Hardware backdoors

Jhorj Privacy on english
NSA headquarters, Fort Meade, Maryland.

Author's channel link - https://t.me/+6YlYqZz7gMYyOTY6


The First Part of the Series of Articles "Hardware Backdoors" – Intel ME


Article content:

  1. Introduction to hardware backdoors.
  2. Explanation of what “Intel ME” is. Closed source code, broad privileges, its own MAC and IP addresses, bypassing firewalls, and much more.
  3. Threats that “Intel ME” can pose. What “Intel ME” is potentially capable of – from accessing the web camera and microphone to remotely turning the computer on and off and "enhanced" remote access to the computer.
  4. Why “Intel ME” is dangerous even if you’re not a target to intelligence agencies. Vulnerabilities found in “Intel ME” and threats from hacker groups, including from “Conti”.
  5. “Intel ME” can bypass almost any firewall. Potentially, “Intel ME” is dangerous even when there is no internet connection.
  6. Disabling “Intel ME”. Various methods to significantly interfere with an attacker from “Intel ME”.
  7. Why fully protecting against “Intel ME” or completely disabling it is almost impossible. Even the “Coreboot/Libreboot with the HAP bit” method does not fully disable “Intel ME”.
  8. Protection methods (Spoiler – fully protecting against “Intel ME” is almost impossible), and a suggestion of an alternative solution to the “Intel ME” problem.
  9. “Intel ME” is only one of the potentially numerous hardware backdoors, and even if you solve the “Intel ME” issue, there will likely still be many other backdoors on your computer.
  10. Evidence of intelligence agencies' involvement with “Intel ME”, in fact, “Intel ME” closely resembles a backdoor, and likely is one.
  11. Why “Intel ME” is perhaps one of the most effective potential backdoors for intelligence agencies.


It’s likely that one of the biggest “holes” in security, privacy and anonymity is hardware backdoors.

These are intentional "holes" left by developers, intelligence agencies, etc., in the hardware.

Such “holes” can provide access to the device memory, the web camera, microphone, remote access, and some of them can bypass the system firewall. And this is far from the full functionality of such backdoors.

These backdoors are nearly impossible or extremely difficult to remove from the computer, as they are embedded at the hardware level by the hardware manufacturer.

Countries’ governments organize the production of their own processors to ensure security.

Russia, for example, creates “Elbrus” and some other processors.

China is also skeptical about the security of “Intel ME” – it seems that Chinese developers are convinced that “Intel ME” is a backdoor from the NSA. Here’s a link: https://mp.weixin.qq.com/s/rgRmOfoPr7x1TZhyb-1ifg

By the way, China has also made some progress in creating its own processors.


Such potential backdoors exist in almost all mass-market devices:

Intel processors
AMD processors and graphics cards
Processors with TEE technologies, i.e., almost all ARM-based processors, such as those from Qualcomm, Apple, Google (Pixel), Huawei, and Samsung.
Additionally, there are a huge number of other potential hardware backdoors, including ones installed not within the processor but, for example, on Wi-Fi cards, in the BIOS, or even in hardware verification chips used in factories that could later be used as backdoors (Intel VISA).

Such backdoors are nearly impossible to cut out or limit from within the system. Even if you have a super-secure, fully open-source (FOSS) Linux/BSD distribution without systemd and with a Linux-libre kernel, tunnel traffic through Lokinet, and run a strictly configured system firewall, all of this protection can be bypassed without any problem. What is more, this type of protection is not much harder to bypass than the user-level protection of Windows.


I’m being absolutely serious; read the article further, and you will see that I am right.


A hardware backdoor differs from a typical "software" backdoor because the former is integrated at the "hardware" level. As a result, even if you reinstall the system on the computer, this type of backdoor cannot be removed.


Today, we are analyzing, perhaps, one of the most famous potential backdoors – Intel Management Engine (Intel ME).

Intel “presents” this hardware platform as a convenient feature for administering a large number of computers.

But in fact, it is a computer inside your computer, consisting of a separate hardware board embedded in the Intel processor.

“Intel ME” has higher privileges than the operating system kernel, meaning the OS rules and issues are not relevant to “Intel ME”.

Moreover, “Intel ME’s” source code is closed, and its firmware is obfuscated using Huffman coding with the decoding table stored in hardware, so the firmware image itself does not contain the information needed to decode it. This means that “Intel ME's” source code is nearly impossible to obtain, even with reverse engineering.


“Intel ME” has its own IP address and MAC address, which makes it easier for “Intel ME” to bypass the system firewall in order to send and receive internet traffic.

Furthermore, all internet traffic received by the computer goes through “Intel ME” before the system itself receives it. This can be used for various attacks, like intercepting traffic, inserting something additional into the traffic (from viruses to additional identifiers sent to an internet resource), etc.

  • “Intel ME” is able to access the device's memory without the OS being aware of that.

  • “Intel ME” can access devices connected to the computer, whether it’s a mouse, web camera, or even files on a smartphone (if the smartphone gives permission).

  • “Intel ME” is able to use the microphone, web camera, and GPS module on the computer.

  • “Intel ME” can secretly save the passwords, messages, and basically everything that a person does on the computer.

  • “Intel ME” can provide remote access to the computer.

  • “Intel ME” can replace the system image during boot. (The replaced image can contain various changes that you might not even notice).

  • “Intel ME” can "insert" a virtual USB drive into the computer, this USB drive may contain viruses, a fake system image, and much more.

  • Additionally, “Intel ME” can initiate turning the computer on and off. On many motherboards (if not all), “Intel ME” still has power when the computer is off. In other words, the attacker can control that computer even when it’s turned off. So, even a turned-off computer is not safe.


“Intel ME” provides remote access, access to all components of the computer, access to connected devices via USB and many other methods, as well as the ability to turn the computer on and off remotely.


In fact, it is almost like having physical access to a computer with all the necessary passwords, but the attacker does not need to be near the computer or even have it turned on (they can remotely turn it on themselves).


Why does this happen?

As I mentioned earlier, “Intel ME” is a separate board with very high privileges in the computer—higher than those of the operating system's kernel. This means the OS simply cannot control this component—it runs at a higher privilege level (privilege level -3, i.e. ring -3) and surpasses the OS in authority. Therefore, it has access to the device's memory, can bypass the system firewall, etc.


Extremely dangerous vulnerabilities have been found in “Intel ME”.

Some of these vulnerabilities even allowed remote access to the device. Even if Intel did not deliberately include backdoors in “Intel ME” (which I highly doubt—Intel would hardly ignore such an opportunity, nor would they likely be allowed to by, for instance, the NSA: this would allow control over millions of devices, including those holding classified information on servers of the United States' adversaries; further evidence linking intelligence agencies to “Intel ME” will be provided later in this article), “Intel ME” has had, and almost certainly still has, vulnerabilities. This means it still poses a significant threat, considering the level of privileges this component has over the computer.


Do you think it’s normal that there is a component in your device with more access than the OS, which can bypass the system firewall, access the computer's memory, and so on, and that is extremely difficult to get rid of?


Vulnerabilities are almost everywhere, and “Intel ME” is not an exception. Even if it is not a backdoor, it is undoubtedly a highly dangerous and unacceptable component for personal security. Additionally, it is important to understand that backdoors (intentional vulnerabilities introduced by developers, intelligence agencies, etc.) can be disguised as ordinary vulnerabilities that were "accidentally" introduced.


The threat of exploitation and misuse of “Intel ME” capabilities comes not only from intelligence agencies but also from hackers:

The famous hacker group “Conti” showed interest in breaking into “Intel ME” (here’s evidence: ...). According to the group’s chats analyzed after their arrest, they aimed to find a way to hack “Intel ME” to create a new, highly effective attack vector (and indeed, exploiting “Intel ME” is of interest for virtually any purpose—it offers the same functionality as full-fledged remote access and more, making such attacks almost undetectable. This "enhanced" remote access would apply to the vast majority of Intel-based computers).


Moreover, “Intel ME”, specifically its AMT SOL component present in many Intel processors, has already been exploited by hackers likely sponsored by a state. The group's codename is “PLATINUM”, a name given to them by Microsoft’s security team, which first discovered their attacks in 2009.

AMT SOL is disabled by default, but Microsoft Security could not confirm whether the targeted computers already had AMT SOL enabled or the attackers "forced" its activation on previously compromised computers and then exploited the vulnerable AMT SOL in “Intel ME”.

Here is a link: https://www.bleepingcomputer.com/news/security/malware-uses-obscure-intel-cpu-feature-to-steal-data-and-avoid-firewalls/


And here are examples of previously discovered vulnerabilities in “Intel ME”:

https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=intel+management+engine
https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=Intel+ME
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00086.html
https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00075.html


This information on vulnerabilities and hacker groups is especially for those who believe that intelligence agencies are neither their enemy nor their threat and therefore think they don’t need to defend themselves from “Intel ME”. These are arguments showing that “Intel ME” is fundamentally an unsafe component. If a person wants a computer with a high degree of security, privacy, anonymity, and counter-forensics, even if intelligence agencies are not part of their threat model, “Intel ME” is still a very dangerous component—it can be hacked, it has very high privileges, and suspicious or dangerous activity from “Intel ME” is almost impossible to detect or even limit.



“Intel ME” is an extremely insecure part of the computer. Now, let’s examine whether it’s possible to disable “Intel ME” on the computer or not, and how to do that.


Before that, let’s discuss why system firewalls (and not just system firewalls) are not enough to fight against “Intel ME” (many people believe that setting up a well-configured firewall solves the “Intel ME” problem).

“Intel ME” has greater privileges than the OS and sits below it. A system firewall simply may not see connections from “Intel ME”. Additionally, “Intel ME” has its own MAC and IP addresses. Essentially, it’s a separate computer inside the actual computer that bypasses its system firewall.


Setting up a firewall on the router is possible, but there are three immediate issues:

  1. If a person does not have access to the VPN server, the traffic reaching the router is already encrypted, so they cannot distinguish individual connections.

  2. Data transmission to nearby devices. “Intel ME” might transmit information through nearby devices (e.g., smartphone, neighbors’ devices, or any devices near your computer) using methods like Bluetooth, Wi-Fi, cross-device tracking, and other methods of offline data transmission (i.e., the router firewall isn’t even touched). “Intel ME” has access to almost all components of the computer.

  3. Additional packets from “Intel ME” in the internet traffic. It’s possible that “Intel ME” can embed its packets into the internet traffic, transmitting extra data to the resource the computer connects to, which could include much information, such as photos from the camera and all the device’s identifiers. Configuring a firewall to block such traffic embedding is extremely difficult.


What if you set up your own VPN and install a firewall on the server, and then configure the VPN on the OS?

It’s even worse — “Intel ME” can still freely access the network. Remember, “Intel ME” has its own MAC and IP addresses and high privileges. Traffic from “Intel ME” simply won’t go through the VPN but directly where it needs to. Even if you configure the OS to route all traffic through the VPN, most likely, only system traffic will go through, while “Intel ME’s” traffic will remain undetected.


What if you set up a router, install your own VPN on it, and configure the firewall on the VPN server?

This is somewhat better—now all internet traffic goes through the router and VPN, and the firewall can block everything except allowed connections.

But the following issues remain:

  1. Data transmission to nearby devices (explained above).

  2. Additional packets from “Intel ME” in the internet traffic.

  3. Attacks on “Intel ME”. Even if someone manages to restrict all connections from “Intel ME”, including embedded packets, “Intel ME” remains in their computer and is vulnerable to attacks. If compromised, their security, anonymity, and privacy will be at significant risk.
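To make the router-side firewall argument concrete from the defender's side, here is an added example (not from the article): a small Python heuristic that inspects constructed router flow records for a workstation whose OS is supposed to send everything through a VPN, and flags traffic that uses a MAC or IP the OS does not own, leaves the host outside the VPN tunnel, or involves the Intel AMT management ports. The switch-port inventory, the flow-record format and the log lines are all constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# TCP/UDP ports used by Intel AMT, the management component inside Intel ME:
# 16992/16993 (web UI / WS-Management, plain and TLS), 16994/16995 (redirection,
# i.e. SOL and IDE-R, the feature abused in the PLATINUM case), 623/664 (ASF/RMCP).
AMT_PORTS = {623, 664, 16992, 16993, 16994, 16995}

LINE_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Flow:
    port: str       # switch port the frame arrived on
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one constructed key=value flow record exported by the router."""
    kv = dict(LINE_RE.findall(line))
    return Flow(kv["port"], kv["src_mac"].lower(), kv["src_ip"], int(kv["src_port"]),
                kv["dst_ip"], int(kv["dst_port"]), kv["proto"].lower())


def classify(flow: Flow, expected: Dict[str, Dict[str, str]]) -> List[str]:
    """Return the reasons a flow is suspicious; [] means it matches the OS's own identity and tunnel."""
    host = expected.get(flow.port)
    if host is None:
        return ["unknown-port"]
    reasons = []
    # Note: the ME may also share the NIC's MAC, so never rely on the MAC check alone.
    if flow.src_mac != host["mac"]:
        reasons.append("unexpected-mac")
    if flow.src_ip != host["ip"]:
        reasons.append("unexpected-ip")
    if flow.src_port in AMT_PORTS or flow.dst_port in AMT_PORTS:
        reasons.append("amt-port")
    # The OS is configured to send everything to the VPN endpoint; any other
    # destination left the host outside the tunnel, which is exactly what the
    # article says ME traffic would do.
    in_tunnel = (flow.dst_ip == host["vpn_ip"]
                 and flow.dst_port == int(host["vpn_port"]) and flow.proto == "udp")
    if not in_tunnel:
        reasons.append("outside-vpn-tunnel")
    return reasons


def scan(lines: Iterable[str], expected: Dict[str, Dict[str, str]]) -> List[Tuple[Flow, List[str]]]:
    """Run classify() over a log and keep only the flows that were flagged."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        reasons = classify(flow, expected)
        if reasons:
            findings.append((flow, reasons))
    return findings


# Constructed inventory: one workstation on switch port gi1/0/7 whose OS uses
# 10.0.0.5 / aa:bb:cc:00:00:01 and tunnels everything to a UDP VPN endpoint.
EXPECTED = {"gi1/0/7": {"mac": "aa:bb:cc:00:00:01", "ip": "10.0.0.5",
                        "vpn_ip": "203.0.113.10", "vpn_port": "51820"}}

# Constructed flow records, not real captures.
SAMPLE_LOG = """
port=gi1/0/7 src_mac=AA:BB:CC:00:00:01 src_ip=10.0.0.5 src_port=40000 dst_ip=203.0.113.10 dst_port=51820 proto=udp
port=gi1/0/7 src_mac=AA:BB:CC:00:00:01 src_ip=10.0.0.5 src_port=40001 dst_ip=203.0.113.10 dst_port=51820 proto=udp
port=gi1/0/7 src_mac=AA:BB:CC:00:00:01 src_ip=10.0.0.6 src_port=40002 dst_ip=198.51.100.20 dst_port=443 proto=tcp
port=gi1/0/7 src_mac=AA:BB:CC:00:00:02 src_ip=10.0.0.6 src_port=16993 dst_ip=198.51.100.20 dst_port=50123 proto=tcp
port=gi1/0/9 src_mac=AA:BB:CC:00:00:03 src_ip=10.0.0.7 src_port=40003 dst_ip=203.0.113.10 dst_port=51820 proto=udp
"""

if __name__ == "__main__":
    for flow, reasons in scan(SAMPLE_LOG.splitlines(), EXPECTED):
        print(f"{flow.port} {flow.src_mac} {flow.src_ip}:{flow.src_port} -> "
              f"{flow.dst_ip}:{flow.dst_port} {','.join(reasons)}")
```

The third record shows the case the article warns about: a second IP behind the host's own MAC, talking past the tunnel, which a firewall on the OS would never have seen.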


In less likely but still possible scenarios, “Intel ME” may carry malware to infect the device or the VPN server and bypass firewall restrictions.


So to secure your computer properly, you must disable “Intel ME”.



How can “Intel ME” be disabled?

The most reliable method is flashing the BIOS to Coreboot/Libreboot (and others) and blocking “Intel ME” during boot.

Spoiler: None of these methods completely disables “Intel ME”; they leave some possibilities for attack, as discussed further below.

There are two main methods to block “Intel ME”: MEI/HECI and the HAP bit. The latter became known thanks to “Intel ME” research, which revealed that the NSA had requested a special switch to disable “Intel ME” under its program. This switch is now more widely known and can be used outside the NSA. Read more on this in the evidence that “Intel ME” is a backdoor, later in this article.

The HAP bit method is considered more secure and reliable, as it halts ME firmware execution earlier than MEI/HECI.

However, these methods of disabling “Intel ME” do not work on all computers:

  1. Disabling “Intel ME” on Intel 10+ generation processors using any method is almost impossible.

  2. Flashing Coreboot/Libreboot is available only on a limited number of computers, typically over 8 years old. The list of supported devices can be found here: https://doc.coreboot.org/releases/boards_supported_on_branches.html.

Additional material on Coreboot and beyond: https://en.wikipedia.org/wiki/Intel_Active_Management_Technology#Applications. This includes information on configuring and enhancing Coreboot’s security against many other potential vulnerabilities.

How can one protect against the potential threat posed by “Intel ME”, and is it even possible?

Below are the methods that provide arguably the best available protection against “Intel ME” on Intel processors from 2008 onwards.

Spoiler: Keep in mind that the methods below DO NOT FULLY solve the “Intel ME” problem; they simply create additional difficulties for attackers. This protection CAN be bypassed.

1. Disabling it using Coreboot/Libreboot, preferably through the HAP bit.
2. Setting up a firewall on your VPN server with a "block everything except specific sites" system and configuring the VPN on the router/modem (to route all traffic through the VPN with the firewall). Why this can still be bypassed is explained above.
3. Removing the web camera, GPS (to prevent “ME” from sending your photo or geolocation), microphone (to prevent cross-device tracking, identification, and snooping on your surroundings), and ideally the speakers (to prevent cross-device tracking), as well as Bluetooth, Wi-Fi, and other components that can transmit information. This ensures your device does not transmit information through nearby devices, such as your or your neighbor’s smartphone.


There are other methods of transferring information that should also be considered. In general, methods of information transfer in the absence of the internet, Bluetooth, etc., can be referred to as “Airgap”. There are many Airgap methods, such as transferring information via physical media or printed paper. This information can also be hidden and encrypted. Cross-device tracking, or the transmission of information through sound, is another example of an Airgap method. There are additional Airgap information transfer methods.

Even if a person has done everything listed above, it is still not a complete shutdown of “Intel ME”. It is more a collection of "workarounds", because some components of “Intel ME” will still remain active (even if they "disable" “Intel ME” using the HAP-bit method).

This is explained by the fact that the vulnerabilities listed below are present in the “Intel ME” module that loads at an early stage and is necessary for the Intel processor to function. This module is not limited by the MEI/HECI or HAP-bit methods (and almost certainly not by Coreboot/Libreboot or their analogs).

Here are examples of vulnerabilities that work even with "disabled" “Intel ME” via MEI/HECI or HAP-bit methods:

CVE-2017-5705: Multiple buffer overflows in the kernel of Intel Manageability Engine Firmware 11.0/11.5/11.6/11.7/11.10/11.20 allows an attacker with local access to execute arbitrary code.
CVE-2017-5706: Multiple buffer overflows in the kernel of Intel Server Platform Services Firmware 4.0 allows an attacker with local access to execute arbitrary code.
CVE-2017-5707: Multiple buffer overflows in the kernel of Intel Trusted Execution Engine Firmware 3.0 allows an attacker with local access to execute arbitrary code.


These vulnerabilities can be exploited EVEN IF YOU DISABLED “INTEL ME” using the HAP-bit or MEI/HECI methods.

You might argue that these vulnerabilities have already been patched, so there is nothing to fear, but there are two immediate problems:

1. With physical or remote access to a computer, the “Intel ME” firmware can be replaced with a vulnerable version, and the vulnerabilities can then be exploited (link provided).
2. THE MAIN ISSUE: If vulnerabilities in “Intel ME” can still be exploited even when it is "disabled," such "disabling" is insufficient for security. These specific vulnerabilities may seem harmless to you since they likely require physical access to the computer. However, if “Intel ME” cannot be completely disabled (likely even using Coreboot/Libreboot), this represents an attack surface that may have been intentionally left open, and it is highly likely that there are other vulnerabilities on this surface, possibly even remote ones. I do not recommend trusting this surface to be secure (especially since vulnerabilities have already been found on it) if you want a computer with a high level of anonymity, privacy, and security in the network and counter-forensics.


Regarding vulnerabilities, it’s important to understand that intelligence agencies and Intel have full access to the “Intel ME” source code. Even if “Intel ME” was not initially designed as a backdoor, they can find vulnerabilities in the source code and exploit them. It is much easier for them to find vulnerabilities because they have access to the source code of Intel ME. Additionally, they can simply add a vulnerability in a subsequent update of the hardware's firmware (and such updates are delivered even to many Linux distributions). If you want a computer with a high level of security, you should avoid Intel ME. This means avoiding it entirely, not just "disabling" it using Coreboot/Libreboot or similar methods.

Summary of protecting your computer from the Intel ME threat:

Disabling Intel ME using Coreboot/Libreboot or analogs is insufficient. Adding a firewall to your VPN server or a VPN to your router is also insufficient for security. Combining these methods is not enough to ensure safety.


The only solution we have found to this problem is either avoiding Intel processors altogether or switching to open-source alternatives (we will discuss such hardware at the end of a series of articles on hardware backdoors). Alternatively, use of Intel processors from before 2008 may help (but it is worth understanding that such processors have a large number of unpatched vulnerabilities and extremely poor performance. Most likely, you will not even be able to run a single virtual machine on them, which is a crucial component for building anonymity, privacy, and network security).

Even if you somehow get rid of Intel ME, there are many other potential hardware backdoors beyond Intel ME. Therefore, you should not immediately assume that a computer without Intel ME is secure. For example, Intel VISA, closed-source drivers, blobs in Coreboot/Libreboot, and many other potential backdoors exist not only in Intel hardware.

So, even if you somehow manage to COMPLETELY disable Intel ME (though currently, such methods are likely nonexistent), there will probably still be a threat from many other potential hardware backdoors.


Evidence of intelligence agencies' involvement with Intel ME:

Currently, there is not much direct evidence of intelligence agencies' involvement with Intel ME. For obvious reasons, intelligence agencies do not want such information to spread and actively suppress it.

You might say, "Just install a firewall on the router, intercept ME traffic, install your root encryption certificate, and then analyze all Intel ME traffic to prove it’s not a backdoor."

However, I remind you that Intel ME is essentially a computer within your computer. It even has its own IP address and MAC address, meaning replacing the root encryption certificate in it is nearly impossible. Thus, understanding what exactly Intel ME sends and receives is almost impossible.

Nevertheless, we have some evidence suggesting that Intel ME is a backdoor:

  1. The NSA has its own internal switch to disable Intel ME. This was revealed during research on Intel ME. Here is a link to the study:

It appears they knew Intel ME was dangerous and asked Intel to create a switch to protect themselves from this threat. After all, the NSA likely uses Intel processors as well.

Intel, by the way, confirmed that they added this switch under the NSA program:

Source: Bleeping Computer


  2. Google encountered problems disabling Intel ME in its attempts to migrate its servers to open-source solutions. Why were they trying to disable it? Likely for security purposes (to protect against backdoors and vulnerabilities in Intel ME) for their servers.


  3. Suspicious, excessive technical decisions:

    ◦ Fully closed-source code, obfuscated with Huffman coding whose decoding table is stored in hardware, so the source code cannot be obtained even through reverse engineering.

    ◦ Its own, separate MAC address and IP address. The purpose of these features for Intel ME is unclear; the first reason that comes to mind is to send some information somewhere and bypass system firewalls and anonymizers (VPN, Tor, etc.).

    ◦ Extremely high privileges on the computer, higher than the operating system kernel. This can be explained by the need for high privileges to protect the computer from various types of attacks (since Intel ME is marketed as a chip to protect the computer and data from attacks). Nevertheless, this is still an extremely strange and suspicious point.

    ◦ While this is more indirect evidence, these are strange and excessive measures that also give reason to think that Intel ME was created not to protect your data (as Intel markets it) but rather for surveillance and attacks on your computer.


  4. Insider information from within Intel:

There is information that a person who worked at Intel leaked details about backdoors in Intel ME, as well as the code name of the intelligence agencies' project for surveillance through Intel ME: ODIN'S EYE.

Here is a screenshot of the post:

The proof is questionable; nevertheless, I felt it was necessary to include it.


I think hardware backdoors are the most dangerous threat to anonymity, privacy, and security online, both for targeted and mass surveillance, for the following reasons:

1. Surveillance via hardware components with extensive privileges is almost impossible to detect.
2. Determining the source code of such hardware components is nearly impossible, even with reverse engineering methods. They are designed and encrypted to ensure the source code remains inaccessible.
3. Many backdoors, like Intel ME, easily bypass system firewalls, VPNs, and other traffic tunneling technologies. There is even a possibility they can bypass server firewalls and transmit information to nearby devices using various methods.
4. Full access to the computer. Access is so extensive that, even if you unlocked your computer yourself and handed it over to an attacker, they would have fewer capabilities than with a backdoor like Intel ME. Intel ME has more privileges than the OS itself.
5. Operation of Intel ME even when the computer is powered off. Intel ME can function for some time while the computer is turned off. What exactly it does during that time is unclear, but it is certainly not safe. During this period, Intel ME is powered by the motherboard battery.
6. Defending against hardware backdoors is extremely difficult and, in some cases, nearly impossible.

Overall, it is an almost perfect backdoor whose actions are incredibly hard to monitor; it is challenging even to determine what it is doing and when. It is exceedingly difficult for a user to notice an attack from Intel ME, and disabling Intel ME is almost impossible on newer Intel processors.


Essentially, it is a monopoly on surveillance, since there are not many alternatives to Intel. Even the limited alternatives often have potential backdoors of their own.


In this part of the series, we discussed the issue of Intel ME. In the next part, we will examine the potential AMD PSP backdoor. After AMD PSP, we will analyze other potential backdoors in computers as well as in smartphones.

If you would like to learn more about surveillance, hacking, deanonymization, forensics, and how to protect against these threats, please, subscribe.


Links to articles that may also interest you (available only after subscribing to the author's Telegram channel):

  • Genius PR, loud statements, and the FSB.

  • Unsafe Telegram - https://t.me/c/1865751209/264

  • Tails OS. False anonymity - https://t.me/c/1865751209/221


