How to Hack a Turned-Off Computer, or Running Unsigned Code in Intel Management Engine

Presented at Black Hat Europe 2017, Dec. 6, 2017, 3:30 p.m. (60 minutes).

Intel Management Engine is a proprietary technology that consists of a microcontroller integrated into the Platform Controller Hub (PCH) microchip with a set of built-in peripherals. The PCH carries almost all communication between the processor and external devices; therefore Intel ME has access to almost all data on the computer, and the ability to execute third-party code allows compromising the platform completely. Researchers have been long interested in such "God mode" capabilities, but recently we have seen a surge of interest in Intel ME. One of the reasons is the transition of this subsystem to a new hardware (x86) and software (modified MINIX as an operating system) architecture. The x86 platform allows researchers to bring to bear all the power of binary code analysis tools.

Unfortunately, this changing did not go without errors. In a subsystem change that will be detailed in the talk of Intel ME version 11+, a vulnerability was found. It allows an attacker of the machine to run unsigned code in PCH on any motherboard via Skylake+. The main system can remain functional, so the user may not even suspect that his or her computer now has malware resistant to reinstalling of the OS and updating BIOS. Running your own code on ME gives unlimited possibilities for researchers, because it allows exploring the system in dynamics.

In our presentation, we will tell how we detected and exploited the vulnerability, and bypassed built-in protection mechanisms.


Presenters:

  • Mark Ermolov - Security researcher, Positive Technologies
    Mark Ermolov is a system programmer that is interested in security aspects of hardware, firmware, and low-level system software (bare-metal hypervisors, OSes cores, device drivers). He has had talks at Russian security conferences PHDaysIV and ZeroNigths and at 33c3 and HITB2017AMS. One of his previous researches was about internal structure of Microsoft PathGuard and ways to compromise it. Now, he is researching various hardware components of Intel platforms: PCH, IOSF, iGPU, and corresponding firmware.
  • Maxim Goryachy - Security researcher, Positive Technologies
    Maxim Goryachy is a system and embedded programmer and security researcher at Positive Technologies. He is interested in cryptography, virtualization technologies, reverse engineering, and hardware. He has given talks at conferences including PHDays, 33C3, and HITB2017AMS.

Links:

Similar Presentations: