Intel Management Engine JTAG flaw proof-of-concept published

"God Mode" requires special USB debugging connector

The security researchers who found a way to compromise Intel's Management Engine last year have just released proof-of-concept exploit code for the now-patched vulnerability.

Mark Ermolov and Maxim Goryachy at Positive Technologies have published a detailed walkthrough for accessing an Intel's Management Engine (IME) feature known as Joint Test Action Group (JTAG), which provides debugging access to the processor via USB. The PoC incorporates the work of Dmitry Sklyarov, another researcher from the company.

The PoC code doesn't represent a significant security threat to Intel systems, given that there's a patch and the requirements for exploitation include physical access via USB. It's mainly a matter of academic interest to security researchers, though it also serves as a reminder that the IME expands the hardware attack surface.

The IME is microcontroller designed to work with the Platform Controller Hub chip, alongside integrated peripherals. Running its own MINIX microkernel, it oversees much of the data moving between the processor and external devices and its access to processor data makes it an appealing target.

The disclosure of a vulnerability last year in Intel's Active Management Technology, a firmware application that runs on the IME, amplified longstanding concerns that Intel's chip management tech could serve as as a backdoor into Intel systems.

In May last year, the Electronic Frontier Foundation asked Intel to provide a way to disable the IME. In August, Positive Technologies revealed that Intel already offered a kill switch to customers with high security requirements.


Intel's super-secret Management Engine firmware now glimpsed, fingered via USB


In September, the researchers let slip that they would be demonstrating an additional IME bug at Black Hat Europe come December. That turned out to be the JTAG exploit.

Intel issued a patch for the JTAG vulnerability (INTEL-SA-00086) last November and updated its fix in February 2018. The flaw allowed the PoC code to activate JTAG for the IME core, thereby letting the attacker run unsigned code. The PoC was developed on a Gigabyte Brix GP-BPCE-3350C, which is a Celeron-based compact PC.

Ermolov and Goryachy recommend that those interested in testing the code do so on a similar box, but note that it should work on other Intel Apollo Lake-based PCs.

Either way, TXE firmware version is required. So too is a utility called Intel TXE System Tools. Intel doesn't make its ME/TXE/SPS System Tools available to end users but some of its OEM partners include them with software and driver updates. A special USB 3.0 debugging connector is also necessary, though those who enjoy hacking hardware can make their own by isolating the D+, D-, and Vcc contacts on a USB 3.0 Type A Male to Type A Male cable.

In other words, the exploitation process is rather involved and not for the faint of heart. ®

Similar topics

Other stories you might like

  • Japan picks AWS and Google for first gov cloud push

    Local players passed over for Digital Agency’s first project

    Japan's Digital Agency has picked Amazon Web Services and Google Cloud for its first big reform push.

    The Agency started operations in September 2021, years after efforts like the UK's Government Digital Service (GDS) or Australia's Digital Transformation Agency (DTA). The body was a signature reform initiated by Prime Minister Yoshihide Suga, who spent his year-long stint in the top job trying to curb Japan's reliance on paper documents, manual processes, and faxes. Japan's many government agencies also operated their websites independently of each other, most with their own design and interface.

    The new Agency therefore has a remit to "cut across all ministries" and "provide services that are driven not toward ministries, agency, laws, or systems, but toward users and to improve user-experience".

    Continue reading
  • Singaporean minister touts internet 'kill switch' that finds kids reading net nasties and cuts 'em off ASAP

    Fancies a real-time crowdsourced content rating scheme too

    A Minister in the Singapore government has suggested the creation of an internet kill switch that would prevent minors from reading questionable material online – perhaps using ratings of content created in real time by crowdsourced contributors.

    "The post-COVID world will bring new challenges globally, including to us in the security arena," said Minister for Defence Dr Ng Eng Hen at a Tuesday ceremony to award the city-state's 2021 Defense Technology Prize.

    "For operations, the SAF (Singapore Armed Force) has to expand its capabilities in the digital domain. Whether for administrative or operational purposes, I think that we will need to leverage technology to the maximum," he declared.

    Continue reading
  • China Telecom booted out of USA as Feds worry it could disrupt or spy on local networks

    FCC urges more action against Huawei and DJI, too

    The US Federal Communications Commission (FCC) has terminated China Telecom's authority to provide communications services in the USA.

    In its announcement of the termination, the government agency explained the decision is necessary because the national security environment has changed in the years since 2002. That was when China Telecom was first allowed to operate in the USA.

    The FCC now believes – partly based on classified advice from national security agencies – that China Telecom can "access, store, disrupt, and/or misroute US communications, which in turn allow them to engage in espionage and other harmful activities against the United States." And because China Telecom is state-controlled, China's government can compel the carrier to act as it sees fit, without judicial review or oversight.

    Continue reading

Biting the hand that feeds IT © 1998–2021