008.

Even 14 years ago the FBI was using powered-off cellphones as microphones, recording in-person conversations in a restaurant between some Mafia targets. It was acknowledged during a criminal trial, which means it was probably old-hat by then:

> Kaplan's opinion said that the eavesdropping technique "functioned whether the phone was powered on or off."

> He ruled that the "roving bug" was legal because federal wiretapping law is broad enough to permit eavesdropping even of conversations that take place near a suspect's cell phone.

https://www.cnet.com/news/fbi-taps-cell-phone-mic-as-eavesdr...

Getting access to laptops/PCs regardless of power state with long-term persistence and very low detectability, regardless of traditional OS monitoring, would be top of the list in terms of requirements for any intelligence agency.

>So we don't know for sure if the backdoors exist

Doesn't the NSA_High_Assurance_Platform bit or whatever it's called pretty much prove there's a backdoor?

edit: Here it is: https://en.wikipedia.org/wiki/Intel_Management_Engine#%22Hig...

Why would the NSA demand such a feature if they didn't foresee even a potential vulnerability there?

The NSA doesn't need to know a backdoor exists in order to worry about one. The ME is infrequently exercised code with a large attack surface and highly privileged access. If you are security conscious and don't need the functionality it's quite logical to want to turn it off, whether you're the NSA or anybody else.

>It's up to Intel to prove that they don't exist.

That seems a bit over the top to ask them to prove a negative.

It would be easy for Intel to prove what code is running. Peer review does the rest.

Releasing the code would allow people to verify it.

Releasing the code would help to make it more auditable.

There have been two really severe AMT vulnerabilities (basically allowing complete takeover of the PC through the network). These have been patched and no widescale exploitation of them has been reported AFAIK. The other vulnerabilities essentially allow for a super-rootkit: if you can get arbitrary code execution in the AMT from the OS then you can escalate an exploit into a rootkit which is basically impossible to detect or remove, and this kind of exploitation has been seen in the wild.

> severe AMT vulnerabilities (basically allowing complete takeover of the PC through the network)

Does this mean when the PC was connected by ethernet cable? Even by wifi? The exploit could have worked by visiting an arbitrary website? With no click? (I’m not being skeptical. I just want to understand what’s required for the exploit to work.)

Here’s one from 2017: https://www.tomshardware.com/news/intel-amt-patch-may-8,3434...

Connected to Ethernet (with Intel hardware), but doesn’t need to be turned on. Must have vPro and AMT enabled.

You don't even need to boot the machine much less go to a website.

One of them I think was actually a zero day, you could get up on shodan and find piles of machines that would just let you upload an ISO and boot whatever you wanted on them.

It really is that bad.
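A way to answer the two practical questions in this thread, how to check whether a machine has the ME host interface at all (the original poster's "how do I check for ME?") and whether AMT is actually listening on the network (the Shodan point above), as an added example that is not code from the thread or from Intel. It assumes Linux for the local checks (the mei kernel driver exposes /dev/mei* and /sys/class/mei when it binds to the ME's PCI function) and the standard AMT web-interface ports 16992 (HTTP) and 16993 (HTTPS). The lspci output and the HTTP response below are constructed samples; the firmware version and Digest realm in them are made up, and the host address in the comment is a documentation address.

```python
import glob
import os
import re
import socket

# AMT's listeners once it is provisioned: 16992 HTTP, 16993 HTTPS,
# 16994/16995 for the SOL/IDE-R redirection service.
AMT_PORTS = {16992: "http", 16993: "https", 16994: "redirection", 16995: "redirection-tls"}

# Names the ME host interface shows up under in lspci (HECI, MEI and CSME
# all refer to the same PCI function).
MEI_PCI_RE = re.compile(r"HECI|Management Engine Interface|CSME|\bMEI\b", re.I)
INTEL_NIC_RE = re.compile(r"Ethernet controller: Intel", re.I)

# Constructed sample of `lspci` output from a vPro-era laptop (not a real capture).
SAMPLE_LSPCI = """\
00:00.0 Host bridge: Intel Corporation Xeon E3-1200 v6/7th Gen Core Processor Host Bridge/DRAM Registers (rev 02)
00:16.0 Communication controller: Intel Corporation Sunrise Point-LP CSME HECI #1 (rev 21)
00:1f.6 Ethernet controller: Intel Corporation Ethernet Connection (4) I219-LM (rev 21)
02:00.0 Network controller: Intel Corporation Wireless 8265 / 8275 (rev 78)"""

# Constructed sample of what TCP/16992 answers to an unauthenticated request
# for /index.htm; the version number, realm and nonce are made up.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50.3434\r\n"
    b'WWW-Authenticate: Digest realm="Digest:0123456789ABCDEF0123456789ABCDEF", '
    b'nonce="1a2b3c4d", stale="false", qop="auth"\r\n'
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n\r\n"
)


def mei_devices_from_lspci(lspci_text):
    """Lines of lspci output that name the ME host interface (HECI/MEI)."""
    return [line for line in lspci_text.splitlines() if MEI_PCI_RE.search(line)]


def intel_nics_from_lspci(lspci_text):
    """Wired Intel NICs: AMT's out-of-band path rides on the Intel LAN controller."""
    return [line for line in lspci_text.splitlines() if INTEL_NIC_RE.search(line)]


def local_mei_present(dev_glob="/dev/mei*", sysfs="/sys/class/mei"):
    """True if the Linux mei driver has bound to a ME host interface on this box."""
    return bool(glob.glob(dev_glob)) or os.path.isdir(sysfs)


def classify_amt_banner(raw):
    """Parse an HTTP response from port 16992/16993 and decide whether it is AMT."""
    text = raw.decode("latin-1", "replace")
    head = text.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "")
    auth = headers.get("www-authenticate", "")
    version = re.search(r"Technology\s+([\d.]+)", server)
    realm = re.search(r'realm="([^"]*)"', auth)
    return {
        "status": lines[0],
        "is_amt": "active management technology" in server.lower(),
        "version": version.group(1) if version else None,
        "auth_scheme": auth.split(" ", 1)[0] if auth else None,
        "realm": realm.group(1) if realm else None,
    }


def probe_amt(host, port=16992, timeout=3.0):
    """Connect to an AMT port, request /index.htm without credentials, classify the reply."""
    request = ("GET /index.htm HTTP/1.1\r\nHost: %s:%d\r\nConnection: close\r\n\r\n"
               % (host, port)).encode()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(request)
            data = b""
            while len(data) < 8192:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                data += chunk
    except OSError as exc:
        return {"host": host, "port": port, "reachable": False, "error": str(exc)}
    result = classify_amt_banner(data)
    result.update(host=host, port=port, reachable=True)
    return result


if __name__ == "__main__":
    print("MEI on this host:", local_mei_present())
    print("MEI in sample lspci:", mei_devices_from_lspci(SAMPLE_LSPCI))
    print("Intel NIC in sample lspci:", intel_nics_from_lspci(SAMPLE_LSPCI))
    print("Sample banner:", classify_amt_banner(SAMPLE_AMT_RESPONSE))
    # Only against hosts you own: probe_amt("192.0.2.10")
```

A Digest challenge with an Intel AMT Server header only tells you that AMT is provisioned and reachable on that interface; the probe sends no credentials and tests no vulnerability, so it says nothing about whether the firmware is patched. Having the MEI PCI function and an Intel NIC is the precondition the thread describes, not proof that AMT is enabled: many consumer boards ship the ME without AMT at all, and on the ones that have it the listener only exists after provisioning.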

When the computer is off: WiFi would also work if it were configured with an ESSID and credentials. But usually, most people don't do this.

When it is on: AMT Wifi might also just piggyback on the existing config of the OS.

"... the fundamental rule of technological progress: if something can be done, it probably will be done, and possibly already has been." -Edward Snowden (Permanent Record)