Let's get to the bottom of this - how can I control my home Qubes computer using Intel ME?

Let’s get to the bottom of this - how can I control my own computer using Intel ME?

There have been threads here about how dangerous/evil Intel ME is (I have done it many times to the point of extreme paranoia and rage).

But then I started thinking.

  • My home desktop computer, running Qubes, is connected to my router at home with an Ethernet cable through which it gets internet connection. The usual home internet setup.
  • I’m at a hotel in Hungary and connect to the internet with my laptop.
  • I know my home computer is turned on, back in Arizona. I have no idea if my ISP gave me a fixed IP address and I have no idea what local DHCP IP address my home computer has.
  • So now what?
  • How do I control this Arizona home computer from Hungary using this great feature of my home computer’s CPU known as the Intel ME?

The point of these questions is, if even I can’t access it, why would Intel/NSA be able to?

ME is not enough, you need a vPro system with AMT.

If you have a vPro CPU you can use ctrl+p on the boot screen, that will take you to the AMT menu where you can configure the device.

MeshCommander is an open source project for controlling AMT devices.

1 Like

IME and AMT are tools that allow administrators to remotely access and
control computers, using management software. Unlike programs like VNC
or TeamViewer, these tools allow remote control even if the box is shut
down, and provide access at BIOS level.

You can use MeshCommander or OpenAMT, which are open source tools or
any commercial management tool.
You will need to provision the router to pass through traffic to the
desktop.
You will need to enable and configure AMT on the box.
You will need to resolve the IP issue - you don’t need a static
address, as you can use Dynamic DNS to be able to use a static name
even if the IP address changes.
You can set static DHCP on the router to help with the forward routing.
This is all straightforward.

These tools are invaluable for enterprise or SME operations.
The worry is that they are closed - people fear what bugs may be
exploitable, and what back doors may be built in.
If you can do this, then an attacker can do the same.

I never presume to speak for the Qubes team. When I comment in the Forum or in the mailing lists I speak for myself.
2 Likes

Thank you for the reply. So some configuration on the “target” machine (the desktop computer in this case) really is required.

But most desktop users moaning about the ME over the years (including myself)

  • Never provisioned any router to pass through traffic to their computer.
  • Never enabled or configured AMT on their boxes.

Even if there is a backdoor there, were these people really safe from this backdoor all along?
Were they whining for no good reason?

In this case, I feel so DUMB right now. I’ve been depriving myself of a fast CPU and using only old/slow “ME disabled” CPUs. You’d think companies that peddle this would care to mention that the attack vector / threat model everybody is moaning about doesn’t apply to 99% of users to begin with?

I don’t think there is any real evidence of an ME/AMT backdoor, and AMT is not designed to be used covertly. If anyone takes control of the system you can easily see it’s happening, the screen gets a flashing border. Your computer also gets a second network interface, this is not hidden from the user.

The issue with ME has always been that you are forced to use it, and it’s closed source. On top of this, multiple software vulnerabilities have been found in AMT, including remote code execution.

You know your threat model and if you are okay with using a device with ME. I am personally fine with using a system where ME is HAP disabled, and I try to avoid systems that have AMT. It limits what hardware you can use, but not to the point where you can’t use a current generation PC.

3 Likes

Thanks for this info. In my house I have vPro devices and now I finally have an idea of how to use them for remote control.

In the case of the NSA, they have potential access to all your network traffic. They can probably hack your router. Or the OS directly without ME/AMT. Having low level access just makes it easier to hide.
I’d care more about BIOS/OS security in general. ME would be lower on the list.

Ah of course.

  • They could simply strongarm my ISP to give them the public IP of my home router in Arizona.
  • They could use the Intel ME (or other CPU equivalents) on the router to get access to my home computer.
  • And same for my home computer.

So maybe I wasn’t so wrong after all. Maybe my paranoia was well-founded!

So doesn’t the secret to success (ability to use latest/fastest high-end Intel CPU on home computer) now boil down to: Putting it behind a ROUTER with the ME neutralized? Anyone know of such routers?

Since routers don’t need as much CPU power, it shouldn’t be a big deal to have them with an older fully ME neutered CPU - or even without any ME to begin with!

https://ryf.fsf.org/categories/routers

However, strictly (paranoidly) speaking, this may not be sufficient. Imagine that someone has the source for the Intel ME and knows how to use its (unproven) backdoor. Intel ME is always working at Ring -2 and has access to all RAM, CPU. In theory, it could constantly check the RAM for a special signal to start doing something. However, neutralized Intel ME is unlikely to be able to do it in my opinion, see this:
https://forum.qubes-os.org/t/intel-me-real-threat-for-ordinary-persons/7693/9

2 Likes

My current router came from my ISP and it’s modem + router all in one. Would I have to ask my ISP for a modem-only device and then get a ME-neutralized/no-ME router to connect to that modem? Or should it be possible to use my modem+router as a modem-only?

That link is not working for me.

Indeed, sorry about it. This is a link to a closed part of the forum, which will be available to you after you become a Member.

Quote:

Back in the day we tested a release version of a router from a well
known manufacturer that had the GUI interface enabled on the external
NIC, and carried a well known default password.
The condition upon which God hath given liberty to man is eternal
vigilance.

2 Likes

36C3 - Intel Management Engine deep dive

That presentation gives a good idea of how far reverse engineering ME has come, and that was 3 years ago.

ME isn’t a black box that no one understands, it’s pretty well understood. I think it would be very difficult to hide a backdoor at this point.

This is quite convincing except only one single point that I can’t understand: Why doesn’t Intel allow me to disable Intel ME in “my” computer? Also, every new CPU has an updated ME, more locked down, with more code. Would you rely on reverse engineering every time to be sure?

4 Likes

I personally don’t worry too much about it, I knew what I was buying when I bought a CPU that wasn’t open hardware. They could open source ME and build their super secret backdoor directly into the fabric, what would you then do?

All I’m saying is that smart people have dissected ME, they know how it works, and they didn’t find a smoking gun.

Is it possible to set up an old PC, with an old CPU with no ME, as an intermediary between my ISP modem/router and my fast home PC (which has ME)?

This way, NSA could get into the ISP modem/router, but they couldn’t get any further because the intermediary doesn’t have any ME.

How to do this? I want to connect the home PC with an Ethernet cable BTW, not WiFi.

Are such network setups even possible? What keywords am I looking for? That intermediate computer would be sort of a “hub”, so to speak.

I am no expert on any of this, so please correct me if my assumptions are wrong.

  1. there is a separate CPU that has access to all hardware and is transparent to the main CPU
  2. it can run even when I think that my computer is “off”
  3. the code running on that separate CPU is closed
  4. I as a user cannot even verify easily if it’s currently running the officially released version
  5. like all software it could have (unknown to most including its authors) vulnerabilities

Hence:

  1. if a threat actor has knowledge of a zero-day and
    2a) can trick me into executing malicious code in dom0 or
    2b) can gain physical access to my computer or
    2c) had physical access to my computer BEFORE I received it

… they now have network connected KVM without me having any way of knowing. No amount of locking down the router will help, since it’s an outgoing connection that could disguise itself as whatever (e.g. HTTPS).

HOWEVER…

Is this a realistic threat to me? No. I’m just a security enthusiast with no access to anything worth exposing such a zero-day. But as a matter of principle I simply don’t like the idea of this separate CPU running who knows what and my computing doesn’t suffer from being restrained to a 10 year old CPU with 16 GB RAM. But that’s only true because I gave up on Windows on Qubes and run it on a separate computer that I VNC into. That one has a modern CPU, 32 GB of RAM and ME enabled. It’s where all my corporate stuff lives and IT installs all kinds of “end points” and whatever on it. If there is one leaky device it’s that one. :wink:

Is it worth obsessing about? Again, for me no. I have all kinds of phones and tablets lying around and so does my wife. If I had real security concerns neutering all built-in microphones and cameras would be the first order of the day before worrying about ME in my laptop.

… SO WHAT?

You have to make your own assessment of your threats. Who do you want to protect from? What are their capabilities? Are you kidding yourself? Are you obsessing about your Qubes OS computer while in the same room / apartment you have all kinds of internet connected devices anyone could hack into by doing a Google search? Whoever your opponent is, they will FOR SURE use the EASIEST and LEAST EXPENSIVE method of compromise. You’re having an Android phone in your pocket? … Alexa on your desk? … don’t sweat the ME. You got other fish to fry :wink:

3 Likes

“NSA has the manpower, they can get in regardless” ← is what I was going to say, but if you look at Snowden and Julian Assange, they were using computers to leak government info and were actively pursued by the government. It’s all about your personal threat model. For me, I just don’t want code that hasn’t been audited by any normal person to be running on most of my hardware.

Example setup looks like this:

ISP (hostile network) → Modem in bridge only mode (closed source code) → LibreCMC router (free software) → Libreboot computer (free software BIOS)

1 Like

Why is executing something in dom0 necessary? If Intel ME has full access to CPU and RAM, then any JavaScript code could be sufficient, couldn’t it be?

:slight_smile:

Sure, if the attacker has:

  1. a Chrome/Firefox zero-day to break out of the browser
  2. a Qubes OS / XEN zero-day to break out of the qube and
  3. a ME zero-day to take over the ME

Again, I am not an expert but I assume in order to attack and command the ME one would need to be in dom0. Granted I am just guessing.

I talked about the scenario where the ME as it is might be proprietary and closed source but not malicious per se. An attacker with knowledge of an ME zero-day could take it over and make it malicious.