[seanherron]

The author is right that USB-C docks can be used to hide malicious devices - but the same is true of any USB device. You could hide a Pi Zero in a mouse, keyboard, memory stick, or anything else that you can open up and access the USB headers. Scary - but also requires a higher level of physical access than other vectors such as phishing.

[npteljes]

They also bundle a separate CPU inside the real CPU, and gave it full access over the system.

https://en.wikipedia.org/wiki/Intel_Management_Engine https://en.wikipedia.org/wiki/AMD_Platform_Security_Processo...

[matheusmoreira]

This is just the tip of the iceberg. Turns out our operating systems are actually just sandboxed applications in the hardware manufacturer's proprietary hellscape. Not only are they not real operating systems anymore, they are no longer even in real control of pretty much anything.

https://youtu.be/36myc8wQhLo

[metadat]

Do ARM processors have a similar mechanism?

Edit: Yes, it's called TrustZone.

https://en.wikipedia.org/wiki/ARM_architecture_family#Securi...

[qbasic_forever]

ARM doesn't have a concept of anything like the management engine, but remember it's just an ISA and actual SoC implementations like from Qualcomm, Samsung, Apple, Amazon, etc. are free to add their own logic and side controllers.

[ace2358]

Which I feel like Apple does do? When I turn my iPhone off, it says it’ll still be able to be found using find my phone…

[concinds]

That's different. It's a feature where Apple deliberately keeps some components running after shutdown, in a very low-power way, and provides an option to turn that off. Those components (the Bluetooth chip, for example) are all strictly separated from each other by IOMMUs.

Intel Management Engine is very different. It's basically another CPU within your real CPU, running its own software with no visibility to the main OS, and it has (AFAIK) full access to other components. If it's compromised, or has a factory backdoor, you're 0wned.

The closest thing to Intel IME that the iPhone has, is the baseband, which can run its own code. But if I'm reading marcan correctly (https://news.ycombinator.com/item?id=30393283), modern iPhones/Android phones all use IOMMUs to isolate that (with the exception of a few so-called "free/libre" phones). The IOMMUs can be easily inspected from the OS to make sure they're correct, so it's just not a concern, unlike IME.

[fmajid]

The baseband doesn't have control over the application (main) processor the way IME does, however, and Apple is rightfully distrustful of Qualcomm's security and the two are fairly stringently separated. What a baseband (or WiFi controller) rootkit can do, however, is intercept all your network traffic, and inject exploits for software bugs in the main OS.

[ace2358]

Thank you for this break down. I appreciate the distinction.

[dmitrygr]

not the same at all. Trustzone is a special mode of the very same main CPU (more like intel's SMM), whereas PSP and ME are a separate core

[elromulous]

More specifically, trustzone is the arm equivalent of Intel's (mostly deprecated) sgx.

https://en.m.wikipedia.org/wiki/Software_Guard_Extensions

[concinds]

Note that Apple M-chips don't have TrustZone or anything equivalent.

[squarefoot]

Are those CPUs documented enough so that we can be 100% sure of that?

[amelius]

How do we know that the foundry didn't insert anything Apple doesn't know about?

[tempay]

I would expect apples quality control processes to pick this up. They’re so closely involved in the chip design process that it’s hard to imagine Apple’s engineers are debugging wouldn’t notice something was amass.

Not to mention the technical challenge of quickly understanding and editing Apple’s designs from the limited information that is shared with the foundry.

[amelius]

The device could be dormant until it gets a signal, meaning Apple won't find it unless they cut up the die. And they could attach it to anything that looks like a bus, then figure out how to exploit it later.

[naikrovek]

I love how people forget what this is for. that's "love" in sarcasm quotes, if it isn't clear.

this is for me when I want to enable virtualization on a user's laptop remotely, without sending a human to their desk or to their house to enter the bios password and to enable virtualization or do whatever else I need done in there.

this is how I ship a laptop from the manufacturer directly to an end user, at their home, and they unbox it, turn it on, log in, and the computer becomes a corporate-managed device. I don't have to fly someone out so they can set up the computer, or ship the computer to the office for configuration before it gets shipped again to the end user.

this is not a nefarious thing, nor is it a target for hackers, because there are far easier ways to trick someone into doing something which lets the hacker onto their system.

[LukeShu]

Neat, I'm glad you have the option of purchasing hardware with this feature. But please let me buy hardware without it.

[naikrovek]

well if you aren't in an enterprise it is unused and inactive

if you don't want to spend $0.10 on the feature in the chip, spend 100 billion times more than that to start a CPU fabrication company and license x86_64 so you can make your own CPU.

we can't have everything a la carte. it doesn't make sense.

[LukeShu]

Framing it as a $0.10 cost issue is disingenuous. It's not that I want to save $0.10, it's that I want hardware that specifically does not have that functionality. And I'm willing to spend more to get it; though not $10billion more.

And it's not that they'd have to re-tool their fabs to make it either; they're already set up to make non-ME systems for certain government buyers. Please let civilians buy those systems.

[speed_spread]

> nor is it a target for hackers

I think hackers will decide on this, not you. And at least acknowledge that IME/PSP seriously expands the attack surface of the hardware at a very low level, enabling new classes of exploits against which the OS has no defense.

[mihaaly]

So this is made for noble purposes so it must be no risk?

So is the internet. And a few other things. I do not feel your arguments particularly strong.

E.g. wouldn't this purpose a target for specially prepared external managmenet dongles (similar like those hinted in the article but of course made professionally and with the noblest of noble system admin motives) that could be plugged in where and when corporate management is necessary to set up, then remove, send to the next computer if necessary? And not built into EVERY computer, from granny to the schoolboy so YOU could do something? This concept soulds like the key under the doormat kind of security. And you rely corporate systems on this.

[imwillofficial]

“ nor is it a target for hackers, ” Most ignorant statement of the year.

[naikrovek]

yep all the hacks which have broken it sure have me proven wrong. gosh.

the thing isn't even capable of the devastating things you all fear. it's a minimal CPU (a slow 486 on Intel chips) with a miniscule web server which is off unless configured to be on and it can't read your disk or read RAM. all it can do is talk to hardware. it's how you configure the bios without rebooting at the console.

[matheusmoreira]

https://www.csoonline.com/article/3662772/cybercriminals-loo...

https://www.wired.com/story/intel-management-engine-vulnerab...

https://www.tomshardware.com/news/intel-me-security-vulnerab...

You were saying...?

[naikrovek]

yeah I was saying that these are not always enabled on consumer devices and are protected by firewalls in most consumer and corporate situations by default.

you are smart enough to have firewalls in place, right? or are you so knowledgeable about security that you turn those off?

I see you linking to attempts and maybe some real vulns but even if they were exploited in the wild without local USB access, which I don't see in those links, firewalls would have prevented them.

physical access appears to be a requirement for those now-patched vulnerabilities, so while I was mistaken about a bit of this, my overall point stands. wow I guess you sure proved your side!

if you don't like this kind of thing in your CPUs, please feel free to start a CPU company and make your own stuff.

[imwillofficial]

Bingo. One of the core competencies of a SysAdmin is thinking critically about security vs convenience.

[matheusmoreira]

Good for you I guess but I sure as hell don't want no "corporate management" malware anywhere near my stuff let alone inside the chips where they can't be disabled. Please keep this crap fully isolated in your "corporate devices" so that we don't have to deal with it.

[nequo]

Why is there no easy way to disable it if I don’t need someone to tweak my non-corporate-managed laptop remotely?

[npteljes]

It's true that we haven't got a remote exploit yet, or at least, it's not publicly known. And I agree that it can be useful, convenient even, for everyone involved. It does however give up a good amount of control, the end user's control over their own machine.

>this is not a nefarious thing

Hell is paved with good intentions. The intent is irrelevant. Every substance that we banned so far in agriculture were developed, and used with the intent of improving the crops. Yet, they turned out to be a net negative. We don't know the end game of the ME/PSP yet, but I'm not keen to participate, I'd gladly buy a CPU without it, and let other people find out.

[snow_mac]

Or they could pre-make a bunch of docks and swap them out at a cowering space or target office building. Easy enough to gain physical access to most offices. You could get a job with the cleaning crew

[tedivm]

They could order a bunch from amazon or newegg and then return them. It wouldn't be as targeted but it would still get some interesting results.

[LanceH]

Slap the companies logo on it and mail 100 of them to the office.

[micromacrofoot]

I imagine this is how a lot of basic espionage already happens?

[Cthulhu_]

Even a simple charging cable can contain e.g. a HID chip while still working as a charging cable. I saw an unattended cable on a table at work once, I'm sure someone who needs one would've used it without second thought. But our employer is also sending fake phishing emails to make people aware, I wouldn't be surprised if they also plant devices like that.

...and if they don't I should propose it, sounds like a fun project. Leave a random cable or USB stick that just shows a warning that it could have been malicious. Or something that just opens up https://nyan.cat and sets the volume to max :D.

[bobsmooth]

Do co-working spaces usually have shared peripherals besides docks?

[dotancohen]

I've seen monitors, keyboards, mice, network printers, wifi access.