Neutralizing Intel’s Management Engine

Five or so years ago, Intel rolled out something horrible. Intel’s Management Engine (ME) is a completely separate computing environment running on Intel chipsets that has access to everything. The ME has network access, access to the host operating system, memory, and cryptography engine. The ME can be used remotely even if the PC is powered off. If that sounds scary, it gets even worse: no one knows what the ME is doing, and we can’t even look at the code. When — not ‘if’ — the ME is finally cracked open, every computer running on a recent Intel chip will have a huge security and privacy issue. Intel’s Management Engine is the single most dangerous piece of computer hardware ever created.

Researchers are continuing work on deciphering the inner workings of the ME, and we sincerely hope this Pandora’s Box remains closed. Until then, there’s now a new way to disable Intel’s Management Engine.

Previously, the first iteration of the ME found in GM45 chipsets could be removed. This technique was due to the fact the ME was located on a chip separate from the northbridge. For Core i3/i5/i7 processors, the ME is integrated to the northbridge. Until now, efforts to disable an ME this closely coupled to the CPU have failed. Completely removing the ME from these systems is impossible, however disabling parts of the ME are not. There is one caveat: if the ME’s boot ROM (stored in an SPI Flash) does not find a valid Intel signature, the PC will shut down after 30 minutes.

A few months ago, [Trammell Hudson] discovered erasing the first page of the ME region did not shut down his Thinkpad after 30 minutes. This led [Nicola Corna] and [Frederico Amedeo Izzo] to write a script that uses this exploit. Effectively, ME still thinks it’s running, but it doesn’t actually do anything.

With a BeagleBone, an SOIC-8 chip clip, and a few breakout wires, this script will run and effectively disable the ME. This exploit has only been confirmed to work on Sandy Bridge and Ivy Bridge processors. It should work on Skylake processors, and Haswell and Broadwell are untested.

Separating or disabling the ME from the CPU has been a major focus of the libreboot and coreboot communities. The inability to do so has, until now, made the future prospects of truly free computing platforms grim. The ME is in everything, and CPUs without an ME are getting old. Even though we don’t have the ability to remove the ME, disabling it is the next best thing.

158 thoughts on “Neutralizing Intel’s Management Engine

    1. It would be nice to be able to ditch X86 but Arm is the only option out there right now since Apple killed PPC desktops,Compaq and HP were too stupid to know what they had in Alpha, and Oracle decided Sparc CPU are only for servers.
      Plus Intel decided to reinvent the wheel when they made UEFI even though Open Firmware did all the exact same thing but was well open.

        1. The issue with OpenFirmware and Forth isn’t really execution time (computers are *very* fast now, and you’re just loading enough off disk to get your real device drivers running.. a handful of megabytes).

          The real issue is you having to write device drivers in Forth – which is something exactly 3 people on the planet enjoy and makes everybody else cry a little.

          Compiled code conforming to the interface that UEFI specifies lets you possibly re-use some code from other drivers too.

      1. There was PPC which in some cases was faster than contemporary X86s but that ceased to be a good option back when Apple did the Intel switch which pretty much killed it as a desktop platform.
        But Arm has been getting faster and now many Arm chips now outperform low end X86s such as Atom or the new Mac Book.
        But Arm CPUs can have a trust zone feature but you have control over whether it’s turned on or not at boot.

          1. Actually the reason for the Intel switch is not what most people think.
            The real reason is most likely was because Apple was developing the iphone and the switch to Intel allowed them to move a lot of hardware engineers who were design custom silicon for macs to that project vs hiring more.
            There were low volt PPCs from PA Semi that were superior to the Core 1 series chips and maybe even Core 2.
            But the side effect the mac no longer has anything unique about it and I have not had a reason to buy a mac since 2007.
            Why bother buying one when you can build something faster for less or even run OSX in a VM?

    2. Kind of like driving your car and bypassing the electronic controls – who knows what would happen. Is it worth taking the risk? Enough paranoia. Nobody has been harmed by this, so let it go.

      1. Those of us who’ve done some real driving, like amateur rally or similar, are scared to death of the electronic nannies doing the wrong thing. I think you’re Dunning Krugering here.

      2. Actually I’ve done that a few times.
        I once replaced the computer controlled ignition and carb on 1980s Dodge truck with a standard HEI and Holley carb and gained 40hp and 2mpg this is often necessary as those systems don’t age well and were junk to begin with I also and once replaced the entire ECM on a 280ZX with a Megasquirt setup.

        1. Since you bring 30 year old technology into play as the viable alternative, how many things that you do on a modern computer would function very well on your Apple-1 or 8080? Just as you can’t run modern code on a 30 year old computer, your 30 year old HEI wouldn’t work very well on any current technology engine so I’m not sure how this is remotely relevant.

      1. Yes sadly AMD introduced something into their product lineup that customers were asking for and were previously only reserved for those paying a premium.

        Seriously this has been around for the best part of 15 years. Now it’s included on boring old PCs instead of only servers and everyone loses their mind.

  1. This is why I hate the whole dearth of Cyrix, AMD, etc; effectively competition crushing monopolies suck. At least with OS we can do Linux/Unix and have as good an experience as the Win-Macs; but alternate or open processing and 3D hardware is at very best 5-10 years behind the cutting edge.

    1. With too much competition, you dilute your value and don’t have standards. That sucks even worst. I recall the Nokia (who was that?) phones with 4 different connectors. Bought the headsets with the wrong connector? Too bad. Go back to the store. Bought the xyz with the wrong….?? You get the picture. Better to sacrifice a little, but be practical.

          1. Though making phone manufactures use micro USB was one of the rare instances they did something right but it is clearly toothless as Apple phones still use proprietary connectors.

  2. I don’t have a problem with Intel including ME. There are good IT uses for it and the whole AMT. My problem is the inability to ‘shut it off’. This isn’t just a ‘potential’ backdoor for hackers but it certainly is an existing backdoor for the NSA. Does anyone here think the NSA doesn’t already have access?

    1. So whatever happen to security at the edge router for enterprise customers? You know? The one’s most likely to be using ME and AMT in the first place, and possessing the needed knowledge.

    2. Obviously there’s no way for me to post convincing proof, but Intel refuses to make variants of the ME firmware — they only publish the “big one” and the “little one,” and the little one only exists because a very large company wanted something with a smaller attack surface. There was one Intel engineer who slipped up in a casual conversation and admitted there is another firmware specifically made for the NSA, but didn’t say whether it was for NSA’s internal computers or for something else.

    1. True, although the 68020 in the 1200 had no MMU or memory protection circuit. Everything was accessible to everyone. Ripping sounds and graphics from games was childs play back then. :-)

      1. Yep. I designed with the 68030. One of the greatest processors ever. Which then became Coldfire. Sadly mostly gone due to the prevalence of ARM. One core does it all. Now there are over 400 (more?) suppliers. Way too much competition. Diluting more value. Better to have just a few and get it right.

      1. No it is based on dedicated hardware that verifies that firmware is signed by Intel. Those keys are strongly protected even against Intel employees. Even knowing the format of the firmware, the encryption algorithm and the public key one still can’t crack the system.

        BTW security through obscurity _is_ a valid tactic to increase security – it is systems that only uses obscurity for protection that have problems. Intel ME isn’t one of them.

        1. No it is a poor solution as it depends on end user to being naive enough to accept ME is a magical box to have blind trust in the company that holds the keys to have not sold them out to nation states or eventually loose the keys.
          It has happened in the past and will happen again.
          This is one case nothing at all and having to depend on other means to achieve security would be an improvement.

  3. Maybe I’m missing something but it looks to me like the management interface is not enabled unless you explicitly enable it in the BIOS settings. So it seems to me like a valuable feature with no downside. I mean, there could be an attack surface that is exposed even when the interface itself is disabled but so far I don’t think anyone has even claimed this is true?

    1. ME triggers before the big CPU is started. So it’s unlikely that a BIOS option (which runs on the big CPU) could disable it. I think you are talking about Intel TPM (trusted platform module) and Intel GardSomething which are just software running on the ME. You can not prevent the ME to run, and if you do via hardware (removing the SPI flash for example), the big CPU is reset after 30mn.

      1. On laptops the “BIOS” can sometimes be KBC firmware that happens to place the CPU-executed BIOS image at power-up in the 0FFF (?) address location (read too many schematics of ROMs attached to KBC ICs).

        The T400 I had would show the network activity lights when “off” and hooked to network and also there was power being drawn to drain the battery in a couple days, sometimes more. Oh and it had a(n in-)”security” chip. LOL

        Another way to think of the laptop KBC is as the industrial equivalent to the aurduino: They provide I/O for the fans, temperatures, battery over SMBUS, occasionally has a CPU0-bootstrap (BIOS), sometimes acts as a hypervisor, Some other things (TL;DWr) and of course the keyboard.

      2. There’s BootGuard that runs before the CPU reset is released, and does BIOS authentication. Once the fuse to enable BootGuard is burnt, there’s no way to disable BootGuard again (other than physically replacing the chipset).
        The ME isn’t present on all chipsets, but there’s usually something similar to ME running on every Intel chipset.

        1. The IME is present on ALL Intel systems since 2006. Whether or not features are specifically related to remote access and system administration are presented to the user, THAT depends on how much you paid for your chip.

      3. i don’t care if the management coprocessor is “running”, i care if it is answering network traffic in a way that exposes a vulnerability to the outside world. when it starts up, it queries the bios settings to find out how it should expose itself to the outside world, if at all. assuming this functionality works — which, again, no one has asserted that it doesn’t — who cares?

        1. Thank you for that. If anything, just block network traffic to the management engine on the LAN at your firewall. Set up vPro on a server and remote into it with iAMT, vPro, etc. for an example of the network traffic, what ports are used, etc. The sky isn’t falling. People interested in hacking the ME could easily be up to no good when all you have to do is block the traffic.

          1. blocking traffic is useless, It binds to the network interface and has access to every single packet in flight – all it takes is hardcoded backdoor magic packet

  4. I’m trying to imagine how something living in the chipset can access the tcp/ip stack. That is part of the operating system. Sure, something living on the motherboard can access all the memory and the tcp/ip stack is in memory. But.. it’s going to live inside of some data structure, probably in a different spot in memory at each boot and that data structure is going to vary from OS to OS or even OS version to version. So… how does this thing work? Does it have a big ROM in it containing everything it needs to understand how every version of every OS past, present and future represents the tcp/ip stack in memory? I don’t think so.

    What makes more sense is that it has access to the on-board network chip plus it’s own tcp/ip stack. Does the computer end up getting two ip addresses? Or is it somehow inspecting everything that goes by at the ethernet level, determining the ip address the operating system’s tcp/ip stack is using and impersonates it?

    Either way, TL/DR…

    What if you just add a second network card and don’t plug in the onboard one. Preferably add one with a completely different chipset than the one built into the motherboard. Would that prevent ME from talking to or being talked to from the network?

    Of course this is all assuming that Greg A is incorrect. If it can just be easily disabled then that’s that.

    1. I wondered that too. I would say as it has full access, it lets the OS run the hardware and just inspects the packets at the right level of the IP stack. I would guess if it is doing something on the net it is checking for updates? This is also a common attack vector.

      Not sure about the “even if the PC is off” claim…….

        1. Correct! Pretty much no computer is actually off. The power button on the front of the case merely tells a microcontroller to start the power on sequence. This is how you get soft-power-off switches (and why your OS shuts down when you press the power button and you have to hold it for a few seconds to *really* force a power off). This is also true for laptops – and when in a low power state (e.g. suspended), *something* has to do the job of ensuring DRAM is refreshed and waiting for the signal to wake everything back up when you open the lid.

          On servers, you’ll have a BMC which will always be on too, and it’s usually an ARM processor running Linux, at least a few hundred megahertz, a few hundred MB RAM, and some amount of flash storage and can do things like have PCI and USB devices that appear in your server that are emulated by the BMC itself (see for an open source implementation of the software stack). It’s the thing that speaks IPMI over the network.

        2. So a wall switch [or unplugging the PC] would be just as effective at isolating it ?
          Still need the hack for when the machine is on.

          I have the Beaglebone, but the prospect of opening up my Mac is – daunting.

      1. It’ll have access to the hardware, so both the ME and the OS get to look at the packets. Splitting a physical network port between multiple computers inside your computer is actually relatively common – many servers do it so you only need to plug in one network cable to talk to the BMC and the host.

      1. So simply plug in a PCI pr PCIe network card, preferably one with a non-Intel chip and newer than the motherboard. Also preferably one that requires a driver for the OS you’re using.

        Unless the IME has a sooper-sekrit flash ROM that self updates with data on newer network chips, there wouldn’t be any way for it to communicate when the computer is powered down with just the power button circuit on.

    2. It has a TCP/IP stack of its own. It has access to the network hardware. That’s why it can do networking without the “big” CPU.

      Of course, having access to the network hardware allows it to do MITM (unless all traffic is encrypted: but are your DNS requests encrypted?).

    3. The TCP/IP stack is not part of the operating system, it’s in the firmware of the NIC, which is why things like PXE boot and BootP work. The operating system simply accesses them and passes the data.

      1. The TCP/IP stack used by ME is a part of ME. NIC firmware might or might not have a TCP/IP stack – it depends on BIOS. In UEFI environment, the UEFI NIC drivers don’t have their own TCP/IP stack, because UEFI BIOS provides that.

      2. Some NICs’ firmwares include knowledge of TCP/IP, and any chipset firmware that supports PXE or BootP has its own implementation of TCP/IP, but the OS still has its own TCP/IP stack.

  5. My knowlege on GM45 and Intel Management Engine (IME/ME).

    Last time I looked I can’t see anywhere on my spare Latitude E6400 a seperate chip for Intel ME (GM45 BTW), only an empty EEPROM space labeled ME_ROM. Also couldn’t find anything about ME except for the optional ROM spot that isn’t installed. Unless I’ve missed something.

    I found under the base-plate, a sticker that says VER: ME-Disabled.
    That finding and this current article leads me to think that disabling ME is and has always been as simple as not giving it firmware (like no ROM for my GM45 laptop). i.e. manufacturer optional.

    The T400 Lenovo I gave away for nothing: that had a GM45 and had options for enabling and disabling Intel ME.

    edit: Change X400 to T400

    edit: troll those who want the edit button, including self because prouf raeding by adding edit:

  6. Honestly, the Intel ME solution saved my bacon several times; most recently, when having to install desktop computers “headless” in closets in locations around the country that were highly secured. We had reasons to access BIOS level screens, and what’s NOT talked about here is how Intel’s ME along with the AMT exposes an encrypted VNC connection to the workstation *at the hardware level*. E.g. it acts like a TCP/IP KVM. It absolutely ROCKS for that, giving the same experience as Dell’s DRAC cards or HP’s iLO cards.Wit that said, you HAVE to be VERY judicious with how you set it up/use it (of course).

    1. Exactly the point- so a remote door in below the BIOS, that you know no one else can access how??? So you have a VNC connection into it- it is in there, now inside the VNC connection….

      1. Yeah. Back when you paid extra for these features no one cared. Now that they are available at low cost everyone freaks out.

        And to think I paid extra for a server board that did this when I could have had any run of the mill vpro enabled CPU.

    2. Exactly this. The purpose of the management engine isn’t to secretly pwn your computer, it’s to make life easier for sysadmins who have to administer many desktop computers.

      I do question why it’s included in their enthusiast chipsets (like Z170) though, it makes sense for companies, but not most home users.

      1. That’s maybe the opinion of a sysadmin. The problem is, does it have a backdoor? Pwning your computer is just an extra sysadmin you didn’t ask for! It seems overwhelmingly likely the TLAs have special access, because A: it’s the sort of thing they do, B: why else would Intel bother adding a part to all computers, that’s basically useless to the majority of customers?

        Society now relies on computers, it wouldn’t function without them. If you can control every computer, you can control society. To a fair, undemocratic, extent at least. And I think that’s a BAD thing!

        What’s needed is for somebody to hack the IME, completely fuck up lots of important computers, and those belonging to ordinary people. Then people will start giving a shit, this will come out into the open, and finally it will affect something Intel care about, which is money. Right now it’s only paranoid geeks (like me) who care or even know about it.

        It’ll be a high cost, but that’s what happens when megacorps and unaccountable agencies mess with things on such a scale.

    3. IME has its uses, yes. That they’re not talked about here is not that bad, Intel’s colorful propagana does that allright (and better than we could here).

      I wouldn’t complain if there was a way (jumper, whatnot) for me to install firmware *signed by myself* or at least to disable the parts of it I don’t want.

      That’s why my kudos go to those intrepid hackers who, once more, are doing the job Intel should have been doing in the first place.

  7. A custom router with rules that dropped addresses which were not white listed would disable access via ME. Obviously not something easy to do in an age where going to any website involves communications with dozens of other websites.

    I have wanted for some time to log all traffic to a large ring buffer on disk and a table of addresses so that if new addresses show up I can inspect the traffic. You’d need to build models for all the ad related traffic, but that wouldn’t be too hard. My reason for wanting this is it’s the *only* way to have any assurance that your system hasn’t been subverted. It’s still not a guarantee, but it’s better than nothing.

      1. Apple of the 1980s was a very different company than the one that exists today.
        Everything in the Apple II was open and fully described.
        You could get schematics for all the circuits and even make your own peripherals.

    1. I wonder why people are …. “helping” with this…. “project”. Folks are great at thinking their way through “problems”…. but I don’t think anyone actually stopped and thought.

  8. So… let’s assume that for all platforms (Intel: ME, ARM: TrustZone, AMD: PSP) the lowest ring code must be asymmetrical cryptographically signed to continue booting.

    Does there exist a list of devices with corresponding ‘public’ keys? Are the libre/core-boot people able to discern the signatures? Which cryptography is it based on (RSA? ECDSA? …) ? Is there a community that gathers a ‘centralized’ collection of public keys the first trusted platform code is signed with for different kinds of chips/devices?

    Imagine some day a cryptographer breaks the relevant crypto, to abuse it within say financial systems would be hard and dangerous as it is probably logged. Also consider the possibility the cryptographer intends no harm, yet believes people should have access to sovereign computation. If such a list of public keys existed, he might calculate and publish the public keys in one round without interactivity, while without such a pre-existing list he would have to communicate to the world the crypto is broken, provide a means of contacting and then interactively reply each request for calculating a private key. On the other hand perhaps a benevolent cryptographer has already cracked the crypto, but lacking such a list and lacking the enthusiasm to buy each and every device out there to free each device model one by one…

    1. It will eventually happen though I suspect the government has already placed back doors into it.
      How could someone like the NSA deal with the spread of relatively unbreakable encryption algorithms?
      Simple get hardware manufactures and software vendors to supply a closed source solution that already has a back door in it.
      Call me paranoid but in someways Intel ME and similar technologies remind me of the NSA’s Clipper chip which had a built in back door.

      1. Yes of course the endpoints are compromised, but asymmetric cryptography is still used to prevent end-users to install different bottom ring bootloaders. Please carefully re-read the article and then what I wrote.

    2. Whuh? Aren’t the public keys in the IMEs themselves, and that’s how they verify the signing by the private keys?

      That’s why it’s safe (for Intel at least) to put decryption keys in every motherboard, because they’re public.

      1. Of course the public keys are in the chipsets (burn e-fuses or whatever), I wonder:

        1) if libre/core-boot community knows the public keys?
        2) if theres gathered lists of device/public key pairs?

        such that if a benevolent cryptographer ever breaks one of the used asymmetric signature crypto, (s)he could grant the end-users the private keys with as little risk as possible for exposing him/her-self. Such a person may already exist, but unable to take the risk of reaching out interactively with multiple communication rounds…

        If the effort would be low to maintain such wish-lists public keys whose private keys are wanted, it wouldn’t really hurt to be optimistic just in case?

        1. Unless a lot of very smart people are very wrong, you’re never going to be able to find a private key from it’s public key. So there’s more likely ways to get hold of the private key, like wishing, or kidnapping the President and holding him for ransom, etc.

          1. I am talking exactly about the unlikely situation. What’s wrong with publishing a wishlist? Also how does responsible disclosure work for cryptography (as opposed to responsible disclosure of erroneous implementations)? Cryptographic breaks may conceivably exist and already be found by individuals, who are unwilling to mess up their own lives, unless they could minimize their personal risk (single round publishing, versus multiple interactive rounds of announcing the breakthrough, and responding with private keys as public keys for devices are published one by one…). The payoff for libreboot would be huge versus the effort to gather a straightforward list of public keys, crypto used…

          2. Said differently, the security rests on a lack of proof of a feasible algorithm to break the crypto. Absence of evidence (we don’t find a way to break modern asymmetric crypto) should not be confused with evidence of absence.

          3. “So there’s more likely ways to get hold of the private key, like wishing, or kidnapping the President and holding him for ransom, etc.”
            You make the claim but do not prove it.
            IF someone finds/has found say a fast (i.e. feasible) way to compute the euler totient function, … THEN simply computing the private key seems more likely a way than “kidnapping the President and holding him for ransom, etc.”

  9. “Five or so years ago” – Try over ten years ago.
    “Intel rolled out something horrible” – Try Intel finally integrated a premium product once reserved for server chipsets commanding lots of money into their cheaper offerings.

    Yeah it’s all Intel’s fault, and nothing at all to do with users who’ve been asking for it.

        1. the comparison is rather poor as others have noted in the comments:
          such sys-admin style utility is only possible if the end-user receives the private key to sign his own trusted code, or a means of setting his own public key in the chipset. In effect it would just amount to an extra kind of protection, like MMU’s. But without a means for the end-user to get real bonafide root without false bottom, it gives none of the benefits, only a back door by the manufacturers.

          so yeah, to be knowledgeable enough to compare the functionality yet to deny the difference in power/control does sound like a shill talking…

    1. I wouldn’t mind using it, or at least configuring it so someone else doesn’t use it. At least on all my computers, it seems Intel spent the money to put IME in, yet forgot to tell me how to use it. Maybe they didn’t put it in for me after all…

      1. Depends on the feature set of the processors. IME started as a small processor management system and grew from there. Got a very early form of it? Well you’ll have to do with basic power management and dynamic clock control. Got a current vPro enabled model and a motherboard that supports it? Then enable Intel AMT in the BIOS and go from there.

  10. I don’t want to neutralise the damn thing, I wanna know how to use it! Such a useful function especially for being able to support friends and family who are having computer issues no matter where they are. Like RDP, VNC, and the whole list of other remote access protocols out there it needs to be properly secured but once you have that in place being able to remotely troubleshoot pre functional OS issues is a godsend!

    1. I ended up giving my parents a SuperMicro workstation-class board with an IPMI interface. It relies on some proprietary protocols (Runs on the VNC port, but doesn’t quite do VNC), but I can access the console as if I was sitting at it physical and can perform power control on the system without worrying about the OS. Also has the capability of mounting media to the device remotely. Every Friday evening, I connect to the VPN I set up at their place, log into the IPMI device, attach a live-CD, power the machine on, create a full image of their hard drive and copy it to my backup server in my home. I then power down the machine and they don’t have anything they need to do.

      Theoretically, the Intel ME is capable of doing this, but like hell am I paying Intel a massive stack of cash to get the software to connect to it and ensure that I’m the only one who can access it.

    1. The ME can have its own NIC, ever heard of Wake-on-LAN. Powered off rarely means all power has been physically disconnected these days, it typically mean that 500 microamps or below are being used.

    2. In ancient times long forgotten by common folk, in times of legend and wonder (in 1995 to be exact), great sages of Intel specified that every ATX power supply should deliver 5 volts at +5VSB pin with minimum of 10mA of current and maximum of 720mA of current, thus making such wonders as rebooting with power cycle and Wake on LAN possible. Now this great power is used by IME and other such systems for good or ill of all folk, as was declared by great sages of Intel.

    3. No ATX-based machine is ever capable of completely powering off. The power button on the front works only because the motherboard is supplied with enough current to instruct the power supply to start pushing more energy down to the Mother Board and peripherals.

      ATX motherboards use enough energy while off for:
      -The front-panel power button
      -NICs so that the system can respond to WoL packets
      -PS/2 ports for keyboards with the proper button can turn the system on
      -Any RS-232 serial ports so the system can be powered on if the RI pins is brought high
      -The BIOS/RTC to bring the system up when an alarm is configured
      -The PCI and PCIe buses supply a small amount of power to support WoL or any other methods of power-up
      -On modern system, the SMBus interface is also provided a bit of power so that other devices (such as IPMI / iLO / RBAC devices can bring the system up.

  11. I wonder what this crowd’s opinion of a baseboard management controller is. They are a separate microcontroller independent of the host CPU with a network connection running code an end user can’t examine and have access to many low level hardware buses.

    1. The issue is, who writes the software. Or at least who pays to have it written. If your baseboard management controller is under control of your company (who are the real end-user, not the drone sat in front of it), then that’s fine. It’s their computer, they own it. In that case it’s just another feature.

      Nobody’s against the IME for what it does, just who it does it for.

      1. There are also complaints about the fact that it can’t be turned off if its not needed, nor is there anyway to see what it is actually doing and no way to verify if the code is free of back-doors.

        The IME is quite advanced, capable of given a remote user fill access to the system over the internet, including management of the BIOS. I have a work laptop with the IME configured on it. The IT department was able to update the BIOS on my system, unlock the encrypted boot disk, apply OS patches, and power the system on and off remotely. I was connected to my Hotel’s WiFi network in Brussels while they where seated in San Francisco. The BIOS update was to fix an issue where the NIC reported the wrong ID to the OS and the OS would not be able to use it with the latest NIC drivers.

        I monitored another session from both the perspective of the OS as well as what was on the wire (Wireshark on the OS, TCPdump on my router). I compared the two dumps to pull the IME’s traffic. Found out that the IME is impersonating the host OS, using the exact same IP/MAC pair (it seemed to pull the IP and MAC from packets passing out of the NIC). It was also able to grab the SSID and network keys for the wireless network and was able to continue connecting to the wireless network after the OS was shut down and another OS booted in place. I also noticed that it would phone home periodically even if the system was powered off but the display was open.

        I tried this on my desktop as well, which had the IME but was not configured. I found that it still sent out packets to a multi-cast address, seems that it was looking for a management server to connect to.

        With this, it seems possible that an attacker could impersonate a Management server and then instruct the machine to power on and pull keys from the TPM (it has access to the internal crypto processor and the LPC bus) and send them off to a location of the attacker’s choice. That attacker could be a malicious hacker on the network, or could be some nation intelligence service. They could pull of that attack without the user ever being wise to what is happening. Could easily be performed at an international airport and gain access to any system that had logged onto the airport’s WiFi. Although it is possible that there are hard-coded SSID / key pairs that the IME will attach to if it detects their presence.

        The part that -really- worries me is that the chips are baked in a Chinese factory, and the Chinese government has the resources to reverse engineer the chip to discover any flaws or any back doors built for someone else.

  12. This is way too vulnerable to government pressure. Be it USA or China. All it takes is a private key which governments will demand in private. Chip and motherboard makers claim it’s a requested feature but 99.99% of people have no clue what it is or how it can be used so how can they be requesting it? Also why can’t ALL BUILT IN KEYS be invalidate with a section for users to enter their OWN keys thus actually making it a feature they might request? Also how about an irrefutable way to monitor/verify what software is running on the background computer? Furthermore it’s just a private key; so should there be a government leak then ALL desktop computers and servers would be instantly screwed overnight. Hackers or foreign governments could take down the majority of computer systems for months in a heartbeat sending the US economy into a recession… Other governments and certain properly invested individuals could handsomely profit from the chaos. Whomever the bureaucrat/politician was in the USA that strong-armed this needs to be taken out and shot for treason. It’s the equivalent to hooking up a nuke to the internet over a telnet account.

  13. As far as I know, my Panasonic Toughbook CF-30 Mark III has the GM45/ICH9 chipset and has ME. I’ve disabled it in the BIOS and so far I cannot ALT+P into it and running the ‘reset Intel ME’ option in the BIOS does not work unless it is enabled. It also doesn’t show up in the device manager either. Can’t guarantee its disabled since it uses 25MB for every GB of RAM but here’s to hoping, right?

  14. Can’t remember where it was, but there has been rumors some of the enterprise chips from Intel containing a independent cellular modem providing the IME a basically undetectable route to WAN. I agree that to some extent the IME is a great feature, but the user should be in charge when and how it is used.

      1. NO. It “enterprise chips from Intel containing a independent cellular modem” was a rumor spread by people with no clue about electronics.
        SMS option is enabled on laptops that ship with cellular modem.

  15. So, for mortals, the only way to prevent Mordor from invading our privacy would be to do all our sensitive stuff on linux on a raspberry or some other open hardware like that.

  16. YOu find that scary? You better don’t have a too close look on your smartphone… there are at least three completely separate computing environments and even in the best case (rooted OS) you only have access to one of them (the Android or iOS user interface). What happens underneath that is completely hidden from the user and exploits e.g. for the baseband processor are already “on the market” since at least a decade without anyone bothering to bring any security fixes to the users at all…

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s