Big Brother potentially exists right now in our PCs, compliments of Intel's vPro

Posted by Rick C. Hodgin

Opinion - Last week, Intel announced the third generation of its vPro Technology for business PCs. Comprised of CPU, motherboard and networking components, vPro is essentially a set of technologies which enable remote monitoring, maintenance and management in a PC. Intel bills these as tools useful for IT professionals, which they are. But shouldn't we be looking deeper into the potential threat of such technologies?


The old way: Remote access via OS

There have been phenomenal advancements in remote system access over the years. These have enabled products like Microsoft's NetMeeting, a product which allows IT professionals useful access to a remote PC. IT staff can now take over a system's mouse and keyboard and operate on the system as though they were right there in front of the machine itself, even seeing what's on the user's screen. All of this occurs across a LAN or Internet connection.

Countless millions of problems have been solved this way. Still, this approach does have one major downfall. If the user's OS is corrupted or crashed, then the remote connection will only be as stable as the corruption allows. Enter vPro.


The new way: Covert remote access

Intel's preferred solution today is to have a PC equipped with an Intel Core 2-based processor, Q45 chipset and an 82567LM network chip. This combination of components allows covert remote access via something Intel calls vPro. And, it's built right in.

This combination of hardware from Intel enables vPro access ports which operate independently of normal user operations. These include out-of-band communications (communications that exist outside of the scope of anything the machine might be doing through an OS or hypervisor), monitoring and altering of incoming and outgoing network traffic. In short, it operates covertly and snoops and potentially manipulates data.


vPro is a tool

vPro was created to be a useful tool for IT personnel. Remote access to the innards of a PC can be granted by bypassing a potentially crashed OS and any of its security and safety protocols which may or may not be operating at the time of the crash. And this new third generation just released now allows a PC user to press a few keystrokes, even in the midst of a total operating system crash when not even the mouse pointer is responding. This sends a dispatch to IT indicating the user needs help. Interestingly, this also shows that the motherboard is monitoring all keystrokes all the time. But is that all vPro is doing?


Real Big Brother concerns?

Access to the machine through vPro is available via remote connection regardless of the machine's CPU state. It doesn't matter if it's turned on or off, what it's doing or who's using it. And this is where the concern comes in.

Since vPro operates on the main system bus via the Q45 chipset, and on the CPU via Core 2, and we now know that it monitors (at the very least) every keystroke, it theoretically allows access to not only every piece of hardware connected to the system bus, but also to every byte of memory currently in use (even while the machine is running). The motherboard provides access to all hardware, including memory; the CPU provides access to special software and compute abilities; and the communications hardware allows it to send and receive behind the scenes.

In short, because of the type of components utilized to make vPro work (motherboard resources, processor resources and communications resources), a remote user could theoretically gain access to the entire system, covertly through vPro. And then it's just a matter of snooping through memory and hard drive files until whatever they're looking for is found.

Using an otherwise relatively unsaturated Gigabit ethernet connection (meaning the user isn't doing a lot of high-speed networking at the time), the entire contents of even 16 GB of RAM could be transmitted in about two minutes. And if the vPro snoop software was intelligent (which, why wouldn't it be?) it could empty the typically used 800 MB or so of OS RAM and program data in under 10 seconds. This area of memory contains the complete OS (as loaded in memory), all running software and data - including any cipher keys and encrypted data, and information about paged data which could then be retrieved from the hard disk. And all of this happens remotely and covertly without the typical user ever knowing anything about it. In fact, they would keep using their machine without seeing any side-effects.

In addition, since vPro requires the Q45 chipset, it could be possible to read a PC's hard drive contents and transmit that data as well. A 500 GB hard drive could be completely copied (using an otherwise unsaturated Gigabit ethernet connection) in 67 minutes. And again, if the vPro snoop software were intelligent it could copy the most crucial non-OS files (such as parts of the registry and data files not particular to an OS) in just a few minutes.

In short, with vPro's gigabit ethernet ability it would take about the same amount of time to copy everything as it would to go to the bathroom. Someone, somewhere, out there, could have your machine's state completely copied through vPro in short order ... at least theoretically.


Hints of ECHELON

In truth, these abilities may or may not exist today in vPro. I doubt we'll ever know for sure because if they did Intel wouldn't want to publish that information. And to be sure, I'm not saying these abilities do exist. Let's be clear about that. But, the possibility of them existing is definitely there and that's the point of this opinion piece. As a point of fact, it wouldn't even be difficult to implement these abilities being discussed. It would be a mild extension to the incredible footprint of existing technology already in the CPU, chipset and ethernet controller.

In the late 1990s, many complaints were filed about a believed-to-exist, yet unproven and undisclosed technology in cell phones called ECHELON. This technology was later acknowledged to exist and is now known to be in nearly all modern day cell phones. The only way to disable it is to remove the battery from the phone, thus rendering the device useless to ECHELON - but also the user.

ECHELON is a hidden system which operates in the background in cell phones. Its purpose is to grant remote access to the phone's microphone and data files. The remote authority (typically an authorized government agency such as the FBI or police, working under a duly authorized search warrant, but theoretically anybody who has access to the cell phone network) can access a phone, turn its features on and off and access all of its data. Any cell phone files, including camera images and voice data, can then be searched or sent across the cell phone network at any time.

The ECHELON system inside of cell phones operates only in the background. It allows the phone to operate normally from all outward signs and without any observable changes in behavior for the user. In fact, the average user would never know ECHELON was even present or working as everything it does is totally behind the scenes and outside of the user's awareness. This is also its appeal to governments, authorized agencies, and of course hackers.


So is vPro compromised?

The ability for a CPU, chipset and network chip to operate independently of the OS through commands given to it from hidden, out-of-band communications is a telltale sign that it is possible. And while there may be many applications which benefit from such technology (Intel indicates billions of dollars saved, including hundreds of thousands of tons of greenhouse gas emissions, through the use of vPro's ability to operate even if the machine is off), the enabling factors are there for vPro to be used by another type of system; something like Big Brother.


Opinion conclusion

It is theoretically possible vPro systems could watch what we do, what programs we run, what images we look at, what websites we visit, what data files we receive and transmit, what we store on our hard drives, what images we load from our own personal digital cameras, even what DVDs and CD-ROMs we use, and more. It is theoretically possible that vPro could enable any remote agent to do far more than is currently being disclosed, and to do so completely covertly beyond the ability of any average user to realize. But then again, the average user would never be using a vPro system because this platform is exclusively targeted at business and enterprise users today. But what about tomorrow?

Is all of this really happening inside of vPro enabled machines today? It is highly unlikely. In fact, it's extremely unlikely. Still, it is possible and there are precedents for technologies like this to exist, even when they are not disclosed to the public.

And finally, does it really seem outside the realm of possibility that when something so powerful is made possible through this technology, that it will really go unexploited by the disingenuous among us? History tells us that it will be exploited, if there is enough reason and motivation to do so.

View some of vPro's disclosed out-of-band abilities in operation via this YouTube video, published by an Intel insider.


The opinions expressed in this commentary are solely those of the writer.