Print this page

Intel chip flaws leave millions of devices exposed

SECURITY RESEARCHERS HAVE raised the alarm for years about the Intel remote administration feature known as the Management Engine. The platform has a lot of useful features for IT managers, but it requires deep system access that offers a tempting target for attackers; compromising the Management Engine could lead to full control of a given computer. Now, after several research groups have uncovered ME bugs, Intel has confirmed that those worst-case fears may be possible.

On Monday, the chipmaker released a security advisory that lists new vulnerabilities in ME, as well as bugs in the remote server management tool Server Platform Services, and Intel’s hardware authentication tool Trusted Execution Engine. Intel found the vulnerabilities after conducting a security audit spurred by recent research. It has also published a Detection Tool so Windows and Linux administrators can check their systems to see if they're exposed.

Upper Management

The Management Engine is an independent subsystem that lives in a separate microprocessor on Intel chipsets; it exists to allow administrators to control devices remotely for all types of functions, from applying updates to troubleshooting. And since it has extensive access to and control over the main system processors, flaws in the ME give attackers a powerful jumping-off point. Some have even called the ME an unnecessary security hazard.

Intel specifically undertook what spokesperson Agnes Kwan called a “proactive, extensive, rigorous evaluation of the product,” in light of findings that Russian firmware researchers Maxim Goryachy and Mark Ermolov will present at Black Hat Europe next month. Their work shows an exploit that can run unsigned, unverified code on newer Intel chipsets, gaining more and more control using the ME as an unchecked launch point. The researchers also play with a sinister property of the ME: It can run even when a computer is “off” (just so long as the device is plugged in), because it is on a separate microprocessor, and essentially acts as a totally separate computer.

As with previous ME bugs, nearly every recent Intel chip is impacted, affecting servers, PCs, and IoT devices. Compounding the issue: Intel can provide updates to manufacturers, but customers need to wait for hardware companies to actually push the fixes out. Intel's maintaining a running list of available firmware updates, but so far only Lenovo has offered one up.

Intel has confirmed that those worst-case fears may be possible.

"These updates are available now," Intel said in a statement to WIRED. "Businesses, systems administrators, and system owners using computers or devices that incorporate these Intel products should check with their equipment manufacturers or vendors for updates for their systems, and apply any applicable updates as soon as possible." In many cases, it could be a while before that fix becomes available.

The newly disclosed vulnerabilities can cause instability or system crashes. They can be used to impersonate the ME, Server Platform Services, and Trusted Execution Engine to erode security verifications. And Intel says they can even be used to “load and execute arbitrary code outside the visibility of the user and operating system.” This is the crucial danger of the ME. If exploited, it can operate totally separate from the main computer, meaning that many ME attacks wouldn’t raise red flags.

Unclear Fallout

Still, the true impact of current ME vulnerability isn't clear, given the relatively limited amount of information Intel has released.

“This looks bad, but we don’t yet know how easy it will be to exploit these vulnerabilities,” says Filippo Valsorda, a cryptography engineer and researcher. “It’s a really wide range of machines that are impacted, not just servers. Intel seems worried enough to publish detection tools and do a well-orchestrated release.”

The good news is that most of the vulnerabilities require local access to exploit; someone has to have hands on a device or deep in a network. Intel does note, though, that some of the new wave of vulnerabilities can be exploited remotely if an attacker has administrative privileges. And some of the bugs also potentially allow for privilege escalation, which could make it possible to start with a standard user status and work up to higher network access.

“Based on public information, we have no real idea how serious this is yet. It could be fairly harmless, it could be a giant deal,” Matthew Garrett, a Google security researcher, wrote on Twitter when the vulnerabilities were first announced. But he quickly added that, “on reflection I don't see many outcomes where this is fairly harmless.”

It will take time for the full impact of these ME bugs to come into view, but for researchers who have warned about the dangers of ME for years, Intel's fixes now are cold comfort.

Read 4744 times


  • Eric Jones
    Eric Jones 11 days ago

    Hello, my name’s Eric and I just ran across your website at raindesigner.com...

    I found it after a quick search, so your SEO’s working out…

    Content looks pretty good…

    One thing’s missing though…

    A QUICK, EASY way to connect with you NOW.

    Because studies show that a web lead like me will only hang out a few seconds – 7 out of 10 disappear almost instantly, Surf Surf Surf… then gone forever.

    I have the solution:

    Talk With Web Visitor is a software widget that’s works on your site, ready to capture any visitor’s Name, Email address and Phone Number. You’ll know immediately they’re interested and you can call them directly to TALK with them - literally while they’re still on the web looking at your site.

    CLICK HERE http://talkwithcustomer.com to try out a Live Demo with Talk With Web Visitor now to see exactly how it works and even give it a try… it could be huge for your business.

    Plus, now that you’ve got that phone number, with our new SMS Text With Lead feature, you can automatically start a text (SMS) conversation pronto… which is so powerful, because connecting with someone within the first 5 minutes is 100 times more effective than waiting 30 minutes or more later.

    The new text messaging feature lets you follow up regularly with new offers, content links, even just follow up notes to build a relationship.

    Everything I’ve just described is extremely simple to implement, cost-effective, and profitable.

    CLICK HERE http://talkwithcustomer.com to discover what Talk With Web Visitor can do for your business, potentially converting up to 100X more eyeballs into leads today!

    PS: Talk With Web Visitor offers a FREE 14 days trial – and it even includes International Long Distance Calling.
    You have customers waiting to talk with you right now… don’t keep them waiting.
    CLICK HERE http://talkwithcustomer.com to try Talk With Web Visitor now.

    If you'd like to unsubscribe click here http://talkwithcustomer.com/unsubscribe.aspx?d=raindesigner.com

  • write me an essay
    write me an essay 2 months ago

    Howdy! This article could not be written any better!

    Looking at this article remind mee of my previous roommate!
    He continually kept preaching about this. I most certainly will send this information tto him.

    Fairly certain he's going to havfe a very good read.
    Thanks for sharing!
    wwrite me an essay
    write me an essay http://5fcda9759a4dc.site123.me/blog/how-to-write-a-college-essay-with-examples

We use cookies to improve our website. By continuing to use this website, you are giving consent to cookies being used. More details…