Profile picture
Matthew Garrett @mjg59
, 14 tweets, 3 min read Read on Twitter
Thoughts on the latest Intel ME vulnerabilities: based on public information, we have no real idea how serious this is yet. It could be fairly harmless, it could be a giant deal.
There's two classes of vulnerability disclosed. One is in the Intel AMT component, which runs on ME and is restricted to "enterprise" hardware (which includes higher end laptops), the other is arbitrary ME execution and applies to the entire product range.
The AMT vulnerabilities "only" permit code execution in the context of AMT. That means at least all the capabilities of AMT, but potentially more besides.
One of AMT's features is allowing a user to VNC into a system without the OS being involved. Doing this draws a warning border around the screen to alert the user. Unclear whether that's hardware or not - if not, this could allow silent observation of affected systems.
AMT also allows secure boot to be disabled for one-shot boots, so AMT compromise is probably also a complete secure boot compromise
Worth noting - this gives *remote* users the opportunity to execute code as AMT if they authenticate. intel.com/content/www/us… allows you to authenticate with an empty authentication token. If you haven't patched that already, do so.
The ME compromise presumably gives you everything the AMT compromise gives you, plus more. If you compromise the ME kernel you compromise everything on the ME. That includes AMT, but it also includes PTT.
PTT is Intel's "Run a TPM in software on the ME" feature. If you're using PTT and someone compromises your ME, the TPM is no longer trustworthy. That probably means your Bitlocker keys are compromised, but it also means all your remote attestation credentials are toast.
Worst case there is that an attacker is able to obtain the EK credentials from PTT. Unless there's a way to generate a new EK (and a new EK certificate), you can no longer ever trust remote attestation from that system.
Of course, once someone's in the ME they're able to do anything the ME can do. Even if your system doesn't have AMT, they can do everything that AMT can do - including scraping the screen, injecting input events, disabling secure boot and so on.
But the big thing that influences whether this is very bad but manageable or whether it's "This hardware can never be trusted again" is whether it's persistent or not. ME firmware is signed. Even with ME access, it shouldn't be possible to replace the ME firmware.
However, if the exploit is in unsigned data that's interpreted by the ME, an attacker could potentially modify that data and rexploit it on every ME boot. At that point they can disable Boot Guard and have full control of system firmware as well.
If that happens? Only remediation path is to re-flash SPI by hand, because every internal root of trust is now under the control of the attacker. Probably cheaper for most companies to buy new hardware instead.
So yeah on reflection I don't see many outcomes where this is fairly harmless so uh happy thanksgiving
Missing some Tweet in this thread?
You can try to force a refresh.

Like this thread? Get email updates or save it to PDF!

Subscribe to Matthew Garrett
Profile picture

Get real-time email alerts when new unrolls are available from this author!

This content may be removed anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @mjg59 see all

Profile picture
blog.samaltman.com/e-pur-si-muove is representative of the absolute worst thing about tech culture - the idea that technological progress is more important than anything else
If tolerating homophobia is the price paid for a slightly faster ad platform, shit yeah tech is all over letting you talk about how much you hate gay people
Want to be invited to parties no matter how much you talk about making this country white again? Write a new functional programming language.
Read 5 tweets
Profile picture
Since I'm stuck here, and in honour of having just passed a million miles on United, here's my most memorable in-flight story
I was flying back from Brazil, and it was a couple of days after my birthday. I was in coach, but had an empty seat next to me.
Just after the doors close, a guy comes running up from the back of the plane and sits next to me. Dude *reeks* of booze.
Read 28 tweets
Profile picture
It's about 10PM, my partner's in Tokyo, I've been to Ikea and hung a pair of curtains on my own. Of course I have thoughts on The Intercept.
First: It is clear that in this case the leaker was going to get caught if the story was published, no matter how careful the journalists.
But there are legitimate questions. The printer dot thing isn't new. Could steps have been taken to avoid that?
Read 13 tweets

Related threads

Profile picture
Jerome Corsi says himself that he expects to be indicted for perjury, then Roger Stone tells Ingraham that the SC is 'forcing Corsi to make false statements @ me'..they're both such liars/att'n whores that until the p/w drops in court I'm not buying it. ENOUGH speculation!
2/Any associate of either Jerome Corsi or Roger Stone is about as credible as those two clowns are..so if one is saying that Corsi is negotiating w Mueller for a plea agreement, again, I'll believe it when I see it. This could well be Trump diversion.
#FridayFeeling
3/ I hope that this is true, but his atty has declined to comment. I am highly skeptical about this guy. But here's the story. washingtonpost.com/politics/stone…
Read 30 tweets
Profile picture
@Robbie_Wallis1 @DonTempt @LouiseBagshawe @LouiseMensch @Mopshell @aprilwarchol @counterchekist @lauferlaw @MachiavelliMat1 @patribotics @MarkSZaidEsq @BorisEP @jepence @deviarte @camintel @parscale @DanScavino @senatemajldr @KeithSchiller45 @KeithSchiller @SebGorka @GGigicos @HopeHicks @IvankaTrump @jaredkushner @EricTrump @LaraLeaTrump @DonaldJTrumpJr @Cliff_Sims @michaelglassner @Reince @Cernovich @stranahan @JackPosobiec @DanaRohrabacher @tedcruz @SenSanders @TulsiGabbard @DrJillStein @KyleKulinski @dark_wisdom_ Robbie,
EST. to be Indicted:

Trump Admin
💥Trump
💥Pence
💥Sessions
💥McGahn (R)
💥DonaldJr
💥Kushner
💥Ivanka
💥KAConway
💥HopeHicks
💥Ross
💥Mnuchin
💥Tillerson (F)
💥Bolton
💥SHS Sanders
💥Miller
💥Gorka (F)

Transition Team
💥Bannon (F)
💥Parscale
💥Christie (F)
💥Chaffetz
@Robbie_Wallis1 @DonTempt @LouiseBagshawe @LouiseMensch @Mopshell @aprilwarchol @counterchekist @lauferlaw @MachiavelliMat1 @patribotics @MarkSZaidEsq @BorisEP @jepence @deviarte @camintel @parscale @DanScavino @senatemajldr @KeithSchiller45 @KeithSchiller @SebGorka @GGigicos @HopeHicks @IvankaTrump @jaredkushner @EricTrump @LaraLeaTrump @DonaldJTrumpJr @Cliff_Sims @michaelglassner @Reince @Cernovich @stranahan @JackPosobiec @DanaRohrabacher @tedcruz @SenSanders @TulsiGabbard @DrJillStein @KyleKulinski @dark_wisdom_ 2/2
#GOPCongress:
💥McConnell
💥Ryan
💥Graham
💥Grassely
💥Hatch & goons (Whelan, CRC)
💥Nunes
💥Rohrabacher
💥Gowdy
💥Jordan
💥Gaetz
💥Meadows
💥Gohmert
💥Issa
💥Goodlath

#CambridgeAnalytica:
💥Robert Mercer
💥Rebekah Mercer
💥Chuck Wyile

MEDIA
💥Fox News
💥Hannity
💥Breitbart
@Robbie_Wallis1 @DonTempt @LouiseBagshawe @LouiseMensch @Mopshell @aprilwarchol @counterchekist @lauferlaw @MachiavelliMat1 @patribotics @MarkSZaidEsq @BorisEP @jepence @deviarte @camintel @parscale @DanScavino @senatemajldr @KeithSchiller45 @KeithSchiller @SebGorka @GGigicos @HopeHicks @IvankaTrump @jaredkushner @EricTrump @LaraLeaTrump @DonaldJTrumpJr @Cliff_Sims @michaelglassner @Reince @Cernovich @stranahan @JackPosobiec @DanaRohrabacher @tedcruz @SenSanders @TulsiGabbard @DrJillStein @KyleKulinski @dark_wisdom_ 3/4

Wikileaks
💥Assange
💥Roger Stone
💥Randy Credico
💥Jerome Corsi
💥Andrew Miller

GOP BIG Donors
💥Adlai Stevenson
💥Tom Barrock
💥Koch Bros
💥Russian-American Oligarch
Leonid Blavatnik

NRA
💥fmr President Wayne LaPierre
💥fmr President David Keene
💥Dana Loesh
Read 6 tweets
Profile picture
Reflections on the one-year anniversary of the Mueller investigation: contrary to claims by his detractors, Special Counsel Robert Mueller has produced a remarkable record of prosecutorial achievement in a very short time, with more likely to come. 1/
Judged by the standards of his predecessors, Mueller has moved rapidly. The average length of these investigations is around three years, and complex matters take considerably longer: Whitewater endured for almost eight years and Iran-Contra for more than six. 2/
In 1 year, Mueller has already charged around 20 defendants with crimes including conspiracy, fraud, tax evasion and propaganda violations. He has collected 5 guilty pleas, including from President Trump’s former National Security Advisor, Michael Flynn. 3/
Read 11 tweets
Profile picture
A few quick thoughts on the criminal referral to DOJ of Comey, Clinton, Lynch and others by 9 GOP Congress members
First, you can read the full referral here: desantis.house.gov/_cache/files/8…
Second, I don't think this is designed to form the basis of a TRUE criminal referral. Why? The basis for the alleged charges are mostly news reporting, and don't directly connect to the individuals referred
Read 37 tweets
Profile picture
1. Let's see what we have here (didn't have time earlier, sorry). Mueller has given the appropriate welcome to the US to THREE Russian oligarchs that CNN has found out about. Stop 'n roll. 😎
2. The premise is this: oligarchs are the ones who carry out financial transactions for Putin. If Putin wants to funnel money into Trump's campaign, it's not like he tells a picciotto to do so, like Trump does with Cohen. Nope, he has oligarchs.
3. CNN seems to be surprised that Mueller is after oligarchs, when in fact that is the first and most logical move to make if you want to know where Russian money went. And by that I mean Kremlin-sponsored money.
Read 30 tweets
Profile picture
(THREAD) Per NBC, Trump has told friends he'd be in trouble if Paul Manafort "flipped" on him—clearly signaling that Manafort can incriminate him and get him impeached. By that measure, today's events have brought Trump closer than ever to impeachment. Hope you'll read and share.
2/ Three weeks ago, NBC all but reported that Trump has incriminated himself in private calls to friends. I've no idea why this reporting didn't become major national news—frankly, I expect whoever dimed him out thought it would be. And it still should be. nbcnews.com/storyline/2018…
3/ In common and legal parlance, to "flip" on someone is to agree to testify against them in a criminal case. A current defendant like Paul Manafort would only flip on someone if they had sufficient incriminating evidence to offer their prosecutor that they could cut a plea deal.
Read 22 tweets

Trending hashtags

#SuudiArabistan #Cinema #SecretSocietySedition #Soros #r4today #maga #DemocracyRIP #Saudis #winning #Patriots #Mueller #meaning #AmericaFirst #Trump2020Landslide #Rogue #ColonialRally #MiddleEast #Kingdom #qanon8chan #OsamaBinLaden #TrumpRussia #WMD #Kuwait #BACK #GOPCongress

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member and get exclusive features!

Premium member ($3.00/month or $30.00/year)

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!