You can clean Intel ME with a USB programmer or RPi + cables, it isn't very hard.
By default it doesn't work over wifi so you don't have to worry about it if you use a laptop in which you never plug an ethernet cable.
Does the ME / PSP have its own address? How is an attacker going to correlate your online identity with it when you use a VPN or Tor? This is a legitimate question, I'm not asking it rhethorically.
You can clean Intel ME with a USB programmer or RPi + cables, it isn't very hard.
That's true, but check a list of supported hardware for me_cleaner (part of coreboot). It is hard to completely remove ME in modern motherboards, because many functions like fan control was moved into ME. Also you could get resets every few minutes or uninitialized onboard hardware like network controller of sound card if you completely clean ME on board that is not suitable.
By default it doesn't work over wifi so you don't have to worry about it if you use a laptop in which you never plug an ethernet cable.
Not shure about laptops with integrated WiFi, those that have WiFi chip soldered on mainboard instead of traditional miniPCI-E card in socket.
Does the ME / PSP have its own address?
It have own MAC/IP independent from what your network card get from OS, sometimes, if AMT is present in BIOS you could change it and make visible. By default it seems to wait for specific packet to appear for networking. Without that packet it will not be visible for external scanners or whatever. ME have direct access to nework controller and ME networking device is not accessible from host, only from outside, so you need 2 computers to play with it.
How is an attacker going to correlate your online identity with it when you use a VPN or Tor?
Intel ME have full access to your computer hardware. So if you have access to Intel ME, then you could just read anything from memory of disk.
However, as far as I understand, to activate (and may be set Intel ME IP address) you need to be in same local network as computer with Intel ME to send activation packet. It is possible that Intel ME networking could be activated by some contents in regular packet destined to your normal IP, since it have access to network controller and could monitor all trafic, but I'm not shure. May be some ME versions could and some couldn't.
I hope efforts of reverse engineereing Intel ME will finally succeed and we will know for shure how it works, at least reverse engineered version. Intel ME uses ARC CPU core, there exist disassemblers and decompilers for that architecture so it is possible to study that crap by yourself.
It is possible that Intel ME networking could be activated by some contents in regular packet destined to your normal IP, since it have access to network controller and could monitor all trafic, but I'm not shure. May be some ME versions could and some couldn't.
Another way they could activate it would be if they controlled your router. If they've compromised computer manufacturers, they've probably compromised router manufacturers, too. So Mossad sends a signal of some sort to your Internet router, which then sends the activation packet to your PC.
since it have access to network controller and could monitor all trafic, but I'm not shure. May be some ME versions could and some couldn't.
If there are any limitations in the ME hardware, they can be gotten around. Since it has access to memory, it can write an arbitrary program into memory, and overwrite OS kernel routines or data structures to prevent that program from being detected, while allowing the OS to schedule it like any other program. Then the program can run on your ordinary CPU.
Another way they could activate it would be if they controlled your router.
Use OpenWRT on your home/office router. Small routers use simple CPUs without ME like things. So replacing firmware will get rid of any backdors manufacturer could install with original firmware.
Since it has access to memory, it can write an arbitrary program into memory, and overwrite OS kernel routines or data structures to prevent that program from being detected, while allowing the OS to schedule it like any other program.
Motherboard chipset manufacturer have to know beforehand exactly what OS you will use on your computer to make it possible. It could work to some extent with Windows/iOS, but impossible with Linux/BSD/Haiku etc, since there are endless variants of possible kernel configurations and versions and each have different addresses and internal structures organisation. You will need something really sophisticated in ME to make it possible.
So to summarise - use opensource from trusted sources anywhere possible to reduce probability of exploiting or using backdoors. Opensource is not a panacea, and need some RTFM and concious setup and adjustment but at least it will make surveillance on you much more complex.
There is a drawback, really. Using opensource make you different from regular sheeple and so more noticeable. There could be another approach used - use typical Windows/iOS in default configuration inside qemu VM running on top of opensource system to look like regular user for internet. Do not store any sensitive data in VM, and have a backup copy of VM disk image with clean installed system in case malicious actors break into your dummy honeypot system. Or you could just use a copy of clean backup image each time you start VM for internet browsing.
To be fair, it isn't confirmed that Intel is compromised, the ME has legitimate uses. It's just sketchy and proprietary. I wouldn't jump to the conclusion that routers are compromised. Although it certainly can't hurt to install Tomato or DD-WRT.
To be fair, it isn't confirmed that Intel is compromised, the ME has legitimate uses.
You are right, but in security aspect of computer tech there are no presumtion of innocence. Thing should be proven not compromised, not vice versa.
Also, that legitimate uses are accounted as an additional attack vector.
Really, the whole idea of AMT (ancestor of ME) was strange since the beginning. OK, you need to manage large fleet of employees laptops, so why not just boot them from corporate network and use network drives? Everything will be perfectly manageable on company server, no potential threat of leaking sensitive data through "lost laptop" or installed by user malware. It will even reduce costs, because that laptops will not need HDDs/SSDs.
Serious servers usually have IPMI controller, but the main difference is that servers don't usually have display and keyboard connected and it is annoying to change something in BIOS or reinstall OS from scratch when you have hundreds of them. So the IPMI goal is quite different than one of ME/PSP.
I wouldn't jump to the conclusion that routers are compromised.
That's proven thing, really. Multiple things. From outdated firmware with vulnerabilities on few years old router with dropped support to well-known "engineereing" or default passwords.
And meanwhile Tomato and DD-WRT is just an outdated versions of OpenWRT with blobs from official firmware for the sake of tiny performance goal on specific hardware. There is no any sense in using them instead of OpenWRT unless you participate in dick measuring contest with a buddy on a maximum possible throughput value.
The fact that ME can be used to implement a back door is so suspect that the legitimate uses seem more like a cover story than the real reason for implementing it. They could have supported those use cases in a way that doesn't break security.
It is hard to completely remove ME in modern motherboards, because many functions like fan control was moved into ME. Also you could get resets every few minutes or uninitialized onboard hardware like network controller of sound card if you completely clean ME on board that is not suitable.
A neutralized ME doesn't have an attack surface anymore. The network stack is disabled, so an attacker would need physical access. If that happens, a neutralized ME isn't how he's going to compromise your system.
Not shure about laptops with integrated WiFi, those that have WiFi chip soldered on mainboard instead of traditional miniPCI-E card in socket.
You can replace the built-in wifi chip with an Atheros one to make sure.
We can't be sure about that until ME code will be reverse engineered fully and replaced with something opensource wih same functionality.
A neutralized Intel ME has 300 kB of code running, which is too small for a network stack. You don't know what's going on with a black box, so you're assuming the worst, but some things are very unlikely.
It's not that easy, since Atheros chip will have another pinout and you can't just desolder old one and solder Atheros instead.
Is it the norm now to solder wifi chips onto the motherboard? There are still laptops where you can replace it.
There are BIOSes with a switch to disable it, but there's no way to check that it's actually disabled. That being said, PSP doesn't seem to be as pervasive as ME in the first place.
You can clean Intel ME with a USB programmer or RPi + cables, it isn't very hard.
By default it doesn't work over wifi so you don't have to worry about it if you use a laptop in which you never plug an ethernet cable.
Does the ME / PSP have its own address? How is an attacker going to correlate your online identity with it when you use a VPN or Tor? This is a legitimate question, I'm not asking it rhethorically.
That's true, but check a list of supported hardware for me_cleaner (part of coreboot). It is hard to completely remove ME in modern motherboards, because many functions like fan control was moved into ME. Also you could get resets every few minutes or uninitialized onboard hardware like network controller of sound card if you completely clean ME on board that is not suitable.
Not shure about laptops with integrated WiFi, those that have WiFi chip soldered on mainboard instead of traditional miniPCI-E card in socket.
It have own MAC/IP independent from what your network card get from OS, sometimes, if AMT is present in BIOS you could change it and make visible. By default it seems to wait for specific packet to appear for networking. Without that packet it will not be visible for external scanners or whatever. ME have direct access to nework controller and ME networking device is not accessible from host, only from outside, so you need 2 computers to play with it.
Intel ME have full access to your computer hardware. So if you have access to Intel ME, then you could just read anything from memory of disk.
However, as far as I understand, to activate (and may be set Intel ME IP address) you need to be in same local network as computer with Intel ME to send activation packet. It is possible that Intel ME networking could be activated by some contents in regular packet destined to your normal IP, since it have access to network controller and could monitor all trafic, but I'm not shure. May be some ME versions could and some couldn't.
I hope efforts of reverse engineereing Intel ME will finally succeed and we will know for shure how it works, at least reverse engineered version. Intel ME uses ARC CPU core, there exist disassemblers and decompilers for that architecture so it is possible to study that crap by yourself.
Another way they could activate it would be if they controlled your router. If they've compromised computer manufacturers, they've probably compromised router manufacturers, too. So Mossad sends a signal of some sort to your Internet router, which then sends the activation packet to your PC.
If there are any limitations in the ME hardware, they can be gotten around. Since it has access to memory, it can write an arbitrary program into memory, and overwrite OS kernel routines or data structures to prevent that program from being detected, while allowing the OS to schedule it like any other program. Then the program can run on your ordinary CPU.
Use OpenWRT on your home/office router. Small routers use simple CPUs without ME like things. So replacing firmware will get rid of any backdors manufacturer could install with original firmware.
Motherboard chipset manufacturer have to know beforehand exactly what OS you will use on your computer to make it possible. It could work to some extent with Windows/iOS, but impossible with Linux/BSD/Haiku etc, since there are endless variants of possible kernel configurations and versions and each have different addresses and internal structures organisation. You will need something really sophisticated in ME to make it possible.
So to summarise - use opensource from trusted sources anywhere possible to reduce probability of exploiting or using backdoors. Opensource is not a panacea, and need some RTFM and concious setup and adjustment but at least it will make surveillance on you much more complex.
There is a drawback, really. Using opensource make you different from regular sheeple and so more noticeable. There could be another approach used - use typical Windows/iOS in default configuration inside qemu VM running on top of opensource system to look like regular user for internet. Do not store any sensitive data in VM, and have a backup copy of VM disk image with clean installed system in case malicious actors break into your dummy honeypot system. Or you could just use a copy of clean backup image each time you start VM for internet browsing.
To be fair, it isn't confirmed that Intel is compromised, the ME has legitimate uses. It's just sketchy and proprietary. I wouldn't jump to the conclusion that routers are compromised. Although it certainly can't hurt to install Tomato or DD-WRT.
You are right, but in security aspect of computer tech there are no presumtion of innocence. Thing should be proven not compromised, not vice versa.
Also, that legitimate uses are accounted as an additional attack vector.
Really, the whole idea of AMT (ancestor of ME) was strange since the beginning. OK, you need to manage large fleet of employees laptops, so why not just boot them from corporate network and use network drives? Everything will be perfectly manageable on company server, no potential threat of leaking sensitive data through "lost laptop" or installed by user malware. It will even reduce costs, because that laptops will not need HDDs/SSDs.
Serious servers usually have IPMI controller, but the main difference is that servers don't usually have display and keyboard connected and it is annoying to change something in BIOS or reinstall OS from scratch when you have hundreds of them. So the IPMI goal is quite different than one of ME/PSP.
That's proven thing, really. Multiple things. From outdated firmware with vulnerabilities on few years old router with dropped support to well-known "engineereing" or default passwords.
And meanwhile Tomato and DD-WRT is just an outdated versions of OpenWRT with blobs from official firmware for the sake of tiny performance goal on specific hardware. There is no any sense in using them instead of OpenWRT unless you participate in dick measuring contest with a buddy on a maximum possible throughput value.
The fact that ME can be used to implement a back door is so suspect that the legitimate uses seem more like a cover story than the real reason for implementing it. They could have supported those use cases in a way that doesn't break security.
A neutralized ME doesn't have an attack surface anymore. The network stack is disabled, so an attacker would need physical access. If that happens, a neutralized ME isn't how he's going to compromise your system.
You can replace the built-in wifi chip with an Atheros one to make sure.
Also it's spelt 'sure', not 'shure'.
We can't be sure about that until ME code will be reverse engineered fully and replaced with something opensource wih same functionality.
While you use proprietary blob of any kind, you are potentially vulnerable.
It's not that easy, since Atheros chip will have another pinout and you can't just desolder old one and solder Atheros instead.
Thanks. Looks like I fell under brand name imprinting. :)
A neutralized Intel ME has 300 kB of code running, which is too small for a network stack. You don't know what's going on with a black box, so you're assuming the worst, but some things are very unlikely.
Is it the norm now to solder wifi chips onto the motherboard? There are still laptops where you can replace it.
There are BIOSes with a switch to disable it, but there's no way to check that it's actually disabled. That being said, PSP doesn't seem to be as pervasive as ME in the first place.
#2 u mean airgapped?
No, I don't mean that.