[Cryptography] Intel Management Engine pwnd

Jerry Leichter leichter at lrw.com
Tue Nov 28 23:17:28 EST 2017


> When used in accordance with official use, it listens on a certain port, like any other service.
> 
> But since normal code manages listening on ports, how does the management engine do this.  How does the management engine hook your tcp-ip stack?
> 
> For your tcp-ip stack is implemented by diverse operating systems in diverse hardware and software....

As I understand it, the ME's TCP stack is integrated into the Ethernet engine.  When it sees a packet attempting to connect to the management port it simply grabs it - and all the packets that are part of the resulting connection.  The implementation in the OS simply never sees those packets.  If you were to write code listening on that port, you'd probably never see an incoming connection.

This is really no different in most details from any stateful firewall - except that the firewall generally discards the undesirable packets, while the ME acts on them.

You could block this entire mechanism by using an external Ethernet interface and not connecting the built-in one to anything - or connecting it to a separate management network fully isolated from the Internet and carefully controlled.  But not many will choose to do that because of the additional cost and likely performance implications.

-- Jerry
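To make the mechanism described above concrete, here is a small model of an out-of-band engine sitting in the Ethernet receive path. It is an added illustration, not code from this thread or from Intel, and it assumes exactly the behaviour the email describes: a stateful matcher claims a new connection to the management port and every later packet of that flow, so the OS stack never sees them. The email names no port; the model uses Intel AMT's well-known HTTP/HTTPS defaults 16992 and 16993 as the management ports, and the host and peer addresses, the `EthernetEngine`/`run_trace` names and the packet trace are all constructed for the example. The `firewall` mode shows the contrast the email draws (same matching, packets discarded instead of acted on), and the `plain` mode stands for an external NIC with no such engine, the mitigation the email suggests.

```python
"""Model of an out-of-band management engine in the NIC receive path.

Added illustration (not the thread's or Intel's code). Assumes the behaviour the
email describes; management ports are Intel AMT's well-known defaults, which the
email itself does not name.
"""
from collections import Counter
from dataclasses import dataclass

# Intel AMT HTTP/HTTPS defaults. Assumption for the model; the email names no port.
MGMT_PORTS = {16992, 16993}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # "S" = SYN (new connection), "F" = FIN (teardown), "" = data/ACK


def flow_key(p):
    """Direction-independent connection identity, so both directions of a
    connection map to the same flow-table entry."""
    return frozenset({(p.src, p.sport), (p.dst, p.dport)})


class EthernetEngine:
    """Classifies each received packet as delivered to the OS stack ('os'),
    taken by the management engine ('me'), or discarded ('dropped').

    mode: 'me'       -- the engine grabs management connections (the email's ME)
          'firewall' -- same stateful matching, but the packets are discarded
          'plain'    -- no out-of-band stack at all (an external NIC)
    """

    def __init__(self, host_ip, mode="me"):
        assert mode in ("me", "firewall", "plain")
        self.host_ip = host_ip
        self.mode = mode
        self.claimed = set()  # flows already taken away from the OS stack

    def rx(self, p):
        if self.mode == "plain":
            return "os"
        verdict = "me" if self.mode == "me" else "dropped"
        key = flow_key(p)
        if key in self.claimed:
            # Every later packet of a claimed connection stays claimed (stateful).
            if "F" in p.flags:
                self.claimed.discard(key)
            return verdict
        if p.dst == self.host_ip and p.dport in MGMT_PORTS and "S" in p.flags:
            # New connection attempt to the management port: grab it here.
            self.claimed.add(key)
            return verdict
        return "os"


def run_trace(engine, trace):
    """Feed packets through the engine. Returns the per-packet verdicts and a
    Counter of new connections (SYNs) the OS stack would actually observe, per
    port -- the view a listener bound in the OS would get."""
    verdicts = []
    os_seen = Counter()
    for p in trace:
        v = engine.rx(p)
        verdicts.append(v)
        if v == "os" and "S" in p.flags:
            os_seen[p.dport] += 1
    return verdicts, os_seen


# Constructed trace: one management connection (open, data, close) and one
# ordinary SSH connection to the same host.
HOST = "192.0.2.10"
PEER = "198.51.100.7"
TRACE = [
    Packet(PEER, 40000, HOST, 16992, "S"),  # connect to the management port
    Packet(PEER, 40000, HOST, 16992),       # data on that connection
    Packet(PEER, 40000, HOST, 16992, "F"),  # teardown of that connection
    Packet(PEER, 40001, HOST, 22, "S"),     # ordinary SSH connection
    Packet(PEER, 40001, HOST, 22),          # data on the SSH connection
]

if __name__ == "__main__":
    for mode in ("me", "firewall", "plain"):
        verdicts, seen = run_trace(EthernetEngine(HOST, mode), TRACE)
        print(f"{mode:8s} verdicts={verdicts} os_saw_syn={dict(seen)}")
```

Running it shows the point of the email: in `me` and `firewall` modes a listener in the OS bound to 16992 never sees a connection (`os_saw_syn` has no entry for it) while the SSH connection is delivered normally; only in `plain` mode, the external-NIC case, does the OS see the management-port SYN. The flow-table entry is released on FIN, which is what "all the packets that are part of the resulting connection" amounts to in a stateful matcher.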