Although all modern PCs running Intel's chips are a theoretical risk of being compromised, exercising due diligence can still win half the battle. Updates to the ME firmware are not released via conventional OS update mechanisms and the user is left to the mercy of Intel and its motherboard partners to provide the requisite firmware updates. Vulnerabilities in the firmware code have been doing the rounds ever since the first Core 2 chips were launched in 2006. The Intel Management Engine allows admins to remotely control PCs on the network and it houses a full OS in its firmware. The research firm also notes that there are still some more mysteries to be solved with respect to how the HAP bit sets the Boot Guard policies in the firmware. The security researchers who have figured out how to disable the HAP bit do warn that the hack is not fully tested and can potentially brick a lot of systems if not performed under the guidance of a Serial Peripheral Interface (SPI) programmer. A recent vulnerability, CVE-2017-5689, has also been disclosed necessitating the need to address the ME loophole at the earliest. As documented by Microsoft, there is an espionage group that exploits the TCP/IP server of the AMT to remotely execute malicious code. Currently available methods only serve to slim down the ME firmware but do not completely disable it. Any attempt to tamper with the ME firmware has resulted in PCs either refusing to boot up or shutting down immediately after boot as the ME code directly affects the initiation of the main CPU. Researchers have been trying to disable the ME but due to Intel's secrecy of the code and storing it in a non-standard compressed format that needs a hardware decompressor, most of the efforts have been unsuccessful. As such, the ME has garnered a reputation for being a backdoor and a potentially powerful rootkit mechanism, earning a Ring -3 vulnerability for itself. Therefore, any attacker employing a rootkit exploit on the ME firmware can potentially take control of the remote computer and wreak havoc without being detected. As mentioned earlier, the activities of the ME are not audited as it is invisible to the OS. Despite that, experts have found ways of exploiting the ME firmware and take partial control of the ME and thereby, the computer. The ME firmware is encrypted with an RSA 2048 algorithm.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |