would like to ask a general question concerning IT-security and Intel hardware (CPUs, chip-sets, NUC-boards).
I have several older and newer computers and read terrifying press reports about security issues that don't concern Operation Systems or Applications, but chip-related exploits, e.g., FDIV-bug Pentium, Active Management Technology AMT, Management Engine ME, TPM, as well as outdated or missing security features in older processors. However, I'm not expert enough to judge the actual consequences of such exploits and gaps in practice.
This causes uncertainty even if the OS and all apps are updated: which Intel cpu/chipset can be used for security-critical applications, like online-banking or other personal web-accounts, and which should be avoided (outdated design without modern security features, or hardware bugs, etc)?
The variety of CPUs, chips-sets and related security features/gaps is vast and confusing. Hence, I believe that Intel's customers would very appreciate to get some guidance here.
E.g., is there any reason not to connect to a bank-account with a computer that uses an
- Intel Celeron 550 from 2008, or
- Intel Atom N455 from 2010, or
- Intel Core i3 M370 from 2011, or
- Intel Dual-Core i5 from 2015, or
- Intel Pentium N3700 from 2016?
The point is that many older computer are in too good shape to be scrapped, so it would make sense to simply classify and use them as follows:
Category A: secure "green" (state-of-the-art security features, no exploits known, can be used for login into web-accounts, online-banking/shopping, email, etc)
Category B: ok "yellow" (security features a bit outdated, but no bugs known, ok for reading news on the web, but not recommended for login into critical accounts, like online-banking, shopping-portals, etc)
Category C: insecure "red" (for non-critical offline use only)
How would Intel (and others) rate the above mentioned 5 processor types using this simple system?
And if a CPU is being rated B or C: can it be secured by any kind of firmware-update from Intel?
Proposal: Intel-experts could walk through the whole product catalog--as it is documented here on this website--and mark each CPU with either a green, yellow, or red flag. This would probably not be much work for personell with the right experience and competence, and it would be quite helpful to make the web a more secure place, raise customer satisfaction, and maybe motivate some people to invest in new Intel-hardware.
Many thanks for your responses in advance!
Best regards, Martin
Every 3 to 6 months, someone will ask a question like this. If old(er) processors concern you, dump them for something new(er).
You have far, far more to worry about from software exploits than hardware exploits. If some government agency, or some hacker is interested in what you do, they will find a way to get it. If Intel processors and chipsets concern you, purchase AMD.
Proposal: Get yourself a good anti-virus and firewall, keep your system up-to-date, and practice safe-surfing. Do not fill your machine with social networks and connections. "Try" to not let Microsoft and Windows 10 run with the defaults. Lay down the rules for your employees as well, and do not let this "hardware" issue consume you and your time.
Just my opinion.
Thanks, Doc, for the advices concerning software and web-use, however, the subject matter here is hardware/processors.
A computer can be compared with a house:
The Hardware including CPU/chipset is the foundation, the bed-plate, the OS and all apps stand on. If this foundation is weak -- swamp, sinkholes, quicksand -- the house is insecure and will break down one day - no matter how robust it was constructed.
Some processors have modern security features that others don't include, hence, they provide a safer foundation:
- Intel AES New Instructions (encryption)
- Intel Trusted Execution Technology (segregation/compartmentization)
- Secure key (improved random-number-generator)
- Execute Disable Bit (malware blocking)
- Secure boot (trusted OS only)
But what is the impact on security -- actually in practice -- if I use a CPU without one or more of those features?
What is the worth of newest/updated OS and expensive protection-software, if the hardware can be exploited?
My laptop has an Intel Core i3-370M without 4 of these 5 functions, and even newest computers with modern CPUs don't include all of those features, e.g, those with N3700-CPU-series. Would it fix the security gap if I bought a new computer? Maybe - maybe not.
I believe, many of Intel's customers are overstressed with analysis and comparison of certain CPU-features and would appreciate some kind of categorization and advice concerning security.
Thanks again & regards, Martin
No one here on this forum, which is for support, can help you. The most you will get is that your information has been forwarded to the appropriate department and, if necessary, they will contact you.
Then, you can wait until you get tired of waiting.
What is overstressing people is reading news about such vulnerabilities in the press. This can be compared to the media when the possibility of a snow storm for the weekend might happen, then gets over-blown and terrifies people to raid the grocery store buying milk and bread, and hardware store buying $30 plastic shovels. During such raids, the real danger is from the people themselves. Then, they find the snow storm did not happen, and realize they fell victim to the press.
If you have data that is that critical and important, no matter what you do, nothing will help you. If someone wants to get to your system, they will.
And, my final comment is that "Security is an illusion, and will always be an illusion".
I will throw out a few things.
To get an Intel processor before the ME/AMT vulnerabilities, you have to return to ones that used FSB. They're a lot slower than today's processors.
Intel processors with vPro are the main problem. Before buying a processor, research the specifications on Intel Ark (https://ark.intel.com/ Intel® Product Specifications) and choose one without vPro. About half of Intel processors have vPro.
If you have a desktop, disabling the on-board Ethernet and adding an Ethernet card will narrow the avenues of vulnerability. Read the following two discussions:
AMD processors with PSP probably have the same vulnerability. To find one without PSP, you need to return to 32nm architecture or before, and new ones are just about sold out.
Many thanks, Paramountain, for your advices.
If I got it right, ME, AMT, and vPro are the processor-features that cause security problems, hence, should be avoided.
On the other hand, the problem I see with older processors is that they usually lack some of the 5 reasonable security features, see above.
Thus, either we use a modern processor and have several ME/AMT/vPro-related vulnerabilities, or we take an older one and leave some doors open concerning AES/Trusted Execution/Random-number-generation/Disable bit/Secure boot.
Customers are faced with a Catch 22 --> homework for Intel
Seems, Doc is in a way right when he says that "security is an illusion", however, I'm sure that risks can be significantly limited with the right hardware in combination with a security-focussed software strategy. The point is that not each attacker has all means available. Agencies probably have, but in the first place, I'm more concerned about criminals that distribute ransom-software, chaotic kids who harm others just for fun, and the like. And, yes, agencies are also a problem, if they belong to a hostile country. Another point is that the most customers don't have the expertise to choose "the right hardware" in terms of security details. I just stress this to show the need for discussions like this one in general and for processor manufacturers in special.
I'll look into the NIC/AMT/Ethernet-issue.
Regarding life-CDs and alternative OS:
I'll try Linux Mint, however, I tried several Linux distributions before, Ubuntu, Fedora, Debian, and OpenSuse, and found in many cases hash-warnings referring to Unix-commands when I ran rkhunter (root-kit-hunter) on brandnew installations. Means: somebody replaced a couple of command files, maybe the distributor with good intentions, maybe somebody else with bad ones. The only one that passed the tests relatively clean is openSuse 42.3. Maybe you can try rkhunter on Mint?
In general, Linux is not even well-known for providing "security out-of-the-box", vice versa, it usually needs to be hardened manually (complicated). Hence, I'm tending more towards openBSD, which has an excellent reputation due to it's security-focus and extensive code auditing. However, as far as I understood it, they check mainly their own basic system; I'm not sure if they do -- or have capacities to -- check the vast userland being offered on their web-sites, means: naked openBSD is supposed to be secure, but the risk raises with each installed program.
The approach using a life CD will make sure that nobody can clandestinely store anything on a computer (2 premises: no hard disk installed or mountable, and a secure chipset/processor that doesn't provide hidden storages inside the chips), but it takes time to boot, and it's cumbersome to create updated CDs/DVDs every time when the distributor announces a "security update" or an important bug-fix. And the CD has a fixed password, usually the default one, and this one is publicly known; an attacker could use it to penetrate the system while it is running.
A similar approach consists in using a separate PC with minimal software only for online-banking:
start - update - banking - shutdown, nothing else happens on this PC, no emails, no newschannels, no flash-player, no games, etc!
This works well, however, the possibility of faked OS- and browser updates, as well as printer-related infections, remains. And here it comes -- besides software issues -- partly back to chipset/processor features that either allow such attacks or help blocking them.
Today's best security practice may consists in consequent segregation, security-focussed OS, minimal software installations, updates, and secure hardware. This usually leads to use of several, quite different computers for different purposes. And, yes, it leaves a bit homework for Intel, see Catch 22 above, or at least a bit more guidance concerning choice of hardware components.
RE: "If I got it right, ME, AMT, and vPro are the processor-features that cause security problems, hence, should be avoided."
No! Exactly the opposite! The Management Engine has been in use with all Intel desktop, mobile, embedded and many enterprise processors since ~2008. Its entire purpose for being is to implement security and manageability features for the platform and, with the system BIOS, builds the root of trust necessary for booting secured O/Ss. You definitely want it (but with the vulnerabilities fixed, of course).
Thanks, Scott, for clarification. Here a brief summary of what I found out until today (please correct me if I'm wrong):
Intel's processor portfolio includes 13 features that are particularly intended to improve IT-security:
1 AES New Instructions (improved encryption)
2 Trusted Execution Technology (segregation/compartmentization)
3 Secure key (improved random-number-generator)
4 Execute Disable Bit (malware blocking)
5 Secure boot (trusted OS only)
6 ME (Management Engine)
7 AMT (Active Management Technology)
8 vPro (Threat management, protection from malware, data protection, but even some sort of "remote and local monitoring" and that might cause new vulnerabilities; some see vPro as "main problem", see above, I'll leave this one out)
9 Anti-Theft Technology (not relevant in terms of web-attacks)
10 OS Guard (improved successor of Execute Disable Bit)
11 Software Guard Extensions SGX (data protection)
12 Device Protection Technology (boot protection)
13 Memory Protection Extensions MPX (special feature for protection during program compilation)
Besides these ones, critical areas are onboard-Ethernet/NIC and TPM-Version.
What does that mean in practice (security-level of a special processor )?
What about the following rating-approach?
GREEN: A processor that includes/supports the first 7 ones can be put into Catergory 1 (green: appropriate for online banking).
RED: A processor that doesn't includes/support the 4 basic ones AES-NI, Secure Key, ME, or Execute Disable Bit, should be considered as outdated and too insecure for web-connection because of poor encryption capabilities (e.g. impact on HTTPS/TLS), hence, category 3 (red: offline use only).
YELLOW: A processor that includes/supports the 4 basic ones AES-NI, Secure Key, ME, or Execute Disable Bit, but not all of the first 7 ones belongs to category 2 (yellow: general web surfing without critical login).
All this is just a general rating approach based on data sheets; special bugs and exploits, like SA-00075 (AMT) and SA-0086 (ME) are not considered. This because those are supposed to be fixed by some kind of update soon, e.g. Firmware/BIOS, or on OS-level, but I have no idea how this works: Are the end-customers supposed to look for updates on Intel's website? Or do such updates automatically come with OS-updates (e.g. Windows10), or is it the computer manufacturer who is supposed to distribute hardware related updates in own responsibility?
If I look now on my own computers (see 5 processor-types above), it seems I can live with the N3700-unit and the Core i5 IF and AFTER the SA-00086 exploits has been fixed. Read somewhere that Intel plans to distribute an update for the NUC in 2 weeks from now.
! However, after I studied several processor datasheets and the descriptions of "Execute Disable Bit" and its at least 5-year old successor "OS Guard", I'm astonished to see, that Intel still manufactures processors with the old version, e.g. N3700. Why didn't Intel change the production to the improved version long ago ?!?
Sorry, I am not going to waste my time arguing about yet another arbitrary, completely misleading and thus completely useless rating system.
Since the motherboard firmware designers have control over the format of the firmware hub's (flash component's) contents, Intel cannot produce a generic package that can update (just) the ME firmware. As a result, the end-customer must obtain the ME firmware update (typically as part of a BIOS update package) from their motherboard or system manufacturer.
Of all the silly ideas. The fact that this "improved version" is not in a particular processor does not mean that that processor is not secure or not safe to use. If you really want the "improved version", buy the newer processors; it's that simple.
This entire discussion is turning into a total waste of my time. I am no longer monitoring it.
As Doc said, software is much more important than hardware. However, I will give slightly different advice, though his advice, "Do not fill your machine with social networks and connections," is pure gold. Start using Linux -- I recommend Linux Mint -- as it is more secure than Windows. And the most secure way to use Linux is with a LiveCD, which is simply a CD/DVD burned with a Linux distribution (a LiveUSB is almost the same thing, only using a USB flash drive). What you do is, start Linux via your LiveCD, do your banking, and shutdown the system. Malware will have no chance to enter your system if you only do banking, but there is a chance if you first use another website which could cause malware to be resident. After you shutdown your temporary system, all bits will be relegated to the bit bucket and not saved to the LiveCD. Using a LiveUSB has a theoretical chance of saving something to the USB flash drive, so if you're really paranoid, use a LiveCD (Puppy Linux allows for the saving of settings to a LiveUSB, so it's definitely possible). LiveCDs are slower than booting a system from a HDD, let alone an SSD, however, because CD/DVD drives are slow.