Secret 3G Intel Chip provides Backdoors

Discussion in 'privacy general' started by CloneRanger, Sep 26, 2013.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,978
    More details have been disclosed !

     
  2. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    Man that's convenient... for Big Brother and his lapdogs.
     
  3. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    We need to create a list of all CPU SKUs that are affected by this!

    No?
     
  4. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    This is crazy stuff but not surprising. Question is how would you find out?
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    As I read this, all Core i3/i5/i7 Sandy Bridge (2011) and later CPUs have the 3G radio chip, and the Core vPro CPUs may have additional features.

    Wikipedia says:

    <-https://en.wikipedia.org/wiki/Sandy_Bridge_%28microarchitecture%29->

    <-http://www.pcmag.com/article2/0,2817,2369110,00.asp-> Wikipedia [39]

    <-http://www.intel.com/content/www/us/en/architecture-and-technology/vpro/vpro-technology-general.html-> Wikipedia [40]

    This is bad. Very bad.
     
  6. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    Exactly what does that mean ?
    Note that it says 'remotely unlock' NOT 'bypass' !

    This would in fact be a good thing, because it would allow to remotely re-boot a encrypted system and enter the password, something often asked for by TC-users ?
     
  7. Reality

    Reality Registered Member

    Joined:
    Aug 25, 2013
    Posts:
    1,198
    Unless we keep our old computers in service (and maybe that aint foolproof) this takes us one step closer to having to make the inevitable choice. Kiss your privacy TOTALLY goodbye and live with it, or chuck your computer down the nearest darkest deepest hole and bury it for good. While youre at it, toss in the cell phone and the smart meter. Not kidding.
     
  8. dogbite

    dogbite Registered Member

    Joined:
    Dec 13, 2012
    Posts:
    1,290
    Location:
    EU
    Too bad, encryption is going to be useless.
     
  9. Enigm

    Enigm Registered Member

    Joined:
    Dec 11, 2008
    Posts:
    188
    That is EXACTLY the FUD they hope people will believe !

    If encryption was to be useless, they wouldn't need to 'back-door' the hardware, would they ?
    (Yes, it IS quite worrying that you can't trust the hardware, but it isn't exactly news, 'The Tinfoil Hats' have been saying it for years )
     
  10. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,390
    I have used the the ark.intel.com website to search for Intel processors with VT-x, and VT-d capabilities some time ago in search for a suitable laptop processor to match my needs of both multiprocessing (multicore) and virtual hardware support technology (VT-x and VT-d) for installing the Qubes OS.

    That is probably where you can start your search for Sandy Bridge and every new generation of Intel processors. The output can be filtered to give a nice list of processors with various capabilities and it should probably yield whether a processor contains the vPro or not.

    Example:
    If you go to ark.intel.com and select Mobile Products, and then in a new tab click on 4th Generation Intel® Core™ i7 Processors click on the Compare Select All button, you will get a (row) under the Advanced Technologies category indicating whether or not Intel vPro Technology is supported on any one of the product chips (columns). Then repeat for all of the Mobile Processor categories under Mobile Products at the ark.intel.com webpage.

    -- Tom
     
    Last edited: Sep 27, 2013
  11. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    I am going to play devil's advocate because I've personally deployed these vPro chipsets and requested them in the past for corporate environments. Not to mention this article has a high amount of sensationalism. These chips are a great tool for when your employee's laptops get stolen out of unlocked cars or by other means. Granted there can be that one thief that walks around with a Faraday cage however from a security/risk perspective being able to remote nuke a device across a large coverage area is a good thing. Especially if it contains sensitive data.

    Now for personal, yes, the end user should be able to choose if they want such capabilities in their systems or not.

    -EB
     
  12. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, there's much FUD.

    And this stuff has in no way been "secret" or "hidden". Intel has been promoting it! I just wasn't paying attention :(

    I agree that many (all maybe) of these features are useful in managed environments (enterprise, leasing, theft-protection services, etc). What's uncertain (to me. anyway) is how they're secured in unmanaged environments, such as my house. Who has default access? How are features configured and enabled/disabled? Are there truly-hidden backdoors that can't be secured and/or disabled?

    I clearly need to understand this. It may well be that only pre-2011 Intel CPUs are secure, in a privacy sense. So it would be irresponsible of me to recommend later models in VM hosts for routing VPNs and Tor. Another option would be using AMD CPUs. Can we be confident that they're backdoor-free?

    Further, I suspect that all smartphone CPUs are hosed in these ways. Right?
     
  13. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    This is surely getting out of hand now....

    The only options available is to go off-line lol
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Out of whose hand?

    That's one option. But what about your neighbors?

    Where there's a will, there's a way ;)
     
  15. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  16. guest

    guest Guest

    So you're saying that you can't be safe just by unplugging yourself from the internet (which I agree with) but there are various methods to make the internet itself to be more secure than other communication lines?
     
  17. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Although I can't speak for J_L, I concur. Consider, for example, how much easier it is to be relatively anonymous on the Internet than in person. On the Internet, there are VPNs, Tor, dead-drop email services and so on. There are vulnerabilities, of course, and it's crucial to identify and address them. But being at all anonymous in person is much, much harder. Reliably getting anonymous snailmail, for example, is nontrivial. It's also very expensive, given the need for shell corporations, legal fees, paying rent, etc. And it's impossible to do without trusting a bunch of people who might sell you out.
     
  18. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
    I've got nothing to add to mirmir's excellent interpretation, except that not enough people are getting the big picture of the Internet and real-life spying scandals.
     
  19. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    So much for the "latest and greatest" hardware. I'll stick with my old obsolete Pentiums.
    The privacy vs hardware is following the same path as it is with software and operating systems. There isn't a well defined line where we can trust hardware on one side of the line but not the other. Like operating systems and software, this "feature creep" is incremental.

    Regarding remote access built into the chips and processor and how it works, it has to be able to receive incoming instructions to function. There's only so many ways this can be done.
    Either the signal comes in via a wired internet connection or,
    the signal is RF and received by an antenna or,
    the signal is sent over the power line.
    If those paths are secured, access to those "features" is unavailable.

    The ideal solution for end users is to not use such hardware. If that isn't an option, users can rely on the old "tried and true" strategy of securing the perimeter and default-deny. The only real change is that the hardware itself has to be regarded as part of the attack surface and be set up so that control signals can't reach the equipment. Older equipment that doesn't recognize and pass the control signals can be used as ethernet firewalls. A small Faraday cage over the PC itself and shielded cables to the peripherals will stop wireless access. Signals sent via the power line can be removed with an isolation transformer. Remote powering up can be stopped by using a real power switch.
    Regarding:
    This most likely refers to encryption implemented by the hardware itself. For encryption performed by the software, an adversary is limited to trying to capture data before it's encrypted or the passwords themselves. These have been issues all along with operating systems, passwords stored in RAM, etc.
    Keeping older hardware in service isn't that difficult, but there is a bit of a tradeoff involved. There's been several threads here on this subject, including a few that discuss the pros and cons of powering a PC down when not in use vs running it 24/7. This generally boils down to one question:
    Which causes more wear or damage, continuous steady state running or the electrical and thermal shock of powering down and restarting the hardware? That gets factored against the added energy cost of letting the hardware run. Now we can add a 3rd factor that's hard to quantify, namely the undesirable costs associated with new hardware, like backdoors in the chips.
    For the last dozen years, I've been running my equipment 24/7. In that time I've upgraded my primary PC once. The previous unit still works fine. It's just insufficient to my needs. My primary unit is over 10 years old and also serves as a Tor relay. My firewall is between 15 and 20 years old, a P5-133 with 32MB of RAM running Smoothwall. Except for power outages, it's been in continuous service for over 5 years.
    IMO, PC hardware is like car engines when it comes to lifespan. They take most of their wear and damage during startup. When temperatures stabilize, the clearances of small moving parts like those in hard drive remain constant and the lubricants are evenly distributed. There's no voltage spikes from components starting and stopping. It's a fact that materials expand and contract as the temperature changes. It's also a fact that different materials expand and contract at different rates for the same temperature change. These include a PC board base material, the metal foils on that board, the metal leads on components, and the solder that connects them. Every time the temperature cycles, there is a small amount of flexing and stress on every solder joint. Everything fatigues over time when subjected to repeated flexing. There's thousands of these connections in a PC. Many of them can't be seen without x-ray equipment. I obviously don't have a lab or the equipment to verify this. Even if I did, I wouldn't waste the older hardware given revelations regarding what's been done with the current hardware. IMO, it's just common sense, less stress equals longer lifespan.
     
  20. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    From an non-rooted smartphone perspective, you are hosed in more ways than one, the chipset is the least of your worries.;)

    For this article however, these chipsets rely on additional software (Active Management Technology) to set up and configure. Communications to these Intel chips commonly occur on the same IP address assigned to their client. Once the chip is in a configured and operational state, network traffic on ports 16992-16995 is directly intercepted within the chipset before being passed to the host operating system.

    In a wired mode,the Intel traffic occurs below the operating system and the client firewall. If the host operating system is not available, usually it will continue to operate as long as power is attached and a network connection is present. Please also note the factory default state for Intel's anti-theft firmware is unconfigured and unusable. You can download their Setup and Configuration Software if you want to do further analysis to see if your chip is affected. Hope this helps.
     
  21. TheCatMan

    TheCatMan Registered Member

    Joined:
    Aug 16, 2013
    Posts:
    327
    Location:
    sweden
    Am confused by this whole thread, I see regulars posting ie to use AMD cpus or post 2011 intel cpus all due to this 3g wireless built into chip.

    I still don't believe all this discussion on backdoor trojans and backdoor win8 software and now wireless built into intel chips that can read hdds when off !

    Perhaps I missed the dry satire and irony and missed the joke, or perhaps I should type this all with a tin foil hat ;)
     
  22. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    The article is inaccurate. Intel has been marketing a special version of their chipsets that contains a collection of computer hardware technologies which enable management features such as remote access to the PC, independent of the state of the operating system (OS) or power state of the PC, and security features for the past couple of years.
     
  23. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    You've not restated accurately.

    The best advice at this point is using AMD or pre-2011 Intel CPUs.

    It's not just the 3G wireless chip, which first appeared in Sandy bridge. Now there's also vPro, which I gather provides additional functionality.

    So you don't believe what Intel says on it's website?

    It's getting harder and harder to rule anything out as "tin foil hat" anymore :(
     
  24. J_L

    J_L Registered Member

    Joined:
    Nov 6, 2009
    Posts:
    8,738
  25. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    As I read this, it's about specific flash/wireless chips for network devices, not general-purpose CPUs.

    At this point, the Intel Core 2 family is the latest that's safe.

    It's possible that some later Intel CPUs are safe, but I'd want good evidence.

    AMD CPUs are still an unknown. AMD was probably behind Intel on these features, so anything pre-2011 is probably OK. But newer, hard to say.
     
Thread Status:
Not open for further replies.
  1. This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
    By continuing to use this site, you are consenting to our use of cookies.