Just had a random thought and conveying it out loud in here....I am ignorant to how far the tech has come.

But yea, was wondering are our PC's and MAC's able to communicate "offline" and even scarier, unpowered/ off grid?

 

learn more about MEI (Management Engine) and AMT (Active Management Technology), usb bios flashback, perhaps entire chipset architecture in general ?

 

tzzsmk beat me by like 20 seconds!

https://en.wikipedia.org/wiki/Intel_Management_Engine

Intel Management Engine (ME) has been incorporated in virtually all of Intel's processor chipsets. The subsystem runs on a separate Intel Quark x86 microprocessor running the MINIX operating system. It performs tasks while the computer is running, while it is asleep and while the system is turned off - as long as the chipset is supplied with power. Its code is obfuscated using confidential encryption.

The ME has its own MAC and IP address with direct access to the Ethernet controller; Ethernet traffic is diverted to the ME even before reaching the operating system.

Critics like the EFF, Libreboot and security experts like Zammit accuse the ME of being a backdoor. Zammit stresses that the ME has full access to memory (without the CPU knowing), and can send and receive network packets, fully bypassing the operating system's firewall.

Intel responded by saying that "Intel does not put back doors in its products."

It is normally not possible for a user to disable the ME and there is no official method to disable it.

 

There is actually. And it's very bad. All CPU's since I guess the first UEFI systems, have a hidden subsystem. Thanks to "strong suggestions" by the NSA and other military/intelligence agencies. AMD, Intel, Apple... all have it.
I don't even know if Microsoft or Apple can have control over it. But for sure these agencies can totally bypass everything if they can plug whatever it is (USB, Ethernet, WIFi,...) in any computer.

PS. While I was writing @xorome and @tzzsmk beat me to it and gave more details

 

What generation did that start with?

Thanks for all the replies and for the suggestions of where to start. It's a grim reality for all of us.

 

This is in reference to "High Assurance Platform" mode? The "suggestion" of NSA, etc was (more like a requirement, it reads) adding a way to disable ME, AMT on government-entity owned systems due to security concerns about possible exploitation. It reads differently when paraphrased to suggest like this was all added at their behest. They apparently do not mind it running on others' systems, but want it not running on theirs. They would not need such a thing, and it wouldn't have been found if they had.

 

%

 

Last edited by a moderator: Jul 17, 2023

So it's really easy to block with any basic router firewall or if you don't trust the people who make routers you can built KALI from source for a super basic open-source chipset like RASCAL and packet RFV everything between your LAN and the interwebs.

Too easy to solve, but I guess, NVM... I just DGAF anymore.

 

I'd go to Vegas and place some sports wagers. What I would not do would be to read tin-foil theories about No Such Agency from "researchers" from Russia. Especially not in 2017 (when this "news story" started showing up); an entire year after NSO Pegasus' existence was already confirmed to have been used against journalists' phones in the wild. Or believe that a little chip (while machine powered off) would have enough residual power to supply enough power to the network interface or wireless adapter to authenticate so that data could be exfiltrated with the machine off. (When it could just do so past the OS/firewall as claimed) Or worry about "wifi passwords being collected remotely", while target machine was not within range to an attacker. If in range, they would collect a 4-way and pop the router on the spot.

Any IDS or Network traffic analyzer running on a second machine would see such traffic. This is like us not knowing why the Pyramids of Egypt were built, so obviously they were built by aliens. Occam's Duct Tape.

 

PC's without TPM's do what you tell them to. MAC's, who knows. Apple has been big-brother for quite a while. PC's with a properly optimized OS will behave as you command them to. Running older hardware and OS (you know, those "unsupported" kind that some monkeys wouldn't be caught dead with ) will more than likely have control over the IME through a simple interface. All my internet facing machines run windows 7 class hardware that all have BIOS access to IME that is switched OFF. No unauthorized access capability here.

Which also brings to mind a little conundrum of sorts with regard to what would be available to some monkey who tried to exploit someone with active IME on an internet facing computer. With the power off and with most all data of any interest being stored on various storage devices THAT ARE ALSO POWERED OFF (also assuming that no "wake-on" functions are enabled) what could one hope to gain from utilizing said "backdoor" in the first place?

And... Magical remote control of computers via ZERO connection medium (i.e. wifi disabled, no dial-up device, no internet hard connection, no "wake-on features" enabled, etc) comes from watching too many movies... Backend Local area networks with properly setup and firewalled vlans are not susceptible either.

 

Last edited: May 10, 2023

Take the details I told with a grain of salt because I don't remember well and there's not exactly a lot of confirmed information because of its very nature. So happy to be corrected.
I was just talking of what I remember when the IME, the intel version, began to be know to techies. I'm not sure who exactly demanded that subsystem.

 

Intel ME can be disabled, courtesy of the NSA :D
https://www.bleepingcomputer.com/ne...hated-intel-me-component-courtesy-of-the-nsa/

Anyway, you can kill and/or neutralize (depends on CPU generation) IME using Python magic:
https://github.com/corna/me_cleaner

Note that AMD have the same kind of backdoor, named PSP.

 

So cool. I only remember one pioneer long time ago that managed to disable and perhaps even removing it quite some years ago. But he bricked 3 or 4 CPUs during the process.

 

Last edited: May 10, 2023

Sure. But keep in mind that nearly every researcher who finds something has the tendency to escalate it's importance. We go from a possibly exploitable remote management service/protocol etc, to "the sky is falling and it's NSA behind it". Like clickbait.

Another thing to remember/know is that Intelligence services do not share anything they do not need to; even with allied countries services. Can you think of a better way to share *everything* than to stick some backdoor hardware chip onto every desktop/laptop computer in America/elsewhere; just waiting for other services to take apart any machine and look into the chipset? And then to have it masquerade in plain sight of Administrators who are already aware of portions of it's functionality? All waiting to be "discovered" the minute someone working at Intel or AMD decides to leak the info, with no way to "Self-Destruct" the chip's code and leaving proof on every affected product? "Powered down" phones are a much juicier target. They have microphones, cameras, people take them wherever they go, and think they are a brick as soon as you turn them off; instead of sticking them inside a Farraday cage. This is like the script for a Snowden sequel movie, but it would be starring Forrest Gump.

 

Everything is hackable or crackable
Nothing is 100% secure
What about air gapping?
Around 20 years ago i had an amd athlon 2700xp no wifi no bluetooth no internet cable connected
One day i got a prompt with wireless connection found i immediately open my internet browser and i had no internet then later that day i went to the living room where my stepdad said hey i just got free wifi and i quickly updated my norton later that day i went back to my room and i opened control panel suddenly i had a norton icon without ever installing norton on my system that is fucking weird
After that i start to get paranoid and discovered even more fuzzy stuff on my system

 

Get a PC with no wifi card and don't plug the Ethernet cable. Now you can play solitaire with nobody watching.

 

Since I am running older win7 (os and class hardware) I have bios tweaks that disable the evil Intel ME out of a hat. however you all can do basically the same thing if your internet vlan utilizes a manageable router, switch or other device that has a firewall governing your entire network. You can BLOCK all incoming/outgoing traffic on the ports that POS uses to do it's nastiness..That way ANYTHING plugged into your network will be protected. The following white paper outlines the ports in question.

https://www.intel.com/content/dam/s...work-admin-detection-and-mitigation-guide.pdf

Remember though, this POS uses out of band networking (completely outside the purview of any operating system you're running) to do its lameness. So in order to block it network-wise you must do it from a managed switch, router or gateway on your internal network. Takes all of 5 minuten to build the filters...done!

Also, FYI, if you have a newer machine/OS that has "intel management engine drivers" that are enabling comms with the onboard hardware, just yank the management warez out by uninstalling and disable any system devices having to do with intel ME... case closed. You might actually save some processor cycles and/or system resources in the same swoop.

 

Last edited: May 11, 2023

I agree in that no end of the world or similar. Perhaps I sounded catastrophist in my first post. We can only limit the spyware these days and I'm fine with that despite not being ideal.

But these subsystems... not the biggest secret but the most opaque that's running 24/7 in every CPU with power supply plugged since 8 years or so. Even less secret when the same NSA gave advice about disabling that bit because they had a severe security bug. The irony
They are running no matter if you use the the soft for useful fatures, remote managing PCs and stuff. Even if you disable TPM, secure boot. They can bypass pretty much everything since the very start of the boot and access directly the network and the PCH (for instance the RAM).

I mean, doesn't take a conspiranoic to smell what they are for, besides some legit useful features. I'm not saying agencies or whatever are using to spy everyday all around the world. Again, nothing new, but an important step up. I could be wrong of course. But for me is common sense.

 

Last edited: May 11, 2023

it's not just unplugging the cables or disable network cards

https://ieeexplore.ieee.org/document/8820015