[Cryptography] Intel Management Engine pwnd

John Gilmore gnu at toad.com
Thu Nov 23 17:03:50 EST 2017


> The missing bit is a physical off or disconnect switch in the design for
> this subsystem.

According to geeks who worked on the product, there are several such
switches in the CPU and chipset.  The missing bit is a DOCUMENTED off
or disconnect switch that actually works.  Why Intel refuses to do
this is a mystery to me -- and as Frank Zappa presciently suggested,
when you can't figure out why somebody would do something, the answer
is probably MONEY.  Which would indicate that Intel have probably been
paid off by somebody (NSA, the Chinese government, ???) to force a
covert backdoor on every user of their products.  This exact issue is
why I have refused to buy Intel gear for many years, and I can't be
the only one.

Note that Intel is *still* not offering an off-switch -- just a patch
for the current exploit.  Not a patch against every future exploit.

Meanwhile, for figuring out whether your equipment has this problem
and needs a new binary blob of slightly improved exploit-laden
firmware installed, Intel only offers a proprietary program that comes
with a pre-download license as long as your arm, banning reverse
engineering, sharing with others, and use with any system that wasn't
built by Intel:

  https://downloadcenter.intel.com/download/27150

I'm sure there's a way to read the Javascript, decline to accept the
terms, and still figure out how to download the software, so you can
at least avoid the appearance of making a contract with Intel about
this, which would let you reverse-engineer it according to the laws of
your jurisdiction.  Of course, the bad guys are just going to click
"agree", download, reverse engineer anyway, and start making exploits.
So this extra layer of legal bullshit only serves to deter the honest
people whose security Intel has deliberately screwed for a decade with
their built-in backdoor.

	John



More information about the cryptography mailing list