Software/OS spying and hardware spying. How to deal with both of them?

[vibers]

Hi,

I am using Windows 10 but as it does a lot of spying on the user I intend to switch to Linux and from Linux versions I will pick the most popular and successful OS which is Ubuntu and this will solve my problem with software/OS spying. I have the solution for this.

But a few days ago I read about the Intel processors which have another operating system inside them called Management Engine which can bypass all encryptions, firewalls in the computers and read everything even when the PC is turned off. So the processor can do all the spying and it can't be stopped.

Kindly inform how big is this threat? Does the processor keep spying on the user all the time? And is there some way to stop the spying? Kindly inform. Best regards.

[Rubi1200]

Hi and welcome to the forums

Please post a link to the source you are referring to. Without reading the article or document you read how can we reasonably be expected to respond?

Thanks.

[freemedia2018]

Hi vibers, welcome.

As you may have guessed, there are two options to avoid the problem you're talking about-- one is to use an older PC that does not have the feature. You would be surprised how far back that would go, however. Some may run Lubuntu, they would not be well suited for GNOME or KDE.

The other option is to use a non-Intel, non-AMD processor. Some ARM processors may qualify. More information here: https://jxself.org/titanic.shtml

The Intel Management Engine (ME), also known as the Manageability Engine, is an autonomous subsystem that has been incorporated in virtually all of Intel's processor chipsets since 2008

https://en.wikipedia.org/wiki/Intel_Management_Engine

[TheFu]

I wear a tinfoil hat more than most.

For some things there isn't much we can do except to unplug the computer from the network or to have external devices block in and out access to any part of the computer except that which you approve. This isn't easy, especially for unsophisticated, home, computer, users. Most home networks block inbound connections, but don't prevent outbound connections at all, which means that if someone on the outside can trick the computer into opening a connection, then they effectively can bypass the firewalls. There are some commonly used techniques to accomplish that - javascript is a favorite. Do you allow javascript in your browser?

You can run netstat to see which connections are being used inbound and outbound with source IPs:ports and target IPs:ports. Don't forget to monitor all the other protocols - the ones not based on ICMP or IP. There are many others.

The main issue is limited to the computer, so having a well-maintained, well-configured, external firewall and external router is a good way to address this. But there are liabilities with most router hardware too.

Security is always about having multiple layers and it is best to have those layers be physically separate.

[Rubi1200]

@TheFu

I am interested in security but certainly do not have anywhere near the level of expertise you do.

Could you please comment on this article https://www.eff.org/deeplinks/2017/0...way-disable-it and specifically the part where the authors write that

Not every machine is susceptible to the attack. For it to work, AMT has to have been both enabled and provisioned (commonly AMT is enabled but not provisioned by default).

If I understand correctly, isn't this more likely to be a problem in an enterprise situation and is unlikely (though I am sure not impossible) that an average home computer user would be affected?

[1clue]

Certainly this would require an external firewall device, but how to get an adequate device which is not also affected?

Switching to some other brand of processor is of limited value as that processor may have an embedded processor we don't know about, controlled by some other agency. So out of the frying pan, into the fire.

I would start by building a system from scratch, and then ONLY hook it up through a port which can be monitored (a switch with a mirror port?) at the hardware level and which has no Internet connection. See what sort of packets it sends out and where it wants to send them, before there is any operating system attached.

You would certainly need both outbound firewall rules prohibiting traffic to the sites the processor is trying to reach, and inbound firewall rules responding to that sort of traffic. And some sort of monitoring to ensure that your intel-based firewall/router is actually filtering that traffic.

[vibers]

freemedia2018, Thanks for your reply. I have checked the Processor found in your link but that would be quite expensive. I also checked other Linux PC makers’ websites but they charge quite high prices as compared to the prices charged by others. I agree that Arm based processors is the way to go if you care for your security. I would wish we see Arm processors based PCs with a reasonable price.

[vibers]

TheFu, Thanks a lot for your reply. The solution you posted is the most practical and can be applied sooner. Can you give a few links to some reasonably priced routers & firewalls? Also is there some way to find out what to block and what not to block. Kindly inform.

[vibers]

1clue, Thanks a lot for your reply. Could you suggest me some devices for that Kindly inform.

[1clue]

freemedia2018, Thanks for your reply. I have checked the Processor found in your link but that would be quite expensive. I also checked other Linux PC makers’ websites but they charge quite high prices as compared to the prices charged by others. I agree that Arm based processors is the way to go if you care for your security. I would wish we see Arm processors based PCs with a reasonable price.

Arm is a SoC architecture. By definition, there are coprocessors and whatever else in there, and some of it is undisclosed closed-source stuff with proprietary "black box" blobs in there. So Arm is no more secure.

1clue, Thanks a lot for your reply. Could you suggest me some devices for that Kindly inform.

I don't have recommendations, only speculation as I posted above.

Having done some research since you posted this, I'm not sure this has much security exposure for me personally.

It seems that this tech you're talking about is built around the same idea as IPMI, and some of the code is shared. IPMI is for servers, and the IME is for consumer products. Yes there are tools which could be used to take control of the sytem by remote, but at least according to the documentation you need to turn that stuff on first. Yes the processor is running if there's power, but if it has no IP address and is not responding to network activity then what's the harm?

If someone were to find a system which has the remote admin stuff turned on, then certainly there could be a huge problem. If they can install their own firmware there's no way to tell what you might get in there. But if you never turn it on, and if you were to take precautions with your site's firewall then I would think it could be managed.

Points:

1. The processor has its own MAC address and direct control of part of the NIC. So it does NOT have the same IP address as your computer.
2. You could define outbound and inbound rules on your firewall such that only known hosts have Internet access, either outbound or inbound.
3. You could configure your DHCP server to put unknown addresses into a special IP range so that special rules applied within your network. Like a switch-based filter limiting access to other hosts on the net, if you have a nice switch.
4. At least with IPMI, the controller does not seem to want to accept connections from a host with a different network number.
   
   1. This means that your "client" has to be on your same network.
   2. If you have an OpenVPN with a 'tap' mode (the VPN emulates a network card on the host network so it looks like you're inside the net) then they can get remote access, but not if you use 'tun' mode.
   3. If the new stuff enforces the same rule then this reduces the security exposure.

I'm not saying there's no security exposure in ANY situation, because clearly there is. My systems are always in the same place (no mobile devices except phones), behind a firewall I made. I'll see what I can do to at least detect activity from this controller, and mitigate its possible harm for me.