Intel's zero-day problem
Intel's zero-day problem
Posted May 3, 2017 20:07 UTC (Wed) by mikemol (guest, #83507)Parent article: Intel's zero-day problem
I know there are people who've put their management ports on public IPs.
But still. *Jeeze*. Don't Do That!
Your management interfaces belong on private ports (or VLANs, if you must) on private broadcast domains reachable *only* via authenticated, secured VPN.
*All* code has bugs, so you hide away access to sensitive execution environments behind as many security layers as you reasonably can, to mitigate the impact in the eventuality that that one of those layers is flawed.
Posted May 3, 2017 20:56 UTC (Wed)
by sionescu (subscriber, #59410)
[Link] (22 responses)
Posted May 3, 2017 22:55 UTC (Wed)
by mikemol (guest, #83507)
[Link] (21 responses)
This was an inherent technical necessity with the masquerade-style NAT that's ubiquitous on IPv4, but it's by no means unique to it.
Posted May 3, 2017 23:06 UTC (Wed)
by raven667 (subscriber, #5198)
[Link] (7 responses)
Posted May 3, 2017 23:15 UTC (Wed)
by mikemol (guest, #83507)
[Link] (2 responses)
The firewall I described belongs on the network gateway. (In addition to the host.)
Posted May 5, 2017 15:55 UTC (Fri)
by raven667 (subscriber, #5198)
[Link] (1 responses)
Posted May 9, 2017 5:30 UTC (Tue)
by ringerc (subscriber, #3071)
[Link]
Posted May 9, 2017 5:26 UTC (Tue)
by ringerc (subscriber, #3071)
[Link] (3 responses)
Pathetically insecure devices that never get security audits or updates. That have no user or admin configurability or documentation. Devices hacked together by a rushed team adapting a related product's code in a single 36-hour sprint to try to beat a competitor to market, before completely forgetting about it.
Devices where if you're lucky you might be able to update or fix them with a vendor-pushed remote firmware update (assuming an attacker doesn't abuse the inevitably insecure mechanism instead). Or with a soldering iron to access pads for USB-serial, RS232, or even JTAG. Occasionally you'll have a webui to upload a firmware blob. But your chances of actually fixing anything without the vendor supplying a canned update image are nearly nil.
The more that these seething piles of crap can be hidden from the rest of the Internet, the better.
Posted May 10, 2017 16:17 UTC (Wed)
by raven667 (subscriber, #5198)
[Link]
I think you are right and its frustrating because unlike in the past, where the technology to secure devices wasn't built yet, people building IoT devices are taking tools which have access control, auth, etc. available and turning those features off, making by their action something reasonably secure, pathetic. In the same way that SSH raised the bar for default remote access/admin we need the same kind of effort to make the defaults for these kind of embedded devices reasonably decent. Basic netfilter rules and key-based auth using widely audited tools, could make these kinds of devices secure against the kind of wholesale attacks we are seeing.
Posted May 12, 2017 6:37 UTC (Fri)
by if.gnu.linux (guest, #88877)
[Link] (1 responses)
I think that there are two other sides we have to consider.
The first one is we as consumers are 'guilty' for always demanding new products which are more speedy, have more RAM etc. and for replacing one year old devices with new ones.
The second one is softwares need more RAM, more GPU power etc. to run. I think software developers think that "Nowadays a device has 4 GB RAM so what is wrong if my application use 1 GB of that RAM."
Posted May 12, 2017 11:16 UTC (Fri)
by pizza (subscriber, #46)
[Link]
Note that it is often *cheaper* to put more RAM in the device than less.
Posted May 4, 2017 6:38 UTC (Thu)
by Gollum (guest, #25237)
[Link] (4 responses)
The ME steals the packets off the NIC before the OS gets any opportunity to know about them. Which means that an OS based firewall will be oblivious to these connections. Otherwise, you could lock yourself out of your device by installing the firewall, and forgetting your creds. That would defeat the point of being able to manage even a powered off device (obviously, standby power is required).
Posted May 4, 2017 10:51 UTC (Thu)
by mikemol (guest, #83507)
[Link] (3 responses)
You're still at risk from your local "trusted" network, but then you always will be without things like isolated private VLANS or firewall rules applied at your switching layer and in your APs.
Posted May 4, 2017 11:19 UTC (Thu)
by Gollum (guest, #25237)
[Link]
Posted May 4, 2017 15:10 UTC (Thu)
by felixfix (subscriber, #242)
[Link] (1 responses)
Posted May 4, 2017 20:35 UTC (Thu)
by mikemol (guest, #83507)
[Link]
Hence a component of my remark:
> as many security layers as you reasonably can,
Keywords being *reasonably* and *layers*.
If you can't trust your network gateway, you can't trust your network gateway. If you find it a reasonable precaution, you might further segment your network such that the device you don't trust has an additional firewalled router between your clients and the untrusted device.
I do exactly this in one of my networks; I have to deal with routers on my premises owned and managed by AT&T and Comcast for upstream ISPs. Any traffic coming in on those first passes through a network segment for unfiltered traffic before they reach a router I own and control. And even on the *filtered* side of that router, there are routing nodes with stateful firewalls that segment, e.g. office activity traffic from server activity, server activity from various device management interfaces, etc. In the eventuality of a laptop or desktop infection, I don't need the infected code having easy access to nodes that the laptop or desktop shouldn't already have access to.
It's honestly not a difficult architecture to maintain, though it'd be overkill for home users.
Posted May 4, 2017 19:38 UTC (Thu)
by JanC_ (guest, #34940)
[Link] (7 responses)
Posted May 4, 2017 20:47 UTC (Thu)
by mikemol (guest, #83507)
[Link] (6 responses)
For every countermeasure, it can be assumed there's a counter-countermeasure; even DPI firewalls all the way down at the network's layer 2 could be worked around, depend on how the NIC views locally-destined packets in the outbound buffer.
But the countermeasure that defeats the vast majority of attacks is simply having a firewall between your node and the Internet that blocks unsolicited inbound connections.
Posted May 6, 2017 0:23 UTC (Sat)
by dlang (guest, #313)
[Link] (5 responses)
It's unreasonable for Intel or anyone else to ship something like this that can be accessed on any network interface, underneath the OS.
I fully understand the value of network management interfaces, but they should be on a separate interface that cannot mix with the traffic on the 'normal' interfaces.
Posted May 6, 2017 8:23 UTC (Sat)
by nix (subscriber, #2304)
[Link] (4 responses)
(It's probably really useful in the things' intended habitat, in the datacentre, where all the management LANs from a bunch of machines can end up on a physically distinct subnet from the actual traffic. It's not such a useful feature for the machine sitting by my desk :) I can understand why machines intended to be used in non-datacentre environments don't spend the extra on separate hardware for another physical network interface that will almost never be used.)
Intel do at least make timely security updates for the BMC and ME on machines they made the motherboard and chipset for available on the open Internet, making them the only vendors I have ever had experience with who will actually provide this sort of thing for people paying less than $BIGBUCKS for a support contract. (Or... as timely as you can expect for software that can brick large numbers of very expensive machines if it goes wrong enough.)
Posted May 10, 2017 7:24 UTC (Wed)
by joib (subscriber, #8541)
[Link] (3 responses)
E.g. Dell is one such biggish vendor that typically doesn't provide dedicated BMC ports.
So it's nice in that you don't need separate cables and switch ports for the management network, but I guess there's a security trade-off as well. Though I haven't heard of attacks that manage to cross to the "wrong" VLAN (which of course doesn't prove that such doesn't exist).
Posted May 10, 2017 15:03 UTC (Wed)
by nix (subscriber, #2304)
[Link] (2 responses)
Posted May 10, 2017 15:09 UTC (Wed)
by pizza (subscriber, #46)
[Link] (1 responses)
I have several SuperMicro BigTwin and FatTwin 4-node boxes that have dedicated ports for each node's BMC.
Posted May 12, 2017 12:44 UTC (Fri)
by nix (subscriber, #2304)
[Link]
Posted May 3, 2017 22:50 UTC (Wed)
by raven667 (subscriber, #5198)
[Link] (3 responses)
That's going in the wrong direction, we have a mobile devices, IoT, heading to a more connected future, these devices have to have the security tools builtin to protect themselves against the big bad internet without the crutch of VPNs and VLANs and NAT44. Anything running Linux should be modern enough to at least have a packet filter if not modern crypto, so we should demand simple robust security tools for these kinds of embedded long-lived devices, rather than just assuming that they are always on a "secure" network where there are never any malicious agents. If anything use IPv6 link-local addresses only for initial zero-touch provisioning, enroll key-pairs with your management systems, then you can drop the device anywhere on the internet with mutual authentication, safely.
Posted May 3, 2017 23:01 UTC (Wed)
by mikemol (guest, #83507)
[Link]
A host packet filter isn't going to help if your NIC is siphoning off packets for consumption by a management engine before it reaches the host network stack. You should certainly have such a filter, but you can't rely on it exclusively.
Posted May 9, 2017 5:48 UTC (Tue)
by ringerc (subscriber, #3071)
[Link] (1 responses)
That'd be nice. But the opposite is happening. There are no economic incentives to make secure consumer routers, IoT devices, and appliances. There are huge incentives to save development costs, and entirely forego software support for the lifetime of the product. In the world of the 30 day warranty (oh, how glad I am for Australia's legally mandated 1 year minimum warrenty), security holes in your fridge aren't even on the radar.
These things need to be treated like the plague-bearing insecure and un-secureable monstrosities they are, until or unless the economic incentives applied by buyers to vendors change that.
This becomes a problem when their functionality requires them to:
* Accept input, or even new code to run, from "trusted" Internet hosts, which often mean "whatever updates.mycompany.com resolves to and replies on port 80"
or, often as not, when their functionality doesn't require that, but they do it anyway.
I honestly won't be surprised if we start seeing household firewall products (both discrete and home-router-embedded) that proxy your IoT crap behind a secondary wifi network, filtering out the exploits and limiting their access.
The real worry is the ones that talk directly to public WiFi, to 3G/4G cellular networks, to hotel networks, etc, where there is no trust. You could make an Ethernet/wifi condom (proxy/filter) device for ones that use WiFi or Ethernet, but not really for cellular.
I have no idea how to help change the situation to create meaningful incentives for secure device development and deployment. But without it, the whole Internet's going to be in trouble.
Posted May 11, 2017 10:52 UTC (Thu)
by Wol (subscriber, #4433)
[Link]
For those who haven't heard, a ?white?hat wrote a worm. It targeted several common IoT devices, and did NOT try very hard to break in. When it did, it tried to switch on as many security features as it could before self-destructing.
If it *couldn't* secure the device, it overwrote the firmware with /dev/zero and rebooted...
Apparently it's made a massive dent in the current round of DDos attacks :-)
Cheers,
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
> Pathetically insecure devices that never get security audits or updates
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
AFAIK it's actually fairly common to not have a separate RJ45 port for the BMC, but rather the BMC is connected to one or more of the onboard RJ45 ports and shared with the host OS. The BMC does have it's own MAC though, and standard practice is to use a different VLAN for the management network.
Oh indeed: I've only ever owned one machine with a dedicated BMC RJ45 out of several with BMCs. I'm not aware of any machines on which the BMC is *only* connected to a dedicated RJ45, though -- they all seem to be able to share NICs with the main CPU (and indeed are usually configured that way by default).
Intel's zero-day problem
Intel's zero-day problem
Intel's zero-day problem
> I know there are people who've put their management ports on public IPs.
> But still. *Jeeze*. Don't Do That!
> Your management interfaces belong on private ports (or VLANs, if you must) on private broadcast domains reachable *only* via authenticated, secured VPN.
Intel's zero-day problem
Intel's zero-day problem
* Use UPnP to accept inbound network requests from arbitrary Internet hosts
* Uncritically communicate with anything on the local network segment or anything directly routable and addressible from it
Intel's zero-day problem
Wol