Firmware-level vulnerabilities (eg, LightEater) and bungled implementations of boot security (eg, Intel TXT), alongside the small horde of attack vectors introduced through peripherals, provide ample ammunition to attackers, according to Rutkowska.This means you can't really trust your sensitive data with your hardware, and instead crucial information should really be kept apart from the main machine. She said a strict separation of state-carrying (trusted) element from the rest of the hardware has become necessary as people and personal computers become increasingly interdependent.Rutkowska said the communal effort on improving personal security in the application layer in recent years – from GnuPG and Tor, through to OpenVPN and disk encryption tool LUKS – “is meaningless if we cannot trust our operating system, because the operating system is the trusted part – if it is compromised then everything is lost.”There have been notable efforts to create a trustworthy operating system stack. Rutkowska herself had started the open-source Qubes OS project five years ago, which now has dozens of contributors. Qubes works by running different applications in their own virtual machines – for example, the VM running a browser used to visit any old website is separate to the VM running GPG; if the browser is compromised, the attacker has to break through the Xen hypervisor to get to the encrypted email client.
Version 1.0 of Qubes OS was released in 2012, while 3.0 was released in October of this year.The core of her talk dealt with the widespread assumption of trustworthiness in hardware, particular in regards to laptops, which it doesn't deserve.Intel's x86 platform is ubiquitous in modern laptops, and “present Intel processors really integrate everything and the kitchen sink,” said Rutkowska. “Ten years ago we used to have a processor, a Northbridge, a Southbridge, and perhaps even more discrete elements on the motherboard. Today, nearly all of these elements have been integrated into one processor package.“Of course there is only one company making these,” Rutkowska said. “It's an American company called Intel, and it's a completely opaque construction. We have absolutely no ways to examine what's inside [its chips]. The advantage is that it makes the construction of laptops very easy now, and lots of vendors can produce little sexy laptops.”
When we talk about processors today, we are no longer talking about just the CPU, said Rutkowska. “The processor is now the CPU, GPU, the Memory Controller Hub, PCI express, some southbridge – so for example SATA controller – and so on, as well as something called Management Engine (ME).”Intel ME is a microcontroller, and part of Intel's AMT hardware and firmware technology which allows administrators to remotely manage the hardware over network – all underneath whatever operating system is running. As this management is conducted at a low-level in the stack, it dodges the OS – meaning overwriting your out-of-the-box Windows installation with a Linux distro will not guarantee any trustworthiness.
The ME microcontroller comes with its own RAM, it can access the system's RAM, and it has its own private ROM of firmware code, which nobody may inspect. “It runs a whole bunch of proprietary programs,” said Rutkowska, “and even runs Intel's own proprietary operating system, and this is all happening whenever you have some power connected to your processor, even in sleep mode, and it could be doing anything it wants.”The first thought for security people is that this is an ideal backdooring or rootkitting infrastructure. Which is true. However there is another problem, what I call the 'Zombification' of personal computing.
As a former stealth malware researcher, Rutkowska said she could not imagine a more ideal infrastructure for malware than the Management Engine: “ME has access to everything that is important. It has unconstrained access to DRAM, to the actual CPU, to GPU, it can also talk to your networking card, especially your Ethernet card, the controller for which is also in the Southbridge in the processor. It also has its own dedicated partition on the SPI Flash which can be used to store whatever ME wants to store there. This is really problematic, and we don't know what it runs.”Typically, people run software in the application layer, and expect all the decision making by software to happen there; the low-level code below acts as a middleman, instructing the hardware to do what the users wants it to do.
Citing a book by one of the Intel architects who had designed ME – as “it's about the only somehow official source of information about Intel ME,” according to Rutkowska – the researcher reckons Intel wishes to completely invert this model.Intel “essentially wants to eliminate all the logic that touches data from apps, and the operating system even, and move it to Intel ME. Remember, Intel ME is also an operating system, a separate operating system... nobody knows how it works. Nobody has any possibility to look at the source code, or even reverse-engineer as we cannot analyse the binaries. It is an operating system which is fully controlled by Intel, as is any functionality it offers,” she said.The ME blackbox is not trustworthy, says Rutkowska: “The complexity of the architecture … doesn't look like it could be solved effectively.”Although this seemingly borked Qubes OS's confidence that it could securely lock down and compartmentalize software on a machine, there may be a different way to win the game: “You cannot really win under the old rules, said Rutkowska, who added that it was perhaps time to begin to change those rules. That starts with recognising that most of the problems here begin with the persistent state.”Infosec wild man John McAfee has taken time off from his US presidential campaign to launch a fresh funding drive for a password replacement product.
The proximity-based authentication and access control product, dubbed EveryKey, is also touted as a replacement for physical keys, as the pitch explains.Everykey replaces your passwords and keys. When Everykey is close to your phone, laptop, tablet, house door, car door, or another access-controlled device, it unlocks that device.
When you walk away, that device locks back down. Everykey can also log you into your website accounts. If you lose your Everykey, you can remotely freeze it, so no one else can use it.Everykey, which is designed to be paired with an associated smartphone or laptop using Bluetooth, would also store a password keychain.The whole idea is still at the prototype stage despite three years of development and repeated delays. Estimated delivery currently stands at March 2016.McAfee, chief evangelist at Everykey, has launched an Indiegogo campaign to fund production for Everykey. Would-be early adopters have already shelled out $61K with 13 days of the funding drive still to run.A YouTube promo video of McAfee demoing EveryKey can be viewed below.The idea tackles an all too real problem but caution is still advisable. Infosec consultant Paul Moore argues that there's still little to show for the project after three years of development and multiple delays.